Data Protection Addendum
Posted: November 21, 2021
This DynaFile Data Protection Addendum (“Addendum”) supplements the DynaFile Master Subscription Agreement (together with any Order Forms or SOWs entered into pursuant thereto, the “Agreement”) between Blue Ribbon Technologies, LLC (“BRT”) and the customer entity that is a party to the Agreement (“Customer”).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. The obligations set forth in this Addendum shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.
- “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
- “Customer Personal Data” means Personal Data uploaded by Customer to the Service (as defined in the Agreement).
- “Data Protection Laws” means the data protection and privacy laws applicable to a party’s Processing of Customer Personal Data under the Agreement, including, to the extent applicable, the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”).
- “Personal Data” means information that constitutes “personal data,” “personal information,” “personally identifiable information,” or similar term as defined in and governed by Data Protection Laws.
- “Personal Data Breach” means a breach of BRT’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in BRT’s possession, custody, or control.
- “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
- “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller. For the avoidance of doubt, Processor shall also mean service provider (as such term is defined under the CCPA).
- “Services” means the products and/or services that BRT has agreed to provide to Customer under the Agreement.
- “Subprocessor” means any Processor appointed by BRT to Process Customer Personal Data on behalf of Customer under the Agreement.
- Roles and Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and BRT is a Processor of Customer Personal Data. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
- Processing of Customer Personal Data. BRT will Process Customer Personal Data only as necessary to perform its obligations and exercise its rights under the Agreement. If Customer Personal Data contains personal information (as defined in the CCPA), BRT will not (a) sell (as defined in the CCPA) such Customer Personal Data; (b) retain, use, or disclose such Customer Personal Data for any purpose other than for the specific purpose of providing the Services or as otherwise permitted by the CCPA, including retaining, using, or disclosing such Customer Personal Data for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (c) retain, use, or disclose such Customer Personal Data outside of the direct business relationship between BRT and Customer. BRT hereby certifies that it understands its obligations under the foregoing subsections (a) through (c) and will comply with them. Notwithstanding anything to the contrary in the Agreement, the parties acknowledge and agree that BRT’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
- Customer Obligations. As between the parties, Customer shall be solely responsible for: (a) obtaining all necessary rights, and, where applicable, all appropriate and valid consents necessary for BRT to Process Customer Personal Data as set forth in this Addendum or as may be required by Data Protection Laws; and (b) ensuring that this Addendum, the Agreement, and Customer’s selected Subscription Edition are sufficient to meet Customer’s needs under Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will ensure that BRT’s Processing of Customer Personal Data in accordance with Customer’s instructions will not cause BRT to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.
- Confidentiality. BRT shall take reasonable steps to ensure that BRT personnel that Process Customer Personal Data are subject to contractual obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. BRT shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Personal Data from Personal Data Breaches and designed to preserve the security and confidentiality of Customer Personal Data in accordance with BRT’s security standards described in Exhibit 1 (“Security Measures”). Customer is responsible for reviewing the information made available by BRT relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that BRT may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
- Subprocessing. BRT may engage such Subprocessors as BRT considers reasonably appropriate for the Processing of Customer Personal Data in accordance with this Addendum. BRT will require Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum.
- Data Subject Rights. BRT shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data. In the event that any Data Subject exercises any of its rights under the Data Protection Laws in relation to Customer Personal Data, BRT shall use commercially reasonable efforts to assist Customer in fulfilling its obligations as Controller following written request from Customer, provided that BRT may charge Customer on a time and materials basis in the event that BRT considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- Personal Data Breach. In the event of a Personal Data Breach that compromises Customer Personal Data, BRT will notify Customer without undue delay after becoming aware of the Personal Data Breach. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. BRT will take reasonable steps to provide Customer with information available to BRT that Customer may reasonably require to comply with its obligations as Controller to notify relevant individuals, regulators, and other third parties.
- Deletion or Return of Customer Personal Data. During the Term, subject to the terms and conditions of the Agreement, BRT will return or delete Customer Personal Data when Customer uses the functionality of the Services to request such return or deletion. Unless otherwise required by applicable Data Protection Laws, following termination or expiration of the Agreement BRT shall delete all Customer Personal Data and all copies of Customer Personal Data. Customer Personal Data, computer records, or files that have been created pursuant to BRT’s automatic archiving and back-up procedures shall be deleted as soon as reasonably practicable.
- Audits. Customer may audit BRT’s compliance with its obligations under this Addendum up to once per year by requesting a copy of BRT’s most recent Statement on Standards for Attestation Engagements No. 18 (SSAE 18) System and Organization Controls (SOC 2) Type II audit report. Such reports constitute BRT’s Confidential Information under the Agreement.
- General Terms. Except as expressly modified by this Addendum, the terms of the Agreement remain in full force and effect. The requirements of this Addendum are in addition to and not in lieu of the requirements of the Agreement. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the Agreement with regard to data protection obligations for Customer Personal Data under Data Protection Laws. Any claims brought under or arising out of this Addendum, if applicable, will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
Exhibit 1: Security Measures
BRT has implemented and will maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards intended to protect personal information and that are appropriate to: (1) the size, scope, and type of BRT’s business, (2) the resources available to BRT, (3) the type of information stored by BRT, and (4) the need for security and confidentiality of such information.
More specifically, BRT has implemented the following measures:
- Next-generation firewall devices with both host-based and network-based intrusion detection and automatic threat prevention
- Continuous monitoring and alerting on all network traffic at all layers via multiple secured and locked-down SIEM and logging appliances
- Segmented and secured networks that enforce encryption in transit for all data, both internally and externally, with per-client separation of database and document repository data
- Multiply redundant, enterprise-grade hardware and infrastructure components with full enforcement of encryption at rest for all client data
- Geographically diverse data center operations with data replication windows of less than 60 seconds
A full overview of the security measures can be found by downloading BRT’s Security and Redundancy Whitepaper, and comprehensive detail of such measures can be obtained by requesting BRT’s most recent Statement on Standards for Attestation Engagements No. 18 (SSAE 18) System and Organization Controls (SOC 2) Type II audit report.