Scope, Order of Precedence and Term
This Data Processing Addendum shall be incorporated into the relevant End User License Agreement(s) (“EULA”) and/or Terms and Conditions that expressly incorporate this Data Processing Addendum by reference.
Except as expressly stated otherwise in this Data Processing Addendum, in the event of any conflict between the terms set forth in any applicable Incorporating Documents (as defined below), including any policies or schedules referenced therein, and the terms of this Data Processing Addendum, the relevant terms of this Data Processing Addendum shall take precedence.
This Data Processing Addendum includes the terms and conditions of CARET’s Data Transfer Agreement (as defined below), where applicable, as though incorporated fully herein. In the event of any conflict between the terms set forth in this Data Processing Addendum and the Data Transfer Agreement, the terms contained in the Data Transfer Agreement shall take precedence.
“CARET” means Abacus Data Systems, Inc., together with the CARET Affiliates.
“Affiliate,” or “Affiliates” means any entity which is controlled by, controls or is under common control with CARET.
“Applicable Data Protection Law” means (i) Directive 95/46/EC of October 24, 1995, as amended, on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (‘Directive’) until such time that it is replaced by GDPR, applicable as of May 25, 2018; (ii) the GDPR; and (iii) any other data privacy or data protection law or regulation that applies to the Processing of Personal Data under Client’s EULA and/or Cloud Services Agreement.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Subject” means the individual to whom Personal Data relates (not a business or other entity).
“Data Transfer Agreement” means the agreement between CARET and Clients, where applicable, concerning the transfer of Personal Data outside the European Economic Area (“EEA”) that sets forth Standard Contractual Clauses as adopted by the European Commission. The Data Transfer Agreement can be accessed here.
“GDPR” means the General Data Protection Regulation (EU 2016/679) and/or any legislation which preserves or replaces it following the United Kingdom’s exit from the European Union. To the extent that any legislation preserves or replaces the GDPR following the United Kingdom’s exit from the European Union, references to the GDPR shall be interpreted as references to the nearest equivalent provision(s) of such new legislation.
“Personal Data” means any information that CARET may Process on Client’s behalf in connection with the products or services provided to Client by CARET relating to a Data Subject who can be identified, such as by a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject can also be directly or indirectly identified by a person’s online identifiers such as internet protocol addresses and cookie identifiers which monitor the person’s online behavior.
“Processing,” “Process,” “Processes” and “Processed” mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structure, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Supervisory Authority” means an independent public authority which is established by an EU Member State.
“Third Party Sub-processor” means a third-party subcontractor, other than a CARET Affiliate, engaged by CARET and which may Process Personal Data as set forth in Section 8.
“Incorporating Document(s)” means any End User License Agreement and/or Terms and Conditions that expressly incorporate this Data Processing Addendum.
“Service Order Form” means a document executed by Client through which Client purchases any subscription, product or service from CARET (which shall include but is not limited to proposals, service order forms, service order addendums and statements of work).
“Client” means the customer (sole proprietorship or entity) that has executed a Service Order Form that is governed by any Incorporating Documents. Other capitalized terms have the definitions provided for them in the applicable Service Order Form, corresponding Incorporating Documents, or as otherwise specified below.
Controller and Processor of Personal Data and Purpose of Processing
Client is and will at all times remain the Controller of the Personal Data Processed by CARET. Client is responsible for compliance with Client’s obligations as a Controller under Applicable Data Protection Law, in particular for justification of any transmission of Personal Data to CARET (including providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate legal basis under Applicable Data Protection Law), and for Client’s decisions and actions concerning the Processing of such Personal Data.
Where CARET Processes Personal Data, CARET is and will at all times remain a Processor with regard to the Personal Data provided by Client to CARET. CARET is responsible for compliance with its obligations as a Processor under Applicable Data Protection Law. Not all products or services governed by any Incorporating Documents necessarily require CARET to Process Personal Data.
CARET and any persons acting under the authority of CARET, including any CARET Affiliates and Third-Party Sub-processors as set forth in Section 8 will Process Personal Data solely for the purpose of (i) providing the products or service contracted for by Client that are governed by any Incorporating Documents, (ii) complying with Client’s documented written instructions in accordance with Section 5, or (iii) complying with CARET’s regulatory obligations in accordance with Section 13.
As the Data Controller, Client warrants, represents and undertakes to CARET that Client has lawful grounds for the processing of Personal Data.
Categories of Personal Data and Data Subjects
In order to provide Client with the products or service contracted for that are governed by any Incorporating Documents, CARET may Process some or all of the following categories of Personal Data: personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, social security details and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers, IP addresses, and online behavior and interest data.
Categories of Data Subjects whose Personal Data may be Processed in order to perform any obligations under applicable Incorporating Documents may include, among others, Client’s representatives and end users, such as Client’s employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
Additional categories of Personal Data and/or Data Subjects may be described in any applicable Service Order Forms, or corresponding Incorporating Documents. Unless otherwise specified in the applicable Service Order or corresponding Incorporating Documents, content provided to CARET by Client may not include any sensitive or special personal data that imposes specific data security or data protection obligations on CARET in addition to or different from those specified in any applicable Service Order Form.
Processing of Personal Data
CARET will Process Personal Data on Client’s written instructions as specified in the applicable Service Order Form, corresponding Incorporating Document, and this Data Processing Addendum, including instructions regarding data transfers as set forth in Section 7.
Client may provide additional instructions in writing to CARET with regard to Processing of Personal Data in accordance with Applicable Data Protection Law. CARET will comply with all such instructions to the extent necessary for CARET to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist Client to comply with Client’s Controller obligations under Applicable Data Protection Law relevant to Client’s use of products or services that are governed by any Incorporating Documents, including assistance with notifying Personal Data breaches as set forth in Section 11, Data Subject requests as set forth in Section 6, and Data Protection Impact Assessments (DPIAs).
To the extent required by Applicable Data Protection Law, CARET will immediately inform Client if, in its opinion, Client’s instruction infringes Applicable Data Protection Law. Client acknowledges and agrees that CARET is not responsible for performing legal research and/or for providing legal advice to Client.
Without prejudice to CARET’s obligations under Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by CARET to comply with instructions with regard to the Processing of Personal Data that require the use of resources different from or in addition to those CARET is required to perform pursuant to any applicable Incorporating Documents.
Rights of Data Subjects
Where applicable, CARET will grant Client electronic access to any applicable cloud environment that holds Personal Data related to products or services provided to Client by CARET that are governed by any Incorporating Documents to enable Client to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including requests to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to Processing of specific Personal Data or sets of Personal Data.
To the extent such electronic access is not available to Client, Client can submit a “service request” via CARET Support, or other applicable primary support tool provided for the Services, and provide detailed written instructions to CARET, including the Personal Data necessary to identify the Data Subject, on how to assist with such Data Subject requests in relation to Personal Data stored in an applicable cloud environment that holds Personal Data related to products or services provided to Client by CARET that are governed by any Incorporating Documents. CARET will promptly follow such instructions. If applicable, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by CARET to comply with instructions that require the use of resources different from or in addition to those CARET is required to perform pursuant to any applicable Incorporating Documents.
If CARET directly receives any Data Subject requests regarding Personal Data, it will promptly pass on such requests to Client without responding to the Data Subject if the Data Subject identifies Client as the Data Controller. If the Data Subject does not identify Client, CARET will instruct the Data Subject to contact the entity responsible for collecting their Personal Data.
Personal Data Transfers
Personal Data held in any applicable cloud environment provided to Client by CARET that are governed by any Incorporating Documents will be hosted in the data center region specified in the Service Order Form (if specified). Where the data center region is specified in the applicable Service Order Form, CARET will not migrate the applicable cloud environment to a different data center region without Client’s prior written authorization.
Without prejudice to Section 7.1, CARET may access and Process Personal Data on a global basis as necessary to perform any duties or obligations CARET is required to perform pursuant to any applicable Incorporating Documents, including for IT security purposes, maintenance and performance of cloud environments and related infrastructure, technical support and change management.
To the extent such global access involves a transfer of Personal Data originating from the European Economic Area (“EEA”) or Switzerland to CARET Affiliates or Third-Party Sub-processors located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to CARET’s Data Transfer Agreement and Swiss-U.S. Privacy Shield Framework.
CARET Affiliates and Third Party Sub-processors
Subject to the terms and restrictions specified in Sections 3.3, 7 and 7.3, Client agrees that CARET may engage CARET Affiliates and Third Party Sub-processors to assist in the performance of any duties or obligations CARET is required to perform pursuant to any applicable Incorporating Documents.
Within fourteen (14) calendar days of CARET providing such notice to Client, Client may object to the intended involvement of a Third Party Sub-processor or CARET Affiliate in the performance of any duties or obligations CARET is required to perform pursuant to any applicable Incorporating Documents, providing objectively justifiable grounds related to the ability of such Third Party Sub-processor or CARET Affiliate to adequately protect Personal Data in accordance with Applicable Data Protection Law in writing by submitting a “service request” via CARET Support, or other applicable primary support tool provided for the Services. In the event Client’s objection is justified, Client and CARET will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third Party Sub-processor’s or CARET Affiliate’s compliance with this Data Processing Addendum and Applicable Data Protection Law, or the performance of any duties or obligations CARET is required to perform pursuant to any applicable Incorporating Documents without the involvement of such Third Party Sub-processor. To the extent Client and CARET do not reach a mutually acceptable resolution within a reasonable timeframe, Client shall have the right to terminate the relevant agreement for products or services (i) upon serving prior notice in accordance with the terms set forth in the applicable Incorporating Documents; and (ii) without relieving Client from Client’s payment obligations under the Service Order Form(s) and applicable Incorporating Documents.
The CARET Affiliates and Third Party Sub-processors are required to abide by the same level of data protection and security as CARET under this Data Processing Addendum as applicable to their Processing of Personal Data. Client may request that CARET audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Client in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to verify compliance with such obligations. Client will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of CARET’s agreement with any Third Party Sub-processors and CARET Affiliates that may Process Personal Data.
CARET remains responsible at all times for the performance of the CARET Affiliates’ and Third Party Sub-processors’ obligations in compliance with the terms of this Data Processing Addendum and Applicable Data Protection Law.
For more information on our Sub-processors, see here.
Technical and Organizational Measures, and Confidentiality of Processing
CARET has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data. These measures take into account the nature, scope and purposes of Processing as specified in this Data Processing Addendum, and are intended to protect Personal Data against the risks inherent to the Processing of Personal Data in the performance of any duties or obligations CARET is required to perform pursuant to any applicable Incorporating Documents, in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
In particular, CARET has implemented the physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures specified in the applicable Incorporating Documents. Client is advised to carefully review the applicable Incorporating Documents to understand which specific security measures and practices apply to the particular products or services ordered by Client, and to ensure that these measures and practices are appropriate for the Processing of Personal Data pursuant to this Data Processing Addendum.
All CARET and CARET Affiliate staff, as well as any Third Party Sub-processors that may have access to Personal Data are subject to appropriate confidentiality arrangements.
Audit Rights and Cooperation with Client and Client’s Supervisory Authorities
Client may audit CARET’s compliance with its obligations under this Data Processing Addendum up to once per year. In addition, to the extent required by Applicable Data Protection Law, including where mandated by Client’s Supervisory Authority, Client or Client’s Supervisory Authority may perform more frequent audits, including inspections of the Cloud Service data center facility that Processes Personal Data. CARET will contribute to such audits by providing Client or Client’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the products or services ordered by Client.
If a third party is to conduct the audit, the third party must be mutually agreed to by Client and CARET (except if such third party is a competent Supervisory Authority). CARET will not unreasonably withhold its consent to a third-party auditor requested by Client. The third party must execute a written confidentiality agreement acceptable to CARET or otherwise be bound by a statutory confidentiality obligation before conducting the audit.
To request an audit, Client must submit a detailed proposed audit plan to CARET at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. CARET will review the proposed audit plan and provide Client with any concerns or questions (for example, any request for information that could compromise CARET security, privacy, employment or other relevant policies). CARET will work cooperatively with Client to agree on a final audit plan.
If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third-party auditor within the prior twelve months and CARET provides such report to Client confirming there are no known material changes in the controls audited, Client agrees to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same controls covered by the report.
The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and CARET’s health and safety or other relevant policies, and may not unreasonably interfere with CARET business activities.
Client will provide CARET any audit reports generated in connection with any audit under this Section 10, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Addendum. The audit reports shall be and shall remain the Confidential Information of the parties under the terms of the applicable Service Order Form and/or applicable Incorporating Documents.
All audits are at Client’s expense. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by CARET to provide assistance with an audit that requires the use of resources different from or in addition to any duties or obligations CARET is required to perform pursuant to any applicable Incorporating Documents.
Incident Management and Personal Data Breach Notification
CARET promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or Processing of Personal Data (“Incident”). All CARET and CARET Affiliates’ staff that have access to or Process Personal Data are instructed on responding to Incidents, including prompt internal reporting, escalation procedures, and chain of custody practices to secure relevant evidence. CARET’s agreements with Third Party Sub-processors contain similar Incident reporting obligations.
In order to address an Incident, CARET defines escalation paths and response teams involving internal functions such as Information Security and Legal. The goal of CARET’s Incident response will be to restore the confidentiality, integrity, and availability of any applicable cloud environment and the Personal Data that may be contained therein, and to establish root cause(s) and remediation steps. Depending on the nature and scope of the Incident, CARET may also involve and work with Client and outside law enforcement to respond to the Incident.
To the extent CARET becomes aware and determines that an Incident qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on CARET systems or the applicable cloud environment that compromises the security, confidentiality or integrity of such Personal Data (“Personal Data Breach”), CARET will inform Client of such Personal Data Breach without undue delay but at the latest within 72 hours.
CARET will take reasonable measures designed to identify the root cause(s) of the Personal Data Breach, mitigate any possible adverse effects and prevent a recurrence. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to CARET and to the extent permitted by law, CARET will provide Client with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; (iii) where possible, the categories of Personal Data and Data Subjects including an approximate number of Personal Data records and Data Subjects that were the subject of the Personal Data Breach; and (iv) other information concerning the Personal Data Breach reasonably known or available to CARET that Client may be required to disclose to a Supervisory Authority or affected Data Subject(s).
Unless otherwise required under Applicable Data Protection Law, the parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant Supervisory Authorities.
Return and Deletion of Personal Data upon Termination of Client’s Subscription Agreement or Client’s Cloud Services Agreement
Following termination of CARET’s obligations to provide products or services pursuant to a Service Order Form and/or any Incorporating Documents, CARET will return or otherwise make available for retrieval Client’s Personal Data, unless otherwise expressly stated in the applicable Service Order Form and/or applicable Incorporating Documents. For any products or services where data retrieval functionality is not provided by CARET as part of the applicable product or service, Client is advised to take appropriate action to back up or otherwise store separately any Personal Data.
Upon termination of CARET’s duty to provide products or services or upon expiry of the retrieval period following termination of the applicable cloud environment (if available), CARET will promptly delete all copies of Personal Data from CARET’s systems or applicable cloud environment by rendering such Personal Data unrecoverable, except as may be required by law. CARET’s data deletion practices are described in more detail in the applicable Incorporating Documents.
Legally Required Disclosure Requests
If CARET receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to the Processing of Personal Data (“Disclosure Request”), it will promptly pass on such Disclosure Request to Client without responding to it, unless otherwise required by applicable law (including to provide an acknowledgement of receipt to the authority that made the Disclosure Request).
At Client’s request, CARET will provide Client with reasonable information in its possession that may be responsive to the Disclosure Request and any assistance reasonably required for Client to respond to the Disclosure Request in a timely manner.
If Client has any questions or concerns regarding the terms and conditions set forth in this Data Processing Addendum, Client may write to us at compliance@getCARET.com or by mail to:
Attn: Sr. Cyber Security & Compliance Engineer
3262 Holiday Court
La Jolla, CA 92037
If Client has appointed a Data Protection Officer, Client may request CARET to include the contact details of Client’s Data Protection Officer in a Service Order Form, or may subsequently communicate the relevant contact details to CARET by submitting a “service request” via https://portal.abacusnext.com.