VeraSafe Data Processing Addendum

Effective Date: November 28, 2024

This VeraSafe Data Processing Addendum, including its exhibits and appendices (this “Addendum”) is entered into by and between VeraSafe, LLC, a limited liability company incorporated under the laws of Delaware, for itself and for and on behalf of its relevant Affiliates (“VeraSafe”), and the entity that entered into the Agreement (as defined below) with VeraSafe (“Participant”).

This Addendum, which may be updated from time to time, forms an integral part of the Agreement and is effective upon its incorporation into the Agreement. This Addendum may be so incorporated by reference in the Agreement or in an executed amendment thereto.

NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties agree as follows:

1. Definitions.

1.1. As used herein, the following terms have the following meanings when capitalized:

  1. “Agreement” means the VeraSafe Master Services Agreement, Master License Agreement, Master License and Services Agreement, or Technical and Professional Services Agreement entered into between VeraSafe and Participant together with any appendices, Program Addenda, and Statements of Work thereto.
  2. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Participant Personal Data, including but not limited to the laws and regulations identified in Exhibit B hereto as may be amended, modified, or supplemented from time to time, as applicable.
  3. “Contracted Processor” means any third party appointed by or on behalf of VeraSafe to Process Participant Personal Data in connection with the Services.
  4. “Contracted Processor Page” means the webpage, as may be updated from time to time by VeraSafe, currently available at: https://www.verasafe.com/legal-notices/subprocessors.
  5. “Participant Personal Data” means any Personal Data Processed by or on behalf of VeraSafe to provide the Services in accordance with the Agreement.
  6. “Data Exporter” and “Data Importer” shall have the same meanings assigned to them in Part A of Exhibit A hereto.
  7. “GDPR” means the EU GDPR and UK GDPR as those terms are defined in Exhibit B, as applicable.
  8. “Jurisdiction Specific Terms” means all terms applicable to the Processing of Personal Data that apply to the extent that VeraSafe Processes Participant Personal Data protected by Applicable Data Protection Laws in one of the jurisdictions identified in these terms. The Jurisdiction Specific Terms are set forth in Exhibit B.
  9. “Restricted Transfer” means any transfer of Participant Personal Data protected by Applicable Data Protection Laws to a Third Country or an international organization in a Third Country (including data storage on foreign servers).
  10. “SCCs” or “Standard Contractual Clauses” are the model clauses for Restricted Transfers adopted from time to time by the relevant authorities of the jurisdictions indicated in Exhibit B, insofar as their use is approved by the relevant authorities as an appropriate mechanism or safeguard for Restricted Transfers.
  11. “Sub-Processor” means a direct Processor of a Processor. For the avoidance of doubt, Contracted Processors are Sub-Processors.

1.2. The terms “Controller”, “Data Protection Assessment”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Rights of the Data Subjects”, “Supervisory Authority”, and “Third Country” shall have the same meanings as under Applicable Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

1.3. Capitalized terms that are used but not defined herein shall have the meanings given to them in the Agreement.

2. Scope and Applicability.

2.1. Duration. This Addendum shall take effect upon its incorporation into the Agreement and shall remain effective until Participant Personal Data is no longer Processed by VeraSafe pursuant to the Agreement.

2.2. Scope. This Addendum will apply to the Processing of all Participant Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor. The Processing of Personal Data that does not constitute Participant Personal Data is outside the scope of this Addendum.

2.3. Exhibits and Appendices. This Addendum includes the following exhibits and appendices:

  1. Exhibit A – Details of Processing;
  2. Appendix I to Exhibit A – Technical and Organizational Security Measures;
  3. Exhibit B – Jurisdiction Specific Terms; and
  4. Exhibit C – Supplemental Clauses to the Standard Contractual Clauses.

3. Processing of Participant Personal Data.

3.1. This Addendum shall apply only where, and to the extent that, VeraSafe factually acts as a Processor of Participant Personal Data. For the avoidance of doubt, the following situations fall within the scope of and are covered by this Addendum: (a) when Participant acts as a Controller and VeraSafe acts as a Processor; and (b) when Participant acts as a Processor and VeraSafe acts as a Sub-Processor.

3.2. VeraSafe shall:

  1. comply with all Applicable Data Protection Laws in the Processing of Participant Personal Data;
  2. not Process Participant Personal Data other than on Participant’s instruction (including with regard to Restricted Transfers) unless such Processing is required by Applicable Data Protection Laws, in which case VeraSafe shall, to the extent reasonably possible and permitted by Applicable Data Protection Laws, inform Participant of such requirement before Processing that Participant Personal Data; and
  3. immediately inform Participant in the event that, in VeraSafe’s reasonable opinion, a Processing instruction given by Participant may infringe Applicable Data Protection Laws.

3.3. All necessary information relating to the details of Processing is set out in Exhibit A.

3.4. Participant instructs VeraSafe (and authorizes VeraSafe to instruct each Contracted Processor it engages) to Process Participant Personal Data and, in particular, transfer Participant Personal Data to any country or territory, only as reasonably necessary for the provision of the Services and consistent with the Agreement and this Addendum.

3.5. Where Participant is acting as a Processor, it warrants that it shall:

  1. Process Participant Personal Data only on behalf of the relevant Controller’s documented instructions and, in turn, only instruct VeraSafe to carry out such Processing activities on behalf of Participant in accordance with said instructions of the Controller; and
  2. obtain prior authorization from the relevant Controller for subcontracting the Processing of Participant Personal Data to VeraSafe and its Contracted Processors.

4. Personnel.

4.1. VeraSafe shall take reasonable steps to ensure:

  1. the reliability of any employee, agent, or contractor who may have access to Participant Personal Data;
  2. that access to Participant Personal Data is limited to those individuals who need to know or access it, as necessary to fulfil the instructions given to VeraSafe by Participant or to comply with Applicable Data Protection Laws; and
  3. that all such individuals are subject to confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.

5. Security of Processing.

VeraSafe shall implement and maintain the administrative, technical, and organizational security measures identified in Appendix I to Exhibit A, which ensure a level of security appropriate to the risk of Processing and take into account: the state of the art, costs of implementation, and the nature and purposes of Processing; the risk of varying likelihood and severity to the rights and freedoms of natural persons; and the risks presented by the Processing activities, particularly those risks related to Personal Data Breaches.

6. Contracted Processors.

6.1. Authorization for Existing Contracted Processors. Participant authorizes VeraSafe to continue using those Contracted Processors engaged as of the Effective Date and listed on the Contracted Processors Page, and further authorizes VeraSafe and its Contracted Processors to appoint additional Contracted Processors, provided the obligations of this Section 6 are met.

6.2. Authorization for Appointment of Contracted Processors. VeraSafe shall provide Participant with prior notice of the appointment of any new Contracted Processor by updating the Contracted Processors Page. The Contracted Processors Page will reflect the date on which it was last updated. Participant is solely responsible for periodically reviewing the Contracted Processors Page.

6.3. Objection to Contracted Processors.

  1. Participant will be deemed to have consented to the appointment of a new Contracted Processor if no objection thereto is received within fourteen (14) days of VeraSafe’s notice thereof. Participant may object to the appointment of a Contracted Processor by providing a written objection, which shall include the name of the objected-to Contracted Processor and a reasonable statement of objection.
  2. If an objection is received, the Parties will work together in good faith with a view to achieving a commercially reasonable resolution. If no mutually agreeable resolution is available, Participant may, immediately upon written notice to VeraSafe, terminate the Agreement for convenience, with no further fees due other than those incurred up to and including the date of termination. Upon its receipt of notice of such termination, VeraSafe shall cease Processing Participant Personal Data.

6.4. Requirements for Appointing Contracted Processors. With respect to each Contracted Processor, VeraSafe shall:

  1. conduct due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Participant Personal Data required by this Addendum;
  2. disclose to Participant, upon request, the results of that due diligence;
  3. restrict the Contracted Processor’s access to Participant Personal Data to only what is necessary to assist VeraSafe in providing the Services, and prohibit the Contracted Processor from accessing Participant Personal Data for other purposes; and
  4. ensure that the arrangement between VeraSafe and the Contracted Processor is governed by a written contract that includes terms which offer substantially similar protections for Participant Personal Data as those set out in this Addendum, to the extent applicable to the nature of the services provided by such Contracted Processor.

6.5. Where any Contracted Processor fails to fulfil its data protection obligations under such written contract (or in the absence thereof, as the case may be), VeraSafe shall remain fully liable to Participant for the performance of the respective Contracted Processors’ data protection obligations under such contract and/or Applicable Data Protection Laws.

7. Rights of the Data Subjects.

7.1. Taking into account the nature of the Processing, VeraSafe shall assist Participant by implementing appropriate technical and organizational measures, insofar as possible, to respond to valid requests to exercise Rights of the Data Subjects under Applicable Data Protection Laws.

7.2. With regard to the Rights of the Data Subjects within the scope of this Section 7, VeraSafe shall:

  1. promptly notify Participant if it or any of its Contracted Processors receive a request from a Data Subject with respect to Participant Personal Data;
  2. not respond to that request, except on the instructions of Participant or as required or permitted by Applicable Data Protection Laws, in which case VeraSafe shall, to the extent reasonably possible and permitted by Applicable Data Protection Laws, inform Participant of such requirement before it responds to the request or directs its Contracted Processors to respond; and
  3. promptly comply with any commercially reasonable and lawful documented instructions from Participant regarding responding to a request to exercise Rights of a Data Subject.

8. Personal Data Breaches.

8.1. Breach Response. If VeraSafe discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Participant Personal Data under its or its Contracted Processors’ control, VeraSafe will (a) immediately implement measures intended to stop the unauthorized access; (b) secure the Participant Personal Data; and (c) notify Participant without undue delay and, in any event, within seventy-two (72) hours of becoming aware of such suspected Personal Data Breach.

8.2. Breach Obligations. Upon providing notice of a Personal Data Breach, VeraSafe shall:

  1. describe to Participant: (1) the nature of the Personal Data Breach, (2) where reasonably possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, (3) the impact of such Personal Data Breach upon Participant and the affected Data Subjects, and (4) the measures taken or proposed by VeraSafe to address the Personal Data Breach;
  2. provide and supplement notifications to Participant as and when additional information becomes available;
  3. reasonably assist Participant in meeting its relevant obligations pursuant to Applicable Data Protection Laws, including obligations to notify Supervisory Authorities or Data Subjects of a Personal Data Breach; and
  4. use commercially reasonable efforts to investigate, mitigate, and remediate each such Personal Data Breach and prevent a recurrence of such Personal Data Breach.

8.3. No Acknowledgement of Fault. VeraSafe’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by VeraSafe of any fault or liability with respect to the Personal Data Breach.

9. Data Protection Assessment and Prior Consultation.

VeraSafe shall provide Participant with relevant information and documentation, and reasonably assist Participant in complying with its obligations with regard to any data protection assessments or prior consultations with Supervisory Authorities when required pursuant to Applicable Data Protection Laws, but in each such case solely with regard to Participant Personal Data Processed by, and taking into account the nature of Processing and information available to, VeraSafe and its Contracted Processors. To the extent legally permitted, Participant shall reimburse VeraSafe for any time expended for any such assistance at VeraSafe’s then-current hourly Program Fees.

10. Deletion or Return of Personal Data.

10.1. VeraSafe shall provide Participant with the technical means, consistent with the way the Services are provided, to request the deletion of Participant Personal Data, with the exception of any Participant Personal Data that may be retained pursuant to applicable laws.

10.2. If requested by Participant and following the cessation of the Services, VeraSafe shall promptly delete or return all Participant Personal Data (including copies) to Participant, with the exception of any Participant Personal Data that may be retained pursuant to applicable laws.

10.3. VeraSafe shall also cause all Contracted Processors that have received Participant Personal Data to delete or return, as applicable, all such Participant Personal Data, with the exception of any Participant Personal Data that may be retained pursuant to applicable laws.

10.4. This Section 10 does not apply to Participant Personal Data that has been archived on back-up systems, which VeraSafe or its Contracted Processors, as applicable, shall securely isolate and protect from any further Processing, except to the extent required or permitted by applicable law.

11. Audit Rights.

VeraSafe shall allow for and reasonably cooperate with audits, including remote inspections, by Participant or an auditor mandated by Participant (on behalf of itself or its clients) with regard to the Processing of the Participant Personal Data by VeraSafe and its Contracted Processors. To the extent legally permitted, Participant shall reimburse VeraSafe for any time expended for any such audit at VeraSafe’s then-current hourly Program Fees.

12. Jurisdiction Specific Terms.

To the extent VeraSafe Processes Participant Personal Data protected by Applicable Data Protection Laws in a jurisdiction listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction shall apply in addition to the terms of this Addendum.

13. Restricted Transfers.

13.1. Restricted Transfers of Participant Personal Data within the scope of this Addendum shall be conducted in accordance with Exhibit B and Applicable Data Protection Laws.

13.2. If the relevant authorities adopt a new version of SCCs as a lawful mechanism for Restricted Transfers in a jurisdiction referenced in Exhibit B, the Parties are deemed to have agreed to the execution of the new version of the SCCs by signing this Addendum, and, if necessary, VeraSafe shall be entitled to update Exhibit A and Exhibit B (and their appendices, as applicable) accordingly.

13.3. If an alternative transfer mechanism, such as Binding Corporate Rules, is adopted by VeraSafe during the term of the Agreement (an “Alternative Mechanism”), and VeraSafe notifies Participant that some or all Restricted Transfers can be conducted in compliance with Applicable Data Protection Laws pursuant to the Alternative Mechanism, VeraSafe may rely on the Alternative Mechanism instead of the transfer mechanisms in Exhibit B for Restricted Transfers to which the Alternative Mechanism applies.

13.4. VeraSafe is certified to the EU-U.S. Data Privacy Framework of the U.S. Department of Commerce (the “DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. VeraSafe will cease to rely on the foregoing as lawful mechanisms for Restricted Transfers if it makes a determination that it can no longer meet its obligation to provide the levels of protection as are required by the DPF principles.

14. Amendment.

14.1. VeraSafe may update this Addendum at its reasonable discretion, provided that it gives Participant prior notice thereof by making the updated version of the Addendum available to Participant at https://verasafe.com/legal-notices/data-processing-addendum. Each new version of the Addendum will reflect the date on which it was last updated. Participant is solely responsible for periodically reviewing the Addendum for updates.

  1. If no objection is received within fourteen (14) days of any such update, Participant will be deemed to have consented thereto.
  2. If Participant objects to any such update in writing within fourteen (14) days, the Parties will cooperate and negotiate in good faith regarding any required updates.
  3. If no mutually agreeable resolution is available, Participant may, immediately upon written notice to VeraSafe, terminate the Agreement for convenience, with no further fees due other than those incurred up to and including the date of termination. Upon its receipt of notice of such termination, VeraSafe shall cease Processing Participant Personal Data.

15. Liability.

15.1. Subject to Applicable Data Protection Laws, the liability of each Party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement.

15.2. VeraSafe shall be liable to Participant for any breach of the Agreement or this Addendum, and the obligations set out therein (including by means of additional contract, as the case may be), by itself or its Contracted Processors.

16. General Terms.

16.1. Prior Existing Agreement. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations, and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between VeraSafe and Participant in connection with the Agreement. Notwithstanding, all clauses of the Agreement that are not explicitly amended or supplemented by the clauses of this Addendum remain in full force and effect and shall apply, as long as this does not contradict mandatory requirements of Applicable Data Protection Laws.

16.2. Annual Review. Each Party must review this Addendum (including Exhibit A and its appendices) at regular intervals to ensure that the Addendum remains accurate, up to date, and continues to provide appropriate safeguards to the Participant Personal Data. Each Party will carry out these reviews each time there is a change to the Personal Data, the purposes for Processing, the Data Importer information, or any risk assessments related to the Processing contemplated in this Addendum.

16.3. Conflicts. In the event of any conflict between the Agreement and this Addendum, the provisions of this Addendum shall prevail. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms shall prevail.

16.4. Severability. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision, and the remainder of this Addendum will continue in effect.

16.5. Non-Compliance. If VeraSafe determines that it can no longer meet any of its obligations set out within this Addendum, Applicable Data Protection Laws, or the SCCs (where applicable), it shall (a) promptly notify Participant of that determination, and (b) cease the Processing, if requested by Participant, or immediately take other reasonable and appropriate steps to remediate the lack of compliance.

16.6. Ambiguity. VeraSafe may amend this Addendum without notice to or consent of Participant for the purposes of (a) curing any ambiguity, (b) curing, correcting or supplementing any defective provision contained herein, or (c) making any other provisions with respect to matters or questions arising under this Addendum; provided that such action shall not materially alter the Addendum.

16.7. Authority. If you are accepting the terms of this Addendum on behalf of either Party, you represent and warrant that you have the authority to bind that Party and its Affiliates, where applicable, to the terms and conditions of this Addendum.

16.8. Disclosure to Supervisory Authorities. The Parties acknowledge that either Party may disclose this Addendum and any relevant privacy provisions in the Agreement to Supervisory Authorities, or any other judicial or regulatory body, upon their request.

Exhibit A: Details of Processing

A. List of Parties

Parties’ Names and Addresses:

VeraSafe:
VeraSafe, LLC and its relevant Affiliates
100 M Street S.E., Suite 600
Washington, D.C. 20003 USA

Participant:
As set forth in the Agreement

Parties’ Data Protection Contacts:

VeraSafe:
VeraSafe Internal Privacy Team
Email: [email protected]

Participant:
As set forth in the Agreement

VeraSafe’s Article 27 EU Representative:
VeraSafe Czech Republic s.r.o.
Rohanské nábřeží 678/23
Prague 8, 18600
Czech Republic
Email: [email protected]

VeraSafe’s Article 27 UK Representative:
VeraSafe United Kingdom Ltd.
Albert Embankment
SE1 7TL, London
United Kingdom
Email: [email protected]

VeraSafe’s Data Protection Officer: N/A

Activities Relevant to Transferred Data: Processing activities relating to the provision of the Services, as set forth in the Agreement.

Controllership Role: Each Party may serve one or more of the following roles, according to the purposes of the Personal Data being Processed:

Controller and Processor: Participant as the Controller and VeraSafe as the Processor
  • Participant is the Controller of Personal Data belonging to end users when Participant is servicing end users directly, while VeraSafe is Participant’s Processor.

Processor and (Sub-)Processor: Participant as the Processor and VeraSafe as the (Sub-)Processor
  • Participant is the Processor of Personal Data belonging to end users when Participant is servicing end users indirectly on behalf of Participant’s clients, i.e., Participant’s clients are the respective Controllers, whereas VeraSafe is Participant’s Sub-Processor.

Data Transfer Role: Each Party may serve one or more roles, according to the purposes of the Personal Data being Processed:

  • A Party serves as the Data Exporter when sending (exporting) the Personal Data to the other Party.
  • A Party serves as the Data Importer when receiving (importing) the Personal Data from the other Party.

B. Description of Transfer

Subject Matter of the Processing: The subject matter of the Processing of Participant Personal Data pertains to the provision of Services pursuant to the Agreement.

Nature and Purpose of Processing: The Processing is related to the provision of Services, namely privacy, data protection, cybersecurity, AI, or digital consulting services, or related services, to Participant, as further detailed in the Agreement, and VeraSafe and its Contracted Processors (if applicable) will perform such acts of Processing of Personal Data as are necessary to provide those Services according to Participant’s instructions, including but not limited to the transmission, storage, and other Processing of Personal Data submitted to the Services.

Further Processing: VeraSafe shall not carry out any further processing of Personal Data beyond that which is permitted in terms of the Agreement or applicable law.

Retention: Generally, retention of Personal Data should not be required. In case Personal Data should be retained, any retention period will be limited to that which is permitted in terms of the Agreement or applicable law.

Categories of Data Subjects: Participant may submit or provide access to Personal Data that may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
  • Current, former, and prospective employees, independent contractors, officers, directors, and other representatives of Participant;

  • Current, former, and prospective employees, independent contractors, officers, directors, and other representatives of Participant’s current, former, and prospective affiliates, customers, clients, and vendors; and

  • Current, former, and prospective users of, and participants in, Participant’s services.

Categories of Personal Data: Participant may submit or provide access to Personal Data that, for each of the categories of Data Subjects listed above, may include, but is not limited to, the following categories of Personal Data:
  • Biographical information, such as first name and last name;

  • Contact information, such as email address, phone number, and postal address;

  • Professional information, such as job title, position, and information about a person’s company or business; and

  • Other information, such as a person’s interests, whether or not a person has opened email(s), information pertaining to a person’s use of VeraSafe’s applications, information about a person’s relationship with Participant, and details about a person’s data protection inquiry or concerns.

Special Categories of Personal Data: The Parties agree that no special categories of Personal Data will be transferred.

Frequency of the Transfer: Regular and repeating, as necessary, for as long as Participant uses the Services.

Subject Matter, Nature, and Duration of Processing by Contracted Processors: Any transfer to Contracted Processors will be only as necessary to perform the Services pursuant to the Agreement or as permitted in terms of applicable law. Upon request, VeraSafe will provide to Participant a description of Processing for any Contracted Processor(s), including the subject matter, nature, and duration of Processing.

Technical and Organizational Measures of Contracted Processors: When VeraSafe engages a Contracted Processor under the Addendum, VeraSafe and the Contracted Processor must enter into an agreement with data protection terms substantially similar to those contained in the Addendum. VeraSafe must ensure that the agreement with each Contracted Processor allows VeraSafe to meet its obligations with respect to Participant. In addition to implementing technical and organizational measures to protect Participant Personal Data, Contracted Processors must:

  • notify VeraSafe in the event of a Personal Data Breach so that VeraSafe may promptly notify Participant;

  • delete Participant Personal Data when instructed by VeraSafe in accordance with Participant’s instructions to VeraSafe;

  • not engage additional Contracted Processors without VeraSafe’s authorization; and

  • not process Participant Personal Data in a manner that conflicts with Participant’s instructions to VeraSafe.

Appendix I to Exhibit A

Technical and Organizational Security Measures

Throughout the term of the Agreement and for so long as VeraSafe has access to any Participant Personal Data, VeraSafe shall use its best efforts to implement and maintain the following (or substantially similar) technical and organizational security measures (“TOMs”) to safeguard such Participant Personal Data:

Type of TOMs / Description of TOMs
Measures for encryption of Personal Data:

  • Files uploaded to Google Drive or Microsoft OneDrive/SharePoint, or created in Google Docs or Microsoft 365, shall be encrypted in transit and at rest with 256-bit AES encryption.

  • Data in transit between VeraSafe’s apps (web app, mobile, API) and its servers shall be encrypted using Transport Layer Security (TLS), creating a secure tunnel protected by 256-bit AES encryption.

  • Data stored on mobile devices, including laptops, shall be encrypted at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:

  • Implementation and enforcement of internal policies, including business continuity plans, high-level data security policies, and incident response plans.

  • Real-time monitoring tools that generate automated alerts shall be used to track the availability and performance of systems.

  • Policies for classifying, identifying, and handling Personal Data shall be created with data masking and anonymization in focus.

  • Identity and access management that uses Role-Based Access Control (RBAC) and least privilege principles.

  • Implementation of an in-house detection system and an intrusion prevention system to protect network infrastructure. Networks shall be segmented where appropriate.

  • Access to sensitive data shall be logged, monitored, and regularly reviewed.

  • Document repositories shall be subject to minor/major versioning, audit trails, and access reviews.

  • Microsoft 365 and Google Workspace shall be used to provide highly available, redundant, and automatic failover mechanisms to maintain uptime. Data shall be frequently backed up in geographically dispersed locations.

  • Use of anti-virus and anti-malware programs.

  • Implementation of DDoS detection and protection tools.

  • Security awareness, acceptable use, and data protection training shall be provided to personnel.

Measures for ensuring the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident:

  • Those VeraSafe systems most critical to Personal Data shall have automated backups.

  • VeraSafe’s corporate data shall be backed up by Google Workspace, Microsoft 365, and third-party backup platforms, which utilize various cloud providers for their data centers.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing:

  • Periodic vulnerability scans on information technology systems used for Processing Personal Data to identify weaknesses in systems and applications.

  • Patch-management processes for addressing vulnerabilities.

  • Tabletop exercises to simulate potential scenarios to test for resilience, backup restorations, and data integrity.

Measures for user identification and authorization:

  • Role-based access authorization policy based on least privilege and need to know.

  • Configuration of systems and applications to restrict access to only authorized personnel.

  • Monitoring and logging of user access.

  • Password policies and password management procedures that require strong passwords.

  • Multi-factor authentication.

  • Single sign-on (SSO) authentication.

Measures for the protection of Personal Data during transmission and storage:

  • Files uploaded to Google Drive and Microsoft OneDrive or created in Google Docs or Microsoft 365 shall be encrypted in transit and at rest with AES256 bit encryption.

  • Personal Data in transit between VeraSafe’s apps (web app, mobile, API) and servers shall be encrypted using transport layer security for data transfer, creating a secure tunnel protected by AES256 bit encryption.

  • Encryption of Personal Data stored on mobile devices, including laptops.

Measures for ensuring physical security of locations at which Personal Data are Processed:

  • VeraSafe is a full-cloud organization. Apart from laptops and related equipment, VeraSafe does not maintain physical or virtual IT infrastructure of its own.

  • Company issued devices that store data shall be fully encrypted at rest.

Measures for ensuring events logging:

  • Sufficient detail contained in web server and application logs to support incident investigation, including successful and failed login attempts and changes to sensitive configuration settings and files.

  • Cloud platforms, such as M365 and Google Workspace, shall be used for continuous logging of user activity.

  • Automatic triggers shall be utilized to address insider threats and anomalous activity.

Measures for ensuring system configuration, including default configuration:

  • Maintenance of security baselines for authorized operating systems and software applications.

  • Regular audits of systems to ensure compliance with VeraSafe’s security baselines.

Measures for internal IT security governance and management:

  • Dedicated IT governance team.

  • Implementation and maintenance of an information security management program based on generally accepted security standards, including, without limitation, mobile device policies, incident response management policies, acceptable use policies, asset management policies, and change management policies.

Measures for certification/assurance of processes and products:

  • Policies and procedures to ensure compliance with applicable legislative and regulatory requirements.

  • Due diligence process for onboarding new vendors and products.

Measures for ensuring data minimization:

  • An internal review process with relevant stakeholders to ensure that VeraSafe is only collecting Personal Data that it needs.

  • Ensuring that data minimization is embedded into company policies and procedures.

Measures for ensuring data quality:

  • Implementation and maintenance of appropriate technical and procedural controls to minimize, detect, and correct data integrity shortfalls in IT systems.

Measures for ensuring limited data retention:

  • Implementation of an internal retention schedule for Personal Data, including backups, based on legal and regulatory requirements.

  • Data shall be erased in accordance with data retention policies.

  • When necessary, ensuring secure disposal of devices that store Personal Data.

Measures for ensuring accountability:

  • Implementation and maintenance of a security and awareness program that includes privacy and security training for personnel responsible for Processing Personal Data.

  • Ensuring that personnel responsible for Processing Personal Data are bound by confidentiality obligations.

  • Procedures for discipline and sanctions when personnel violate security policies, non-disclosure agreements, and other policies related to Personal Data.

  • Enforcement of the measures described in the TOMs titled “[m]easures for internal IT security governance and management”.

Measures for allowing data portability and ensuring erasure:

  • Maintenance of a data inventory (i.e., a data map).

  • Processes for ensuring that Personal Data can be deleted if legally required.


Exhibit B: Jurisdiction Specific Terms

1. Australia.

When applicable, the Processing of Participant Personal Data shall be compliant with the Australian Privacy Principles, the Australian Privacy Act (1988), and any other applicable law, regulation, or decree of Australia pertaining to the protection of such information.

2. Canada.

When applicable, the Processing of Participant Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable law, regulation, or decree of Canada pertaining to the protection of such information.

3. European Economic Area.

3.1 Definitions.

  1. “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
  2. “EEA Data Protection Laws” means the EU GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Participant Personal Data.
  3. “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  4. “EU GDPR” (as used in the Addendum) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.

3.2 Restricted Transfers.

  1. With regard to any Restricted Transfer subject to EEA Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:
    1. a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR;
    2. the appropriate SCCs adopted by the European Commission from time to time; or
    3. any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws.

3.3 Standard Contractual Clauses.

  1. The Addendum hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexures thereto).
  2. The Parties agree that any references to clauses, annexures, modules and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the Addendum.
  3. For the purposes of the EU 2021 SCCs and any substantially similar SCCs that may be adopted by the relevant authorities in the future:
    1. the Parties agree to apply the following modules:
      1. Module Two with respect to Controller-to-Processor Restricted Transfers; and
      2. Module Three with respect to Processor-to-Sub-Processor Restricted Transfers;
    2. Clause 7: The Parties choose not to include the optional docking clause;
    3. Clause 9(a): The Parties choose option 2, “General Written Authorization”, and the time period set forth in Section 6.3 of the Addendum (the procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum);
    4. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body;
    5. Clause 13 (Annex I.C): Unless otherwise required by applicable EEA Data Protection Laws, the competent Supervisory Authority is the Irish Data Protection Commission;
    6. Clause 17: The SCCs shall be governed by the laws of the Republic of Ireland;
    7. Clause 18: Any dispute arising from the SCCs shall be resolved by the courts of the Republic of Ireland;
    8. Annex I(A and B): The content of Annex I(A) and (B) is set forth in Exhibit A;
    9. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A; and
    10. Annex III: The content of Annex III is set out on the Contracted Processors Page.
  4. The terms contained in Exhibit C to the Addendum supplement the SCCs.
  5. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

4. Singapore.

4.1 Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Singapore’s Personal Data Protection Act 2012, Personal Data Protection (Amendment) Bill 2020, Personal Data Protection Regulations 2021, and any corresponding decrees, regulations, or guidance, the provisions of the Addendum and this Section shall apply to such Processing.

4.2 Retention of Personal Data. VeraSafe shall not retain Participant Personal Data (or any documents or records containing Participant Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of the Agreement.

4.3 Deletion or Return of Personal Data. After returning or deleting Participant Personal Data pursuant to Section 10 of the Addendum, VeraSafe shall provide Participant with written confirmation that it no longer possesses any Participant Personal Data.

5. Switzerland.

5.1. Definitions.

  1. “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  2. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
  3. “Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection.

5.2. Restricted Transfers.

  1. With regard to any Restricted Transfer subject to Swiss Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:
    1. a valid adequacy decision adopted by the FDPIC on the basis of Article 6 of the FADP;
    2. the appropriate SCCs adopted by the FDPIC from time to time; or
    3. any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.

5.3. Standard Contractual Clauses.

  1. The Addendum hereby incorporates by reference the EU 2021 SCCs, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs where necessary in their entirety (including the annexures thereto).
  2. The Parties incorporate and adopt the EU 2021 SCCs for Restricted Transfers subject to Swiss Data Protection Laws in the same manner set forth in Section 3.3 of these Jurisdiction Specific Terms, subject to the following:
    1. Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief;
    2. Clause 18: The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland;
    3. references to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there are any Restricted Transfers subject to Swiss Data Protection Laws; and
    4. the SCCs also protect the data of legal entities until the entry into force of the revised FADP.
  3. In cases where the SCCs apply and there is a conflict between the terms of the Addendum and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

6. United Kingdom.

6.1. Definitions.

  1. “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  2. “UK Data Protection Laws” includes the Data Protection Act 2018 and the UK GDPR.
  3. “UK GDPR” (as used in the Addendum) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
  4. “UK ICO” means the UK Information Commissioner’s Office.
  5. “UK IDTA” means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
  6. “UK Transfer Addendum” (as used in this Section) means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.

6.2. Restricted Transfers.

  1. With regard to any Restricted Transfer subject to UK Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:
    1. a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR;
    2. the UK IDTA;
    3. the appropriate SCCs adopted by the UK ICO from time to time (insofar as the Processing activities of the Data Importer are not subject to the UK GDPR by virtue of application of Article 3(2) of the UK GDPR); or
    4. any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws.

6.3. EU 2021 SCCs and UK Transfer Addendum.

  1. The Addendum hereby incorporates by reference the EU 2021 SCCs, which have been adopted for use by the UK ICO with certain modifications and the addition of the UK Transfer Addendum. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs where necessary in their entirety (including the annexures thereto).
  2. For the purposes of the tables to the UK Transfer Addendum:
    1. Table 1: The content of Table 1 is set forth in Part A of Exhibit A;
    2. Table 2: The content of Table 2 is incorporated and adopted as to Restricted Transfers subject to UK Data Protection Laws in exactly the same manner set forth in Section 3.3 of these Jurisdiction Specific Terms;
    3. Table 3: The content of Table 3 (Annexes 1A, 1B, II, and III) is set forth as follows:
      1. Annex 1: The content of Annex 1 is set forth in Exhibit A;
      2. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A;
      3. Annex III: The content of Annex III is set out on the Contracted Processors Page; and
    4. Table 4: The Parties agree that either party may terminate the UK Transfer Addendum.
  3. The Parties incorporate and adopt the EU 2021 SCCs as to Restricted Transfers subject to UK Data Protection Laws in exactly the same manner set forth in Section 3.3 of these Jurisdiction Specific Terms, subject to the following:
    1. Clause 13 (Annex I.C): The competent authority shall be UK ICO;
    2. Clause 17: The EU 2021 SCCs, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales; and
    3. Clause 18: Any dispute arising from the SCCs, or the incorporated UK Transfer Addendum, shall be resolved by the courts of England and Wales. A Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.
  4. The terms contained in Exhibit C to the Addendum supplement the SCCs.
  5. In cases where the SCCs, in conjunction with the UK Transfer Addendum, apply and there is a conflict between the terms of the Addendum and the terms of the SCCs or UK Transfer Addendum, the terms of SCCs or the UK Transfer Addendum, as applicable, shall prevail with regard to the Restricted Transfer in question.

6.4. UK IDTA.

  1. The Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.
  2. For the purposes of the tables to the UK IDTA:
    1. Table 1: The content of Table 1 is set forth in Part A of Exhibit A;
    2. Table 2:
      1. The UK IDTA shall be governed by the laws of England and Wales;
      2. Any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales;
      3. The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A;
      4. The UK GDPR may apply to the Data Importer’s Processing of the Personal Data;
      5. The Addendum and the Agreement set out the instructions for Processing Personal Data;
      6. The Data Importer shall Process Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that either Party may terminate the UK IDTA before the end of such time period by serving one month’s written notice;
      7. The Data Importer may only transfer Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of the Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement;
    3. Table 3: The content of Table 3 is set forth in Part B of Exhibit A and may be updated in accordance with Section 14 of the Addendum; and
    4. Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A and may be updated in accordance with Section 14 of the Addendum.
  3. Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout the Addendum.
  4. The terms contained in Exhibit C to the Addendum supplement the UK IDTA.
  5. In cases where the UK IDTA applies and there is a conflict between the terms of the Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.

7. United States of America.

7.1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of United States Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing.

7.2. Definitions.

  1. “United States Data Protection Laws” include, individually and collectively, enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Personal Data, as may be amended from time to time.
  2. “Personal Data Breach” (as used in the Addendum) includes “Breach of Security” and “Breach of the Security of the System” as defined under applicable United States Data Protection Laws.
  3. The terms “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share” shall have the same meanings as under applicable United States Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

7.3. Processing of Participant Personal Data.

  1. Participant discloses Participant Personal Data to VeraSafe solely for: (1) valid Business Purposes; and (2) to enable VeraSafe to perform the Services.
  2. VeraSafe shall not: (1) Sell or Share Participant Personal Data; (2) retain, use or disclose Participant Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by United States Data Protection Laws; (3) retain, use, or disclose Participant Personal Data except where permitted under the Agreement between Participant and VeraSafe or pursuant to applicable law; nor (4) combine Participant Personal Data with other information that VeraSafe Processes on behalf of other persons or that VeraSafe collects directly from the Data Subject, with the exception of Processing for Business Purposes. VeraSafe certifies that it understands these prohibitions and agrees to comply with them.

7.4. Termination. Upon termination of the Agreement, VeraSafe shall, as soon as reasonably practicable, destroy all Personal Data it has Processed on behalf of Participant after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.

Exhibit C: Supplemental Clauses to the Standard Contractual Clauses

By this Exhibit C (this “Exhibit”), the Parties provide additional safeguards and redress to the Data Subjects whose Personal Data is transferred pursuant to SCCs. This Exhibit supplements and is made part of, but is not in variation or modification of, the SCCs that may be applicable to the Restricted Transfer.

1. Definitions.

For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:

1.1. “EO 12333” means the U.S. Executive Order 12333.

1.2. “FISA” means the U.S. Foreign Intelligence Surveillance Act.

1.3. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems.

2. Applicability of Surveillance Laws.

2.1. Data Importer represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II judgment.

2.2. Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:

  1. no court has found Data Importer to be an entity eligible to receive legal process issued under FISA Section 702: (1) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (2) an entity belonging to any of the categories of entities described within that definition; and
  2. if Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.

2.3. EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to EO 12333.

3. Backdoors.

3.1. Data Importer certifies that:

  1. it has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer’s systems or Participant Personal Data subject to the SCCs;
  2. it has not purposefully created or changed its business processes in a manner that facilitates governmental access to Participant Personal Data or systems; and
  3. national law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to Participant Personal Data or systems.

3.2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

4. Information About Legal Prohibitions.

Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Exhibit. Data Importer may choose the means to provide this information.

5. Additional Measures to Prevent Access.

Notwithstanding the application of the security measures set forth in the Addendum, Data Importer will implement internal policies establishing that:

5.1. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Participant Personal Data;

5.2. Data Importer shall, to the extent legally permissible, notify Data Exporter of its receipt of each request or order for transferred Participant Personal Data;

5.3. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid;

5.4. if Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and

5.5. if Data Importer receives a request from public authorities to cooperate on a voluntary basis, Participant Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.

6. Termination.

This Exhibit shall automatically terminate with respect to the Processing of Participant Personal Data transferred in reliance on the SCCs if the Supervisory Authority or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted Transfers covered by the SCCs (and if such mechanism applies only to some of the data transfers, this Exhibit will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Exhibit.
