1. Introduction.
1.1. This VeraSafe Data Processing Addendum (this “Addendum”), including its two exhibits, is entered into by and between VeraSafe, LLC, a limited liability company incorporated under the laws of Delaware, and its relevant Affiliates (“VeraSafe”) and the entity who entered into the Agreement (as defined below) with VeraSafe (“Participant”).
1.2. This Addendum, which may be updated from time to time, forms an integral part of the Agreement and is effective upon its incorporation into the Agreement. This Addendum may be incorporated by reference in the Agreement or an executed amendment to the Agreement.
1.3. NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties agree as follows:
2. Definitions.
2.1. Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect.
2.2. For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Affiliate” means any entity within a controlled group of companies that directly or indirectly, through one or more intermediaries, is controlling, controlled by, or under common control with one of the Parties;
- “Agreement” means the Master Services Agreement, Master License Agreement, Master License and Services Agreement, or Technical and Professional Services Agreement in addition to any appendices, Program Addenda, and Statements of Work entered into between VeraSafe and Participant;
- “Applicable Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the laws of the European Union (or any member state thereof) and the laws of any other country, province, or state to which the Processing of Personal Data (both terms as defined below) is subject, including the laws specified in Exhibit B hereto;
- “Contracted Processor” means any third party appointed by or on behalf of VeraSafe to Process Personal Data on behalf of Participant in connection with the Agreement;
- “Contracted Processor Page” means the webpage, as may be updated from time to time by VeraSafe, currently available at: https://www.verasafe.com/legal-notices/subprocessors;
- “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
- “GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC,” as may be amended from time to time;
- “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”) pertaining to Participant (and the Data Subjects, respectively) Processed by VeraSafe on behalf of Participant pursuant to or in connection with the Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
- “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, or alteration or unauthorized disclosure of, or access to, Personal Data which VeraSafe Processes on behalf of Participant in connection with the Agreement;
- “Personal Data Recipient” means VeraSafe, a Contracted Processor, or both, collectively;
- “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller;
- “Processing” (or any cognate terms) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- “Services” means the services and other activities carried out by or on behalf of VeraSafe for Participant pursuant to the Agreement; and
- “VeraSafe” means the Party, as indicated in the opening paragraph of this Addendum, that has entered into the Agreement with Participant, including all Affiliates of that Party that are also bound by the Agreement, if any.
3. Applicability.
3.1. This Addendum will apply to the Processing of all Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor.
4. Processing of Personal Data.
4.1. This Addendum shall only apply where, and to the extent that, VeraSafe factually acts as a Processor. For the avoidance of doubt, the following situations fall within the scope of and are covered by this Addendum: (1) when Participant acts as a Controller and VeraSafe acts as a Processor; and (2) when Participant acts as a Processor and VeraSafe acts as a subprocessor.
4.2. VeraSafe shall:
- comply with all Applicable Laws in the Processing of Personal Data;
- at no time Process Personal Data other than at Participant’s documented instructions (including with regard to international transfers of Personal Data), unless such Processing is required by Applicable Laws to which the relevant Personal Data Recipient is subject, in which case VeraSafe shall, to the extent permitted by Applicable Laws, inform Participant of that legal requirement before Processing that Personal Data;
- only conduct transfers of Personal Data in compliance with all applicable conditions, as set forth in Applicable Laws;
- promptly update, when necessary, all information as provided in Exhibit A, attached hereto and incorporated by reference, and keep all such information complete and up to date; and
- immediately inform Participant in the event that, in VeraSafe’s opinion, a Processing instruction given by Participant may violate Applicable Laws.
4.3. Participant instructs VeraSafe (and authorizes VeraSafe to instruct each Contracted Processor it engages) to Process Personal Data and, in particular, to transfer Personal Data to any country or territory only as reasonably necessary for the provision of the Services and as is consistent with the Agreement and this Addendum.
4.4. Where Participant is acting as a Processor, it warrants that it:
- processes Personal Data only on behalf of its clients’ documented instructions and, in turn, instructs VeraSafe to carry out such Processing activities on behalf of Participant in accordance with said documented instructions; and
- has obtained the prior authorization from its client who is acting as a Controller regarding the Processing of Personal Data for subcontracting its activities to VeraSafe and any Contracted Processors.
5. VeraSafe Personnel.
5.1. VeraSafe shall take reasonable steps to ensure the reliability of its employees, agents, or contractors who may have access to Personal Data.
5.2. VeraSafe shall ensure that access to Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfill the documented Processing instructions given to VeraSafe by Participant or to comply with Applicable Laws.
5.3. VeraSafe shall ensure that all individuals referenced in Section 5.2 above are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.
6. Security of Processing.
6.1. Taking into account the state of the art and the high sensitivity of Personal Data, VeraSafe shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk (including, as appropriate, the measures referred to in Article 32(1) of the GDPR), as well as assist Participant with regard to ensuring Participant’s compliance with its own obligations related to its security measures.
6.2. In assessing the appropriate level of security required to protect Personal Data, VeraSafe shall take account, in particular, of the risks that are presented by the nature of its Processing activities and in particular, those related to possible Personal Data Breaches.
7. Subprocessing.
7.1. Participant authorizes VeraSafe to appoint (and permit each Contracted Processor appointed in accordance with this Section 7 to appoint) Contracted Processors in accordance with this Section 7 and any restrictions as set forth in the Agreement.
7.2. VeraSafe may continue to use those Contracted Processors already engaged by VeraSafe as of the date of this Addendum, subject to VeraSafe meeting the obligations set out in Section 7.5. The list of VeraSafe’s Contracted Processors as of the Effective Date is available on the Contracted Processor Page.
7.3. VeraSafe shall provide Participant prior notice of the appointment of any new Contracted Processors by updating the Contracted Processor Page. The Contracted Processor Page will reflect the “Last Updated” date at all times. Participant is solely responsible for periodically reviewing the Contracted Processor Page.
7.4. If Participant does not explicitly notify VeraSafe in writing of any objections to the proposed appointment within fourteen (14) days of the receipt of such notice, Participant shall be deemed to have consented to the proposed appointment. If Participant objects to a proposed appointment, the Parties will, for a period of no more than thirty (30) days from the date of Participant’s refusal, work together in good faith to attempt to find a commercially reasonable solution for Participant that avoids the use of the objected-to Contracted Processor. If no solution can be found which is satisfactory to both Parties, Participant, upon written notice to VeraSafe, may terminate the Agreement immediately (or upon such date as Participant selects), with no further fees due, other than what has been accrued up to, and including, the date of termination.
7.5. With respect to each prospective Contracted Processor, VeraSafe shall:
- before the Contracted Processor first Processes Personal Data (or, where relevant, in accordance with Section 7.2), carry out adequate due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Personal Data required by this Addendum, the Agreement, and Applicable Laws; and
- ensure that the arrangement between VeraSafe and the prospective Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Personal Data as those set forth in this Addendum, and that such terms meet the requirements of Applicable Laws.
7.6. Where any Contracted Processor fails to fulfill its data protection obligations under such written contract (or in the absence thereof, as the case may be), VeraSafe shall remain fully liable to Participant for the performance of the respective Contracted Processors’ obligations under such contract.
8. Rights of the Data Subjects.
8.1. Taking into account the nature of the Processing, VeraSafe shall assist Participant by implementing appropriate technical and organizational measures, insofar as this is possible, to respond to requests to exercise rights of the Data Subjects under Applicable Laws.
8.2. With regard to the rights of the Data Subjects within the scope of this Section 8, VeraSafe shall:
- promptly notify Participant if any Personal Data Recipient receives a request from a Data Subject under any Applicable Law with respect to Personal Data;
- ensure that the Personal Data Recipient does not respond to that request, except on the documented instructions of Participant, or as required by Applicable Laws to which the Personal Data Recipient is subject, in which case VeraSafe shall, to the extent permitted by Applicable Laws, inform Participant of that legal requirement before the Personal Data Recipient responds to the request; and
- promptly comply with any documented instructions from Participant regarding response to a request to exercise rights of the Data Subjects under Applicable Laws.
9. Personal Data Breach.
9.1. If VeraSafe discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Personal Data, VeraSafe will provide notice to Participant without undue delay.
9.2. VeraSafe shall provide Participant with sufficient information to assist Participant, or to allow Participant to assist its clients, so that each affected entity can meet its respective obligations pursuant to Applicable Laws, including any obligations to report the Personal Data Breach to the competent supervisory authorities and/or inform the Data Subjects.
9.3. VeraSafe shall cooperate with Participant and take all reasonable commercial steps to assist Participant in the investigation, mitigation, and remediation of each such Personal Data Breach.
10. Data Protection Impact Assessment and Prior Consultation.
10.1. VeraSafe shall provide Participant with relevant information and documentation and assist Participant in complying with its obligations with regard to any data protection impact assessments or prior consultations with supervisory authorities when Participant determines that such data protection impact assessments or prior consultations are required pursuant to Applicable Laws (including, without limitation, Article 35 or 36 of the GDPR), but in each such case solely with regard to the Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the respective Personal Data Recipient.
10.2. Participant agrees to pay VeraSafe, upon receipt of invoice, a reasonable fee based on the Services provided in relation to Participant exercising its rights under this Section 10.
11. Deletion or Return of Personal Data.
11.1. VeraSafe shall provide Participant with the technical means, consistent with the way the Services are provided, to request the deletion of Personal Data upon the request of Participant, unless Applicable Laws require storage of any such Personal Data.
11.2. At Participant’s request, VeraSafe shall promptly, at the choice of Participant, delete or return all Personal Data to Participant, as well as delete existing copies, unless Applicable Laws require storage of any such Personal Data.
11.3. VeraSafe shall also cause all Contracted Processors that may have received any Personal Data to delete or return, as applicable, all such Personal Data without undue delay.
12. Audit Rights.
12.1. Participant may request, and VeraSafe shall make available to Participant (subject to obligations of confidentiality), information necessary to demonstrate (i) VeraSafe’s compliance with this Addendum, and (ii) Participant’s compliance with its undertakings under Applicable Laws with regard to the provision of Services.
12.2. After having reviewed such information, if Participant deems that it requires additional information, VeraSafe shall further reasonably assist and make available to Participant all such additional information and/or documentation (including relevant provisions of contracts with Contracted Processors) necessary to demonstrate compliance with this Addendum and/or Applicable Laws.
12.3. In addition, VeraSafe shall allow for and contribute to audits, including remote inspections of the Services, by Participant (on behalf of itself or its clients) or an auditor mandated by Participant (on behalf of itself or its clients) with regard to the Processing of Personal Data by the Personal Data Recipient.
12.4. VeraSafe shall provide the assistance described in this Section 12, insofar as VeraSafe believes such audits, and the specific requests of Participant, do not interfere with VeraSafe’s business operations or cause VeraSafe to breach any legal or contractual obligation to which it is subject.
12.5. Participant agrees to pay VeraSafe, upon receipt of invoice, a reasonable fee based on the Services provided in relation to the Participant exercising its rights under this Section 12 or the Standard Contractual Clauses, as defined and referenced in Exhibit B.
13. Jurisdiction Specific Terms.
13.1. To the extent that VeraSafe processes Personal Data protected by Applicable Laws in one of the jurisdictions listed in Exhibit B, then the terms specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this Addendum. VeraSafe may update Exhibit B from time to time to reflect changes in or additions to Applicable Laws to which VeraSafe is subject.
13.2. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.
14. No Selling of Personal Data.
14.1. VeraSafe acknowledges and confirms that it does not receive any Personal Data as consideration for any Services or products that VeraSafe provides to Participant. Participant retains all rights and interests in Personal Data. VeraSafe agrees to refrain from any actions that would cause any transfers of Personal Data to or from VeraSafe to qualify as selling Personal Data under Applicable Laws.
15. Liability and Indemnification.
15.1. Notwithstanding anything to the contrary in this Addendum or in the Agreement, this Addendum shall be subject to the limitations of liability and indemnification provisions included in the Agreement.
16. General Terms.
16.1. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations, and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between VeraSafe and Participant.
16.2. All clauses of the Agreement, unless explicitly amended or supplemented by the clauses of this Addendum, remain in full force and effect, so long as they do not contradict compulsory requirements of Applicable Laws under this Addendum.
16.3. In the event of any conflict between the Agreement (including any annexes and appendices thereto) and this Addendum, the provisions of this Addendum shall control, except where the applicable Jurisdiction Specific Terms apply and take precedence as discussed in Section 13.2 above.
16.4. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.
16.5. If VeraSafe makes a determination that it can no longer meet any of its obligations in accordance with this Addendum, it shall promptly notify Participant of that determination and cease the Processing or take other reasonable and appropriate steps to remediate.
16.6. In the event that VeraSafe materially breaches this Addendum or suffers a material Personal Data Breach, Participant may, upon written notice to VeraSafe, terminate the relevant Service Agreement immediately (or upon such date as Participant selects).
17. EU Representative.
17.1. The European Union Representative of VeraSafe, LLC pursuant to Article 27 of the GDPR is:
VeraSafe Czech Republic s.r.o.
Klimentská 46
Prague 1, 11002
Czech Republic
Contact form: https://verasafe.com/public-resources/contact-data-protection-representative