
Data Processing Agreement for RequirementONE SaaS and Private Cloud Services (“Data Processing Agreement”)

Last Modified: November 15, 2019

1. Definitions

Applicable Data Protection Law means all data privacy or data protection laws or regulations globally that apply to the Processing of Personal Information under this Data Processing Agreement.

Applicable European Data Protection Law means (i) the EU General Data Protection Regulation EU/2016/679, as supplemented by applicable EU Member State law and as incorporated into the EEA Agreement; (ii) the Swiss Federal Act of 19 June 1992 on Data Protection, as amended; and (iii) the UK Data Protection Act 2018.

Europe means for the purposes of this Data Processing Agreement (i) the European Economic Area, consisting of the EU Member States, Iceland, Liechtenstein and Norway; (ii) Switzerland; and (iii) the UK after it withdraws from the EU.

Individual shall have the same meaning as the term “data subject” or the equivalent term under Applicable Data Protection Law.

Process/Processing, Controller, Processor, Binding Corporate Rules (or the equivalent terms) have the meaning set forth under Applicable Data Protection Law.

RequirementONE Processor Code means RequirementONE’s Privacy Code for Processing Personal Information of Customer Individuals referenced in the European DPA Addendum.

RequirementONE means RequirementONE INC.

Order means an agreement You have made with RequirementONE for RequirementONE Services.

Personal Information shall have the same meaning as the term “personal data”, “personally identifiable information (PII)” or the equivalent term under Applicable Data Protection Law.

Personal Information Breach means a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed on RequirementONE systems or the Services environment that compromises the security, confidentiality or integrity of such Personal Information.

Regulator shall have the same meaning as the term “supervisory authority”, “data protection authority” or the equivalent term under Applicable Data Protection Law.

Subscription means the SaaS, Private Cloud, Apps, Automation, Reporting, Customer Success or Professional services specified in the Subscription Agreement.

Subscription Period means the term specified for You to receive the Subscription under the Order.

Third-Party Sub-processor means a third party that RequirementONE subcontracts with and which may Process Personal Information.

You or Your means the customer entity that has executed the Agreement.

Other capitalized terms have the definitions provided for them in the Services Agreement.

2. Scope and Applicability

2.1. This Data Processing Agreement applies to RequirementONE’s Processing of Personal Information on Your behalf as a Processor for the provision of the Subscription specified in Your Order. Unless otherwise expressly stated in Your Order, this version of the Data Processing Agreement shall be effective and remain in force for the Subscription Period.

2.2. In addition, any Processing of Personal Information subject to Applicable European Data Protection Law is subject to the additional terms of the European DPA Addendum set out in Exhibit 1.

3. Responsibility for Processing of Personal Information and Your instructions

3.1. You are a Controller and RequirementONE is a Processor for the Processing of Personal Information as part of the provision of the Services. Each party is responsible for compliance with its respective obligations under Applicable Data Protection Law.

3.2. RequirementONE will Process Personal Information solely for the purpose of providing the Subscription in accordance with the Order and this Data Processing Agreement.

3.3. In addition to Your instructions incorporated into the Subscription Agreement, You may provide additional instructions in writing to RequirementONE with regard to Processing of Personal Information in accordance with Applicable Data Protection Law. RequirementONE will promptly comply with all such instructions to the extent necessary for RequirementONE to

(i) comply with its Processor obligations under Applicable Data Protection Law; or
(ii) assist You to comply with Your Controller obligations under Applicable Data Protection Law relevant to Your use of the Subscription.

3.4. RequirementONE will follow Your instructions at no additional cost to You and within the time-frames reasonably necessary for You to comply with your obligations under Applicable Data Protection Law, unless RequirementONE is informed that to comply will incur additional charges or fees not covered by the fees for Subscriptions payable under the Subscription Agreement, such as additional license or third-party contractor fees. Should this be the case, RequirementONE will promptly inform You thereof upon receiving this information. Without prejudice to RequirementONE’s obligation to comply with Your instructions, the parties will then negotiate in good faith with respect to any such charges or fees.

3.5. Unless otherwise specified in the Subscription Agreement, You may not provide RequirementONE with any sensitive or special Personal Information that imposes specific data security or data protection obligations on RequirementONE in addition to or different from those specified in the Data Processing Agreement or Order.

4. Privacy Inquiries and Requests from Individuals

4.1. If You receive a request or inquiry from an Individual related to Personal Information processed by RequirementONE for the provision of Subscription, You can either

(i) securely access Your Subscription environment that holds Personal Information to address the request, or
(ii) to the extent such access is not available to You, submit a request via the RequirementONE Helpdesk with detailed written instructions to RequirementONE on how to assist You with such request.

4.2. If RequirementONE directly receives any requests or inquiries from Individuals that have identified You as the Controller, it will promptly pass on such requests to You without responding to the Individual. Otherwise, RequirementONE will advise the Individual to identify and contact the relevant controller(s).

5. RequirementONE Third-Party Sub-processors

5.1. To the extent RequirementONE engages Third-Party Sub-processors to Process Personal Information, such entities shall be subject to the same level of data protection and security as RequirementONE under the terms of the Order. RequirementONE is responsible for the performance of the Third-Party Sub-processors’ obligations in compliance with the terms of this Data Processing Agreement and Applicable Data Protection Law.

6. Cross-border data transfers

6.1. Without prejudice to any applicable data center restrictions for hosted Subscription specified in Your Order, RequirementONE may Process Your Personal Information globally as necessary to deliver the Subscription.

6.2. To the extent such global access involves a transfer of Personal Information subject to cross-border transfer restrictions under Applicable Data Protection Law, such transfers shall be subject to security and data privacy requirements consistent with the relevant requirements of this Data Processing Agreement and Applicable Data Protection Law.

7. Security and Confidentiality

7.1. RequirementONE has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Information designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These security measures govern all areas of security applicable to the Subscription, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures. Additional details regarding the specific security measures that apply to the Subscription You have ordered are set out in the relevant security practices for the Subscription, which may be obtained by contacting the RequirementONE Helpdesk.

7.2. All RequirementONE and Third-Party Sub-processors that Process Personal Information are subject to appropriate written confidentiality arrangements, including confidentiality agreements, regular training on information protection, and compliance with RequirementONE policies concerning protection of confidential information.

8. Incident Management and Breach Notification

8.1. RequirementONE has implemented controls and policies designed to detect and promptly respond to incidents that create suspicion of or indicate destruction, loss, alteration, unauthorized disclosure or access to Personal Information transmitted, stored or otherwise Processed. RequirementONE will promptly define escalation paths to investigate such incidents in order to confirm if a Personal Information Breach has occurred, and to take reasonable measures designed to identify the root cause(s) of the Personal Information Breach, mitigate any possible adverse effects and prevent a recurrence.

8.2. RequirementONE will notify You of a confirmed Personal Information Breach without undue delay but at the latest within 24 hours. As information regarding the Personal Information Breach is collected or otherwise reasonably becomes available to RequirementONE, RequirementONE will also provide You with

(i) a description of the nature and reasonably anticipated consequences of the Personal Information Breach;
(ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and
(iii) where possible, information about the types of Personal Information that were the subject of the Personal Information Breach.

You agree to coordinate with RequirementONE on the content of Your intended public statements or required notices for the affected Individuals and/or notices to the relevant Regulators regarding the Personal Information Breach.

9. Return and Deletion of Personal Information

9.1. Upon termination of the Subscription, RequirementONE will promptly return or delete any remaining copies of Personal Information on RequirementONE systems or Subscription environments, except as otherwise stated in the Order.

9.2. For Personal Information held on Your Subscription environments, or for Subscriptions for which no data retrieval functionality is provided by RequirementONE as part of the Subscription, You are advised to take appropriate action to back up or otherwise store separately any Personal Information while the production Subscription environment is still active prior to termination.

10. Legal Requirements

10.1. RequirementONE may be required by law to provide access to Personal Information, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement purposes.

10.2. RequirementONE will promptly inform You of requests to provide access to Personal Information, unless otherwise required by law.


Exhibit 1: European Data Processing Addendum for RequirementONE Services (“European DPA Addendum”)

This European DPA Addendum supplements the Data Processing Agreement to include additional Processor terms applicable to the Processing of Personal Information subject to Applicable European Data Protection Law.

Except as expressly stated otherwise in the Data Processing Agreement, the Order or this European DPA Addendum, in the event of any conflict between these documents the following order of precedence applies (in descending order):

(i) this European DPA Addendum;

(ii) the body of the Data Processing Agreement; and

(iii) the Order.

1. Cross-Border Data Transfers

1.1. The RequirementONE Processor Policy applies to the Processing of Personal Information by RequirementONE on Your behalf in its role as a Processor as part of the provision of Services under the Services Agreement and this European DPA Addendum, where such Personal Information is:

(i) subject to any data transfer restrictions under Applicable European Data Protection Law; and
(ii) processed by RequirementONE in a country outside Europe.

1.2. Transfers to Third-Party Sub-processors shall be subject to security and data privacy requirements consistent with the Data Processing Agreement and the Services Agreement.

2. Description of Processing

2.1. Duration of processing activities. RequirementONE may Process Personal Information during the term of the Services Agreement and to perform its obligations under the Data Processing Agreement, unless otherwise required by applicable law.

2.2. Processing activities. RequirementONE may Process Personal Information as necessary to perform the Services, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems and IT infrastructure; and migration, implementation, configuration and performance testing.

2.3. Categories of Personal Information. In order to perform the Services and depending on the Services You have ordered, RequirementONE may Process some or all of the following categories of Personal Information: personal contact information such as name, mobile number, email address, and passwords; employment details including employer name, job title and function, and business contact details; goods and services provided; IP addresses and online behavior and interest data.

2.4. Categories of Data Subjects. Categories of Data Subjects whose Personal Information may be Processed in order to perform the Services may include, among others, Your representatives and end users, such as Your employees, contractors, collaborators, and partners.

2.5. Additional or more specific descriptions of Processing activities, categories of Personal Information and Data Subjects may be described in the Services Agreement.

3. Your Instructions

3.1. Your right to provide instructions to RequirementONE encompasses instructions regarding

(i) data transfers; and
(ii) assistance with Data Subject requests to access, delete or erase, restrict, rectify, receive and transmit (data portability), block access to or object to Processing of specific Personal Information or sets of Personal Information as described in Section 3 of the Data Processing Agreement.

3.2. To the extent required by the Applicable EEA Data Protection Law, RequirementONE will immediately inform You if, in its opinion, Your instruction infringes Applicable European Data Protection Law. You acknowledge and agree that RequirementONE is not responsible for performing legal research and/or for providing legal advice to You.

4. Notice and Objection Right to New Third-Party Sub-processors

4.1. Subject to the terms and restrictions specified in this Section of the European DPA Addendum and the Data Processing Agreement, You provide RequirementONE general written authorization to engage RequirementONE Affiliates and Third-Party Sub-processors to assist in the performance of the Services.

4.2. RequirementONE maintains lists of Third-Party Sub-processors that may Process Personal Information. These lists are available via the RequirementONE Helpdesk.

4.3. Within fourteen (14) calendar days of RequirementONE providing such a list to You, You may object to the involvement of a Third-Party Sub-processor in the performance of the Services, providing objectively justifiable grounds related to the ability of such Third-Party Sub-processor to adequately protect Personal Information in accordance with the Data Processing Agreement or Applicable European Data Protection Law, in writing by submitting a “service request” via the RequirementONE Helpdesk. You and RequirementONE will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third-Party Sub-processor’s or RequirementONE Affiliate’s compliance with the Data Processing Agreement or Applicable European Data Protection Law, or delivering the Services without the involvement of such Third-Party Sub-processor. To the extent You and RequirementONE do not reach a mutually acceptable resolution within a reasonable time frame, You shall have the right to terminate the relevant Services (i) upon serving thirty (30) days prior notice; (ii) without liability to You or RequirementONE; and (iii) without relieving You from Your payment obligations under the Services Agreement up to the date of termination. If the termination in accordance with this Section 4.3 only pertains to a portion of Services under an order, You will enter into an amendment or replacement order to reflect such partial termination.

5. Data Protection Officer

5.1. RequirementONE has appointed a Data Protection Officer who may be contacted via the RequirementONE Helpdesk.


Questions or Additional Information:

If you have questions regarding this Agreement or wish to obtain additional information, please contact us.