Data Protection Addendum
HOW TO EXECUTE THIS DPA:
To complete this DPA, please email [email protected]. Upon receipt of a validly completed DPA by Digital.ai, such DPA shall become legally binding.
A pdf document version of the DPA can be downloaded here for Customer review.
Data Protection Addendum
This Data Protection Addendum (“DPA”) forms part of the Agreement (defined below) between Digital.ai and Customer for Digital.ai to provide Services to Customer. Unless otherwise defined herein, all capitalized terms have the meaning given to them in the applicable Agreement.
Digital.ai may, in the course of providing Services to Customer pursuant to the Agreement, Process Customer Personal Data that is subject to Data Protection Laws. This DPA sets forth the obligations of the parties with regard to the Processing of Personal Data pursuant to the Agreement.
In consideration of the mutual obligations set out herein, the parties agree to comply with the following provisions, each acting reasonably and in good faith.
1. DEFINITIONS
“Affiliates” means any person or entity which directly or indirectly owns, controls, or is controlled by, or is under common control with a party, where control is defined as owning or directing more than 50% of the voting equity securities or similar ownership interest in the controlled entity.
“Agreement” means all current and future agreements between Digital.ai and Customer in connection with which Digital.ai provides Services involving the Processing of Personal Data on behalf of Customer, such as a Master Subscription Agreement (“MSA”) and all Orders applicable to the Services. This DPA is incorporated into such Agreement(s) by this reference.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all local, state, federal, or international laws, regulations, or treaties applicable to protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data under the Agreement, as may be defined in such laws, including the European Area Law, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
“European Area” means the European Union (“EU”), European Economic Area (“EEA”), Switzerland, and/or the United Kingdom of Great Britain and Northern Ireland (“UK”).
“European Area Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (collectively “UK Data Protection Law”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); or (iv) any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law); or (v) any other law relating to the data protection, security, or privacy of individuals that applies in the European Area.
“Personal Data” means any Customer Data (as defined in the Agreement) that relates to an identified or identifiable natural person (“Data Subject”), which is protected under Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed, and for which a Controller is required under Data Protection Laws to provide notice to competent data protection authorities or Data Subjects.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Services” means the provision of maintenance and support services and/or the provision of software as a service (“SaaS”) and/or any other services, hosted, managed or otherwise, which are provided under the Agreement and for the purposes of which Digital.ai Processes Personal Data on behalf of Customer.
“Standard Contractual Clauses” or “SCCs” means (i) standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries as adopted by the European Commission and the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (UK ICO) for data transfers from the UK to Third Countries; or (iii) any similar such clauses by a data protection regulator relating to data transfers to Third Countries, including without limitation any successor clauses thereto.
“Subprocessor” means a Digital.ai Affiliate or third party engaged by Digital.ai in connection with the Services and which Processes Personal Data in accordance with this DPA.
“Supervisory Authority” means an independent public authority which is established under applicable Data Protection Laws.
“Third Countries” means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to data transfers, including regulators such as the European Commission, UK ICO, or Swiss FDPIC relating to data transfers.
2. PROCESSING OF PERSONAL DATA
2.1 Role of the Parties. This DPA applies to the Processing of Personal Data by Digital.ai and its Subprocessors in connection with its provision of the Services. For the purposes of this DPA, Digital.ai is the Processor and Customer is the Controller.
2.2 Scope of Processing. The subject matter and duration of the Processing of Personal Data are set out in the Agreement, which describes the provision of the Services to Customer. The nature and purposes of Processing for which Personal Data is Processed on behalf of the Customer, the types of Personal Data and categories of Data Subjects are set forth in Exhibit 1 to this DPA.
2.3 Instructions. Digital.ai shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions, including with regard to transfers of Personal Data to a Third Country or international organization (as described in Section 7). The Agreement (including this DPA) constitutes such documented initial instructions to Process Customer Personal Data and each use of the Services then constitutes further instructions. Digital.ai will use reasonable efforts to comply with other reasonable Customer instructions, provided such are consistent with the terms of the Agreement, required by Data Protection Laws and technically feasible. Digital.ai will inform Customer if it cannot comply with an instruction or in Digital.ai’s opinion, any Customer instruction(s) infringe applicable Data Protection Laws.
2.4 Compliance with Laws. The parties agree to comply with all applicable Data Protection Laws, as further detailed below:
2.4.1 Digital.ai shall comply with all Data Protection Laws applicable to Digital.ai in its role as a Processor with respect to Personal Data. When providing the Services, Digital.ai may also Process Personal Data where required to do so by applicable Data Protection Laws, in which case Digital.ai shall inform Customer of that legal requirement before Processing unless the law prohibits such notice on important public-interest grounds.
2.4.2 Customer shall comply with all Data Protection Laws applicable to Customer in its role as a Controller and shall obtain all necessary consents, and provide all necessary notifications, to Data Subjects to enable Digital.ai to carry out lawfully the Processing contemplated by this DPA. Customer is responsible for the accuracy and quality of the Personal Data, and the means by which Customer acquired the Personal Data.
3. DATA SUBJECT RIGHTS
3.1 Data Subject Requests. Digital.ai will, in a manner consistent with the functionality of the Services and Digital.ai’s role as a Processor, provide reasonable support to Customer to enable Customer to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).
3.2 Responding to Data Subject Requests. Customer is responsible for responding to Data Subject Requests. If Digital.ai receives a Data Subject Request or other complaint from a Data Subject regarding the Processing of Personal Data, Digital.ai will, to the extent legally permitted, promptly notify Customer, provided the Data Subject has given sufficient information to identify Customer. Unless required by applicable law, Digital.ai shall not respond to any such Data Subject Request without Customer’s prior written authorization or instruction, except to confirm such request relates to Customer.
4. RETENTION AND DELETION OF PERSONAL DATA
4.1 Personal Data Retention. Upon termination of the parties’ Agreement and/or after the end of provision of the Services to which this DPA applies, Digital.ai shall delete or return any Customer Personal Data in accordance with Data Protection Laws and/or consistent with the terms of the Agreement as soon as reasonably practicable, unless applicable law requires further storage.
5. SECURITY OF PROCESSING
5.1 Security Measures. Digital.ai will implement and maintain appropriate technical and organizational measures, as specified in Exhibit 2 to this DPA, to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with applicable Data Protection Laws. Customer is responsible for making an independent determination as to whether the technical and organizational measures for the Services meet Customer’s requirements, including any of its security obligations under applicable Data Protection Laws.
5.2 Personnel. To Process Personal Data, Digital.ai and its Subprocessors shall only grant access to authorized personnel who have committed themselves to confidentiality requirements at least as protective as those of this DPA or the Agreement. Such personnel shall be required to Process Personal Data in accordance with Customer’s instructions as set forth in the Agreement and only to the extent necessary for performance of the Services.
6. SUBPROCESSORS
6.1 Use of Subprocessors. Customer authorizes Digital.ai to engage Subprocessors in accordance with this DPA, provided that Digital.ai shall enter into a written agreement with such Subprocessors that is consistent with the terms hereof. Digital.ai shall be liable for the acts and omissions of any Subprocessor to the same extent as if performed by Digital.ai.
6.2 Subprocessor List. The list of Subprocessors used by Digital.ai to provide the Services, as of the effective date of this DPA is attached hereto as Exhibit 3 and is published at Digital.ai Data Protection FAQs (“Subprocessor List”). Digital.ai shall notify Customer of any intended additions or replacements to the Subprocessor List by updating the published Subprocessor List at least thirty (30) days prior to authorizing any new Subprocessor to Process Personal Data.
6.3 Objection Rights. This Section 6.3 shall apply to the extent Customer is established within the European Area or where otherwise required by Data Protection Laws applicable to Customer. In such event, Customer may object on reasonable grounds, relating to data protection, to Digital.ai’s use of a new Subprocessor by notifying Digital.ai in writing promptly, and within fifteen (15) days following Digital.ai’s notification pursuant to Section 6.2 above. In the event of such objection, Digital.ai will take commercially reasonable steps to address the objections raised by Customer and provide Customer with reasonable written explanation of the steps taken to address such objection.
7. DATA TRANSFERS
7.1 Transfers. Customer authorizes Digital.ai and its Subprocessors to Process Personal Data for the purposes of providing the Services, which Processing may include making necessary transfers of Personal Data, in accordance with the terms of this DPA.
7.2 Controller-to-Processor SCCs: All transfers of Personal Data out of the European Area shall be governed by the relevant Standard Contractual Clauses which the parties hereby enter into and incorporate to this DPA by the aforementioned reference. The Standard Contractual Clauses will apply to any transfers of Personal Data from Customer (as “data exporter”) to Digital.ai (as “data importer”), as follows:
7.2.1 EEA Personal Data. Transfers of European Area Personal Data by Customer to Digital.ai or Digital.ai to Customer in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”), unless the parties explicitly agree that Module 3 (“Processor to Processor”) shall also apply, attached to this DPA and incorporated by reference. The information required for the purposes of the SCCs is provided in Exhibit 1 to this DPA. The parties agree that the SCCs are incorporated into this DPA without further need for reference, incorporation, or attachment and that by executing the Agreement referencing this DPA, each party is deemed to have executed the SCCs.
7.2.2 Swiss Personal Data. Where Personal Data is subject to the Swiss DPA, the SCCs referenced above shall be modified as follows, as applicable: (i) References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA; and (ii) References to “EU”, “Union” and “Member State” shall be interpreted to include references to “Switzerland”.
7.2.3 UK Personal Data. For Personal Data transfers subject to UK Data Protection Law and transferred in accordance with the UK Transfer Addendum, the parties agree as follows:
7.2.3.1 Each party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, in exchange for the other party also agreeing to be bound by the UK Transfer Addendum.
7.2.3.2 The Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum.
7.2.3.3 Sections 9 to 11 of the UK Transfer Addendum override Clause 5 (Hierarchy) of the EU SCCs.
7.2.3.4 For the purposes of Section 12 of the UK Transfer Addendum, the EU SCCs will be amended in accordance with Section 15 of the UK Transfer Addendum.
7.2.3.5 Information required by Part 1 of the UK Transfer Addendum is provided in Exhibit 1 to this DPA.
7.2.4 To the extent that any revised transfer addendums or mechanisms are issued by the UK ICO, the Parties agree to incorporate such revisions in accordance with Sections 18 to 20 of the UK Transfer Addendum.
7.3 Clarifications. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. In no event does this DPA restrict or limit the rights of any Data Subject or competent Supervisory Authority. Nothing in this DPA shall be construed to prevail over any conflicting clause of the SCCs. Where this DPA further specifies audit and Subprocessor rules, such specifications also apply in relation to the SCCs.
7.4 Alternative Data Transfer Mechanism. To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws are required to transfer Personal Data to a Third Country, the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.
8. PERSONAL DATA BREACH NOTIFICATION
8.1 Notification of Personal Data Breach. Digital.ai will notify Customer promptly without undue delay after becoming aware of any Personal Data Breach involving Customer Personal Data Processed by Digital.ai and provide reasonable information in its possession to assist Customer in meeting its obligations to report a Personal Data Breach as required under Data Protection Laws. Digital.ai will use reasonable efforts to identify the cause of such Personal Data Breach and shall take appropriate measures to mitigate the effects and to minimize any damage resulting from the Personal Data Breach to the extent such remediation is within Digital.ai’s reasonable control. Notification will be delivered to Customer in accordance with Section 8.2. Such notification shall not be interpreted or construed as an admission of fault or liability by Digital.ai.
8.2 Notice Delivery. Notifications of Personal Data Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by means Digital.ai selects, including via email. Customer is responsible for ensuring it provides and maintains accurate contact information at all times.
9. AUDIT
9.1 Information Requests. Digital.ai shall make available to Customer, upon reasonable written request, information related to the Processing of Personal Data of Customer as necessary to demonstrate Digital.ai’s compliance with the obligations under this DPA.
9.2 Customer Audit. Digital.ai shall allow for inspection requests by Customer (or its independent auditor) related to Personal Data Processed by Digital.ai in order to verify Digital.ai’s compliance with this DPA, if: (a) Digital.ai has not provided sufficient written evidence of its compliance with the technical and organizational measures, e.g. a certification of compliance with ISO 27001 or other standards; (b) a Personal Data Breach has occurred; (c) an audit is formally requested by Customer’s Supervisory Authority; or (d) Data Protection Law provides Customer with a mandatory on-site inspection right; and provided that Customer shall not exercise this right more than once per year unless mandatory Data Protection Law requires more frequent inspections. Any information provided by Digital.ai pursuant to this Section 9 is subject to the confidentiality obligations of the Agreement. Such inspections will be conducted in a manner that does not impact the security, confidentiality, integrity, availability and continuity of the inspected facilities, networks and systems, nor compromise any confidential data Processed therein.
9.3 Cost of Audit. Customer is responsible for the costs of any audit, unless such audit reveals a material breach by Digital.ai of this DPA, then Digital.ai shall bear its own expenses of the audit. If an audit determines that Digital.ai has breached its obligations under this DPA, Digital.ai will promptly remedy the breach at its own cost.
10. DATA PROTECTION IMPACT ASSESSMENTS
10.1 If Customer is required by applicable Data Protection Law to perform a data protection impact assessment or prior consultation with a Supervisory Authority related to Customer’s use of the Services, Digital.ai will, upon Customer’s reasonable request, provide such documents as are generally available for the Services; for example, any then-current Service Organization Control (SOC) 2 reports, ISO/IEC 27001:2013 certifications and/or comparable industry-standard successor reports, as may be applicable to the Services.
10.2 Any additional assistance in the cooperation or prior consultation with a Supervisory Authority in the performance of its tasks relating to this Section 10, to the extent required under Data Protection Law, shall be mutually agreed between the Parties taking into account the nature of the Processing and information available to Digital.ai. To the extent legally permitted, Customer shall be responsible for any costs arising from Digital.ai’s provision of such assistance.
11. GOVERNMENT INQUIRIES
11.1 If compelled to disclose Personal Data to a law enforcement or governmental entity, Digital.ai will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent Digital.ai is legally permitted to do so.
12. GENERAL
12.1 Customer Affiliates. Customer is responsible for coordinating all communication with Digital.ai on behalf of its Affiliates regarding this DPA. Customer represents that it is authorized to enter into this DPA and any Standard Contractual Clauses incorporated herein or entered into under this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of its Affiliates.
12.2 Conflict. The applicable law and competent courts for this DPA are those of the main Agreement which this DPA attaches to. If there is any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent that conflict or inconsistency relates to Personal Data. Except as expressly amended herein, the terms and conditions of the Agreement shall govern this DPA.
12.3 Termination. The Term of this DPA will end in accordance with the terms of the Agreement.
12.4 Miscellaneous. Each reference to the DPA herein means this DPA including its Exhibits, Annexes and/or Appendices. The section headings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA.
EXHIBIT 1
Description of Processing
This Exhibit 1 applies to describe the Processing of Customer’s Personal Data for the purposes of the Standard Contractual Clauses, or as applicable, equivalent provisions of any other Data Protection Laws.
1. LIST OF PARTIES
Data exporter(s):
Name: [CUSTOMER NAME]
Address: [CUSTOMER ADDRESS]
Contact person’s name, position and contact details: [CUSTOMER CONTACT]
Relevant activities: Use of Digital.ai’s products and services pursuant to the Agreement.
Signature and date: Per the parties’ execution of the DPA
By entering into the DPA, the data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: Digital.ai Software, Inc.
Address: 285 Summer Street, Boston, MA 02210
Contact person’s name, position and contact details: [email protected]
Relevant activities: Provision of Digital.ai’s products and services pursuant to the Agreement.
Signature and date: Per the parties’ execution of the DPA
By entering into the DPA, the data importer is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the DPA.
Role (controller/processor): Processor
2. DESCRIPTION OF TRANSFER & PROCESSING
Categories of data subjects whose personal data is transferred:

Categories of personal data transferred:

Sensitive personal data transferred: No Sensitive Information is processed by Digital.ai.

Frequency of the transfer: Transfers will be made on a continuous basis for cloud products and services, and on a one-off basis for support requests.

Nature of the processing: Digital.ai acts as a Processor for the Personal Data submitted by Customer in the course of using Digital.ai’s products and services; the nature of processing includes transfer, storage and such other processing activities that are specified pursuant to the terms of the Agreement and accompanying Order Form(s).

Purpose of the processing: To provide and support Digital.ai’s products and services to Customer as more fully described in the Agreement and accompanying Order Form(s).

Period for which the personal data will be retained or criteria used to determine that period: For the duration of the Agreement in place with Digital.ai, except where otherwise specified in the Agreement, or otherwise permitted or required by law.

Subprocessor transfers – subject matter, nature, and duration of processing: Digital.ai (Data Importer) uses the Sub-processors identified in the Subprocessor List set forth in Exhibit 3 to this DPA to support Digital.ai in providing its products and services to Customer (Data Exporter). The subject matter and duration of processing are outlined above within this Annex. The nature of the specific sub-processing services is further particularized within the Subprocessor List identified in Exhibit 3.

Signatures: The Parties agree that the EU SCCs and the UK Transfer Addendum are incorporated by reference and that by executing the Agreement referencing this DPA, each party is deemed to have executed the SCCs and the UK Transfer Addendum.
3. European Economic Area SCC and UK Transfer Addendum Information
| SCC Clause | GDPR | Swiss DPA | UK Data Protection Law |
|---|---|---|---|
| Module in Operation | | | |
| Clause 7 – Docking Clause | An entity that is not a party to these clauses may, with the agreement of the parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex 1.A | Same as GDPR column | Same as GDPR column |
| Clause 9(a) – Use of Sub-processors | GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. | Same as GDPR column | Same as GDPR column |
| Clause 11 (Redress) | Optional language in Clause 11 shall not apply. | Same as GDPR column | Same as GDPR column |
| Clause 17 – Governing Law | These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands. | These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland. | These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England and Wales. |
| Clause 18 – Choice of Forum and Jurisdiction | (b) The parties agree that those shall be the courts of the Netherlands. | The parties agree that those shall be the competent courts of Switzerland. | The parties agree that those shall be the competent courts of England and Wales. |
| Annex 1A – List of Parties | The name, address, and contact person’s name, position, and contact details, and each party’s role in processing personal data are provided in Section 1 of Exhibit 1 to the DPA. | Same as GDPR column | Same as GDPR column |
| Annex 1B – Description of Transfer | This information can be found in Section 2 of Exhibit 1 to the DPA. To the extent applicable, the descriptions of safeguards applied to the special categories of Personal Data can be found in Exhibit 2 to the DPA. | Same as GDPR column | Same as GDPR column |
| Clause 13 and Annex 1C – Competent Supervisory Authority | Identify the competent supervisory authority/ies in accordance with Clause 13: Dutch Data Protection Commission | Identify the competent supervisory authority/ies in accordance with Clause 13: FDPIC | Identify the competent supervisory authority/ies in accordance with Clause 13: UK Information Commissioner |
| Annex II – Technical and Organizational Measures | The description of technical and organizational measures designed to ensure the security of Personal Data is set out more fully in Exhibit 2 to the DPA. | Same as GDPR column | Same as GDPR column |
| Annex II – Technical and Organizational Measures – Subprocessors | The description of technical and organizational measures designed to ensure the security of Personal Data processed by Sub-processors is set out more fully in Exhibit 2 to the DPA. | Same as GDPR column | Same as GDPR column |
| Annex III – List of Subprocessors | As listed in Exhibit 3 to the DPA and published at Digital.ai Data Protection FAQs | Same as GDPR column | Same as GDPR column |
| Ending the UK Transfer Addendum when the Approved Addendum changes | N/A | N/A | Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☒ Exporter ☐ neither Party |
EXHIBIT 2
Technical and Organizational Security Measures
This Exhibit 2 applies to describe the applicable technical and organizational measures for the purposes of the Standard Contractual Clauses, or as applicable, equivalent provisions of any other Data Protection Law.
The technical and organizational measures set forth in Annex II have been implemented by data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Description of Technical and Organizational measures, including technical and organizational measures to ensure the security of the data:
Information Security Policy, Procedures, and Standards. Digital.ai will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to help secure personal data against accidental or unlawful loss, access or disclosure. A review of all Digital.ai information security policies, procedures and technical standards is conducted at least once annually. Where applicable, backup copies of personal data can be made available and tested periodically to confirm integrity and demonstrate resiliency. A vulnerability assessment is performed on critical systems periodically, and penetration testing is performed at least once annually.
Encryption. Digital.ai uses encryption methods that are considered secure according to industry best practices to secure data both at rest and in transit. The encryption methods used meet or exceed Transport Layer Security (TLS) 1.2 for data in transit and Advanced Encryption Standard (AES) 256 for data at rest.
Audits. Where applicable, Digital.ai will use external auditors and/or performs internal audits to verify the adequacy of its security measures according to ISO 27001, SOC 2 or ISO 13485 standards.
Access Controls. User Identification and Authorization. Digital.ai will maintain access controls and policies to manage what access is allowed to the Digital.ai network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls.
Physical Security. Physical barrier controls are used to prevent unauthorized entrance to facilities where personal data is processed either by or on behalf of Digital.ai. The controls exist both at the perimeter and at building access points. Entry typically requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the facilities, and are continually escorted by authorized employees or contractors while visiting the facilities.
Event logging. Digital.ai’s network and systems are configured so that system errors and security events are logged, and the log files are protected from alternation by users.
System Configuration. Digital.ai will develop, document, and maintain a current baseline configuration for all in-scope systems. Baseline must be reviewed and updated annually and as needed due to system upgrades, patches, or other significant changes. Previous configurations to support rollback must be retained. Minimum baseline configuration must be established for information systems or computer with elevated security controls.
Digital.ai Subprocessors are required to maintain technical and organizational measures consistent with those set out in this Exhibit B as applicable to the Personal Data processed by those Subprocessors.
Additional information about Digital.ai’s security certifications and practices is located here.
EXHIBIT 3
List of Subprocessors
Infrastructure subprocessor | Description of Service | Location
Amazon Web Services (“AWS”) | Cloud infrastructure and service provider | United States, Germany
Rackspace Technology | Cloud infrastructure and service provider | United States

Other subprocessors | Description of Service | Location
ServiceRocket, Inc. | Cloud based customer support and implementation services | United States, India
Pendo.io, Inc. | Cloud based software support and analytics | United States
Snowflake, Inc. | Database as a service provider | United States
Zendesk | Customer service software | United States
Sumo Logic, Inc. | Cloud based software security and log analytics | United States
CPRA Supplemental Addendum
This CPRA Supplemental Addendum (“CPRA Addendum”) forms part of the DPA between Digital.ai (“Service Provider” for purposes of the CPRA Addendum) and Customer (as identified in DPA) for Digital.ai to provide Services to the Customer.
In the course of providing Services pursuant to the Agreement, Digital.ai may process ‘personal information’ of California consumers, which is subject to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). The term ‘personal information’ as defined under the CCPA/CPRA shall be understood as Personal Data disclosed by Customer to Digital.ai in the course of fulfilling the Agreement(s).
As of the effective date of this CPRA Addendum, such Processing shall be performed pursuant to the terms below, which apply in addition to all applicable and non-conflicting contractual terms already governing Digital.ai’s Processing of Personal Information under the Agreement, and which supersede any terms previously agreed between the parties specifically for the purpose of complying with the CCPA (as defined below). For the avoidance of doubt, this CPRA Addendum does not apply to any Processing performed by or for the purposes of either party under Cal. Civ. Code sections 1798.145 and 1798.146.
For the purposes of this CPRA Addendum, the following definitions apply in addition to the definitions contained in the DPA and Agreement, including all addenda that may complement it.
1. Definitions. In this Addendum, the following terms shall have the meaning set forth below:
1.1 “CCPA” means the California Consumer Privacy Act Cal. Civ. Code section 1798.100 et seq., and its implementing regulations as in effect until December 31, 2022;
1.2 “CPRA” means the California Privacy Rights Act Cal. Civ. Code section 1798.100 et seq., and its implementing regulations, as in effect from January 1, 2023.
Until December 31, 2022, any reference to the CPRA shall be construed as a reference to the relevant provisions of the then-current CCPA, if any. As of January 1, 2023, any prior reference to the CCPA shall be construed as a reference to the relevant provisions of the CPRA.
1.3 Customer is the “Business” in the meaning of Cal. Civ. Code section 1798.140 subdivision (d) and Digital.ai is the “Service Provider” in the meaning of Cal. Civ. Code section 1798.140 subdivision (ag).
1.4 All other terms used in this CPRA Addendum shall have the meanings set forth in Cal. Civ. Code section 1798.140.
2. Supplemental Terms. Where Digital.ai is acting as a Service Provider pursuant to the Agreement, the following supplemental terms apply:
2.1 Customer discloses the Personal Data to Digital.ai solely for the purpose of Digital.ai’s provision of the Services contemplated under the Agreement, for Customer’s business purposes specified therein. Digital.ai shall not Process the Personal Data for any other business purpose unless permitted by this CPRA Addendum or by the CPRA.
2.2 Digital.ai is acting solely as a Service Provider with respect to Personal Data. Accordingly, the disclosure of Personal Information by Customer to Digital.ai in the course of fulfilling the Agreement(s) does not constitute a Sale of the Personal Data.
2.3 Digital.ai will not ‘sell’ or ‘share’ Customer Personal Data (as those terms are defined under CPRA).
2.4 Digital.ai will not (1) retain, use or disclose Personal Data (i) for any purpose other than for the specific Business Purpose of performing the Services, or (ii) outside of the direct business relationship between Customer and Digital.ai, or (2) combine Personal Information received pursuant to the Agreement with Personal Data received from or on behalf of another person(s), or collected from Digital.ai’s own interactions with individuals, unless permitted by the CPRA.
2.5 Digital.ai will comply with all provisions of the CPRA that are applicable to Digital.ai as a Service Provider and will provide the level of privacy protection for Personal Data as further described in the Agreement, including facilitating Customer’s responses to, and compliance with, its verifiable consumers’ requests as detailed in Section 3 (Data Subject Rights), and implementing security measures as described in Section 5 (Security of Processing).
2.6 To ensure that Digital.ai uses Personal Data in a manner consistent with Customer’s obligations under the CPRA, Customer may take the reasonable and appropriate steps set forth in Section 9 of the DPA (Audits).
2.7 Digital.ai will promptly notify Customer if Digital.ai makes a determination that it can no longer meet its obligations under this CPRA Addendum.
2.8 If Customer reasonably believes that Digital.ai is using Personal Data in a manner not authorized by the Agreement or by the CPRA, Customer may take the following reasonable and appropriate steps: (i) notify Digital.ai so that the parties may work together in good faith to resolve the matter, or (ii) exercise any other rights provided in the Agreement.
2.9 Digital.ai will notify Customer if it engages any third party to assist it in Processing of Customer’s Personal Data and ensure that any such engagement is governed by a written contract that imposes obligations on the third party that are similar in all material respects to those imposed on Digital.ai under this CPRA Addendum; the list of third parties used by Digital.ai in connection with its provision of the Services is available at https://digital.ai/legal/data-protection-addendum/.
3. Order of Precedence. Where the terms of this CPRA Addendum conflict with other contractual terms in place between Customer and Digital.ai, the terms of this CPRA Addendum shall govern specifically and solely in relation to Digital.ai’s Processing of the Personal Data as defined herein.
IN WITNESS WHEREOF, this CPRA Addendum is entered into and becomes a binding part of the Agreement with effect from the date signed by Customer.
On behalf of the Customer:
Name: Customer as identified in DPA
Authorized Signature: Per the parties’ execution of the DPA.
On behalf of the Service Provider:
Name: Digital.ai Software Inc.
Authorized Signature: Per the parties’ execution of the DPA.