Verbit Data Processing Addendum (DPA) for Transcribers
Last updated July 3, 2019
This Data Processing Addendum (“Addendum”) is entered into between you or the entity you represent (the Transcriber, referred to in this Addendum as “Provider”) on behalf of the Provider and all Provider Affiliates (defined below) and VerbIT Software Ltd. (referred to in this Addendum as “Company”) and all Company Affiliates (as defined below). This Addendum forms part of the Terms and Conditions for Transcription Services, entered into by Company and Provider, as may be modified by Company from time to time (“Principal Agreement”). If you, the Provider, do not agree or cannot commit to the protections and limitations on the use of personal data you receive and process while providing the Services and the other obligations and terms set forth in this Addendum, then you may not enter the Principal Agreement and provide Services to Verbit.
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly. Capitalized terms not defined herein shall have the meaning given to them in the Principal Agreement.
1.1.1 “Applicable Laws” means all applicable international, national, federal, and state data protection and privacy laws, including EU Data Protection Laws and other laws with respect to the processing of personal data;
1.1.2 “Company Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.1.3 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;
1.1.4 “Contracted Processor” means Provider or a Subprocessor (as defined below);
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means the GDPR and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements the GDPR, the Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC, or any decision, directive or regulation of the EU Parliament, EU Commission, EU Court of Justice or other body, as any of the above may be amended, replaced or superseded from time to time;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Provider Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Provider, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.1.9 “Services” means the services and other activities to be supplied to or carried out by or on behalf of Provider for the Company pursuant to the Principal Agreement;
1.1.10 “Standard Contractual Clauses” means the European Commission’s approved Standard Contractual Clauses for the transfer of Personal Data from the European Union or the European Economic Area to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, a complete copy of which is set out in Annex 2 to this Addendum. To the extent the European Commission alters the text of such clauses or approves superseding text, Annex 2 to this Addendum shall be deemed amended to reflect the amended or superseding text approved by the European Commission;
1.1.11 “Subprocessor” means any person (including any third party and any Provider Affiliate, but excluding an employee of Provider or any of its subcontractors) appointed by or on behalf of Provider to Process Personal Data on behalf of the Company in connection with the Principal Agreement; and
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Personal Data Types and Processing Purposes
2.1 The Company and the Provider acknowledge that for the purpose of the Data Protection Legislation, the Company is the controller and the Provider is the processor.
2.2 The Company retains control of the Company Personal Data and shall remain responsible for its compliance obligations under applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
2.3 Annex 1 describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Provider may process Company Personal Data.
2.4 Provider shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Applicable Laws and shall make such information available to any supervisory authority on request.
3. Processing of Company Personal Data
3.1 Provider shall:
3.1.1 comply with all Applicable Laws in the Processing of Company Personal Data; and
3.1.2 only Process, and ensure that any person acting under its authority only Processes, Company Personal Data on the Company’s documented instructions. The Provider will not process the Personal Data for any purpose other than complying with such instructions, or in a way that does not comply with this Addendum or Applicable Laws. The Provider must promptly notify the Company if, in its opinion, the Company’s instruction violates any Applicable Laws.
3.1.3 The Provider must promptly comply with any Company request or instruction requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.1.4 Keep Company Personal Data physically separated from other data of Provider or its customers.
3.2 The Provider will maintain the confidentiality of all Company Personal Data and will not disclose Company Personal Data to third parties unless the Company or this Addendum specifically authorizes the disclosure, or as expressly required by law, subject to the following sentence, and solely to the extent required. If a law, court, regulator or supervisory authority requires the Provider to process or disclose Company Personal Data, the Provider must first and promptly inform the Company of the legal or regulatory requirement and give the Company an opportunity to object or challenge the requirement, unless the law prohibits such notice, assist the Company in its lawful efforts to challenge the requirement or restrain the extent of the disclosure, and notify the court, authority or other authority and any additional required recipients that the Company Personal Data is confidential in nature, and request that it be kept in strict confidence.
3.3 The Provider will assist the Company with meeting the Company’s compliance obligations under Applicable Laws, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Applicable Laws.
3.4 Subject to the provisions of this Addendum, the Company instructs Provider (and authorizes Provider to instruct each Subprocessor engaged in accordance with this Addendum) to Process Company Personal Data in order to provide the Services.
4. Provider Personnel
Provider will ensure that all employees, authorized agents or contractors of any Contracted Processor who may have access to the Company Personal Data (a) are informed that the Company Personal Data are confidential in nature, (b) are aware of the Provider’s (or other Contracted Processor’s) obligations with respect to the Company Personal Data, (c) are given appropriate training with respect to the handling of the Company Personal Data; (d) are not given access to the Company Personal Data unless required for the purpose of performing the Services; and (e) are subject to binding written obligations of confidentiality and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider must at all times in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate:
5.1.1 the pseudonymisation and encryption of personal data;
5.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
5.1.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
5.1.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
5.2 In assessing the appropriate level of security, Provider shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
6.1 The Provider may not authorize any third party or Subprocessor to process Company Personal Data without (i) notifying the Company of the location of the processing, and the nature of the processing by the Subprocessor, including all the details requested in Annex 1 (with “Subprocessor” replacing “Provider”); (ii) obtaining the Company’s prior written approval of such Subprocessor; and (iii) complying with the requirements of this Addendum in respect of Subprocessors.
6.2 Those Subprocessors approved as of the commencement of this Addendum, if any, are as set out in Annex 1, including the name, location and contact information of such Subprocessor, and the nature of the processing.
6.3 The Provider may only engage Subprocessors which are capable of performing the obligations of Provider as set forth in this Agreement, and pursuant to a binding written agreement which (i) includes provisions at least as protective of, and restrictive of the processing of the Personal Data, as those set forth in this Addendum, (ii) provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of all Applicable Laws, (iii) otherwise complies with Article 28(4) of the GDPR, and (iv) provides the Company with rights, as a third-party beneficiary, to enforce all terms of, and seek damages under, such agreement in place of the Provider.
6.4 The Provider shall remain fully liable towards the Company for the Subprocessor’s performance of any and all obligations under the respective agreement.
6.5 In the event of any change in the nature, purpose or location of processing by a Subprocessor, or in the identity of the Subprocessor, Provider shall notify Company of such changes and may not continue to transfer the Company Personal Data or otherwise engage the Subprocessor without Company’s written consent.
7. Data Subject Rights
7.1 Taking into account the nature of the Processing, Provider must implement appropriate technical and organizational measures, as may be appropriate, for the fulfilment of the Company’s obligations to respond to requests to exercise Data Subject rights under the Applicable Laws, including without limitation, as such rights and related obligations are set forth in Articles 12 through 23 of the GDPR.
7.2 The Provider must notify the Company immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with Applicable Law.
7.3 The Provider must notify the Company promptly if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under Applicable Law.
7.4 Provider shall have a policy to enable it to comply with any requests made in connection with the Company Personal Data and ensure that its systems and services are designed to enable it to promptly locate the relevant Company Personal Data, respond to such requests and do any other act in respect of the Company Personal Data as may be required under Applicable Laws.
7.5 The Provider will fully cooperate and assist the Company, and comply with the Company’s instructions in connection with responding to any complaint, notice, communication or Data Subject request. Such cooperation shall include: promptly providing the Company with all data requested and implementing technical and organizational measures needed to permit Company to respond to requests or complaints made in respect of the processing of Company Personal Data.
8. Personal Data Breach
8.1 Provider will immediately notify Company, and in any event within 24 hours upon Provider or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data.
8.2 As part of such notice, the Provider shall also provide the Company with the following information:
8.2.1 a description of the nature of the Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
8.2.2 the name and contact information of the relevant personnel which may provide further information;
8.2.3 a description of the likely consequences of the Personal Data Breach; and
8.2.4 a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.3 Without limitation to the above, (i) where such information or other information pertinent to the Personal Data Breach is not initially available, Provider shall provide the Company with such information immediately as it becomes available; and (ii) Provider shall provide such additional information as may be requested by the Company.
8.4 The Provider shall co-operate with Company and comply with Company’s instructions in connection with the investigation, mitigation and remediation of each such Personal Data Breach and fulfillment of obligations pursuant to Applicable Laws.
8.5 The Provider acknowledges and agrees that Company may provide all such information to third parties, including, without limitation, Data Subjects, Supervising Authorities and other governmental entities, its customers and Affiliates, and the general public.
9. Data Protection Impact Assessment and Prior Consultation
Provider shall promptly assist the Company, and provide the Company with all information requested, in connection with any data protection impact assessments (whether conducted by the Company, its customers, competent authorities or other third parties), and prior consultations with Supervising Authorities or other governmental authorities or competent data privacy authorities or other third parties, including, without limitation, those assessments and consultations which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Law.
10. Data Protection Officer
10.1 The Provider shall designate a data protection officer, with sufficient knowledge of data protection law (including, without limitation, the EU Data Protection Laws), in any case where a core activity of the Provider consists of (i) processing operations, which by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or (ii) processing on a large scale of Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or Personal Data relating to criminal convictions and offences.
10.2 Provider shall publish the contact details of the data protection officer and communicate them to Company, and any applicable Supervisory Authority and any third party designated by Company.
11. Deletion or return of Company Personal Data
11.1 Subject to sections 11.2 and 11.3, Provider shall promptly and in any event within thirty (30) days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of such Company Personal Data, if any.
11.2 Subject to section 11.3, Company may in its discretion by written notice to Provider within thirty (30) days of the Cessation Date require Provider to (a) return a complete copy of all Company Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to Provider; or (b) delete and procure the deletion of all other copies of Company Personal Data Processed by any Contracted Processor. Provider shall comply with any such written request within thirty (30) days from receiving such request.
11.3 Each Contracted Processor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Provider shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
12. Audit Rights
12.1 Provider shall make available to Company on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company or any Supervising Authority in relation to the Processing of the Company Personal Data by the Contracted Processors.
12.2 In addition, Provider shall, on Company’s request (i) submit to Company an existing attestation or certificate by an independent professional expert pursuant to standards approved by Supervising Authorities, and (ii) upon reasonable advance notice, during regular business hours and without interrupting Provider’s business operations, permit Company or its designated auditor to conduct an on-site inspection of Provider’s business operations or have the same conducted by a qualified third party which shall not be a competitor of Provider.
13. Cross-Border Transfers of Personal Data
13.1 The Parties hereby enter into the Standard Contractual Clauses and agree that such Standard Contractual Clauses shall apply, as an integral part of this Addendum, to any processing by the Provider of Company Personal Data outside the European Economic Area (EEA) with the Company as the “data exporter” and the Provider as “data importer” as such terms are used in the Standard Contractual Clauses.
13.2 In the event the EC Commission or other appropriate authority amends or replaces the Standard Contractual Clauses, such amended or successor terms shall apply to the processing by the Provider of the Company Personal Data outside the EEA. In the event that it is determined by any competent authority that Standard Contractual Clauses are no longer an appropriate basis for the transfer of Personal Data to countries outside the EEA, the parties shall promptly take all steps reasonably necessary to implement appropriate protections as required by Data Protection Legislation.
13.3 The Provider may not transfer or otherwise process Company Personal Data outside the EEA without obtaining the Company’s prior written consent.
14. Indemnification and Liability
Notwithstanding anything to the contrary in the Principal Agreement, (i) Provider shall indemnify and hold harmless Company and any Company Affiliate against all losses, fines and sanctions arising from any claim by a third party or Supervisory Authority arising from any breach of this Addendum; and (ii) Provider’s liability for any breach of this Addendum shall be unlimited.
15. General Terms
15.1 Governing law and jurisdiction. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
15.1.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
15.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
15.2 Order of precedence.
15.2.1 Nothing in this Addendum reduces Provider’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Provider to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
15.2.2 Subject to section 15.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
15.3 Changes in Applicable Data Protection Laws. The Company may propose any other variations to this Addendum which Provider reasonably considers to be necessary to address the requirements of any Applicable Law. In such case, Provider shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Company.
15.4 Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing of the Company Personal Data are set out in the Principal Agreement and this Addendum.
The nature and purpose of the Processing of Company Personal Data
Providing transcription services of materials provided by the Company’s customers for transcription (“Transcription Materials”).
The types of Company Personal Data to be Processed
Various types of data as included in the Transcription Materials.
The categories of Data Subjects to whom the Company Personal Data relates
Customers of Company who have provided the Transcription Materials or other owners of the Transcription Materials (if they are natural individuals), and any data subjects to which the contents of the Transcription Materials relate.
The obligations and rights of Company and Company Affiliates
The obligations and rights of Company and Company Affiliates are set out in the Principal Agreement and this Addendum.
ANNEX 2: STANDARD CONTRACTUAL CLAUSES [Privacy Shield equivalent – Required only if Company/Provider transfers information from EEA to a not approved country outside EEA & no other appropriate safeguard is in place]
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organization: VerbIT Software Ltd.
Address: Yigal Alon 94, Tel-Aviv, Israel
(the data exporter)
And the Provider as defined in the Data Processing Addendum (and “Transcriber” as defined in the Principal Agreement)
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
The data exporter has entered into a data processing addendum (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is:
VerbIT Software Ltd.
The data importer is:
The Provider as defined in the Data Processing Addendum.
The personal data transferred concern the categories of data subjects described in Annex 1 of the Data Processing Addendum.
Categories of data
The personal data transferred concern the categories of data described in Annex 1 of the Data Processing Addendum.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
As may be included in the Transcription Materials (as defined in Annex 1 of the Data Processing Addendum).
The personal data transferred will be subject to the following basic processing activities:
Provider will access and transcribe the Transcription Materials.
Company will process the data necessary to provide the services, to maintain the platform, to provide IT support, to manage the information provided by the data subject, to enable access, etc.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
The Provider undertakes to fulfil all of Company’s requirements with regard to information security as specified in the Addendum and this Schedule, and as they will be from time to time, and to take strict cautionary measures, and carry out all that is required in all aspects, for the purpose of maintaining the security of the Personal Data in its possession, as described in this Addendum and in accordance with Applicable Laws.
- Data Center & Network Security
(a) Data Centers.
Infrastructure. Provider maintains geographically distributed data centers. Provider stores all production data in physically secure data centers.
Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Processor Services are designed to allow Provider to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard process according to documented procedures.
Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.
Server Operating Systems. Provider servers use hardened operating systems which are customized for the unique server needs of the business. Data is stored using proprietary algorithms to augment data security and redundancy. Provider employs a code review process to increase the security of the code used to provide the Processor Services and enhance the security products in production environments.
Business Continuity. Provider replicates data over multiple systems to help to protect against accidental destruction or loss. Provider has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
(b) Networks & Transmission.
Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Provider transfers data via Internet standard protocols.
External Attack Surface. Provider employs multiple layers of network devices and intrusion detection to protect its external attack surface. Provider considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Provider’s intrusion detection involves:
- Tightly controlling the size and make-up of Provider’s attack surface through preventative measures;
- Employing intelligent detection controls at data entry points; and
- Employing technologies that automatically remedy certain dangerous situations.
Incident Response. Provider monitors a variety of communication channels for security incidents, and Provider’s security personnel will react promptly to known incidents.
Encryption Technologies. Provider makes HTTPS encryption (also referred to as an SSL or TLS connection) available. Provider servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimise the impact of a compromised key, or a cryptographic breakthrough.
- Security of Information Systems
The Provider undertakes to secure its information systems as follows:
Risk Assessments and Penetration Tests. To carry out periodic reviews, vulnerability assessments, penetration tests and risk assessments for the information systems on which the Information is stored, from time to time and as reasonably required, and in any case not less than once per eighteen (18) months, and to immediately take all of the required measures for the purpose of correcting the deficiencies that are discovered as a result of such assessments and checks.
Information Security Technologies. To have suitable information security technologies and measures implemented for the organizational network that will prevent unauthorized access to Company’s Personal Data, and to protect the Provider’s information systems, including workstations, servers, network systems, end user equipment and portable equipment, through industry best-practice information security technologies for the prevention of unauthorized access of information and information systems, including monitoring systems, documentation and alerts on unauthorized access attempts.
Separation of Systems. To separate by logical separation the activities carried out for Company from other processing activities carried out by the Provider. For this purpose, the Provider undertakes to store the Personal Data only on the Provider’s designated central systems and not on personal workstations.
Security Updates. To regularly update the security systems connected to the Personal Data and in accordance with the manufacturer’s guidelines.
Encryption of Data in Public Networks. Not to permit access to the database infrastructure from the internet, and not to transmit the Personal Data over the internet or other public networks, except if the Personal Data is encrypted in an industry best-practice method of encryption and the user identifies him/herself through physical means that are under his/her exclusive control.
Portable Devices. Not to remove from the Provider (for the purpose of repair or any other purpose) digital storage devices that include Company’s Personal Data, not to save Information belonging to Company on mobile devices without first encrypting it with an industry best-practice method of encryption and implementing two-factor authentication mechanisms, and not to remove Personal Data belonging to Company from the Provider on portable media, hard disks and back-up methods without Company’s prior written approval.
- Access and Site Controls
(a) Site Controls.
On-site Data Center Security Operation. Provider’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor Closed Circuit TV (“CCTV”) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.
Data Center Access Procedures. Provider maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorised employees, contractors and visitors are allowed entry to the data centers. Only authorised employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made in advance and in writing, and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.
On-site Data Center Security Devices. Provider’s data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorised activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorised access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on-site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for at least 7 days based on activity.
(b) Access Control.
Infrastructure Security Personnel. Provider has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Provider’s infrastructure security personnel are responsible for the ongoing monitoring of Provider’s security infrastructure, the review of the Processor Services, and responding to security incidents.
Access Control and Privilege Management. Customer’s administrators and users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Processor Services.
Internal Data Access Processes and Policies – Access Policy. Provider’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Provider aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Provider employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. Provider requires the use of unique user IDs, strong passwords, two-factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need-to-know basis. The granting or modification of access rights must also be in accordance with Provider’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g. login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.
(c) Data Storage, Isolation & Authentication.
Provider stores data in a multi-tenant environment on Provider-owned servers. Data, the Processor Services database and file system architecture are replicated between multiple geographically dispersed data centers. Provider logically isolates each customer’s data. A central authentication system is used across all Processor Services to increase uniform security of data.
(d) Decommissioned Disks and Disk Destruction Guidelines.
Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Data Destruction Guidelines”) before leaving Provider’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Data Destruction Guidelines.
- Personnel Security
Provider personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Provider conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Provider’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role. Provider’s personnel will not process Customer Personal Data without authorization.
- Subprocessor Security
Before onboarding Subprocessors, Provider conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Provider has assessed the risks presented by the Subprocessor then, subject always to the requirements set out in Section 11.3 (Requirements for Subprocessor Engagement), the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
- Information Security Supervisor
The Provider undertakes to appoint an Information Security Supervisor who will be responsible for the fulfilment of all of the Provider’s obligations under Applicable Laws, and to appoint a contact person who will be responsible for the implementation of the information security requirements specified in the Addendum and this Schedule.