Data Protection Addendum (DPA)
This Data Protection Addendum (“DPA”) to the Agreement (“Agreement”) is entered into by and between Customer (who may also be identified in this DPA as “Controller”, or “Exporter”) and YourSix Inc., a United States company with offices at 1611 County Road B West Suite 221, Roseville, MN, United States (“YourSix”, “Processor”, or “Importer”), each a “Party” and collectively the “Parties.”
Capitalized terms in this DPA not otherwise defined in this Addendum or in the Agreement shall have the meaning ascribed to them in applicable data protection laws, including but not limited to, the European Union General Data Protection Regulation (hereinafter the “GDPR”), the United Kingdom Data Protection Act 2018, 2018 c. 12 (hereinafter the “UK Data Protection Act”), and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (hereinafter the “CCPA”).
PREAMBLE
Whereas, YourSix and Customer have entered into the Agreement whereby YourSix will provide the YourSix Solution to Customer;
Whereas, Customer may have employees, agents, or clients located in the European Union (EU), European Economic Area (EEA), and/or the United Kingdom (UK);
Whereas, Customer may have employees, agents, or clients located in the state of California;
Whereas, Under the terms of the Agreement, YourSix may carry out data processing activities on behalf of Customer in relation to Personal Data of individuals located in the EU/EEA and/or UK, to which activities the GDPR, UK Data Protection Act, or CCPA may apply;
Whereas, For the purposes of this DPA, Customer is considered a “Data Controller” and YourSix is considered a “Data Processor” or “Service Provider” as defined by the GDPR, UK Data Protection Act, or CCPA, as applicable;
Whereas, The Parties have agreed in those cases where YourSix or any of its affiliates, which Process Personal Data on Customer’s behalf, is established outside the EU/EEA or UK or in a country which does not ensure an adequate level of data protection by a European Commission Decision pursuant to the GDPR or UK Data Protection Act, to enter into the appropriate standard contractual clauses to secure the international transfer of Personal Data;
Whereas, Therefore, the Parties mutually agree to execute this DPA in order to meet the European Union and United Kingdom privacy law requirements, as applicable, by adopting the substantial contents of the EU Model Clauses for Processors and the UK Model Clauses for Processors.
Whereas, For this purpose, the present DPA sets forth the terms that follow and contains the following Attachments and Annexes:
Attachment 1: Contains the details of the Parties, data subjects, categories of data, and processing operations covered by this Addendum as required for the adoption of Standard Contractual Clauses (as defined below);
Attachment 2: Contains a description of the technical and organisational security measures implemented by the data importer as required for the adoption of Standard Contractual Clauses (as defined below);
Annex A: Contains the contractual clauses set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries, adopted by the Parties as their own contractual clauses where applicable, and as modified by Attachments 1 and 2;
Annex B: Contains the contractual clauses set forth by the UK pursuant to the UK Data Protection Act and the Data Protection, Privacy and Electronic Communications Regulations 2019, 2019 No. 419, adopted by the Parties as their own contractual clauses where applicable, and as modified by Attachments 1 and 2;
NOW THEREFORE, in consideration of the mutual obligations set out herein, and intending to be legally bound, the parties hereby agree to the terms and conditions set out below.
1. Definitions
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 “Applicable Laws” means any applicable federal, state, and/or international law in respect of which Customer and/or YourSix is subject, including, to the extent applicable, the European Union’s General Data Protection Regulation 2016/679, laws implementing or supplementing the GDPR, the United Kingdom Data Protection Act of 2018, 2018 c 12, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and the data protection or privacy laws of other countries;
1.1.2 “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
1.1.3 “Personal Data” means any information relating to a Data Subject;
1.1.4 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed;
1.1.5 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
1.1.6 “Restricted Transfer” means:
1.1.6.1 a transfer of Customer Data between Customer and YourSix; or
1.1.6.2 an onward transfer of Customer Data between YourSix and a Subprocessor or between two establishments of YourSix or a Subprocessor,
in each case, where such transfer would cause Customer Data to be transferred to any jurisdiction outside the United Kingdom, the European Union, or the European Economic Area for which the applicable regulatory body has not adopted an adequacy decision or adequacy regulation;
1.1.7 “Services” means the services and other activities to be supplied to or carried out by or on behalf of YourSix for Customer pursuant to the Agreement;
1.1.8 “Standard Contractual Clauses” means the contractual clauses set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4th June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries or the contractual clauses set forth by the UK pursuant to the UK Data Protection Act and the Data Protection, Privacy and Electronic Communications Regulations 2019, 2019 No. 419, as applicable;
1.1.9 “Subprocessor” means any person or entity appointed by or on behalf of YourSix to Process Personal Data on behalf of Customer in connection with the Agreement; and
1.1.10 “Customer Data” means any Personal Data Processed by YourSix on behalf of Customer pursuant to or in connection with the Agreement.
1.2 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Processing of Customer Data
2.1 Customer shall determine the purpose and means of YourSix’s Processing of Customer Data.
2.2 YourSix shall:
2.2.1 comply with all Applicable Laws in the Processing of Customer Data;
2.2.2 use Customer Data only for the purpose of fulfilling its respective duties and providing Services under the Agreement; and
2.2.3 not otherwise Process Customer Data other than on Customer’s documented instructions unless Processing is required by Applicable Laws to which YourSix is subject, in which case YourSix shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the relevant Processing of that Personal Data.
2.3 Customer instructs YourSix (and authorizes YourSix to instruct each Subprocessor) to:
2.3.1 Process Customer Data; and
2.3.2 in particular, transfer Customer Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement.
2.4 YourSix shall immediately notify Customer of any changes in relation to the Processing that are likely to result in a high risk to the rights and freedoms of natural persons.
2.5 Attachment 1 to this Addendum sets out certain information regarding YourSix’s Processing of the Customer Data. Customer may make reasonable amendments to Attachment 1 by written notice to YourSix from time to time as Customer reasonably considers necessary to meet those requirements.
3. YourSix Personnel
3.1 YourSix shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to the Customer Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access Customer Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, YourSix shall in relation to the Customer Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (“Data Security Standards”), including, as appropriate:
4.1.1 the pseudonymisation and encryption of Customer Data;
4.1.2 the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
4.1.3 the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and
4.1.4 a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5. Subprocessing
5.1 Customer authorises YourSix to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
5.2 The Subprocessors for the Services used by YourSix are identified in Attachment 1 to this DPA. YourSix may continue to use those Subprocessors, identified in Attachment 1, already engaged by YourSix as of the date of this Addendum, subject to YourSix in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 YourSix shall give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within thirty (30) days of receipt of that notice, Customer notifies YourSix in writing of any objections (on reasonable grounds) to the proposed appointment then YourSix shall not appoint (nor disclose Customer Data to) the proposed Subprocessor except with the prior written consent of Customer.
5.4 YourSix shall ensure that each Subprocessor performs the obligations under this Addendum as they apply to the Processing of Customer Data as if each Subprocessor were party to this Addendum in place of YourSix. Where a Subprocessor fails to fulfil its data protection obligations, YourSix shall remain fully liable to Customer for the performance of such Subprocessor’s obligations.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, YourSix shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under any Applicable Laws.
6.2 YourSix shall:
6.2.1 promptly notify Customer if YourSix receives a request from a Data Subject under any Applicable Law in respect of Customer Data; and
6.2.2 not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which YourSix is subject, in which case YourSix shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before YourSix responds to the request.
7. Personal Data Breach
7.1 YourSix shall notify Customer without undue delay (but in no more than 24 hours) upon YourSix becoming aware of an actual or reasonably suspected Personal Data Breach affecting Customer Data, providing Customer with sufficient information to allow Customer to meet any reporting or notification obligations. Such notification shall as a minimum:
7.1.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
7.1.2 communicate the name and contact details of YourSix’s data protection officer or other relevant contact from whom more information may be obtained;
7.1.3 describe the likely consequences of the Personal Data Breach; and
7.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.
7.2 Notifications made pursuant to section 7.1 shall be directed to the point of contact listed in the agreement covering the Services provided to Customer.
7.3 YourSix shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of any Personal Data Breach.
7.4 In the event of a Personal Data Breach, YourSix is not authorized to notify a data protection or other authority, the Data Subjects concerned, or any other third parties unless YourSix is required to do so under Applicable Laws. In such event, YourSix shall, to the extent permitted under Applicable Laws, liaise and coordinate with Customer prior to making a notification. The parties shall use their best efforts to agree on a joint approach with a view to prevent any contradicting or inconclusive notifications. This includes providing each other with the details of any notification and the date and time on which notification will be made.
8. Data Protection Impact Assessment and Prior Consultation
8.1 YourSix shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with data privacy authorities which Customer reasonably considers to be required of Customer by any Applicable Laws, in each case solely in relation to Processing of Customer Data by, and taking into account the nature of the Processing and information available to, YourSix.
8.2 YourSix shall without undue delay (but in no more than 24 hours), and to the extent it is permitted to do so by Applicable Laws, inform Customer about (i) any audits, inquiries, orders, administrative or criminal charges, and any other measures or proceedings (including involving Subprocessors) taken by data protection authorities or other public authorities; (ii) any complaints, claims, or civil proceedings initiated by third parties, and (iii) any subpoenas, search warrants, or discovery requests, to the extent that these relate to Customer Data or YourSix’s obligations under this Addendum.
9. Deletion or Return of Customer Data
9.1 Subject to sections 9.2 and 9.3, YourSix shall promptly and in any event no later than thirty (30) days after the date of cessation of any Services involving the Processing of Customer Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Data by YourSix. As used in this section 9, “delete” means to remove or obliterate Customer Data such that it cannot be recovered or reconstructed.
9.2 YourSix may retain Customer Data only to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that YourSix shall ensure the confidentiality of all such Customer Data and shall ensure that such Customer Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its retention and for no other purpose.
9.3 YourSix shall provide written confirmation to Customer that it has fully complied with this section 9 within sixty (60) days of the Cessation Date, when requested by Customer.
10. Audit Rights
10.1 YourSix shall make available to Customer on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Data by YourSix. YourSix shall immediately inform Customer if, in its opinion, an instruction pursuant to this section 10 infringes any Applicable Laws.
10.2 Each party shall bear its own costs with respect to any audit unless (i) the audit is performed because YourSix has given Customer the notice required by section 2.4 or (ii) it is determined that YourSix has breached this Addendum, in which case YourSix shall reimburse Customer for all necessarily incurred costs resulting from the audit.
11. Transfer Mechanisms for United Kingdom and European Data Restricted Transfers
11.1 European Union and European Economic Area. YourSix agrees that it shall abide by the relevant terms of the Standard Contractual Clauses incorporated as Annex A to this Addendum for Restricted Transfers outside of the European Union and European Economic Area (“EU SCCs”). The EU SCCs shall apply to YourSix in its role as the “data importer.” The EU SCCs shall apply to Customer in its role as the “data exporter.” YourSix agrees that, as provided in the EU SCCs, Data Subjects shall be third party beneficiaries to the EU SCCs. In addition, Customer and YourSix hereby agree that the security provisions in the Agreement shall apply to Annex II of the EU SCCs.
11.2 United Kingdom. YourSix agrees that it shall abide by the relevant terms of the Standard Contractual Clauses incorporated as Annex B to this Addendum for Restricted Transfers outside of the United Kingdom (“UK SCCs”). The UK SCCs shall apply to YourSix in its role as the “data importer.” The UK SCCs shall apply to Customer in its role as the “data exporter.” YourSix agrees that, as provided in the UK SCCs, Data Subjects shall be third party beneficiaries to the UK SCCs.
11.3 YourSix warrants and represents that, before the commencement of any Restricted Transfer to a Subprocessor, YourSix’s entry into the EU SCCs and UK SCCs under sections 11.1 and 11.2, and agreement to variations to those SCCs made under section 12.5.1, as agent for and on behalf of that Subprocessor will have been duly and effectively authorized (or subsequently ratified) by that Subprocessor.
12. General Terms
Notifications
12.1 Any notifications made to Customer pursuant to this Addendum shall be directed to the point of contact listed in the agreement covering the Services provided to Customer.
Governing law and jurisdiction
12.2 Without prejudice to clauses 17 (Governing Law) and 18 (Choice of Forum and Jurisdiction) of the EU SCCs, and clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the UK SCCs:
12.2.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
12.2.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of precedence
12.3 Nothing in this Addendum reduces YourSix’s obligations under the Agreement in relation to the protection of Customer Data or permits YourSix to Process (or permit the Processing of) Customer Data in a manner which is prohibited by the Agreement.
12.4 In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail. Notwithstanding the foregoing, in the event of any conflict or inconsistency between this Addendum and the applicable set of Standard Contractual Clauses (EU SCCs or UK SCCs), the applicable set of Standard Contractual Clauses shall prevail.
Changes in Applicable Laws
12.5 Customer may:
12.5.1 by at least thirty (30) days’ written notice to YourSix from time to time make any variations to the EU SCCs or UK SCCs (including any standard contractual clauses entered into under section 11.1), as they apply to Restricted Transfers which are subject to a particular Applicable Law, which are required, as a result of any change in, or decision of a competent authority under, that Applicable Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Applicable Law; and
12.5.2 propose any other variations to this Addendum which Customer reasonably considers to be necessary to address the requirements of any Applicable Law.
12.6 If Customer gives notice under section 12.5.1, YourSix shall promptly cooperate (and ensure that any affected Subprocessors promptly cooperate) to ensure that equivalent variations are made to any agreement put in place under section 5.
12.7 If Customer gives notice under section 12.5.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s notice as soon as is reasonably practicable.
12.8 Neither Customer nor YourSix shall require the consent or approval of any YourSix Affiliate to amend this Addendum pursuant to this section 12 or otherwise.
Breach
12.9 In the event of a material breach of YourSix’s duties and obligations under this Addendum which affects the confidentiality, integrity, or security of Customer Data, Customer shall be entitled to terminate this Addendum and the Agreement for cause with immediate effect. If Customer terminates this Addendum and the Agreement pursuant to this Section 12.9, (i) all obligations of YourSix and all rights that Customer has under this Addendum shall survive termination and remain in full force and effect, and (ii) any fees/charges paid in advance by Customer will be pro-rated and promptly refunded by YourSix.
Severance
12.10 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement upon the Parties’ execution of the Agreement.
ATTACHMENT 1: DETAILS OF PROCESSING OF CUSTOMER DATA
This Attachment 1 includes certain details of the Processing of Customer Data and amends the Standard Contractual Clauses incorporated in this DPA as Annex A and Annex B, as applicable.
The Parties:
Data Exporter: Data Exporter’s Contact Information and Execution of the Agreement may be found in the Agreement in which this DPA is incorporated.
Role: Controller
Data Importer:
Name: YourSix
Address: 1611 County Road B West Suite 221, Roseville, MN, United States
Contact person’s name, position and contact details:
Christine Wetton
Chief Risk and Compliance Officer
Activities relevant to the data transferred under these Clauses:
Sales, support, and processing of surveillance footage of Customer business locations and neighboring areas pursuant to the Agreement between the Parties.
Role: Processor
Categories of data subjects whose personal data is transferred:
Employees, agents, clients, and visitors of Customer.
Categories of Personal Data Transferred:
The categories of personal data transferred may include data subjects’:
- Name
- Phone number
- Tax identification number
- Fingerprints
- Photographs, video images, and likeness
- Dates and times of entry and exit from Customer’s places of business
- Emergency contacts.
The types of Customer Data to be Processed
Personal data of data subjects falling within the categories set forth in the sections immediately preceding and following this section.
Sensitive Data Transferred:
Sensitive data to be processed may include data subjects’ race/ethnic group, biometric data, and trade union membership. Sensitive data will be safeguarded in accordance with the policies and procedures referenced in Attachment 2 to this DPA.
The frequency of the transfer:
Daily while the agreement between the Parties is in effect.
Nature of the Processing:
Collection, maintenance, and transmission as directed by Customer.
The period for which the personal data will be retained, or if that is not possible, the criteria used to determine the period:
Data will be retained as long as the agreement between the Parties is in effect.
Competent Supervisory Authority:
The Republic of Ireland for transfers from the EU or EEA; the United Kingdom for transfers from the United Kingdom.
List of Sub-Processors:
N/A
ATTACHMENT 2: Technical and Organizational Measures including Technical and Organizational Measures to ensure the Security of the Data
This Attachment describes the technical and organizational security measures and related policies and procedures that YourSix and any other data importer shall, as a minimum, implement and maintain to protect the security of Processing of Personal Data under the Agreement, taking into account the nature of the Processing and the risks associated therewith.
As set forth in its written information security policy, YourSix has implemented reasonable technical, physical, and organizational measures concerning data security as related to the processing of Personal Data. All devices entering the cloud environment are required to be pre-authorized via a serial number and owner authentication key. After being connected to the cloud platform for the first time, each device is forced through the public key infrastructure (PKI) system that YourSix has deployed for managing and enforcing SSL handshakes between each device and the cloud. After the initial auto-deployment of device certificates is complete, modern versions of TLS are leveraged for device, user and cloud communications to encrypt data in transit. Additionally, YourSix leverages disk-level encryption to ensure that Personal Data is encrypted at rest. Further device security measures are also implemented with a goal of preventing the misuse of default passwords. All devices entering the YourSix cloud environment receive a randomized key for authenticating against the root user that is native to each device.
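The device-onboarding gate described above (pre-authorization by serial number and owner authentication key, followed by issuance of a randomized per-device root credential) can be modelled in a few dozen lines. The following is an added illustration, not YourSix’s code; the registry contents, key formats, class and function names (`EnrollmentGate`, `PREAUTHORIZED`, `verify_root`) and the audit-log format are constructed assumptions. It shows the checks a defender would expect at that step: unknown serials are refused before any key comparison, the owner key is compared in constant time against a stored hash rather than the key itself, each device receives a distinct random root credential so no vendor default survives enrollment, and every decision is recorded for later review.

```python
"""Illustrative device enrollment gate (added example, not YourSix's code).

Models the onboarding flow described in Attachment 2: a device joins the
cloud only if its serial number is pre-authorized and the presented owner
authentication key matches; it then receives a randomized per-device root
credential. Registry contents and names below are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def _h(value: str) -> str:
    """SHA-256 hex digest; the registry stores hashes, not raw keys."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed pre-authorization registry: serial -> hash of the owner key.
PREAUTHORIZED: Dict[str, str] = {
    "SN-0001": _h("owner-key-alpha"),  # constructed sample values
    "SN-0002": _h("owner-key-bravo"),
}


@dataclass
class EnrollmentResult:
    accepted: bool
    reason: str
    root_credential: Optional[str] = None  # issued only on success


class EnrollmentGate:
    def __init__(self, registry: Dict[str, str]) -> None:
        self._registry = dict(registry)
        self._enrolled: Dict[str, str] = {}  # serial -> hash of root credential
        self.audit_log: List[str] = []       # one line per decision, for review

    def enroll(self, serial: str, owner_key: str) -> EnrollmentResult:
        expected = self._registry.get(serial)
        if expected is None:
            # Refuse unknown hardware before touching the key at all.
            self.audit_log.append(f"REJECT serial={serial} reason=unknown-serial")
            return EnrollmentResult(False, "unknown serial")
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, _h(owner_key)):
            self.audit_log.append(f"REJECT serial={serial} reason=bad-owner-key")
            return EnrollmentResult(False, "owner key mismatch")
        if serial in self._enrolled:
            # A second enrollment of the same serial is a sign of cloning or
            # replay and must not silently rotate the existing credential.
            self.audit_log.append(f"REJECT serial={serial} reason=already-enrolled")
            return EnrollmentResult(False, "already enrolled")
        # Fresh random root credential per device; replaces any vendor default.
        credential = secrets.token_urlsafe(32)
        self._enrolled[serial] = _h(credential)
        self.audit_log.append(f"ACCEPT serial={serial}")
        return EnrollmentResult(True, "enrolled", credential)

    def verify_root(self, serial: str, credential: str) -> bool:
        """Check a later root login against the stored credential hash."""
        stored = self._enrolled.get(serial)
        return stored is not None and hmac.compare_digest(stored, _h(credential))


if __name__ == "__main__":
    gate = EnrollmentGate(PREAUTHORIZED)
    print(gate.enroll("SN-9999", "owner-key-alpha"))   # unknown serial
    print(gate.enroll("SN-0001", "not-the-key"))       # wrong owner key
    print(gate.enroll("SN-0001", "owner-key-alpha"))   # accepted, credential issued
    print("\n".join(gate.audit_log))
```

Storing the SHA-256 of the owner key and of the issued root credential means a leaked registry does not directly yield working credentials, and `hmac.compare_digest` keeps the comparison independent of where a mismatch occurs; the audit log is what the later paragraph's "logs associated with user logins and other events" would draw on.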
YourSix greatly limits access to administrative settings and pages of the cloud platform, as well as the underlying architecture, to only those individuals who must have access to provide our customers with support. YourSix has implemented intrusion detection and prevention systems, web application firewalls, and DDoS mitigation. YourSix maintains logs associated with user logins and other events for historical, threat avoidance, and other security purposes.
Updated: March 23, 2022