Intellum Data Processing Agreement "DPA"
THIS AGREEMENT ("DPA") is entered into as of February 6, 2021 ("Effective Date"), by and between Intellum, Inc., a Georgia corporation located at 3525 Piedmont Rd NE, Building 7, Suite 500, Atlanta, GA 30305, USA, doing business as Intellum ("Intellum"), and the Client agreeing to the Underlying Agreements (defined below) ("Client"). Client is entering into this Agreement on behalf of itself and its Authorized Affiliates. All references herein to Client also apply to Client’s Authorized Affiliates.
WHEREAS, Intellum and Client have entered into, and may in the future enter into, one or more agreements, that require Intellum to provide certain Services to Client (the "Underlying Agreement(s)"); and
WHEREAS, in providing the Services to Client pursuant to the Underlying Agreement(s), Intellum may Process Personal Data on behalf of Client; and
WHEREAS, if and to the extent Intellum Processes Personal Data on behalf of Client, the parties will be subject to the GDPR, the CCPA and applicable "Data Protection Laws and Regulations"; and
WHEREAS, if and to the extent Intellum processes Personal Data on behalf of Client, Client will be acting in the capacity of Controller (data exporter), and Intellum will be acting in the capacity of Processor (data importer);
NOW, THEREFORE, in consideration of the foregoing, and in reliance on the mutual agreements contained herein, the parties agree as follows:
- “Authorized Persons” means Intellum’s employees, agents, and contractors that have a need to know or otherwise access User Data to enable Intellum to provide the Services.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- “Controller” means a controller as defined under the GDPR.
- “Data Protection Laws” means all international, federal, national and state privacy and data protection laws and regulations to the extent applicable to Intellum and the Services.
- “Data Breach” means any loss or unauthorized access, acquisition, theft, destruction, disclosure or use of User Data that occurs while such User Data is in the possession of or under the control of Intellum.
- “GDPR” means the EU General Data Protection Regulation 2016/679.
- “Personal Data” means information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Process” or “Processing” means any operation or set of operations that are performed upon User Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the applicable Data Protection Laws.
- “Processor” means a processor as defined under the GDPR.
- “Services” means Intellum’s services, solutions and products.
- “Sub-Processor” shall mean an entity engaged by Intellum to assist it in Processing the User Data in fulfilment of its obligations with regard to the Services.
- “Third Party” is any person or entity other than Intellum and Client and Client’s Users.
- “User” is a person who is affiliated with Client and is a User of Intellum’s Services.
- “User Data” means all data relating to a User that is (i) provided to Intellum by Client or User or (ii) otherwise obtained, accessed, developed, or produced by Intellum. User Data may include Personal Data.
2. Data Privacy
- 2.1 Compliance with Laws. The Parties shall comply with their obligations under all Data Protection Laws. For purposes of the GDPR, Client is considered the Controller and Intellum is its Processor; if Client is considered a Processor for purposes of the GDPR, then Intellum is considered its Sub-Processor. For purposes of the CCPA, Intellum is a Service Provider as that term is defined by the CCPA.
- 2.2 Distribution of User Data. Client and Users should provide Intellum only with Personal Data that is requested by Intellum or that is otherwise necessary for Intellum to provide the Services. Intellum is not responsible for any other Personal Data. Client represents and warrants that it has obtained all consents from any Users to provide their Personal Data to Intellum.
- 2.3 Limitations on Use of Personal Data. Intellum shall not Process User Data other than for the purposes specified by Users and to provide the Services. Intellum shall not Process User Data for the benefit of any Third Party. Intellum shall access only the User Data that it needs to perform the Services (i.e., no more than necessary). Intellum will not store User Data longer than necessary to achieve the permitted purposes specified by User. Intellum may aggregate, de-identify, or anonymize Personal Data, so that it no longer meets the Personal Data definition, and may use such aggregated, de-identified, or anonymized data for its own research and development purposes. Intellum will not attempt to or actually re-identify any previously aggregated, de-identified, or anonymized data.
- 2.4 Restrictions. Except with a User’s prior, written approval, on a case-by-case basis, Intellum will not: (a) use User Data other than as necessary for Intellum to provide the Services, (b) disclose, sell, assign, lease or otherwise provide User Data to Third Parties (other than to its affiliates or Sub-Processors) except to the extent required or permitted by Data Protection Laws, or (c) merge User Data with other data, modify or commercially exploit any User Data.
- 2.5 Sensitive Personal Data. Client and Users are advised not to provide Intellum with Sensitive Personal Data. “Sensitive Personal Data” means (a) information that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, (b) information or data concerning a natural person’s health or sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.
Intellum may engage Sub-Processors in connection with the provision of the Services, provided, however, that Intellum may not provide a Sub-Processor with access to User Data unless the Sub-Processor has: (i) a business need to know / access the relevant User Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or is under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organizational safeguards to protect User Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access. Intellum shall give Client written notice of the appointment of any new Sub-Processor. If, within thirty (30) days of receipt of that notice, Client notifies Intellum in writing of any reasonable objection to the proposed appointment, the Parties shall negotiate in good faith a mutually acceptable alternative. If no such alternative is agreed within sixty (60) days of the objection, Client will have the right to terminate the MSA to the extent it relates to services which require use of the proposed Sub-Processor.
At the date of the Agreement, Intellum utilized the following Sub-processors:
4. Data Subject Rights; Cooperation
Intellum shall use commercially reasonable efforts to cooperate and assist with a User’s exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by Intellum, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the GDPR. Upon Client’s request, Intellum shall provide Client with reasonable assistance needed to fulfill Client’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Intellum.
5. Return or Destruction of User Data
Upon the written request of a User, Intellum will return User Data to the User in a commonly readable format or securely delete User Data as soon as reasonably practicable. However, if Intellum is required by law to retain User Data or if User Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then Intellum will continue to protect such User Data in accordance with this Addendum and limit any use to the purposes of such retention.
6. Data Security
- 6.1 Security Program Requirements. Intellum will maintain a security program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. Intellum’s security program shall be designed to protect the security and confidentiality of User Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of User Data. At a minimum, Intellum’s security program shall include: (a) limiting access of User Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within Intellum’s possession or control; (d) means for encrypting User Data stored on media within Intellum’s possession or control by using modern acceptable cyphers and key lengths, including backup media; (e) means for encrypting User Data transmitted by Intellum over public or wireless networks by using modern acceptable cyphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.
- 6.2 Regular Reviews. Intellum shall ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities.
7. Data Breach Procedures
- 7.1 Notification. Intellum shall notify Client and any affected User of any Data Breach as soon as practicable and without undue delay after becoming aware of it. Such notification shall at a minimum: (i) describe the nature of the Data Breach, the categories and numbers of Users concerned, and the categories and numbers of Personal Data records concerned; (ii) communicate the name and contact details of Intellum's data protection officer or other relevant contact from whom more information may be obtained; and (iii) describe the measures taken or proposed to be taken to address the Data Breach.
- 7.2 Remedial Actions. In the event of a Data Breach for which Intellum is responsible, Intellum will use commercially reasonable efforts to: (a) remedy the Data Breach condition, investigate, document, restore the Services, and undertake required response activities; (b) provide regular status reports to Client on Data Breach response activities; (c) assist Client with the coordination of media, law enforcement, or other Data Breach notifications; and (d) assist and cooperate with Client in its Data Breach response efforts.
8. Cross-Border Transfers
- 8.1 Location. Intellum systems and Intellum’s Processing of User Data will occur within the following jurisdictions: United States of America and Ireland (the “Processing Jurisdictions”). Intellum will not transfer any User Data outside of the Processing Jurisdictions except as directed by or with the consent of Client and/or User. To the extent that Intellum is a recipient of Personal Data protected by the GDPR (“EU Personal Data”), Intellum agrees to abide by and Process EU Personal Data in compliance with the Standard Contractual Clauses, which are incorporated into this Addendum by Exhibit A, to enable the lawful transfer of EU Personal Data.
- 8.2 Sub-Processors. Before providing User Data of a European citizen to Sub-Processors, Intellum will use commercially reasonable efforts to ensure that the Sub-Processors will execute EU-prescribed Standard Contractual Clauses.
The indemnification obligation for each party is subject to the indemnification provision set forth in the Terms of Service. Any indemnification obligation is also subject to the limitation of liability provision in the Terms of Service.
Exhibit A Standard Contractual Clauses
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity identified as the “Client” in the DPA (the “data exporter”)
Intellum, Inc. (the “data importer”) (each a “party”; together “the parties”)
3525 Piedmont Rd NE
Building 7, Suite 500
Atlanta, GA 30305, USA
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
The data exporter has entered into a data processing addendum (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
Clause 1 Definitions
For the purposes of the Clauses:
a. 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; [If these Clauses are governed by a law which extends the protection of data protection laws to corporate persons, the words “except that, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of "personal data" is expanded to include those data” are added.]
b. 'the data exporter' means the controller who transfers the personal data.
c. 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words "and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC" are deleted.]
d. 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
e. 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
f. 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 Obligations of the data exporter
The data exporter agrees and warrants:
a. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
b. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
c. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
d. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
e. that it will ensure compliance with the security measures;
f. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
g. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
h. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
i. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
j. that it will ensure compliance with Clause 4(a) to (i).
Clause 5 Obligations of the data importer
The data importer agrees and warrants:
a. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
b. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
c. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
d. that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
e. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
f. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
g. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
h. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
i. that the processing services by the subprocessor will be carried out in accordance with Clause 11;
j. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6 Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7 Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9 Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10 Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12 Obligation after the termination of personal data processing services
Appendix 1 to the Standard Contractual Clauses
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the entity identified as “Client” in the DPA.
The data importer is: Intellum, Inc.
Subject matter and duration of the processing of Client Personal Data
The subject matter, nature, purpose and duration of the processing of the Client Personal Data are set out in the Agreement (likely a Statement of Work) and as may be further stated below or elsewhere in this Addendum.
The Client Personal Data transferred to processor is determined and controlled by Client in its sole discretion.
Categories of Data
The personal data transferred to or accessed by processor includes all relevant information required to deliver requested services under the Agreement, is determined and controlled by Client in its sole discretion and may include:
- Personal details such as first and last name, email address, telephone number and physical address
- Authentication credentials to use part of the services, such as username, IP address, PC name etc.
- Activities performed by controller personnel, its agents, contractors or affiliates as users of the performed services
- Any other category of data agreed upon between the Parties in an Agreement
Special Categories of data (if appropriate)
The Client Personal Data may concern the following special categories of data:
- With regard to clients in the healthcare industry, data governed by specific privacy regulations
- With regard to clients in the financial sector and other regulated industries, data covered under specific privacy regulations
- With regard to employment and similar litigation matters data concerning race, national origin or gender
Appendix 2 to the Standard Contractual Clauses
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Data importer has implemented appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing and the nature of the Personal Data to be protected which shall be at least equivalent to those described in the Addendum.
If you have any questions please contact us at firstname.lastname@example.org