This Addendum regulates only the Processing of Personal Data subject to EU Data Protection Law for the Purposes (as defined in Annex 2) by the Parties in the context of the Services. Annexes 1, 2, and 3 form an integral part of this Addendum.
- Definitions. The following terms have the meanings set out below for this Addendum:
- 1.1 “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
- 1.2 “Data Subject” means a natural person whose Personal Data are processed in the context of this Addendum.
- 1.3 “EU Data Protection Law” means GDPR and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC, and as amended and replaced from time to time) and their national implementing legislations, if any.
- 1.4 “GDPR” means the EU General Data Protection Regulation 2016/679 (as amended and replaced from time to time).
- 1.5 “Personal Data” means any information relating to an identified or identifiable natural person.
- 1.6 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- 1.7 “Privacy Shield” means the EU-U.S. Privacy Shield framework created by the U.S. Department of Commerce (“DoC”) and the European Commission, and the Swiss-U.S. Privacy Shield framework created by the DoC and the Swiss government.
- 1.8 “Processor” means the entity that processes Personal Data on behalf of a Controller.
- 1.9 “Processing of Personal Data” (or “Processing/Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- 1.10 “Services” has the meaning in the Agreement.
- 1.11 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection set out in the European Commission’s decision (C(2010)593) of 5 February 2010.
- 1.12 “Sub-Processor” means the entity engaged by the Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller.
- 1.13 “Supervisory Authority” means an independent public authority that has been established by a state for which EU Data Protection Law is the applicable law regarding the protection of Personal Data.
- 1.14 “Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.
- Roles of the Parties. For purposes of this Addendum, Customer, as controller, appoints IntentData.io, Inc. as a Processor for the Processing of Personal Data (as defined in Annex 2) on Customer’s behalf for the Purposes (as defined in Annex 2).
- Obligations of IntentData.io, Inc. When Processing Personal Data for the Purposes in connection with the Services, IntentData.io, Inc.:
- 3.1 Will only Process Personal Data on behalf of Customer in accordance with the Customer’s lawful written instructions and not for any other purposes than those specified in Annex 2 or as otherwise agreed by both Parties in writing.
- 3.2 Will promptly inform Customer if, in its opinion, Customer’s instructions infringe EU Data Protection Law, or if IntentData.io, Inc. is unable to comply with Customer’s instructions.
- 3.3 Will, taking into account the nature of the Processing and the information available to IntentData.io, Inc., offer an opinion to the Customer regarding compliance with Customer’s obligations under EU Data Protection Law, including data security, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities.
- 3.4 Will, taking into account the nature of the Processing, take appropriate technical and organizational measures to assist Customer in fulfilling Customer’s obligation to respond to Data Subjects’ requests to exercise their rights as provided under EU Data Protection Law. If IntentData.io, Inc. receives a request directly from a Data Subject, law enforcement agency or regulator, IntentData.io, Inc. shall, unless prohibited from doing so by applicable law (including binding terms of the request itself), notify Customer about such request and only take further action as instructed by Customer. To the extent legally permitted, Customer shall be responsible for all reasonable costs arising from IntentData.io, Inc.’s provision of such assistance or compliance with such requests.
- 3.5 Will notify Customer when local laws prevent IntentData.io, Inc. from complying with the instructions received from Customer via this Addendum, or when it is required to process Personal Data by law to which IntentData.io, Inc. is subject, except if such disclosure is prohibited by applicable law.
- 3.6 Will, at the choice and direction of the Customer after the end of the provision of the Services, delete or return all Personal Data processed under this Addendum to the Customer, and delete existing copies unless EU or member state law requires storage of the Personal Data.
- 3.7 Will implement (and regularly test and review) internal Personal Data Breach identification, response and notification procedures in accordance with good industry practice. In the event of a Personal Data Breach relating to or affecting the Personal Data:
- 3.7.1 IntentData.io, Inc. shall, at its own expense, notify such Personal Data Breach to Customer without undue delay after IntentData.io, Inc. becoming aware of such Personal Data Breach; and
- 3.7.2 IntentData.io, Inc. shall, at its own expense: (i) co-operate with Customer’s reasonable requests; and (ii) provide all information reasonably requested by Customer, in each case, as required to enable Customer to comply with EU Data Protection Law and co-operate with the directions or guidance of any Supervisory Authority.
- Data Transfers. IntentData.io, Inc. shall not transfer any Personal Data to a Third Country unless the following conditions are fulfilled.
- 4.1 IntentData.io, Inc. complies with reasonable instructions notified to it in advance by Customer with respect to the processing of the Personal Data.
- 4.2 If the transfer is to IntentData.io, Inc.:
- 4.2.1 In the US, IntentData.io, Inc. shall maintain its certification under Privacy Shield to process such Personal Data;
- 4.2.2 IntentData.io, Inc. shall comply with the data importer obligations in the Standard Contractual Clauses which are hereby incorporated into and form part of this Addendum and Customer shall comply with the data exporter obligations.
- 4.3 If the transfer is to a Sub-Processor in a Third Country, IntentData.io, Inc. shall:
- 4.3.1 if the transfer is to the US, ensure that the receiving party is certified to process such Personal Data under Privacy Shield; or
- 4.3.2 ensure that the Sub-Processor shall comply with the data importer obligations in the Standard Contractual Clauses. For the purpose of this Section 4.3.2, Customer hereby grants IntentData.io, Inc. a mandate to execute the Standard Contractual Clauses with any relevant Sub-Processor it appoints on behalf of the Customer.
- 5.1 Customer acknowledges and agrees that IntentData.io, Inc. may engage third-party Sub-Processors in connection with the performance of the Services. The Sub-Processors approved by Customer as at the date of the Agreement or this Addendum are listed in Annex 3 hereto. IntentData.io, Inc. has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- 5.2 Customer shall, within ten days of the effective date of this Addendum, notify IntentData.io, Inc. by email to firstname.lastname@example.org of its desire to receive notifications of new Sub-Processors (“Sub-Processor Notification Process”). IntentData.io, Inc. shall provide notification via the Sub-Processor Notification Process of a new Sub-Processor before authorizing any new Sub-Processor(s) to Process Personal Data in connection with the provision of the applicable Services.
- 5.3 Customer may object to IntentData.io, Inc.’s use of a new Sub-Processor by notifying IntentData.io, Inc. promptly in writing to privacy@IntentData.io, Inc..com within ten (10) business days after receipt of IntentData.io, Inc.’s notice in accordance with the Sub-Processor Notification Process. In the event Customer objects to a new Sub-Processor, as permitted in the preceding sentence, IntentData.io, Inc. will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor without unreasonably burdening the Customer. If IntentData.io, Inc. is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to the Services that cannot be provided by IntentData.io, Inc. without the use of the objected-to new Sub-Processor by providing written notice to IntentData.io, Inc. IntentData.io, Inc. will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Service, without imposing a penalty for such termination on Customer.
- 5.4 Where a Sub-Processor fails to fulfill its data protection obligations, IntentData.io, Inc. shall remain fully liable to Customer for the performance of the Sub-Processor’s obligations.
- 5.5 Customer acknowledges and expressly agrees that IntentData.io, Inc. may engage new Sub-Processors as described in Sections 5.1 to 5.3 of this Addendum.
- Security of the Processing; Confidentiality.
- 6.1 IntentData.io, Inc. will, taking into account the nature of the processing, implement and maintain a comprehensive written information security program with appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the security measures listed in Annex 1 and as appropriate: (a) the encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- 6.2 IntentData.io, Inc. must take steps to ensure that any person acting under its authority who has access to Personal Data is subject to a duly enforceable contractual or statutory confidentiality obligation and will not process the Personal Data except on instructions from Customer.
- Data Protection Audit.
- 7.1 Customer, acting by itself or through its appointed representative (acting pursuant to an NDA approved by IntentData.io, Inc.), shall have the right during the term of the Agreement and for as long thereafter as IntentData.io, Inc. processes Personal Data regarding which Customer is a Controller, to assess compliance by IntentData.io, Inc. with the applicable requirements of the EU Data Protection Law and/or this Addendum, and to review the technical and organizational measures taken by IntentData.io, Inc. against the unauthorized or unlawful processing of Personal Data and against the unauthorized access to, accidental loss or destruction of, or damage to, Personal Data, on at least thirty (30) days’ advance notice to IntentData.io, Inc. Before the commencement of any audit, Customer and IntentData.io, Inc. shall mutually agree upon the scope, timing, and duration of the audit, and Customer shall take all reasonable measures to limit any adverse impact thereof on IntentData.io, Inc.
- 7.2 To the extent permitted by applicable law, Customer shall bear the costs and expenses incurred in respect of the parties’ compliance with their obligations under this clause.
- Invalidity and Severability; Conflict. In the event of any inconsistency between this Addendum and Standard Contractual Clauses entered into by the parties, if any, the Standard Contractual Clauses shall prevail.
IntentData.io, Inc. will, as a minimum, implement the following types of security measures:
- When Processing Personal Data on behalf of Customer in connection with the Services, IntentData.io, Inc. has implemented and will maintain appropriate technical and organizational security measures for the Processing of such data, including the measures specified in this Section to the extent applicable to IntentData.io, Inc.’s Processing of Personal Data. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.
- Physical Access Control. IntentData.io, Inc. employs measures designed to prevent unauthorized persons from gaining access to data processing systems in which Personal Data is processed, such as the use of security personnel, secured buildings and data center premises.
- System Access Control. The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and the logging of access on several levels. For Services: (i) log-ins to Services Environments by IntentData.io, Inc. employees (ii) logical access to data centers is restricted and protected by firewall/VLAN.
- Transmission Control. Except as otherwise specified for the Services, transfers of data outside the Service environment are also encrypted.
- Input Control. The Personal Data source is under the control of the Customer and is managed by secured file transfer (i.e., via web services or entered into the application) from the Customer. Note that some Services permit Customers to use unencrypted file transfer protocols. In such cases, Customer is solely responsible for its decision to use such unencrypted file transfer protocols.
- Data Backup. Back-ups are taken on a regular basis; back-ups are secured using a combination of technical and physical controls, depending on the particular Service.
- Data Segregation. Personal Data from different IntentData.io, Inc. customers’ environments is logically segregated on IntentData.io, Inc.’s systems.
ANNEX 2 – Description of the Processing Activities
This Annex 2 describes the Processing by IntentData.io, Inc. under the Addendum.
Subject-matter of the Processing
The performance of the Services pursuant to the Agreement.
Nature and Purpose of the Processing
Processing Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Data Subjects as required under EU Data Protection Law; and (iii) Processing to comply with other documented, reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Types of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title, work department, and manager/supervisor name
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- Biographical and directory information, including linked social media profile or posts
- IDs and login credentials for use of the Services
- Identifiers related to work or personal devices used to access data exporter’s IT systems
- Log information generated through the use of data exporter’s IT systems
- Actions performed by the employee while accessing or using the Services
- IP address
- localization data
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customer’s end-user customers, prospects, and partners, including employees, contractors, collaborators, and advisors of such end-user customers, prospects, and partners (who are natural persons).
Duration of the Processing
Until directed by Customer to end Processing.
| | Nature of Processing |
|---|---|
| 1600 Amphitheatre Pkwy, Mountain View, CA 94043 | Document and file sharing |
| Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226 | |
Last Updated: September 17, 2019