Intellum Data Processing Agreement (“DPA”)
THIS DATA PROCESSING AGREEMENT ("DPA") is entered into by and between Intellum, Inc., a Georgia corporation located at 3525 Piedmont Rd NE, Building 7, Suite 500, Atlanta, GA 30305, USA, ("Intellum") and the Client agreeing to the Underlying Agreement(s) (as defined below) ("Client"). Client is entering into this Agreement on behalf of itself and its Authorized Affiliates. All references herein to Client also apply to Client’s Authorized Affiliates.
WHEREAS, Intellum and Client have entered into, and may in the future enter into, one or more agreements that require Intellum to provide certain Services to Client (the "Underlying Agreement(s)");
WHEREAS, in providing the Services to Client pursuant to the Underlying Agreement(s), Intellum may Process Personal Data on behalf of Client;
WHEREAS, if and to the extent Intellum Processes Personal Data on behalf of Client, the parties will be subject to the GDPR, the CCPA and applicable "Data Protection Laws and Regulations";
WHEREAS, if and to the extent Intellum processes Personal Data on behalf of Client, Client will be acting in the capacity of Controller (data exporter), and Intellum will be acting in the capacity of Processor (data importer);
NOW, THEREFORE, in consideration of the foregoing, and in reliance on the mutual agreements contained herein, the parties agree as follows:
1. Definitions
- “Authorized Persons” means Intellum’s employees, agents, and contractors that have a need to know or otherwise access User Data to enable Intellum to provide the Services.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- “Controller” means a controller as defined under the GDPR.
- “Data Protection Laws” means all international, federal, national and state privacy and data protection laws and regulations to the extent applicable to Intellum and the processing of Personal Data in connection with the Services.
- “Data Breach” means any loss or unauthorized access, acquisition, theft, destruction, disclosure or use of User Data that occurs while such User Data is in the possession of or under the control of Intellum.
- “Data Subject” means the identified or identifiable person to whom Personal Data relates.
- “GDPR” means the EU General Data Protection Regulation 2016/679, including as implemented or adopted under the laws of the United Kingdom.
- “Personal Data” means information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Process” or “Processing” means any operation or set of operations that are performed upon User Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the applicable Data Protection Laws.
- “Processor” means a processor as defined under the GDPR, including any applicable “service provider” as that term is defined under CCPA.
- “Services” means Intellum’s services, solutions and products.
- “Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- “Sub-Processor” shall mean a Processor engaged by Intellum to assist it in Processing the User Data in fulfillment of Intellum’s obligations with regard to the Services.
- “Third Party” is any person or entity other than Intellum and Client and Client’s Users.
- “User” is a person who is affiliated with Client and is a User of Intellum’s Services.
- “User Data” means all data relating to a User that is (i) provided to Intellum by Client or User or (ii) otherwise obtained, accessed, developed, or produced by Intellum. User Data may include Personal Data.
2. Data Privacy
- 2.1 Roles of the Parties. The Parties shall comply with their obligations under all Data Protection Laws. For purposes of the GDPR, if Client is the Controller then Intellum is its Processor; if Client is a Processor, then Intellum is its Sub-Processor. For purposes of the CCPA, Intellum is a Service Provider as that term is defined by the CCPA.
- 2.2 Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Intellum as Processor (including, where the Client is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws.
- 2.3 Intellum’s Processing of Personal Data. Intellum shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Client’s documented instructions for the following purposes: (i) Processing in accordance with the Underlying Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Underlying Agreement.
- 2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Intellum is the performance of the Services pursuant to the Underlying Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Description of Processing/Transfer) to this DPA.
- 2.5 Data Minimization and Sensitive Personal Data. Client and Users should provide Intellum only with Personal Data that is requested by Intellum or that is otherwise necessary for Intellum to provide the Services. Intellum is not responsible for any other Personal Data. Client represents and warrants that it has obtained all consents from any Users to provide their Personal Data to Intellum. Client and Users are advised not to provide Intellum with Sensitive Personal Data. “Sensitive Personal Data” means (a) information that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, (b) information or data concerning a natural person’s health or sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.
3. Sub-Processors
Intellum may engage Sub-Processors in connection with the provision of the Services, provided, however, that Intellum may not provide a Sub-Processor with access to Personal Data unless the Sub-Processor has: (i) a business need to know or access the relevant Personal Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or is under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organizational safeguards to protect Personal Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access. Intellum shall give Client written electronic notice of the appointment of any new Sub-Processor through the Service. If, within thirty (30) days of receipt of that notice, Client notifies Intellum in writing of any reasonable objection to the proposed appointment, the Parties shall negotiate in good faith a mutually acceptable alternative. If no such alternative is agreed within sixty (60) days of the objection, Client will have the right to terminate the applicable Underlying Agreement to the extent it relates to services which require use of the proposed Sub-Processor.
4. Data Subject Rights; Cooperation
Intellum shall use commercially reasonable efforts to cooperate and assist with a Data Subject’s exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by Intellum, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the GDPR or CCPA. Upon Client’s request, Intellum shall provide Client with reasonable assistance needed to fulfill Client’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Intellum.
5. Return or Destruction of User Data
Upon the written request of a Data Subject, Intellum will return Personal Data to the Data Subject in a commonly readable format or securely delete Personal Data as soon as reasonably practicable. However, if Intellum is required by law to retain Personal Data or if Personal Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then Intellum will continue to protect such Personal Data in accordance with this DPA and limit any use to the purposes of such retention.
6. Data Security
- 6.1 Security Program Requirements. Intellum will maintain a security program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. Intellum’s security program shall be designed to protect the security and confidentiality of Personal Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of, Personal Data. At a minimum, Intellum’s security program shall include: (a) limiting access to Personal Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within Intellum’s possession or control; (d) means for encrypting Personal Data stored on media within Intellum’s possession or control, including backup media, by using modern acceptable ciphers and key lengths; (e) means for encrypting Personal Data transmitted by Intellum over public or wireless networks by using modern acceptable ciphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.
- 6.2 Regular Reviews. Intellum shall ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities. Intellum shall maintain an audit program to help ensure adherence with the obligations set forth in this DPA.
- 6.3 Audit Rights. Client may contact Intellum to request an on-site audit of Intellum’s Processing activities covered by this DPA (“On-Site Audit”). An On-Site Audit may be conducted by Client either itself or through a Third-Party auditor selected by Client when:
  - (i) the information available from “Third-Party certifications and audits” is not sufficient to demonstrate compliance with the obligations set out in this DPA and its Schedules;
  - (ii) Client has received a notice from Intellum of a Data Breach; or
  - (iii) such an audit is required by Data Protection Laws or by Client’s competent supervisory authority.
- Any On-Site Audits will be limited to no more than once per year and shall only be of applicable Personal Data Processing and storage facilities operated by Intellum or any of Intellum’s Affiliates where Client’s Personal Data is processed. Client acknowledges that Intellum operates a multi-tenant cloud environment. Accordingly, Intellum shall have the right to reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other Intellum clients’ information.
7. Data Breach Procedures
- 7.1 Notification. Intellum shall notify Client and any affected User of any Data Breach as soon as practicable and without undue delay after becoming aware of it. Such notification shall at a minimum: (i) describe the nature of the Data Breach, the categories and numbers of Users concerned, and the categories and numbers of Personal Data records concerned; (ii) communicate the name and contact details of Intellum's data protection officer or other relevant contact from whom more information may be obtained; and (iii) describe the measures taken or proposed to be taken to address the Data Breach.
- 7.2 Remedial Actions. In the event of a Data Breach for which Intellum is responsible, Intellum will use commercially reasonable efforts to: (a) remedy the Data Breach condition, investigate, document, restore the Services, and undertake legally required response activities; (b) provide regular status reports to Client on Data Breach response activities; (c) assist Client with the coordination of media, law enforcement, or other Data Breach notifications; and (d) assist and cooperate with Client in its Data Breach response efforts.
8. Cross-Border Transfers
- 8.1 Location. Intellum systems and Intellum’s Processing of User Data will occur within the following jurisdictions: United States of America and Ireland (the “Processing Jurisdictions”). Intellum will not transfer any User Data outside of the Processing Jurisdictions except as directed by or with the consent of Client and/or User. To the extent that Intellum is a recipient of Personal Data protected by the GDPR, Intellum agrees to abide by and Process such Personal Data in compliance with the Standard Contractual Clauses, which are incorporated into this Addendum by Exhibit A, to enable the lawful transfer of EU Personal Data.
- 8.2 Sub-Processors. Before providing User Data of a European citizen (for purposes of this DPA, “European” shall include the European Union, the European Economic Area, Switzerland and the United Kingdom) to Sub-Processors, Intellum will use commercially reasonable efforts to ensure that the Sub-Processors will execute the Standard Contractual Clauses.
9. Other Obligations
Any indemnification and/or limitation of liability obligations of the parties are as set forth in the Underlying Agreement(s).
Schedule 1: Transfer Mechanisms for European Data Transfers
1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS
For the purposes of the European Union Controller to Processor Transfer Clauses (hereinafter, “EU C-to-P Transfer Clauses”) and the European Union Processor to Processor Transfer Clauses (hereinafter, “EU P-to-P Transfer Clauses”), Client is the data exporter and Intellum is the data importer and the Parties agree to the following. If and to the extent an Authorized Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to “Client” in this Schedule, include such Authorized Affiliate. Where this section 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.
- 1.1 Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses is set out in Schedule 2.
- 1.2 Docking clause. The option under clause 7 shall not apply.
- 1.3 Instructions. This DPA and the Underlying Agreement are Client’s complete and final documented instructions at the time of signature of the Underlying Agreement to Intellum for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Underlying Agreement. For the purposes of clause 8.1(a), the instructions by Client to Process Personal Data are set out in section 2.3 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.
- 1.4 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Intellum to Client upon Client’s written request.
- 1.5 Security of Processing. For the purposes of clause 8.6(a), Client is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Intellum’s security documentation meet Client’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Intellum provide a level of security appropriate to the risk with respect to its Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with this DPA.
- 1.6 Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with this DPA.
- 1.7 General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Intellum has Client’s general authorization to engage Sub-processors in accordance with this DPA. Intellum shall make available to Client the current list of Sub-processors. Where Intellum enters into the EU P-to-P Transfer Clauses with a Sub-processor in connection with the provision of the Services, Client hereby grants Intellum authority to provide a general authorization on Controller’s behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.
- 1.8 Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a), Client acknowledges and expressly agrees that Intellum may engage new Sub-processors as described in section 3 of this DPA. Intellum shall inform Client of any changes to Sub-processors following the procedure provided in this DPA.
- 1.9 Complaints – Redress. For the purposes of clause 11, and subject to this DPA, Intellum shall inform Data Subjects on its website of a contact point authorized to handle complaints. Intellum shall inform Client if it receives a complaint by, or dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Client. Intellum shall not otherwise have any obligation to handle the request (unless otherwise agreed with Client). The option under clause 11 shall not apply.
- 1.10 Liability. Intellum’s liability under clause 12(b) shall be limited to any damage caused by its Processing where Intellum has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Client, as specified in Article 82 GDPR.
- 1.11 Supervision. Clause 13 shall apply as follows:
  - 1.11.1 Where Client is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Client with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
  - 1.11.2 Where Client is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
  - 1.11.3 Where Client is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the Data Protection Commission (DPC) of Ireland shall act as competent supervisory authority.
  - 1.11.4 Where Client is established in the United Kingdom or falls within the territorial scope of application of the Data Protection Laws and Regulations of the United Kingdom (“UK Data Protection Laws and Regulations”), the Information Commissioner’s Office (“ICO”) shall act as competent supervisory authority.
  - 1.11.5 Where Client is established in Switzerland or falls within the territorial scope of application of the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws and Regulations”), the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
- 1.12 Notification of Government Access Requests. For the purposes of clause 15(1)(a), Intellum shall notify Client (only) and not the Data Subject(s) in case of a government access request. Client shall be solely responsible for promptly notifying the Data Subject as necessary.
- 1.13 Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the governing law section of the Underlying Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of England and Wales.
- 1.14 Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the venue section of the Underlying Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the courts of England and Wales shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
- 1.15 Appendix. The Appendix shall be completed as follows:
  - The contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses.
  - The contents of sections 2 to 5 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses.
  - The contents of section 6 of Schedule 2 shall form Annex II to the Standard Contractual Clauses.
- 1.16 Data Exports from the United Kingdom under the Standard Contractual Clauses. For data transfers governed by UK Data Protection Laws, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses (“Approved Addendum”) shall apply. The information required for Tables 1 to 3 of Part One of Approved Addendum is set out in Schedule 2 of this DPA (as applicable). For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes.
- 1.17 Data Exports from Switzerland under the Standard Contractual Clauses. For data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
- 1.18 Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
2. ADDITIONAL TERMS FOR THE EU P-TO-P TRANSFER CLAUSES
For the purposes of the EU P-to-P Transfer Clauses (only), the Parties agree the following.
- 2.1 Instructions and notifications. For the purposes of clause 8.1(a), Client hereby informs Intellum that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Client warrants that its Processing instructions as set out in the Underlying Agreement and this DPA, including its authorizations to Intellum for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant Controller. Client shall be solely responsible for forwarding any notifications received from Intellum to the relevant Controller where appropriate.
- 2.2 Security of Processing. For the purposes of clause 8.6(c) and (d), Intellum shall provide notification of a personal data breach concerning Personal Data Processed by Intellum to Client.
- 2.3 Documentation and Compliance. For the purposes of clause 8.9, all inquiries from the relevant Controller shall be provided to Intellum by Client. If Intellum receives an inquiry directly from a Controller, it shall forward the inquiry to Client and Client shall be solely responsible for responding to any such inquiry from the relevant Controller where appropriate.
- 2.4 Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, Intellum shall notify Client about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Client shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
Schedule 2: Description of Processing / Transfer
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
1. List Of Parties
- Data exporter. The data exporter is the entity identified as “Client” in the DPA.
- Data importer. The data importer is: Intellum, Inc.
- Subject matter and duration of the processing of Client Personal Data. The subject matter, nature, purpose and duration of the processing of the Client Personal Data are set out in the Agreement (likely a Service Order) and as may be further stated below or elsewhere in this Addendum.
2. Data Subjects
- The Client Personal Data transferred to processor is determined and controlled by Client in its sole discretion.
3. Categories Of Data
- The personal data transferred to or accessed by processor includes all relevant information required to deliver requested services under the Agreement, is determined and controlled by Client in its sole discretion and may include:
  - Personal details such as first and last name, email address, telephone number and physical address
  - Authentication credentials to use part of the services, such as username, IP address, PC name, etc.
  - Activities performed by controller personnel, its agents, contractors or affiliates as users of the performed services
  - Any other category of data agreed upon between the Parties in an Agreement
4. Special Categories Of Data (if appropriate)
- The Client Personal Data may concern the following special categories of data:
  - With regard to clients in the healthcare industry, data governed by specific privacy regulations applicable to the healthcare industry.
  - With regard to clients in the financial sector and other regulated industries, data covered under specific privacy regulations applicable to the financial services industry.
5. Processing Operations
- Personal data will be processed for the purpose of and to the extent necessary for the performance of the services requested from Client under the Underlying Agreement only and will be subject to the basic processing activities set out in the Agreement for the performance of services.
6. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
- Data importer has implemented appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing and the nature of the Personal Data to be protected which shall be at least equivalent to those described in the Addendum.
If you have any questions regarding this DPA please contact Intellum at firstname.lastname@example.org