DATA PRIVACY AND SECURITY ADDENDUM
Last Updated: January 4, 2022
This Data Privacy and Security Addendum (“DPA”) establishes minimum data protection and security standards and related requirements for Taralex LLC dba Xappex (“Xappex”) in connection with its performance of Services for ______(“Customer”) in accordance with the Terms of Service Agreement available at https://www.xappex.com/docs/legal/terms-of-service/, including any statements of work or similar documents governed by such agreement (collectively, the “Agreement”). This DPA forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall govern. Capitalized terms that are not defined in this DPA shall have the meaning ascribed to them in the Agreement or Data Protection Laws.
(a) “Data Protection Laws” means all data protection and privacy laws applicable to a party and its Processing of Personal Data under the Agreement, including, where applicable and without limitation, (i) EU Regulation 2016/674 (“EU GDPR”); (ii) its incorporation into the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the Swiss Federal Act on Data Protection (“FADP”); (iv) United States federal and/or state data protection or privacy statutes, including but not limited to the California Consumer Protection Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”); (v) the Australian Data Privacy Regulation (“ADPR”), in each case as may be amended, superseded or replaced from time to time; and/or (vi) any other data protection and privacy laws applicable to a party and its Processing of Personal Data in connection with the Agreement.
(b) “Model Clauses” means the Standard Contractual Clauses (Processors) (2010/87/EU): Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).
(c) “Customer Data” means any data of any type which is provided by Customer to Xappex or accessed or collected by Xappex on behalf of Customer in connection with providing the Services or otherwise performing Xappex’s obligations under the Agreement, including information which Customer inputs, or provides to Xappex for inputting, into the Services, limited to Customer’s account data, which includes account identifier, Customer’s and Customer’s users’ business name, name, email address, telephone number, and postal address.
(d) “Security Best Practices” means security procedures that are at the highest of the following: (i) privacy & IT security best practices (e.g., ISO, SANS); (ii) the privacy and security requirements mandated by Data Protection Laws; and (iii) the security requirements, obligations, specifications, and event reporting procedures set forth in this DPA.
(e) “Security Incident” means any actual or potential (i) loss or misuse (by any means) of Customer Data; (ii) Personal Data Breach; and/or (iii) other act or omission that compromises or may compromise the security, confidentiality, or integrity of Customer Data, or any system of, or system used by, Customer or its employees, contractors, shareholders, customers, clients and/or suppliers.
(f) “Security Policies” means statements and guidelines for securing company information pertaining to Security Best Practices and mandating compliance with applicable laws and regulations.
(g) “Security Procedures” means statements of the step-by-step actions taken to achieve and maintain compliance with Security Best Practices.
(h) “Security Technical Controls” means any specific hardware, software or administrative mechanisms necessary to enforce Security Best Practices in accordance with the terms of this Agreement as methods for addressing security risks to information technology systems and relevant physical locations, or implementing related policies. Security Technical Controls specify technologies, methodologies, implementation procedures, and other detailed factors or other processes to be used to implement Security Policy elements relevant to specific groups, individuals, or technologies.
(i) “Services” means those services, including without limitation Processing, that Xappex performs for or on behalf of Customer pursuant to the Agreement.
The terms “Data Controller”, “Data Processor”, “Personal Data Breach”, “Personal Data” and “Processing” have the meaning given to them in the applicable Data Protection Laws. The term “Data Controller” shall also include a “business” as defined in the CCPA and the CPRA or analogous terms in the applicable Data Protection Laws, and the term “Data Processor” shall also include a “service provider” as defined in the CCPA and CPRA or analogous terms in the applicable Data Protection Laws.
(a) Role of the Parties. As between Xappex and Customer, Customer is the Data Controller of Customer Data, and Xappex shall Process Customer Data only as a Data Processor acting on behalf of Customer and, with respect to the CCPA/CPRA, as a “service provider” as defined therein.
(b) General Obligations. Xappex agrees, warrants, represents, and undertakes to Customer that it shall:
(i) Process the Customer Data only in accordance with applicable Data Protection Laws, including, without limitation, the obligations under Articles 32 to 36 of the EU GDPR (taking into account the nature of Processing), all compliance standards, laws and regulations designed to protect Customer Data;
(ii) Process the Customer Data only in accordance with Section 2(c) of this DPA (Details of Processing) and only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable Data Protection Laws to which Xappex is subject; in such a case, Xappex shall inform Customer of that legal requirement before Processing, unless such laws prohibit such information on important grounds of public interest;
(iii) Ensure that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(iv) Assist Customer in ensuring compliance with all applicable Data Protection Laws;
(v) Taking into account the nature of the Processing, assist Customer by implementing appropriate technical and organizational measures, including, at the very least, the measures contained in Section 3 (Security) of this DPA, and assist Customer in ensuring compliance with its obligation to respond to data subjects’ rights requests laid down in Data Protection Laws; and
(vi) Make available to Customer all information necessary to demonstrate compliance with all applicable Data Protection Laws including, without limitation, the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
(c) Details of Processing.
(i) Subject matter: The subject matter of the Processing under this DPA is Customer Data.
(ii) Duration: The duration of the Processing under this DPA is the term of the Agreement.
(iii) Nature and purpose of Processing: Xappex shall Process Customer Data only to provide the Services.
(iv) Categories of data subjects: Former, present and/or prospective employees, contractors, shareholders, customers, clients and/or suppliers.
(d) Subprocessing. Customer agrees that in order to provide the Services, Xappex may engage subprocessors to Process Customer Data. Customer specifically authorizes the engagement of those subprocessors listed at https://www.xappex.com/uncategorized/xappexs-sub-processors-list/ (“Subprocessor List”). Where Xappex engages any subprocessors pursuant to this Section:
(i) Xappex will restrict the subprocessors’ access to Customer Data only to what is necessary to assist Xappex in providing or maintaining the Services and will prohibit the subprocessor from accessing Customer Data for any other purpose. Xappex will enter into a written agreement with the subprocessor imposing data protection obligations no less protective of Customer Data than this DPA, to the extent applicable to the nature of the services provided by such subprocessor. Xappex will remain responsible and fully liable for the compliance of any subprocessors with the obligations of this DPA and for any acts or omissions of the subprocessor that cause Xappex to breach any of its obligations under this DPA.
(ii) Xappex will provide thirty (30) days’ prior notice via the Subprocessor List if it intends to make any changes to its subprocessors. Customer may object in writing to Xappex’s appointment of a new subprocessor during this 30-day notice period, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties cannot agree to a mutually acceptable resolution within ten (10) days, Customer shall have the right to immediately terminate the Agreement without any further liability or fees.
(e) Selling and Sharing Prohibited. Xappex acknowledges and confirms that it does not receive any Customer Data as consideration for any Services or other items that Xappex provides to Customer. Xappex shall not have, derive or exercise any rights or benefits regarding Customer Data. Xappex must not sell or share any Customer Data as the terms “selling” and “sharing” are defined in the CCPA and CPRA. Xappex must not collect, share or use any Customer Data except as necessary to perform the Services for Customer. Xappex represents and warrants that it understands the rules, requirements and definitions of the CCPA and CPRA and agrees to refrain from taking any action that would cause any transfers of Customer Data to or from Xappex to qualify as “selling personal information” or “sharing personal information” under the CCPA and CPRA.
(f) Deletion of Customer Data. If requested by Customer, upon termination or expiration of the Agreement or earlier, Xappex shall promptly delete all Customer Data in its possession or control (including, without limitation, all copies and regardless of its format), confirming in writing to Customer once deleted. This requirement shall not apply to the extent Xappex is required by mandatory applicable law to retain Customer Data, in which case Xappex shall immediately inform Customer of such requirement before retention. To the extent Customer Data must be retained by Xappex for mandatory applicable legal purposes, such Customer Data shall be considered and remain the Confidential Information of Customer and the confidentiality obligations under the Agreement shall continue indefinitely.
Xappex represents, warrants, and undertakes that it has established and for so long as Xappex Processes Customer Data it will at all times enforce, an ongoing program of Security Policies, Security Procedures, and Security Technical Controls, which reasonably ensures delivery of Security Best Practices and which includes, without limitation, the following:
(a) Information Security:
(i) a privacy and security incident management program;
(ii) a privacy and security awareness program;
(iii) business continuity and disaster recovery plans, including regular testing; and
(iv) procedures to conduct periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for timely and appropriate remediation.
(b) Physical Access:
(i) physical protection mechanisms for all information assets and information technology to ensure such assets and technology are stored and appropriately protected;
(ii) appropriate facility and room entry controls to limit physical access to systems that store or process Customer Data;
(iii) processes to ensure access to facilities and rooms is monitored and restricted on a “need to know” basis; and
(iv) controls to physically secure all Customer Data and to securely destroy such information when it is no longer needed in accordance with this DPA and the Agreement.
(c) Logical Access:
(i) appropriate mechanisms for user authentication and authorization in accordance with a “need to know” policy;
(ii) controls and auditable logs to enforce and maintain rigorous access restrictions for employees and subcontractors;
(iii) timely and accurate administration of user account and authentication management;
(iv) processes to ensure Xappex-supplied defaults for passwords and security parameters are appropriately managed (e.g., changed periodically);
(v) mechanisms to encrypt or hash all passwords, or otherwise ensure that passwords are not stored unsecured in clear text; and
(vi) processes to immediately revoke accesses of inactive accounts or terminated/transferred users.
(d) Security Architecture and Design:
(i) a security architecture that reasonably ensures delivery of Security Best Practices;
(ii) documented and enforced technology configuration standards;
(iii) regular testing of security systems and Security Best Practices;
(iv) a system of effective firewall(s) and intrusion detection technologies necessary to protect Customer Data; and
(v) database and application layer design processes that ensure web applications are designed to protect the data that is Processed through such systems.
(e) System and Network Management:
(i) mechanisms to keep security patches current;
(ii) processes to monitor, analyze, and respond to security alerts;
(iii) appropriate network security design elements that provide for segregation of data from other third-party data;
(iv) use and regular updating of anti-virus software; and
(v) mechanisms to ensure the integrity, resilience and availability of any software or services utilized to Process the Customer Data.
Failure by Xappex to comply with Security Best Practices or its obligations hereunder shall constitute a breach of the Agreement.
(f) Security Audit. Customer (or its designated representatives) may, on an annual basis or more frequently as reasonably requested by Customer, at Customer’s expense, conduct an audit to verify that Xappex is operating in accordance with this DPA. Such audit(s) may include a review of all aspects of Xappex’s performance, including, but not limited to, Xappex’s general controls and security practices and procedures. Xappex will cooperate with Customer in conducting any such audit, and will allow Customer reasonable access, during normal business hours and upon reasonable notice, to all pertinent records, documentation, computer systems, data, personnel and areas used to Process the Customer Data, as Customer reasonably requests to complete such audit. Customer will take reasonable steps to prevent the audit from materially impacting Xappex’s operations. Xappex shall correct any deviations from Security Best Practices that are identified in any security audit as soon as practicable, but in no event more than five days after receiving notice from Customer outlining any deviations (provided, however, that if five days is not a practicable cure period, then Xappex may instead present a remediation plan to Customer within such five-day period that sets forth an achievable and reasonable timeframe, and Xappex must thereafter diligently proceed to correct any deviations in accordance with such plan).
(g) Security Incidents. Xappex shall notify Customer immediately (within 24 hours) of any Security Incident, and provide Customer with: a detailed description of the Security Incident; the type of data that was the subject of the Security Incident; the identity of each affected person; and the steps Xappex takes in order to mitigate and remediate such Security Incident, in each case as soon as such information can be collected or otherwise becomes available. Xappex shall use its best efforts to immediately mitigate and remedy any Security Incident and prevent any further Security Incident(s) at its sole expense. Subject to Xappex’s applicable legal obligations, Xappex agrees that Customer shall have the sole right to determine (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Customer’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation. In the event of a Security Incident involving Customer Data in Xappex’s possession or otherwise caused by or related to Xappex’s acts or omissions, and without limiting Customer’s other rights and remedies, Xappex will pay all costs and expenses of (i) any disclosures and notifications required by applicable law or as otherwise determined as appropriate in Customer’s reasonable discretion, (ii) monitoring and reporting on the impacted individuals’ or entities’ credit records if determined in Customer’s reasonable discretion as reasonable to protect such individuals, and (iii) all other costs incurred by Customer in responding to, remediating and mitigating damages caused by such Security Incident.
Without limiting any other indemnification obligations set forth in the Agreement, Xappex agrees to defend, indemnify and hold harmless Customer and/or Customer affiliates, their officers, directors, managers, employees or other representatives from and against any and all claims, actions, demands, and legal proceedings and all liabilities, damages, losses, judgments, authorized settlements, costs and expenses, including without limitation reasonable attorneys’ fees, arising out of, or in connection with, any breach, in the course of performance hereunder, of the obligations set forth in this DPA. Notwithstanding anything to the contrary in the Agreement, the parties expressly agree that the indemnification obligation set forth herein shall not be subject to any liability caps or exclusions of special damages.