This VeraSafe Data Processing Addendum, including its exhibits and appendices (this “Addendum”) is entered into by and between VeraSafe, LLC, a limited liability company incorporated under the laws of Delaware, for itself and for and on behalf of its relevant Affiliates (“VeraSafe”), and the entity that entered into the Agreement (as defined below) with VeraSafe (“Participant”).
This Addendum, which may be updated from time to time, forms an integral part of the Agreement and is effective upon its incorporation into the Agreement. This Addendum may be so incorporated by reference in the Agreement or in an executed amendment thereto.
NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties agree as follows:
1. Definitions.
1.1. As used herein, the following terms have the following meanings when capitalized:
- “Agreement” means the VeraSafe Master Services Agreement, Master License Agreement, Master License and Services Agreement, or Technical and Professional Services Agreement entered into between VeraSafe and Participant together with any appendices, Program Addenda, and Statements of Work thereto.
- “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Participant Personal Data, including but not limited to the laws and regulations identified in Exhibit B hereto as may be amended, modified, or supplemented from time to time, as applicable.
- “Contracted Processor” means any third party appointed by or on behalf of VeraSafe to Process Participant Personal Data in connection with the Services.
- “Contracted Processor Page” means the webpage, as may be updated from time to time by VeraSafe, currently available at: https://www.verasafe.com/legal-notices/subprocessors.
- “Participant Personal Data” means any Personal Data Processed by or on behalf of VeraSafe to provide the Services in accordance with the Agreement.
- “Data Exporter” and “Data Importer” shall have the same meanings assigned to them in Part A of Exhibit A hereto.
- “GDPR” means the EU GDPR and UK GDPR as those terms are defined in Exhibit B, as applicable.
- “Jurisdiction Specific Terms” means all terms applicable to the Processing of Personal Data that apply to the extent that VeraSafe Processes Participant Personal Data protected by Applicable Data Protection Laws in one of the jurisdictions identified in these terms. The Jurisdiction Specific Terms are set forth in Exhibit B.
- “Restricted Transfer” means any transfer of Participant Personal Data protected by Applicable Data Protection Laws to a Third Country or an international organization in a Third Country (including data storage on foreign servers).
- “SCCs” or “Standard Contractual Clauses” are the model clauses for Restricted Transfers adopted from time to time by the relevant authorities of the jurisdictions indicated in Exhibit B, insofar as their use is approved by the relevant authorities as an appropriate mechanism or safeguard for Restricted Transfers.
- “Sub-Processor” means a direct Processor of a Processor. For the avoidance of doubt, Contracted Processors are Sub-Processors.
1.2. The terms “Controller”, “Data Protection Assessment”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Rights of the Data Subjects”, “Supervisory Authority”, and “Third Country” shall have the same meanings as under Applicable Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.
1.3. Capitalized terms that are used but not defined herein shall have the meanings given to them in the Agreement.
2. Scope and Applicability.
2.1. Duration. This Addendum shall take effect upon its incorporation into the Agreement and shall remain effective until Participant Personal Data is no longer Processed by VeraSafe pursuant to the Agreement.
2.2. Scope. This Addendum will apply to the Processing of all Participant Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor. The Processing of Personal Data that does not constitute Participant Personal Data is outside the scope of this Addendum.
2.3. Exhibits and Appendices. This Addendum includes the following exhibits and appendices:
- Exhibit A – Details of Processing;
- Appendix I to Exhibit A – Technical and Organizational Security Measures;
- Exhibit B – Jurisdiction Specific Terms; and
- Exhibit C – Supplemental Clauses to the Standard Contractual Clauses.
3. Processing of Participant Personal Data.
3.1. This Addendum shall apply only where, and to the extent that, VeraSafe factually acts as a Processor of Participant Personal Data. For the avoidance of doubt, the following situations fall within the scope of and are covered by this Addendum: (a) when Participant acts as a Controller and VeraSafe acts as a Processor; and (b) when Participant acts as a Processor and VeraSafe acts as a Sub-Processor.
3.2. VeraSafe shall:
- comply with all Applicable Data Protection Laws in the Processing of Participant Personal Data;
- not Process Participant Personal Data other than on Participant’s instruction (including with regard to Restricted Transfers) unless such Processing is required by Applicable Data Protection Laws, in which case VeraSafe shall, to the extent reasonably possible and permitted by Applicable Data Protection Laws, inform Participant of such requirement before Processing that Participant Personal Data; and
- immediately inform Participant in the event that, in VeraSafe’s reasonable opinion, a Processing instruction given by Participant may infringe Applicable Data Protection Laws.
3.3. All necessary information relating to the details of Processing is set out in Exhibit A.
3.4. Participant instructs VeraSafe (and authorizes VeraSafe to instruct each Contracted Processor it engages) to Process Participant Personal Data and, in particular, transfer Participant Personal Data to any country or territory, only as reasonably necessary for the provision of the Services and consistent with the Agreement and this Addendum.
3.5. Where Participant is acting as a Processor, it warrants that it shall:
- Process Participant Personal Data only on behalf of the relevant Controller’s documented instructions and, in turn, only instruct VeraSafe to carry out such Processing activities on behalf of Participant in accordance with said instructions of the Controller; and
- obtain prior authorization from the relevant Controller for subcontracting the Processing of Participant Personal Data to VeraSafe and its Contracted Processors.
4. Personnel.
4.1. VeraSafe shall take reasonable steps to ensure:
- the reliability of any employee, agent, or contractor who may have access to Participant Personal Data;
- that access to Participant Personal Data is limited to those individuals who need to know or access it, as necessary to fulfil the instructions given to VeraSafe by Participant or to comply with Applicable Data Protection Laws; and
- that all such individuals are subject to confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.
5. Security of Processing.
VeraSafe shall implement and maintain the administrative, technical, and organizational security measures identified in Appendix I to Exhibit A, which ensure a level of security appropriate to the risk of Processing and take into account: the state of the art, costs of implementation, and the nature and purposes of Processing; the risk of varying likelihood and severity to the rights and freedoms of natural persons; and the risks presented by the Processing activities, particularly those risks related to Personal Data Breaches.
6. Contracted Processors.
6.1. Authorization for Existing Contracted Processors. Participant authorizes VeraSafe to continue using those Contracted Processors engaged as of the Effective Date and listed on the Contracted Processors Page, and further authorizes VeraSafe and its Contracted Processors to appoint additional Contracted Processors, provided the obligations of this Section 6 are met.
6.2. Authorization for Appointment of Contracted Processors. VeraSafe shall provide Participant with prior notice of the appointment of any new Contracted Processor by updating the Contracted Processors Page. The Contracted Processors Page will reflect the date on which it was last updated. Participant is solely responsible for periodically reviewing the Contracted Processors Page.
6.3. Objection to Contracted Processors.
- Participant will be deemed to have consented to the appointment of a new Contracted Processor if no objection thereto is received within fourteen (14) days of VeraSafe’s notice thereof. Participant may object to the appointment of a Contracted Processor by providing a written objection, which shall include the name of the objected-to Contracted Processor and a reasonable statement of objection.
- If an objection is received, the Parties will work together in good faith with a view to achieving a commercially reasonable resolution. If no mutually agreeable resolution is available, Participant may, immediately upon written notice to VeraSafe, terminate the Agreement for convenience, with no further fees due other than those incurred up to and including the date of termination. Upon its receipt of notice of such termination, VeraSafe shall cease Processing Participant Personal Data.
6.4. Requirements for Appointing Contracted Processors. With respect to each Contracted Processor, VeraSafe shall:
- conduct due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Participant Personal Data required by this Addendum;
- disclose to Participant, upon request, the results of that due diligence;
- restrict the Contracted Processor’s access to Participant Personal Data to only what is necessary to assist VeraSafe in providing the Services, and prohibit the Contracted Processor from accessing Participant Personal Data for other purposes; and
- ensure that the arrangement between VeraSafe and the Contracted Processor is governed by a written contract that includes terms which offer substantially similar protections for Participant Personal Data as those set out in this Addendum, to the extent applicable to the nature of the services provided by such Contracted Processor.
6.5. Where any Contracted Processor fails to fulfil its data protection obligations under such written contract (or in the absence thereof, as the case may be), VeraSafe shall remain fully liable to Participant for the performance of the respective Contracted Processors’ data protection obligations under such contract and/or Applicable Data Protection Laws.
7. Rights of the Data Subjects.
7.1. Taking into account the nature of the Processing, VeraSafe shall assist Participant by implementing appropriate technical and organizational measures, insofar as possible, to respond to valid requests to exercise Rights of the Data Subjects under Applicable Data Protection Laws.
7.2. With regard to the Rights of the Data Subjects within the scope of this Section 7, VeraSafe shall:
- promptly notify Participant if it or any of its Contracted Processors receive a request from a Data Subject with respect to Participant Personal Data;
- not respond to that request, except on the instructions of Participant or as required or permitted by Applicable Data Protection Laws, in which case VeraSafe shall, to the extent reasonably possible and permitted by Applicable Data Protection Laws, inform Participant of such requirement before it responds to the request or directs its Contracted Processors to respond; and
- promptly comply with any commercially reasonable and lawful documented instructions from Participant regarding responding to a request to exercise Rights of a Data Subject.
8. Personal Data Breaches.
8.1. Breach Response. If VeraSafe discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Participant Personal Data under its or its Contracted Processors’ control, VeraSafe will (a) immediately implement measures intended to stop the unauthorized access; (b) secure the Participant Personal Data; and (c) notify Participant without undue delay and, in any event, within seventy-two (72) hours of becoming aware of such suspected Personal Data Breach.
8.2. Breach Obligations. Upon providing notice of a Personal Data Breach, VeraSafe shall:
- describe to Participant: (1) the nature of the Personal Data Breach, (2) where reasonably possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, (3) the impact of such Personal Data Breach upon Participant and the affected Data Subjects, and (4) the measures taken or proposed by VeraSafe to address the Personal Data Breach;
- provide and supplement notifications to Participant as and when additional information becomes available;
- reasonably assist Participant in meeting its relevant obligations pursuant to Applicable Data Protection Laws, including obligations to notify Supervisory Authorities or Data Subjects of a Personal Data Breach; and
- use commercially reasonable efforts to investigate, mitigate, and remediate each such Personal Data Breach and prevent a recurrence of such Personal Data Breach.
8.3. No Acknowledgement of Fault. VeraSafe’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by VeraSafe of any fault or liability with respect to the Personal Data Breach.
9. Data Protection Assessment and Prior Consultation.
VeraSafe shall provide Participant with relevant information and documentation, and reasonably assist Participant in complying with its obligations with regard to any data protection assessments or prior consultations with Supervisory Authorities when required pursuant to Applicable Data Protection Laws, but in each such case solely with regard to Participant Personal Data Processed by, and taking into account the nature of Processing and information available to, VeraSafe and its Contracted Processors. To the extent legally permitted, Participant shall reimburse VeraSafe for any time expended for any such assistance at VeraSafe’s then-current hourly Program Fees.
10. Deletion or Return of Personal Data.
10.1. VeraSafe shall provide Participant with the technical means, consistent with the way the Services are provided, to request the deletion of Participant Personal Data, with the exception of any Participant Personal Data that may be retained pursuant to applicable laws.
10.2. If requested by Participant and following the cessation of the Services, VeraSafe shall promptly delete or return all Participant Personal Data (including copies) to Participant, with the exception of any Participant Personal Data that may be retained pursuant to applicable laws.
10.3. VeraSafe shall also cause all Contracted Processors that have received Participant Personal Data to delete or return, as applicable, all such Participant Personal Data, with the exception of any Participant Personal Data that may be retained pursuant to applicable laws.
10.4. This Section 10 does not apply to Participant Personal Data that has been archived on back-up systems, which VeraSafe or its Contracted Processors, as applicable, shall securely isolate and protect from any further Processing, except to the extent required or permitted by applicable law.
11. Audit Rights.
VeraSafe shall allow for and reasonably cooperate with audits, including remote inspections, by Participant or an auditor mandated by Participant (on behalf of itself or its clients) with regard to the Processing of the Participant Personal Data by VeraSafe and its Contracted Processors. To the extent legally permitted, Participant shall reimburse VeraSafe for any time expended for any such audit at VeraSafe’s then-current hourly Program Fees.
12. Jurisdiction Specific Terms.
To the extent VeraSafe Processes Participant Personal Data protected by Applicable Data Protection Laws in a jurisdiction listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction shall apply in addition to the terms of this Addendum.
13. Restricted Transfers.
13.1. Restricted Transfers of Participant Personal Data within the scope of this Addendum shall be conducted in accordance with Exhibit B and Applicable Data Protection Laws.
13.2. If the relevant authorities adopt a new version of SCCs as a lawful mechanism for Restricted Transfers in a jurisdiction referenced in Exhibit B, the Parties are deemed to have agreed to the execution of the new version of the SCCs by signing this Addendum, and, if necessary, VeraSafe shall be entitled to update Exhibit A and Exhibit B (and their appendices, as applicable) accordingly.
13.3. If an alternative transfer mechanism, such as Binding Corporate Rules, is adopted by VeraSafe during the term of the Agreement (an “Alternative Mechanism”), and VeraSafe notifies Participant that some or all Restricted Transfers can be conducted in compliance with Applicable Data Protection Laws pursuant to the Alternative Mechanism, VeraSafe may rely on the Alternative Mechanism instead of the transfer mechanisms in Exhibit B for Restricted Transfers to which the Alternative Mechanism applies.
13.4. VeraSafe is certified to the EU-U.S. Data Privacy Framework of the U.S. Department of Commerce (the “DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. VeraSafe will cease to rely on the foregoing as lawful mechanisms for Restricted Transfers if it makes a determination that it can no longer meet its obligation to provide the levels of protection as are required by the DPF principles.
14. Amendment.
14.1. VeraSafe may update this Addendum at its reasonable discretion, provided that it gives Participant prior notice thereof by making the updated version of the Addendum available to Participant at https://verasafe.com/legal-notices/data-processing-addendum. Each new version of the Addendum will reflect the date on which it was last updated. Participant is solely responsible for periodically reviewing the Addendum for updates.
- If no objection is received within fourteen (14) days of any such update, Participant will be deemed to have consented thereto.
- If Participant objects to any such update in writing within fourteen (14) days, the Parties will cooperate and negotiate in good faith regarding any required updates.
- If no mutually agreeable resolution is available, Participant may, immediately upon written notice to VeraSafe, terminate the Agreement for convenience, with no further fees due other than those incurred up to and including the date of termination. Upon its receipt of notice of such termination, VeraSafe shall cease Processing Participant Personal Data.
15. Liability.
15.1. Subject to Applicable Data Protection Laws, the liability of each Party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement.
15.2. VeraSafe shall be liable to Participant for any breach of the Agreement or this Addendum, and the obligations set out therein (including by means of additional contract, as the case may be), by itself or its Contracted Processors.
16. General Terms.
16.1. Prior Existing Agreement. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations, and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between VeraSafe and Participant in connection with the Agreement. Notwithstanding, all clauses of the Agreement that are not explicitly amended or supplemented by the clauses of this Addendum remain in full force and effect and shall apply, as long as this does not contradict mandatory requirements of Applicable Data Protection Laws.
16.2. Annual Review. Each Party must review this Addendum (including Exhibit A and its appendices) at regular intervals to ensure that the Addendum remains accurate, up to date, and continues to provide appropriate safeguards to the Participant Personal Data. Each Party will carry out these reviews each time there is a change to the Personal Data, the purposes for Processing, the Data Importer information, or any risk assessments related to the Processing contemplated in this Addendum.
16.3. Conflicts. In the event of any conflict between the Agreement and this Addendum, the provisions of this Addendum shall prevail. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms shall prevail.
16.4. Severability. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision, and the remainder of this Addendum will continue in effect.
16.5. Non-Compliance. If VeraSafe determines that it can no longer meet any of its obligations set out within this Addendum, Applicable Data Protection Laws, or the SCCs (where applicable), it shall (a) promptly notify Participant of that determination, and (b) cease the Processing, if requested by Participant, or immediately take other reasonable and appropriate steps to remediate the lack of compliance.
16.6. Ambiguity. VeraSafe may amend this Addendum without notice to or consent of Participant for the purposes of (a) curing any ambiguity, (b) curing, correcting or supplementing any defective provision contained herein, or (c) making any other provisions with respect to matters or questions arising under this Addendum; provided that such action shall not materially alter the Addendum.
16.7. Authority. If you are accepting the terms of this Addendum on behalf of either Party, you represent and warrant that you have the authority to bind that Party and its Affiliates, where applicable, to the terms and conditions of this Addendum.
16.8. Disclosure to Supervisory Authorities. The Parties acknowledge that either Party may disclose this Addendum and any relevant privacy provisions in the Agreement to Supervisory Authorities, or any other judicial or regulatory body, upon their request.