Vendor Data Processing Addendum

Last Updated: 3/17/2022

This Vendor Data Processing Addendum (“DPA”) is by and between BitSight Technologies, Inc. including its subsidiaries and affiliates (collectively “BitSight”) and the service provider agreeing to these terms (“Vendor”) and forms part of, and is incorporated into, the Main Service Agreement or other written or electronic agreement between Vendor and BitSight for the purchase of services from Vendor (“Agreement”) and applies to the transfer of Personal Data (as defined below) from BitSight to Vendor in relation to the provision of the services described in the Agreement (“Services”).

  • 1. Definitions. The following definitions apply to this DPA:

    • 1.1. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, in each case as amended from time to time, including without limitation the California Consumer Privacy Act of 2018, European Data Protection Laws and Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados.
    •  
    • 1.2. “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor” each has the meaning given to it in Applicable Data Protection Laws.
    •  
    • 1.3. “Data Subject Request” means a Data Subject's request to exercise any rights that person has under Applicable Data Protection Laws in respect of that person’s Personal Data, including, without limitation, any right to access, correct, amend, transfer, obtain a copy of, object to the Processing of, block or delete such Personal Data.
    •  
    • 1.4. “European Data Protection Laws” means the EU’s General Data Protection Regulation 2016/679 (the “EU GDPR”), the EU GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland and the UK Data Protection Act 2018 (the “UK GDPR”), and the Swiss Federal Act on Data Protection, and any other applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument implementing any of the foregoing (in each case as amended, consolidated, re-enacted or replaced from time to time).
    •  
    • 1.5. “Personal Data” means Personal Data as defined by Applicable Data Protection Laws, which is Processed by Vendor on behalf of BitSight in connection with the performance of the Services. Personal Data includes the categories of data listed in Schedule 1 to this DPA.
    •  
    • 1.6. “Regulator” means any regulatory or governmental body, including, without limitation, any supervisory authority with authority over Processing of Personal Data.
    •  
    • 1.7. “Security Incident” means any actual or reasonably suspected (a) accidental, unauthorized or unlawful loss, destruction or theft of Personal Data; (b) unauthorized or unlawful use, disclosure, alteration, encryption, acquisition of or access to, or other unauthorized Processing of Personal Data; or (c) unauthorized access to, use of, inability to access, or malicious infection of, BitSight or Vendor information systems that reasonably may be expected to compromise the privacy, confidentiality or security of Personal Data.
    •  
    • 1.8. “Standard Contractual Clauses” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.
    •  
    • 1.9. “Subcontractor” means a third-party subcontractor engaged by or on behalf of Vendor in accordance with Section 5 of the DPA that will Process Personal Data as part of the Services.
  • 2. Roles of the Parties; Vendor’s Processing of Personal Data

    • 2.1. The parties acknowledge and agree that with regard to Personal Data, BitSight is either a Controller or Processor and Vendor is a Processor or a sub-Processor.
    •  
    • 2.2. Vendor’s Processing of Personal Data shall comply with its obligations under Applicable Data Protection Laws and Vendor shall not perform the Services in a manner that causes BitSight to violate Applicable Data Protection Laws. Without limiting the generality of the foregoing, Vendor shall:
      • 2.2.1. process Personal Data only on BitSight’s behalf and in accordance with BitSight’s instructions, and treat Personal Data as BitSight’s confidential information. BitSight instructs Vendor to Process Personal Data in accordance with the Agreement and to comply with BitSight’s other reasonable instructions (e.g., via email) where such instructions are consistent with the Agreement;
      •  
      • 2.2.2. without limitation of Section 2.2.1, not anonymize, analyze or aggregate Personal Data except as required in connection with the Agreement or with BitSight’s prior written consent;
      •  
      • 2.2.3. notify BitSight in writing immediately if Vendor (a) cannot comply with this DPA or (b) believes in its reasonable opinion that any instruction given by BitSight infringes Applicable Data Protection Laws;
      •  
      • 2.2.4. maintain reasonably detailed records of (a) its Processing activities, (b) its compliance with this DPA and (c) Security Incidents.
      •  
    • 2.3. Other than as expressly permitted herein, by the Agreement, or required by law, Vendor shall not disclose Personal Data to any third parties without BitSight’s prior written consent.
  • 3. Data Subject Requests

    • 3.1. Vendor shall, to the extent permitted by law, notify BitSight promptly upon receipt (and in no event later than 48 hours thereafter) of a Data Subject Request or any other request or complaint of a Data Subject relating to Personal Data. Vendor shall not respond to any such Data Subject Request without BitSight’s prior written instructions.
    •  
    • 3.2. Vendor shall promptly and without undue delay provide such cooperation and assistance as BitSight may reasonably request (including assistance by appropriate technical and organizational measures) in relation to such requests or complaints, including, without limitation, such cooperation and assistance as may be required to allow BitSight to meet any deadlines relating to, or otherwise fulfill its legal obligations in respect of, Data Subject Requests.
  • 4. Vendor Personnel

  • Vendor shall limit access to Personal Data to Vendor personnel who have executed written confidentiality agreements in respect of the Personal Data that survive termination of the personnel engagement.
  • 5. Subcontractors

    • 5.1. Vendor shall ensure that the subcontract entered into with any Subcontractor imposes on the Subcontractor obligations substantially equivalent to those to which Vendor is subject under this DPA.
    •  
    • 5.2. Vendor represents and warrants that prior to permitting any Subcontractor to access Personal Data, Vendor shall conduct a reasonable, documented investigation of such Subcontractor to verify that it is capable of maintaining the privacy, confidentiality and security of Personal Data in compliance with this DPA.
    •  
    • 5.3. Vendor shall not sub-contract any of its Processing activities performed on behalf of BitSight without BitSight’s prior written consent. Vendor shall submit the request for authorization to BitSight at least sixty (60) days prior to the engagement of the Subcontractor. Vendor will make a list of Subcontractors engaged by Vendor available online or, upon BitSight’s request, Vendor will provide to BitSight a list of Subcontractors. This list will serve as Annex III to this DPA.
    •  
    • 5.4. Vendor shall be responsible and liable for the acts, omissions or defaults of its Subcontractors in the performance of obligations under this DPA or otherwise as if they were Vendor’s own acts, omissions or defaults.
  • 6. Security Measures

    • 6.1. Vendor shall take reasonable technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of Vendor systems used for Processing Personal Data and protect against the unlawful destruction, loss, encryption, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise Processed. Without limiting the generality of the foregoing, such measures shall be no less protective of Personal Data than the measures Vendor uses to protect its own information of a similar nature. Vendor shall comply with its written information security policies at all times that it has access to Personal Data. Upon BitSight’s request, Vendor will provide BitSight with additional information about its security measures and controls, including with a list of security measures implemented by Vendor that will serve as Annex II to this DPA.
    •  
    • 6.2. Vendor represents and warrants to BitSight that Vendor’s responses to any information security questionnaire provided by BitSight will remain true and correct in all material respects. Vendor shall promptly notify BitSight of any material change to the facts described in such responses.
  • 7. Security Incidents and Incident Response

    • 7.1. Vendor shall notify BitSight promptly (but in no case later than the expiry of any regulatory or individual notification period which BitSight is subject to under Applicable Data Protection Law) after learning of a Security Incident. Notification must include an email to Vendor’s primary account contact and to BitSight Legal at [email protected].
    •  
    • 7.2. Notification shall include, at a minimum (a) a description of the Incident including impact and likely consequences thereof; (b) the expected resolution time (if it has not already been resolved); (c) corrective measures to be taken, evaluation of alternatives, and next steps; and (d) the name and phone number of the Vendor representative that BitSight may contact to obtain further information and updates.
    •  
    • 7.3. Without limitation of the foregoing, Vendor shall promptly and without undue delay provide BitSight with the following information as it becomes available: (a) a detailed description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned; (b) a description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects; and (c) whether any regulatory authority, the Data Subjects or the media have been informed or are otherwise already aware of the Security Incident, and their response.
    •  
    • 7.4. Vendor shall use best efforts to mitigate and remediate the Security Incident and prevent similar Security Incidents from occurring in the future. Vendor agrees to keep BitSight informed of the progress of such efforts, and to provide BitSight with all facts about the Security Incident as appropriate for BitSight to conduct its own assessment of the risk to Personal Data and BitSight’s business. To the extent Vendor claims privilege over its investigation of the Security Incident, Vendor shall conduct an additional, non-privileged investigation to provide all information about the Security Incident to BitSight that this DPA or the Agreement and Applicable Data Protection Laws require Vendor to provide.
    •  
    • 7.5. At BitSight’s request, Vendor shall notify affected individuals and other parties about the Security Incident in a manner and format determined by BitSight in its sole discretion. BitSight, in its sole discretion, will determine whether to notify Regulators or affected individuals about Security Incidents. The content of any filings, press releases or other communications related to any Security Incident that reference BitSight must, if permitted by law, be approved by BitSight prior to any publication or communication thereof. At BitSight’s request, in communicating with Data Subjects or other parties about the Security Incident, including in connection with any notifications, Vendor will identify itself and not BitSight as the sender of such communications and as the entity that experienced the Security Incident.
  • 8. Security Audits

    • 8.1. Upon reasonable notice, BitSight or its designated third party may audit (a) Vendor’s information security and privacy policies, practices and procedures applicable to the systems, applications, and facilities Processing Personal Data, including inspection of data centers or premises where the Personal Data is stored or accessed from as well as requesting annual certification regarding information security practices; and (b) Vendor’s Processing practices. Vendor shall provide all information and assistance reasonably requested by BitSight in connection with any such audits and inspections, including, without limitation, such information as BitSight requires to demonstrate Vendor’s compliance with this DPA and both parties’ compliance with Applicable Data Protection Laws. Vendor shall as promptly as reasonably practicable take such remedial actions as BitSight may reasonably require following such inspection. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor (“Audit Reports”) within twelve (12) months of BitSight’s audit request and Vendor confirms there are no known material changes in the controls audited, BitSight agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
  • 9. Cross-Border Data Transfer

    • 9.1. Vendor shall not permit Personal Data to be Processed in Russia, China or any country subject to an active sanctions program administered by the Office of Foreign Assets Control of the United States Department of Treasury.
    •  
    • 9.2. To the extent the Services involve a cross-border transfer of Personal Data within the meaning of the European Data Protection Laws, the Parties agree to comply with the Standard Contractual Clauses, which are incorporated herein by reference, in relation to any such transfers. Where Vendor is a Processor, Vendor shall comply with all the obligations of the “data importer” under Module Two of the Standard Contractual Clauses. Where Vendor is a sub-Processor, Vendor shall comply with all the obligations of the “data importer” under Module Three of the Standard Contractual Clauses. In each case, BitSight shall comply with the obligations, and shall have the rights, of the “data exporter” under Module Two and Module Three respectively, of the Standard Contractual Clauses. The Standard Contractual Clauses are completed as follows:
    •  
      • 9.2.1. The optional docking clause in Clause 7 is implemented; Clause 9(a) option 1 is implemented and the time period therein is specified as sixty (60) days; the optional redress clause in Clause 11(a) is struck; Clause 13, (a) paragraph 2 is implemented; Clause 17, option 1 is implemented and the governing law is the law of Portugal; the court in Clause 18(b) are the Courts in Portugal;
      •  
      • 9.2.2. Annex I to the Standard Contractual Clauses shall be completed as follows: For the purposes of Section A (List of Parties) of Annex I, (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the European Union are those set forth in the Main Services Agreement, in an order or as otherwise communicated by each Party to the other Party; (ii) for the purpose of Module 2, BitSight is a Controller, and Vendor is a Processor; for the purpose of Module 3, BitSight is a Processor and Vendor is a Subprocessor; (iii) the activities relevant to the data transferred under the Standard Contractual Clauses relate to the provision of the Vendor Services pursuant to the Main Services Agreement; and (iv) Vendor’s entering into this Data Sharing Agreement shall be treated as Vendor’s signature of Annex I, Section A; For the purposes of Section B (Description of Transfer) of Annex I, (i) categories of data subjects are Data Exporter’s employees, customers, affiliates, contractors and any other individuals that have a relationship with BitSight that are processed or collected by Vendor while providing professional services or application support services as defined by the data exporter under the Main Services Agreement; (ii) categories of personal data transferred are Personal Data submitted, stored, sent by, or received from, BitSight or its users, including names, user IDs, email addresses, IP addresses and other electronic or technical data submitted, stored or sent by users; (iii) the Personal Data processed may also concern the following special categories of data: Racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health details, the commission or alleged commission by an individual of any offence, any proceedings for any offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of any court in such proceedings; (iv) the frequency of the transfer is continuous (for as long as BitSight or users use the Vendor services); (v) the nature of the Processing includes but is not limited to collection, storage, retrieval, use, disclosure, erasure, destruction and access to Personal Data, (vi) the purpose(s) of the transfer and further processing is conducting the operations necessary for the provision of the Vendor services pursuant to the Main Services Agreement, including but not limited to communications regarding the Vendor services, setting up accounts and providing support; (vii) Personal Data will be deleted upon BitSight's request, when no longer needed or six months after account expiration (unless subject to a legal or other obligation for retention). For the purposes of Section C (Competent Supervisory Authority) of Annex I, the competent supervisory authority identified in accordance with Clause 13 is Portugal’s data protection authority (Comissão Nacional de Proteção de Dados (CNPD)).
      •  
      • 9.2.3. The list of security measures in Annex II to the Standard Contractual Clauses and the list of subprocessors currently engaged by Vendor in Annex III to the Standard Contractual Clauses will be provided to BitSight on request and will serve as Annex II and Annex III to this DPA respectively.
      •  
    • 9.3. If required under UK data protection law, the parties enter into and agree to be bound by the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner and as available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”). Part 1 of the UK Addendum will be deemed to be completed like its equivalent provisions in the Standard Contractual Clauses in Section Annex I, Section 1. For the purpose of Table 4 of such Part 1, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is Bitsight. For the purposes of any transfers covered by the UK data protection laws, the Standard Contractual Clauses will be deemed to be amended as set out in Part 2 of the UK Addendum. Any references to EU legislation, EU authorities and the EU Member States in the UK Standard Contractual Clauses are amended to reflect corresponding UK legislation, UK competent authorities as appropriate.
    •  
    • 9.4. Vendor represents and warrants that all other cross-border transfers of Personal Data initiated by Vendor or its Subcontractors shall comply with data transfer requirements under Applicable Data Protection Laws.
  • 10. Co-operation with Regulators and Conduct of Claims

    • 10.1. Vendor shall promptly notify (email is sufficient) BitSight of all inquiries or requests that Vendor receives from a Regulator that relate to the Processing of Personal Data, and cooperate with BitSight in responding to such inquiry or request, in accordance with BitSight’s instructions.
    •  
    • 10.2. In the event that Vendor receives a request, subpoena or other process that would require disclosure, Vendor shall (a) to the extent permitted by law, promptly notify BitSight in writing (email is sufficient) as far in advance as possible of such disclosure or Processing to allow BitSight to seek protective treatment of such Personal Data; (b) reasonably cooperate with BitSight’s efforts to obtain such protective treatment or similar relief; and (c) disclose only that Personal Data required to comply with its legal obligations. BitSight shall have the right, at its sole discretion, to assume control of the defense and settlement of any government proceeding or third-party claim that relates to the Processing of Personal Data, including claims against Vendor or its Subcontractors, provided that BitSight shall not enter into any compromise or settlement of such claim or compromise any such claim without Vendor’s prior written consent if such compromise or settlement would assert any liability against Vendor, increase the liability (including under an indemnity) of Vendor, or impose any obligations or restrictions on Vendor, such as imposing an injunction or other equitable relief upon Vendor. Where required, such consent shall not be unreasonably withheld or delayed. BitSight’s exercise of such right under this Section 10.2 shall (a) not be construed to require BitSight to bear the costs of such defense and settlement and (b) be without prejudice to its contractual, legal, equitable or other rights to seek recovery of such costs.
    •  
    • 10.3. Vendor shall provide BitSight with such assistance and information as BitSight may reasonably request in order for BitSight to comply with any obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of GDPR, respectively.
  • 11. Termination

    • 11.1. This DPA will terminate when Vendor ceases to Process Personal Data, unless otherwise agreed in writing between the parties.
    •  
    • 11.2. On termination of the DPA for whatever reason, or upon written request from BitSight at any time, Vendor shall cease to use or Process any Personal Data, (if requested by BitSight) return a copy of the Personal Data to BitSight, and securely delete or destroy, as applicable, all Personal Data in Vendor’s possession or control (except as otherwise required by law or other express data retention requirements of the Agreement) and certify such secure deletion within 30 days of BitSight’s request.
  • 12. General

    • 12.1. The terms and conditions included in this DPA shall supersede and replace any and all prior data protection or processing agreements or prior versions of the Standard Contractual Clauses or data privacy or data protection terms included in any other agreements between the parties relating to the subject-matter covered by this DPA.
    •  
    • 12.2. Vendor’s obligations under this DPA are in addition to and not in lieu of its obligations under other provisions of the Agreement. If the terms of the Agreement conflict with the terms of this DPA, the terms that afford BitSight greater protection shall apply. In the event of conflicts between the terms of the Standard Contractual Clauses and the Agreement or the DPA, the Standard Contractual Clauses shall prevail.
    •  
    • 12.3. To the extent required by Applicable Data Protection Laws or the Standard Contractual Clauses, this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction specified in the Agreement.
    •  
    • 12.4. With respect to the transfer of Personal Data from BitSight to Vendor under other Applicable Data Protection Laws, the Parties agree to comply with Section 9 above to the extent standard contractual clauses are required to meet legal obligations regarding cross-border transfers under the relevant Applicable Data Protection Laws.