Data Protection Addendum
Posted: July 22, 2022
Prior Version: November 21, 2021
This DynaFile Data Protection Addendum (“Addendum”) supplements the DynaFile Master Subscription Agreement (together with any Order Forms or SOWs entered into pursuant thereto, the “Agreement”) between Blue Ribbon Technologies, LLC (“BRT”) and the customer entity that is a party to the Agreement (“Customer”).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. The obligations set forth in this Addendum shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.
- “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
- “Customer Personal Data” means Personal Data uploaded by Customer to the Service (as defined in the Agreement).
- “Data Protection Laws” means the data protection and privacy laws applicable to a party’s Processing of Customer Personal Data under the Agreement, including, to the extent applicable, the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), when effective, the Colorado Privacy Act and its implementing regulations (“CPA”), when effective, the Utah Consumer Privacy Act (“UCPA”), when effective, Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and any other applicable law or regulation related to the protection of Customer Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.
- “Personal Data” means information that constitutes “personal data,” “personal information,” “personally identifiable information,” or similar term as defined in and governed by Data Protection Laws.
- “Personal Data Breach” means a breach of BRT’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in BRT’s possession, custody, or control.
- “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
- “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller. For the avoidance of doubt, Processor shall also mean service provider (as such term is defined under the CCPA).
- “Services” means the products and/or services that BRT has agreed to provide to Customer under the Agreement.
- “Subprocessor” means any Processor appointed by BRT to Process Customer Personal Data on behalf of Customer under the Agreement.
2. Processing of Customer Personal Data.
2.1 Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and BRT is a Processor of Customer Personal Data. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
2.2 Details of Processing. Except as modified by an Order Form or SOW, the parties acknowledge and agree that (a) the nature and purpose of the Processing is to provide the Services; (b) the types of Customer Personal Data subject to the Processing are such types as Customer is authorized to provide to the Services under the Agreement; and (c) the duration of the Processing is from BRT’s receipt of Customer Personal Data until deletion of all Customer Personal Data by BRT in accordance with the Agreement.
2.3 Customer Instructions. BRT shall not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by Data Protection Laws to which BRT is subject, in which case BRT shall, to the extent permitted by Data Protection Laws, inform Customer of that legal requirement before Processing Customer Personal Data. For the avoidance of doubt, the Agreement, including any Processing reasonably necessary and proportionate to achieve the business purpose outlined in the Agreement, and any related statement of work or order form entered into by Customer pursuant to the Agreement shall constitute documented instructions for the purposes of this Addendum. Customer’s instructions shall comply with Data Protection Laws and be duly authorized, with all necessary rights, permissions, and consents secured.
2.4 Processing Subject to the CCPA. As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. BRT will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and BRT; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from BRT’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. BRT hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them. The parties acknowledge that the Personal Information disclosed by Customer to BRT is provided to BRT only for the limited and specified purposes set forth in the Agreement and this Addendum. BRT will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that BRT uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights pursuant to Section 10 of this Addendum. BRT will notify Customer if it makes a determination that BRT can no longer meet its obligations under the CCPA. If BRT notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with BRT, terminating the portion of the Agreement relevant to such unauthorized use, or taking such other steps mutually agreed between the parties in writing.
3. Customer Obligations. As between the parties, Customer shall be solely responsible for: (a) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and BRT’s Processing of Customer Personal Data; (b) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to BRT to permit the Processing of such Customer Personal Data by BRT for the purposes of performing BRT’s obligations under the Agreement or as may be required by Data Protection Laws; and (c) ensuring that this Addendum, the Agreement, and Customer’s selected Subscription Edition are sufficient to meet Customer’s needs under Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will ensure that BRT’s Processing of Customer Personal Data in accordance with Customer’s instructions will not cause BRT to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.
4. Confidentiality. BRT shall take reasonable steps to ensure that BRT personnel that Process Customer Personal Data are subject to contractual obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security. BRT shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Personal Data from Security Incidents and designed to preserve the security and confidentiality of Customer Personal Data in accordance with BRT’s security standards described in Exhibit 1 (“Security Measures”). Customer is responsible for reviewing the information made available by BRT relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that BRT may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
6. Subprocessing. BRT may engage such Subprocessors as BRT considers reasonably appropriate for the Processing of Customer Personal Data in accordance with this Addendum, provided that BRT shall notify Customer of the addition or replacement of such Subprocessor and Customer may, on reasonable grounds, object to a Subprocessor by notifying BRT in writing within ten (10) days of receipt of BRT’s notification, giving reasons for Customer’s objection. Upon receiving such objection, BRT shall: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (b) where such change cannot be made within ten (10) days of BRT’s receipt of Customer’s notice, Customer may by written notice to BRT with immediate effect terminate the portion of the Agreement or relevant SOW to the extent that it relates to the Services which require the use of the proposed Subprocessor. This termination right is Customer’s sole and exclusive remedy for Customer’s objection to any Subprocessor appointed by BRT. BRT will require Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum.
7. Data Subject Rights. BRT shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data. In the event that any Data Subject exercises any of its rights under the Data Protection Laws in relation to Customer Personal Data, BRT shall use reasonable commercial efforts to assist Customer in fulfilling its obligations as Controller following written request from Customer, provided that BRT may charge Customer on a time and materials basis in the event that BRT considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
8. Personal Data Breach. In the event of a Personal Data Breach that compromises Customer Personal Data, BRT will notify Customer without undue delay after becoming aware of the Personal Data Breach. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. BRT will take reasonable steps to provide Customer with information available to BRT that Customer may reasonably require to comply with its obligations as Controller to notify relevant individuals, regulators, and other third parties. BRT’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by BRT of any fault or liability with respect to the Personal Data Breach.
9. Deletion or Return of Customer Personal Data. During the Term, subject to the terms and conditions of the Agreement, BRT will return or delete Customer Personal Data when Customer uses the functionality of the Services to request such return or deletion. Unless otherwise required by applicable law, following termination or expiration of the Agreement BRT shall delete all Customer Personal Data and all copies of Customer Personal Data. Customer Personal Data, computer records, or files that have been created pursuant to BRT’s automatic archiving and back-up procedures shall be deleted as soon as reasonably practicable.
10. Relevant Records and Audits. Upon Customer’s written request, BRT will make available to Customer information in BRT’s possession reasonably necessary to demonstrate BRT’s compliance with applicable Data Protection Laws. Customer may audit BRT’s compliance with its obligations under this Addendum up to once per year by requesting a copy of BRT’s most recent Statement on Standards for Attestation Engagements No. 18 (SSAE 18) System and Organization Controls (SOC 2) Type II audit report. Such reports constitute BRT’s Confidential Information under the Agreement.
11. General Terms. Except as expressly modified by this Addendum, the terms of the Agreement remain in full force and effect. The requirements of this Addendum are in addition to and not in lieu of the requirements of the Agreement. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible, or, if this is not possible, the remainder of the Agreement shall be construed as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the other terms of the Agreement with regard to data protection obligations for Customer Personal Data under Data Protection Laws. Any claims brought under or arising out of this Addendum, if applicable, will be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.
Exhibit 1: Security Measures
BRT has implemented and will maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards intended to protect personal information that are appropriate to: (1) the size, scope, and type of BRT’s business, (2) the resources available to BRT, (3) the type of information stored by BRT, and (4) the need for security and confidentiality of such information.
More specifically, BRT has implemented the following measures:
- Advanced NextGen Firewall Devices with both Host-Based and Network-Based Intrusion Detection and Automatic Threat Prevention
- Continuous monitoring and alerting of all network traffic at all layers via multiple secured and locked-down SIEM and logging appliances
- Segmented and secured networks that enforce encryption-in-transit of all data both internally and externally with per-client separated database and document repository data
- Multiply redundant, enterprise grade hardware and infrastructure components with full enforcement of encryption-at-rest of all client data
- Geographically diverse data center operations with less than 60 second data replication windows
A full overview of the security measures can be found by downloading BRT’s Security and Redundancy Whitepaper, and comprehensive detail of such measures can be obtained by requesting BRT’s most recent Statement on Standards for Attestation Engagements No. 18 (SSAE 18) System and Organization Controls (SOC 2) Type II audit report.