Data Processing Addendum

Last updated: October 10, 2023

This DPA supplements the Agreement and applies exclusively to Ontic’s Processing of Client Personal Data in providing services to Client under the Agreement.

Any capitalized term not defined in this DPA shall have the meaning given to it in the Agreement. This DPA is not intended to remove or lessen Client’s obligations with respect to Personal Data under the Agreement.

1. Definitions

Terms such as “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” that are defined in Article 4 of the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) shall have the meanings assigned to them in such Article. Other capitalized terms not otherwise defined in this DPA shall have the respective meanings assigned to them in this Section 1.

“Affiliate” has the meaning set forth in the Agreement;

“Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, including any applicable US or EU Data Protection Law.

“CCPA” means Section 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations.

“Client Personal Data” means any data that comprises Personal Data of Data Subjects located in the EEA provided by Client to Ontic (“Submitted Data”) or collected by Ontic on behalf of Client (“Returned Data”).

“EEA” means the European Economic Area, which constitutes the member states of the European Union (“EU”) and Norway, Iceland and Liechtenstein, as well as, for purposes of this DPA, the United Kingdom.

“EU Data Protection Law” means the GDPR and the GDPR as incorporated into domestic law in England and Wales pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).

“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1623940939861 (“EU SCCs”); and (ii) where the UK GDPR applies, the EU SCCs as amended and modified by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK Addendum” and, together with the EU SCCs, the “UK SCCs”); in each case as may be amended, superseded or replaced from time to time and as incorporated into this DPA by reference.

“Sub-Processor” means any third-party person or entity engaged by Ontic to Process Client Personal Data in connection with the provision of the Services to the Client.

2. Purpose and Scope

An overview of the categories of Data Subjects, types of Client Personal Data being Processed and the nature and purpose of the Processing is provided in Annex 1A. The Parties acknowledge and agree that with regard to the Processing of Client Personal Data under EU Data Protection Law and this DPA, Client is the Controller and Ontic is the Processor. Each Party will comply with its respective obligations under EU Data Protection Law with respect to the Processing of Client Personal Data.

By entering into this DPA, Client instructs Ontic to Process Client Personal Data: (a) to provide the Services in accordance with the features and functionality of the Services and related documentation; (b) to enable Client’s authorized user-initiated actions on and through the Services; (c) as set forth in the Agreement and applicable Order Forms and/or SOWs; and (d) as further documented by written instructions given by Client. Notwithstanding the foregoing, Ontic will inform Client promptly if it becomes aware that Client’s instructions may violate applicable EU Data Protection Law.

3. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Ontic shall, in relation to Client Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Annex 2 of this DPA, the “Security Measures”). In assessing the appropriate level of security, Ontic shall take into account the risks that are presented by Processing Client Personal Data including, in particular, the risks presented by a Client Personal Data Breach (as defined in Section 5). Ontic may make such changes to the Security Measures as Ontic deems necessary or appropriate from time to time, including without limitation to comply with Applicable Law, but no such changes will materially reduce the overall level of protection for Client Personal Data. Ontic will take appropriate steps to ensure compliance with the Security Measures by its employees, agents, contractors and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Client Personal Data have agreed to appropriate obligations of confidentiality.

4. Data Subject Rights

If Ontic receives a request from a Data Subject in relation to Client Personal Data, then, to the extent legally permissible, Ontic will advise the Data Subject to submit their request to Client and Client will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Client hereby agrees that Ontic may confirm to a Data Subject that his or her request relates to Client. To the extent Client is unable through its use of the Services to address a particular Data Subject request, Ontic will, upon Client’s request and taking into account the nature of Client Personal Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Ontic is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by Applicable Law, Client shall be responsible for any costs arising from Ontic’s provision of such assistance.

5. Client Personal Data Breach

Ontic will notify Client without undue delay after becoming aware of a Personal Data Breach with respect to Client Personal Data transmitted, stored or otherwise Processed by Ontic or its Sub-Processors (a “Client Personal Data Breach”). Such notice may be provided (1) by posting a notice in the Services; (2) by sending an email to the email address set forth on an order form or statement of work; (3) by sending a notice to Client’s contact information listed on the signature page to this DPA; and/or (4) pursuant to the notice provisions of the Agreement. Client shall ensure that its contact information is current and accurate at all times during the term of this DPA. Ontic will promptly take all actions relating to its Security Measures (and those of its Sub-Processors) that it deems necessary and advisable to identify and remediate the cause of a Client Personal Data Breach. In addition, Ontic will promptly provide Client with: (i) reasonable cooperation and assistance with regard to the Client Personal Data Breach; (ii) reasonable information in Ontic’s possession concerning the Client Personal Data Breach insofar as it affects Client, including remediation efforts and any notification to Supervisory Authorities; and (iii) to the extent known: (a) the possible cause of the Client Personal Data Breach; (b) the categories of Client Personal Data involved; and (c) the possible consequences to Data Subjects. Ontic’s notification of or response to a Client Personal Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to the Client Personal Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by Client or its authorized users.
If Client decides to notify a Supervisory Authority, Data Subjects or the public of a Client Personal Data Breach, Client will provide Ontic with advance copies of the proposed notices and, subject to Applicable Law (including any mandated deadlines under EU Data Protection Law), allow Ontic an opportunity to provide any clarifications or corrections to those notices. Subject to Applicable Law, Ontic will not reference Client in any public filings, notices or press releases associated with the Client Personal Data Breach without Client’s prior written consent.

6. Client Responsibilities

Without limiting its responsibilities under the Agreement, Client is solely responsible for: (a) any of Client’s account data, Client’s account login credentials (including activities conducted with login credentials), and other data provided by Client to Ontic, subject to Ontic’s Processing obligations under the Agreement and this DPA; and (b) providing any notices required by EU Data Protection Law to, and receiving any required consents and authorizations required by EU Data Protection Law from, persons whose Personal Data may be included in Client’s account data, Client’s account login credentials, and other data provided by Client to Ontic. Further, no provision of this DPA includes the right to, and Client shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Services or use (or permit others to use) the Services other than as described in the applicable order, statement of work, the Agreement and this DPA, or for any unlawful purpose.

7. Sub-Processors

The Controller acknowledges and agrees that:

(a) Affiliates of Ontic may be used as Sub-Processors; and

(b) Ontic and its Affiliates respectively may engage Sub-Processors in connection with the provision of the Services.

As a condition to permitting a Sub-Processor to Process Client Personal Data, Ontic will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Client Personal Data. Subject to this Section 7, Ontic reserves the right to engage and substitute Sub-Processors as it deems appropriate but shall: (a) remain responsible to Client for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Ontic’s performance of this DPA to the same extent Ontic would be liable if performing the Services directly.

Ontic’s current list of Sub-Processors is set forth in Annex 3.

During the term of this DPA, Ontic shall provide the Client with at least 14 days’ notification, via email (or in-application notice), of any new or replacement Sub-Processor(s) who may Process Client Personal Data before authorizing any new or replacement Sub-Processor(s) to Process Client Personal Data in connection with the provision of the Services. If the Client objects to a new or replacement Sub-Processor within 14 days of such notice, and Ontic is unable to take corrective steps to exclude such Sub-Processor, then either party may terminate the relevant portion of the applicable Order Form with respect to those Services which cannot be provided by Ontic without the use of the new or replacement Sub-Processor. Ontic will refund the Client any prepaid fees covering the remainder of the Term of the applicable Order Form following the effective date of termination with respect to such terminated Services. If the Client does not provide a timely objection notice with respect to a new Sub-Processor, Client will be deemed to have authorized Ontic to use the Sub-Processor and to have waived its right to object. Ontic may use a new or replacement Sub-Processor while the objection procedures under this Section 7 are in process.

8. Transfer Mechanisms

Subject to the terms and conditions of the Agreement and EU Data Protection Law, Ontic currently makes available the Standard Contractual Clauses as a transfer mechanism. The Standard Contractual Clauses apply to any transfer of Client Personal Data under this DPA from the EEA to a country that is not considered to provide an “adequate level” of data protection by the EU Commission and/or UK Government (to the extent such transfers are subject to EU Data Protection Law).

(a) The Standard Contractual Clauses and the terms of this Section 8(a) apply to any transfer of Submitted Data, to the extent such transfer is subject to EU Data Protection Law:

a. For the purposes of the EU SCCs: (i) the module two (controller to processor) terms shall apply; (ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and Ontic may engage Sub-Processors as described in Section 7 of this DPA; (iii) in Clause 11, the optional language shall be deleted; (iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Section 9 of this DPA; (v) pursuant to Clauses 8.5 and 16(d), upon termination of this DPA, Client Personal Data will be returned and/or destroyed in accordance with Section 11 of this DPA; (vi) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; and (viii) the Appendix of the EU SCCs shall be populated with the information set out in the Annexes to this DPA.

b. For the purposes of the UK SCCs, the UK Addendum shall be populated with the relevant information set out in the Annexes to this DPA.

c. If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA regarding the transfer of Submitted Data from Client to Ontic, the Standard Contractual Clauses shall prevail to the extent of such conflict.

(b) The Standard Contractual Clauses and the terms of this Section 8(b) apply to any transfer of Returned Data, to the extent such transfer is subject to EU Data Protection Law:

a. For the purposes of the EU SCCs: (i) the module four (processor to controller) terms shall apply; (ii) in Clause 11, the optional language shall be deleted; (iii) the audits described in Clause 8.3 of module four of the EU SCCs shall be carried out as set out in and subject to the requirements of Section 9 of this DPA; (iv) pursuant to Clause 16(d), upon termination of this DPA, Client Personal Data will be returned and/or destroyed in accordance with Section 11 of this DPA; (v) in Clause 17, the EU SCCs shall be governed by Irish law; (vi) in Clause 18, disputes shall be resolved before the courts of Ireland; and (vii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum.

b. For the purposes of the UK SCCs, the UK SCCs shall be populated with the relevant information set out in the Annexes to this Addendum.

c. If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA regarding the transfer of Returned Data from Ontic to Client, the Standard Contractual Clauses shall prevail to the extent of such conflict.

9. Audit

Where required by EU Data Protection Law, Ontic will allow Client (directly or through a third-party auditor subject to written confidentiality obligations) to conduct an audit of Ontic’s procedures relevant to the protection of Client Personal Data to verify Ontic’s compliance with its obligations under this DPA. Any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor mutually agreed upon by the parties bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not sufficient under EU Data Protection Law, the Client may at its own expense conduct a more extensive audit which will be:

(a) limited in scope to matters specific to the Client and agreed in advance with Ontic;

(b) carried out during US local business hours and upon reasonable notice which shall be not less than 30 days unless an identifiable material issue has arisen;

(c) conducted in a way which does not interfere with Ontic’s day-to-day business; and

(d) undertaken no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Client Personal Data Breach.

To that end and before the commencement of any such audit, Client and Ontic shall mutually agree upon the audit’s participants, schedule and scope, which shall in no event permit Client or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure. Representatives of Client performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement and shall abide by Ontic’s security policies while on Ontic’s premises. Upon completion of an audit, Client agrees to promptly furnish to Ontic any written audit report or, if no written report is prepared, to promptly notify Ontic of any non-compliance discovered during the course of the audit. If identified, Ontic will remedy any material deficiency pursuant to its applicable policy. Client shall reimburse Ontic for its time expended in connection with an audit at Ontic’s then-current professional service rates, which shall be made available to Client upon request and shall be reasonable taking into account the time and effort required by Ontic.

10. Impact Assessment and Additional Information

Ontic will provide Client with reasonable cooperation, information and assistance as needed to fulfill Client’s obligations under EU Data Protection Law, including as needed to carry out a data protection impact assessment related to Client’s use of the Services (in each case to the extent Client does not otherwise have access to the relevant information, and such information is in Ontic’s control). Without limiting the foregoing, Ontic shall provide reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section, to the extent required by EU Data Protection Law.

11. Data Deletion

Client may request the return or deletion of Client Personal Data in accordance with the Agreement.

12. Client Data Subject to CCPA

As used in this Section 12, “Business Purpose”, “Collects”, “Consumer”, “Sell”, “Share” and “Service Provider” have the meanings assigned to them in the CCPA.

If Client Data comprises Personal Information subject to the CCPA (“CCPA Personal Data”), Ontic is the Service Provider consistent with the requirements of the CCPA. The parties agree as follows with respect to such CCPA Personal Data:

(a) CCPA Personal Data is disclosed by Client only for limited and specified purposes of providing the Services to Client pursuant to the terms of the Agreement. Each party agrees to comply with applicable obligations under CCPA and shall provide the same level of privacy protection to CCPA Personal Data as required by CCPA. 

(b) Ontic will not Sell or Share any CCPA Personal Data it Collects pursuant to the Agreement.

(c) Ontic agrees not to retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement for any commercial purpose other than for the Business Purposes specified in the Agreement or as otherwise permitted by the CCPA.

(d) Ontic will not retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement outside of the direct business relationship between Ontic and Client, unless expressly permitted by CCPA.

(e) Client shall have the right to take reasonable and appropriate steps to help ensure that Ontic uses the CCPA Personal Data Collected pursuant to the Agreement in a manner consistent with its obligations under CCPA. 

(f) Ontic shall notify Client if it makes a determination that it can no longer meet its obligations under CCPA. Upon such notice, Client may take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Personal Data. 

(g) Ontic will enable Client to comply with Consumer requests made pursuant to the CCPA. Client will inform Ontic of any Consumer request pursuant to the CCPA that Ontic must comply with and provide information necessary for Ontic to comply with the request. If Ontic receives a request to know or a request to delete from a Consumer with respect to CCPA Personal Data, Ontic shall either act on behalf of Client in responding to the request or inform the Consumer that the request cannot be acted upon because the request has been sent to a Service Provider.

(h) Notwithstanding the foregoing, as permitted under the CCPA, Ontic may retain, use or disclose CCPA Personal Data Collected pursuant to the Agreement: (i) for the specific Business Purpose(s) set forth in the Agreement that is required by CCPA; (ii) to retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CCPA; (iii) for internal use by Ontic to build or improve the quality of the services it is providing to Client, even if this Business Purpose is not specified in the Agreement, provided that Ontic does not use the CCPA Personal Data to perform services on behalf of another person; (iv) to prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement; or (v) for the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7).

13. Liability

Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including any annexes attached hereto or clauses referenced herein, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under EU Data Protection Law.

14. Term and Termination

Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement.

ANNEX 1A

LIST OF PARTIES

With respect to Submitted Data:

Data exporter(s)

Name: The Client entity identified in the Agreement or on an applicable Order.
Address: The Client’s address specified on the Order.
Contact person’s name, position and contact details:
Name: _____________________
Position: ___________________
Email: _____________________
Activities relevant to the data transferred under the Standard Contractual Clauses: The data exporter is a customer of the data importer and utilizing the data importer’s services as described in more detail in the Agreement.
Role (controller/processor): Controller.

Data importer(s)

Name: Ontic Technologies, Inc.
Address: 4009 Marathon Blvd, Austin, Texas 78756.
Contact person’s name, position and contact details: Scott Shepherd, Chief Legal Officer, legal@ontic.com.
Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
Role (controller/processor): Processor.

With respect to Returned Data:

Data exporter(s)

Name: Ontic Technologies, Inc.
Address: 4009 Marathon Blvd., Austin, Texas 78756.
Contact person’s name, position and contact details: Scott Shepherd, Chief Legal Officer, legal@ontic.com.
Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
Role (controller/processor): Processor.

Data importer(s)

Name: The Client entity identified in the Agreement or on an applicable Order.
Address: The Client’s address specified on the Order.
Contact person’s name, position and contact details:
Name: _____________________
Position: ___________________
Email: _____________________
Activities relevant to the data transferred under the Standard Contractual Clauses: The data importer is a customer of the data exporter and utilizing the data exporter’s services as described in more detail in the Agreement.
Role (controller/processor): Controller.

ANNEX 1B

DESCRIPTION OF THE TRANSFER

With respect to Submitted Data:

Categories of data subjects: The Personal Data transferred may include but is not limited to the following categories of Data Subjects:

Individuals about whom data is uploaded to the Services by (or at the direction of) the data exporter or by its authorized users, Affiliates, and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.

Categories of personal data: The Personal Data transferred may include but is not limited to the following categories of data:

Any data uploaded to the Services by (or at the direction of) the data exporter or by its authorized users, Affiliates and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement. Such data may include, but is not limited to:
Name
Image
Address
Phone Numbers
Social Media Handles
Birth Dates

Sensitive data transferred (if applicable) and applied restrictions or safeguards: Special categories of data, if any, may be uploaded to the Services by (or at the direction of) the data exporter or by its authorized users, Affiliates and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement, in compliance with Applicable Law, and may include, but is not limited to:
race or ethnic origin
political opinions
religious or philosophical beliefs
trade-union membership
health
sex life
sexual orientation

Frequency of the transfer: At data exporter’s discretion in using the Services during the term of the Agreement.

Nature of the processing: Client Personal Data transferred will be processed in accordance with the Agreement and any applicable SOW or Order Form, and may be subject to the following basic processing activities:

a. Client Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions.
b. Technical support, issue diagnosis, security scans, and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Services and specifically in answer to a data exporter query.
c. Disclosures in accordance with the Agreement, as compelled by Applicable Laws.

Purpose(s) of the data transfer and further processing: Personal Data is processed for the purposes of providing the Services in accordance with the Agreement and any applicable Order.

Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained and deleted in accordance with Section 11 of this DPA.

With respect to Returned Data:

Categories of data subjects: The Personal Data transferred may include but is not limited to the following categories of Data Subjects:

Individuals about whom data is collected by Ontic from data sources on behalf of the Client at the direction of the data importer or by its authorized users, Affiliates, and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.

Categories of personal data: The Personal Data transferred may include but is not limited to the following categories of data:

Any data collected by Ontic from data sources on behalf of Client at the direction of the data importer or its authorized users, Affiliates and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement. Such data may include, but is not limited to:
Name
Image
Address
Phone Numbers
Social Media Handles
Birth Dates

Sensitive data transferred (if applicable) and applied restrictions or safeguards: Special categories of data, if any, may be collected by Ontic on behalf of Client as part of the Services, at the direction of the data importer or by its authorized users, Affiliates and other participants whom the data importer has granted the right to access the Services in accordance with the provisions of the Agreement, in compliance with Applicable Law, and may include, but is not limited to:
race or ethnic origin
political opinions
religious or philosophical beliefs
trade-union membership
health
sex life
sexual orientation

Frequency of the transfer: Subject to data exporter’s direction in using the Services during the term of the Agreement.

Nature of the processing: Client Personal Data transferred will be processed in accordance with the Agreement and any applicable SOW or Order Form, and may be subject to the following basic processing activities:

a. Client Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data importer’s instructions.
b. Technical support, issue diagnosis, security scans, and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Services and specifically in answer to a data importer query.
c. Disclosures in accordance with the Agreement, as compelled by Applicable Laws.

Purpose(s) of the data transfer and further processing: Personal Data is processed for the purposes of providing the Services in accordance with the Agreement and any applicable Order.

Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained and deleted in accordance with Section 11 of this DPA.

ANNEX 1C

COMPETENT SUPERVISORY AUTHORITY

Where the Client as the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the Client as the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

Where the Client as the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.

ANNEX 2

SECURITY MEASURES

Ontic as the data importer has implemented and will maintain the following technical and organizational security measures:

Safeguards – Ontic has appropriate safeguards designed to protect Client Personal Data consistent with accepted industry practices and ensures that such safeguards comply with Applicable Laws, the Agreement and the DPA.

These safeguards include:

(a) secure facilities, data centers, paper files, servers, back-up systems and computing equipment, including mobile devices and other equipment with information storage capability;

(b) network, device application, database and platform security;

(c) secure transmission, storage and disposal;

(d) authentication and access controls within applications, operating systems and equipment;

(e) logging access and retention of such access control logs according to Ontic’s retention policies;

(f) encryption of Client Personal Data at rest;

(g) encryption of Client Personal Data in transit;

(h) separation of Client Personal Data from information of Ontic’s other customers;

(i) personnel security including background checks consistent with Applicable Law;

(j) annual penetration testing and more frequent vulnerability scans – Ontic will promptly implement a corrective action plan to correct material issues identified; and

(k) limiting access to Client Personal Data and providing privacy and information security training to Ontic’s employees (bound in writing by obligations of confidentiality in accordance with the terms of the Agreement and the DPA).

Malicious Code. Ontic will not introduce to Client’s systems or devices or use any software or code that contains Malicious Code designed to:

(a) permit unauthorized access to Client’s systems or devices; or

(b) disable, erase, or otherwise harm software, hardware, or data owned or controlled by Client.

Business Continuity Plan. Ontic has developed a disaster recovery and business continuity plan (“DRBC Plan”) which includes:

(a) documentation of applicable business processes, procedures and responsibilities;

(b) back-up methodology;

(c) identification of disaster recovery scenarios and service level agreements for service recovery;

(d) responsibilities of Sub-Processors in the event of a disaster;

(e) a communications strategy; and

(f) procedures for reverting to normal service.

The DRBC Plan is reviewed annually and tested as appropriate. Ontic ensures it is able to implement the DRBC Plan at any time in accordance with its terms.

ANNEX 3

LIST OF SUB-PROCESSORS

The Client as the data exporter has authorized the use of the Sub-Processors set forth below:

Amazon Web Services