This Data Processing Addendum (this "DPA") is made as of the last date set forth on the signature page hereto (the “Effective Date”) by and between SW Development LLC, a limited liability company organized and existing under the laws of the State of Oregon, U.S.A. ("Smartwaiver"), and the entity or person set forth on the signature page hereto ("Customer"), pursuant to the Agreement (as defined below). This DPA has been pre-signed on behalf of Smartwaiver. This DPA will be void ab initio, with no force or effect, if the entity or person signing this DPA is not a party to an effective Agreement (as defined below) directly with Smartwaiver. Smartwaiver and Customer are sometimes referred to herein individually as a "party" or together as the "parties".
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is processed by Smartwaiver under the Agreement.
1.1. For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
(a) "Agreement" means the Terms of Service or any amendments or addendums to the Terms of Service, as applicable, between the parties, in each case providing for the provision by Smartwaiver to Customer of the services described therein.
(b) "EEA" means the European Economic Area (including the United Kingdom).
(c) "EU Data Protection Legislation" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive"), including any applicable national implementations of it; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") (as amended, replaced or superseded).
(d) "CCPA" means the California Consumer Privacy Act, officially called California Assembly Bill No. 375, effective January 1st, 2020.
(e) "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
(f) "Processor" means an entity which processes Personal Data on behalf of the Controller.
(g) "Personal Data" means any information relating to an identified or identifiable natural person.
(h) "Privacy Shield" means the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce.
(i) "Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).
(j) "Security Incident" means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
(k) "Sensitive Data" means (a) social security number, passport number, driver's license number, or similar identifier (or any portion thereof), (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords; (f) date of birth; (g) criminal history; (h) mother's maiden name; and (i) any other information that falls within the definition of "special categories of data" under EU Data Protection Legislation or the CCPA or any other applicable law relating to privacy and data protection.
2. Relationship with Agreement
2.1. Except as amended by this DPA, the Agreement will remain in full force and effect.
2.2. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
2.3. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
3. Applicability of this DPA
3.1. Part A (being Sections 4 to 6, as well as Annexes A and B, of this DPA) shall apply to the processing of Personal Data under the Agreement from the Effective Date above.
3.2. Part B (being Sections 7 to 11) shall apply to the processing of Personal Data by Smartwaiver falling within the scope of the GDPR from and including 25 May 2018.
3.3. With respect to the processing of Personal Data falling within the scope of Part B: (a) the terms of Part B shall apply in addition to, and not in substitution of, the terms in Part A; and (b) to the extent there is any conflict between the provisions in Part A and Part B, the provisions in Part B shall take priority from and including 25 May 2018.
3.4. Notwithstanding anything in this DPA, Smartwaiver will have the right to collect, extract, compile, synthesize and analyze aggregated, non-personally identifiable data or information (data or information that does not identify Customer or any other entity or natural person as the source thereof) resulting from Customer's use or operation of the Services (“Service Data”) including how its end users or their customers use Smartwaiver. To the extent any Service Data is collected or generated by Smartwaiver, such data will be solely owned by Smartwaiver and may be used by Smartwaiver for any lawful business purpose without a duty of accounting to Customer or its recipients. For the avoidance of doubt, this DPA will not apply to Service Data.
Part A: General data protection obligations
4. Roles and responsibilities
4.1. Parties' Roles. Customer, as Controller, appoints Smartwaiver as a Processor to process the Personal Data described in Annex A on Customer's behalf.
4.2. Purpose Limitation. Smartwaiver shall process the Personal Data for the purposes described in Annex A and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. The Agreement and this DPA set out Customer's complete instructions to Smartwaiver in relation to the processing of the Personal Data, and any processing required outside of the scope of these instructions will require prior written agreement between the parties.
4.3. Prohibited Data. Customer will not provide (or cause to be provided) any Sensitive Data to Smartwaiver for processing under the Agreement, and Smartwaiver will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
4.4. Description of Processing. A description of the nature and purposes of the processing, the types of Personal Data, categories of data subjects, and the duration of the processing are set out further in Annex A.
4.5. Compliance. Customer shall be responsible for ensuring that:
(a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation or the CCPA, in its use of the Services and its own processing of Personal Data (except as otherwise required by applicable law); and
(b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Smartwaiver for processing in accordance with the terms of the Agreement and this DPA.
5.1. Security. Smartwaiver shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
5.2. Security Exhibit. The technical and organizational security measures which Smartwaiver shall have in place under the Agreement are set out at Annex B to this DPA.
6. International transfers
6.1. International Transfers. To the extent that Smartwaiver processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection (within the meaning of EU Data Protection Legislation) by virtue of Smartwaiver's self-certification to the Privacy Shield. Smartwaiver shall agree to apply the Privacy Shield Principles when processing (or causing to be processed) any EEA or Swiss Personal Data under this Agreement.
6.2. Privacy Shield Notifications. Smartwaiver agrees to notify Customer without undue delay if its self-certification to the Privacy Shield is withdrawn, terminated, revoked, or otherwise invalidated. In such a case, the parties shall cooperate in good faith to put in place such alternative data export mechanisms as are required under EU Data Protection Legislation to ensure an adequate level of protection for the Personal Data.
Part B: GDPR and CCPA Obligations
7. Additional security
7.1. Confidentiality of processing. Smartwaiver shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
7.2. Security Incidents. Upon becoming aware of a Security Incident, Smartwaiver shall notify Customer without undue delay and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under EU Data Protection Legislation or the CCPA. Smartwaiver shall take appropriate and commercially reasonable steps to mitigate the effects of such a Security Incident on the Personal Data under this Agreement.
8.1. Sub-processors. Customer agrees that Smartwaiver may engage Smartwaiver affiliates and third party sub-processors (collectively, "Sub-processors") to process the Personal Data on Smartwaiver's behalf. The Sub-processors currently engaged by Smartwaiver and authorized by Customer are available at https://support.smartwaiver.com/hc/en-us/articles/360007817653/.
8.2. Objection to Sub-processors. Customer may object in writing to the appointment of an additional Sub-processor. In the event that Customer objects on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Smartwaiver will, at its sole discretion, either not appoint the Sub-processor, or permit Customer to suspend or terminate the affected Smartwaiver service in accordance with the termination provisions of the Agreement.
8.3. Sub-processor obligations. Where a Sub-processor is engaged by Smartwaiver as described in this Section 8, Smartwaiver shall:
(a) restrict the Sub-processor’s access to Personal Data only to what is necessary to perform the subcontracted services;
(b) impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA; and
(c) remain liable for any breach of the DPA caused by a Sub-processor.
9.1. Cooperation and data subjects' rights. Smartwaiver shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable Customer to respond to requests from a data subject seeking to exercise their rights under EU Data Protection Legislation or the CCPA. In the event that such request is made directly to Smartwaiver, Smartwaiver shall promptly inform Customer of the same.
9.2. Protection Impact Assessments. Smartwaiver shall, to the extent required by EU Data Protection Legislation or the CCPA and at Customer's expense, taking into account the nature of the processing and the information available to Smartwaiver, provide Customer with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Legislation or the CCPA.
10. Deletion / return of data
10.1. Deletion or return of data: Upon termination or expiry of the Agreement, Smartwaiver shall, at Customer's election, delete or return to Customer the Personal Data (including copies) in Smartwaiver's possession, save to the extent that Smartwaiver is required by any applicable law to retain some or all of the Personal Data.
Annex A: DESCRIPTION OF PROCESSING
Nature and purposes of processing
Smartwaiver is a US-headquartered provider of member management software. This software consists primarily of CRM-type software for customer management, billing and bookings.
Otherwise, the data processing will involve any such processing that is necessary for the purposes set out in the Agreement, the DPA, or as otherwise agreed between the parties.
Categories of data subjects
The personal data transferred concerns any data subjects handled by Smartwaiver on behalf of, and as instructed by, the Customer using Smartwaiver.
Categories of data
The personal data transferred concern the following categories of data for the data subjects:
• Identification information (first and last name), contact information (address, telephone number (fixed and mobile), e-mail address, fax number), date of birth, purchase history, signed contracts; and
• Any other personal data that the Customer chooses to collect within their customer records using Smartwaiver's services.
The personal data transferred to Smartwaiver for processing is determined and controlled by the Customer in its sole discretion. As such, Smartwaiver has no control over the volume and sensitivity of personal data processed through its service by the Customer.
Special categories of data (if appropriate)
Smartwaiver does not intentionally collect or process any special categories of data in the provision of its service.
Under the Agreement, the Customer agrees not to provide special categories of data to Smartwaiver at any time.
Duration of processing
The personal data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
Annex B: SMARTWAIVER SECURITY MEASURES
1. Network-Level Controls
a. Smartwaiver will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data. The firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for strong encryption and hashing, ICMP and SNMP based monitoring and anti-spoofing.
b. Smartwaiver will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.
c. Smartwaiver will assess network-level vulnerabilities and address critical vulnerabilities within 30 days.
d. Smartwaiver will employ change management standards for network/infrastructure components handling Personal Data.
2. Hosting Level Controls
a. Smartwaiver will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, Smartwaiver will implement access control processes and restrict access to operating system configurations based on the least privilege principle.
b. Smartwaiver will perform patch management on systems that host or handle Personal Data. Smartwaiver will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.
c. Smartwaiver will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.
3. Application-Level Controls
a. Smartwaiver will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.
b. Smartwaiver will employ secure programming guidelines and protocols in the development of applications processing or handling Personal Data.
c. Smartwaiver will regularly perform patch management on applications that host or handle Personal Data. Smartwaiver will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.
4. Data-Level Controls
Smartwaiver will use strong encryption (TLS) for transmission of Personal Data that is considered Confidential Information. Smartwaiver databases and data backups of Personal Data will be encrypted at rest and while in transit.
5. End User Computing Level Controls
a. Smartwaiver will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.
6. Compliance Controls
a. Smartwaiver will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.
SIGNED by the parties or their duly authorized representatives:
Company Name: SW DEVELOPMENT LLC
Signed: Maria Trysla
Name: Maria Trysla
Date: May 8, 2021