DATA PROCESSING ADDENDUM
Effective Date: January 1, 2023
This Data Processing Addendum (“DPA”) consists of the Data Processing Details and the Terms and Conditions set forth below and forms a part of the Agreement.
DATA PROCESSING DETAILS
CONTROLLER: The customer of First Orion (“Customer”) with whom First Orion has entered into a written or electronic agreement (the “Agreement”) governing Customer’s use of First Orion services (identified either as “Services” or otherwise in the Agreement, and hereinafter defined as “Services”)
PROCESSOR: First Orion Corp. or the affiliate of First Orion Corp. that is the service provider to Customer under the Agreement (“First Orion”)
SUBJECT MATTER OF THE PROCESSING: The provision of the Services under the Agreement to the Customer involving the Processing of Personal Data
DURATION OF THE PROCESSING: Start date – the date Personal Data is first processed by First Orion. End date – the date of termination or expiration of the Agreement, subject to any data retention period set forth therein. The frequency of the Processing is continuous and ongoing during the term of the Agreement.
NATURE AND PURPOSE OF THE PROCESSING: First Orion will process Personal Data as necessary to perform the Services described in the Agreement, as further specified in the Agreement, and as further instructed by Customer in its use of the Services.
CATEGORIES OF DATA SUBJECTS: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
1. End users and customers of Customer in connection with Customer’s use of the Services
2. Customer’s employees and users authorized by Customer to access the Services
CATEGORIES OF PERSONAL DATA: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
1. Phone number
The data shall not include any ‘special category’ data as defined under the GDPR.
TERMS AND CONDITIONS
1. Definitions
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., and its implementing regulations, as amended by the California Privacy Rights Act (“CPRA”).
“Data Protection Laws” means, with respect to a party, all data protection laws, rules, regulations and orders of governmental authority (including laws, rules, and orders of governmental authorities of the European Union (“EU”), the European Economic Area (“EEA”) and their Member States, Switzerland, the United Kingdom (“UK”), the United States of America, and the privacy and data protection laws and regulations of any other country) to the extent applicable to such party’s Processing of Personal Data under the Agreement.
“Data Subject” has the meaning given to “data subject” in accordance with Data Protection Laws.
“Customer Data” means data submitted to First Orion by Customer for Processing by the Services and Customer account data such as contact information of individuals authorized by Customer to access Customer’s account and/or use the Services. This DPA applies to First Orion’s Processing of Customer Data to the extent that such Customer Data constitutes Personal Data.
“Controller” has the meaning given to “controller” or “data controller” in accordance with Data Protection Laws.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“International Data Transfer” means any disclosure of Personal Data by an organization subject to Data Protection Laws to another organization located outside the European Economic Area or the UK.
“Personal Data” or “personal data” means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data shall be interpreted consistent with applicable Data Protection Laws, and includes at a minimum “personal information” as defined in those laws.
“Processing” and “process” have the meaning given in accordance with Data Protection Laws.
“Processor” has the meaning given to “processor” or “data processor” in accordance with Data Protection Laws.
“Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by First Orion. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, such as unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
“Security Measures” means the technical and organizational security measures applied by First Orion which are found at https://firstorion.com/first-orion-security-overview/ as may be updated from time to time.
“UK Addendum” means the addendum to the 2021 EU SCCs issued by the UK Information Commissioner under s119A(1) of the UK Data Protection Act 2018 (Version B1.0, in force 21 March 2022).
“2021 EU SCCs” means the clauses annexed to the European Commission Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time.
2. Processing of Personal Data
2.1 Relationship of the Parties. First Orion and Customer shall each process Personal Data in accordance with applicable Data Protection Laws. With respect to Personal Data Processed by First Orion under this DPA, the Parties agree that Customer is the Controller and First Orion is the Processor.
2.2 Purpose Limitation. First Orion shall process Personal Data as a Processor or Service Provider, as applicable, (a) for the performance of the Services in accordance with Customer’s instructions as set forth in the Agreement and this DPA and in accordance with Data Protection Laws, (b) as otherwise necessary to provide the Services (which may include responding to support requests and the prevention and resolution of security, fraud and technical issues), and (c) as further instructed by the Customer in writing. Customer acknowledges that First Orion may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Where such Processing for First Orion’s own business purposes falls within the scope of the GDPR, First Orion is the Controller for that Processing and will process such data in accordance with Data Protection Laws.
2.3 Customer Instructions. Customer will ensure that its instructions comply with Data Protection Laws and that First Orion’s Processing of Personal Data in accordance with Customer’s instructions will not cause First Orion to violate Data Protection Laws. First Orion will notify Customer to the extent permitted by law if it becomes aware or reasonably believes that Customer’s data Processing instructions would violate Data Protection Laws.
2.4 Customer Compliance. Customer shall ensure that (a) it has and will continue to comply with Data Protection Laws in its use of the Services; and (b) if applicable, it has, and will continue to have, the right to transfer, or provide access to, its customers’ and end users’ Personal Data to First Orion for Processing in accordance with the terms of the Agreement and this DPA.
3. Sub-processors
3.1 Sub-processors. Customer acknowledges that First Orion engages sub-processors in connection with the provision of the Services, and Customer provides general authorization for First Orion to appoint sub-processors, subject to this Section 3. The engagement by First Orion of any such sub-processor shall be on written terms which impose upon the sub-processor data protection obligations to the standard required by Data Protection Laws, such as requiring the same data protection obligations referred to in Article 28(3) of the GDPR, including providing sufficient guarantees to implement appropriate technical and organizational measures. First Orion’s up-to-date sub-processors list can be found at https://firstorion.com/dpa-subprocessors/ (the “Sub-processors List”).
3.2 General Consent for First Orion Group Sub-processors. Customer grants a general authorization to First Orion to appoint affiliates of First Orion as sub-processors, conditional on the requirements detailed in Section 3.1.
3.3 Notification and Objection. First Orion will inform Customer of any intended changes concerning the addition or replacement of sub-processors by updating the Sub-processors List. Customer agrees to receive notice of such updates by subscribing through the Sub-processors List. Customer shall notify First Orion promptly in writing, within ten (10) business days after receipt of such notice, if Customer has a reasonable basis to object to the use of the new sub-processor. In such an event, First Orion will use reasonable efforts to provide the Services to Customer in accordance with the Agreement without using the sub-processor. If First Orion reasonably requires use of the sub-processor and is unable to satisfy Customer as to the suitability of the sub-processor within thirty (30) days of Customer’s objection, Customer may elect to terminate only the part of the Services or Agreement which cannot be provided by First Orion without the use of the objected-to sub-processor.
4. Security
4.1 Information Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, First Orion shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the Security Measures, supported by a written information security management system. Customer acknowledges that the Security Measures are appropriate in relation to the risks associated with Customer’s intended Processing, and will notify First Orion prior to any intended Processing for which the Security Measures may not be appropriate.
4.2 Security Incidents and Notification. Upon becoming aware of a confirmed Security Incident, First Orion will notify Customer without undue delay unless prohibited by applicable law. First Orion will promptly provide Customer with all relevant information in its possession as reasonably required by Data Protection Laws to comply with any reporting obligations of a relevant regulatory authority concerning such a Security Incident. Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third party notification obligations.
4.3 Personnel. First Orion will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have been instructed in the appropriate handling of Personal Data, and are subject to appropriate statutory or contractual obligations of confidentiality.
4.4 Third Party Certification. First Orion is an ISO/IEC 27001:2013 certified provider (the “Certification”) whose Information Security Management System (ISMS) has been certified against that standard by an independent, accredited third-party certification body. First Orion takes commercially reasonable steps to maintain its Certification. For the avoidance of doubt, the termination or replacement of the Certification by an alternative will not constitute a material breach of this DPA.
5. Data Subject Access Requests.
Upon Customer’s request, First Orion will provide reasonable assistance to Customer in the fulfillment of Customer’s obligations under Data Protection Laws to respond to data subject requests to exercise their rights (such as rights of data access, rectification, erasure, restriction, portability and objection to Processing) for any Personal Data that is Processed by First Orion for the purpose of providing the Services. If a data subject raises a request directly with First Orion, First Orion will promptly forward this request to Customer.
6. Return or Deletion of Customer Data.
Upon expiration or termination of the Agreement, First Orion will cease to process Personal Data and will delete all Personal Data from its systems within sixty (60) days of Customer’s request. Notwithstanding the foregoing, First Orion may retain Personal Data if required by applicable law in which case First Orion will comply with Data Protection Laws regarding the deletion and retention of such Personal Data.
7. Assistance, Reporting, and Impact Assessments
Taking into account the nature of the Processing, and the information available to First Orion, it will provide reasonable assistance to Customer, including as appropriate by implementing Security Measures and with the fulfillment of Customer’s own obligations concerning reporting requirements for Security Incidents, conducting data protection impact assessments and prior consultations with supervisory authorities as may be required in accordance with Data Protection Laws.
8. Audit Rights
Upon Customer’s written request, no more than once annually and subject to adequate confidentiality provisions, First Orion shall, in accordance with Data Protection Laws, make available to Customer such reasonable information in First Orion’s possession or control to demonstrate compliance with its obligations under Data Protection Laws.
9. International Data Transfers
9.1 Customer hereby authorizes First Orion to perform International Data Transfers:
- outside the EEA or Switzerland (1) to any country subject to a valid adequacy decision of the European Commission; (2) on the basis of an organization’s binding corporate rules approved by EEA supervisory authorities, provided that for International Data Transfers outside Switzerland the Swiss Federal Data Protection and Information Commissioner has been duly notified thirty (30) days in advance where required; and (3) to any data importer with whom First Orion has entered into the 2021 EU SCCs, provided that for International Data Transfers outside Switzerland the Swiss Federal Data Protection and Information Commissioner has been duly notified thirty (30) days in advance where required; and
- outside the UK (1) to any country subject to a valid adequacy decision of the UK government; (2) on the basis of an organization’s binding corporate rules approved by the UK Information Commissioner; and (3) to any data importer with whom First Orion has entered into the UK Addendum or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.
9.2 By signing this DPA, Customer and First Orion conclude Module 2 (Controller-to-Processor) of the 2021 EU SCCs which are hereby incorporated and completed as follows:
- The “data exporter” is Customer and the “data importer” is First Orion;
- The optional docking clause under Clause 7 shall not apply;
- In Clause 9, Option 2 shall apply and the “time period” shall be 30 days;
- The optional language in Clause 11(a) shall not apply;
- In Clause 17, Option 2 shall apply and where the law of the EU Member State does not allow for third-party beneficiary rights, the 2021 EU SCCs shall be governed by the law of Ireland;
- In Clause 18(b), disputes shall be resolved by the courts of [specify Member State];
- Annex 1 to the 2021 EU SCCs is completed as follows:
- The information of Part A is provided in the signature page, Section 2.1 of this DPA, and in the Services description in the Agreement.
- The information of Part B is provided in the Data Processing Details of this DPA, which are supplemented as follows: the data is transferred on a continuous basis, and the subject matter, nature and duration of the Processing for transfers to (sub-) processors is not applicable;
- In Part C, the competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of the Customer’s country of establishment in the EEA. If Customer is not established in the EEA, the Supervisory Authority will be that of the EEA country where Customer’s EU data protection representative is located. If Customer does not have an EU data protection representative, the competent Supervisory Authority is that of one of the EEA countries where the Data Subjects are located. The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- Annex 2 of the 2021 EU SCCs is the Security Measures and Section 4.1 of this DPA;
- Annex 3 of the 2021 EU SCCs is the Sub-processors List.
For International Data Transfers from Switzerland: (i) Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland and (ii) the SCCs cover Personal Data pertaining to legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 2020.
9.3 By signing this DPA, Customer and First Orion conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is First Orion, and their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the 2021 EU SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes I (A and B), II and III to the “Approved EU SCCs” are completed as set out for Annexes 1, 2 and 3 in Section 9.2 of this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
9.4 If Customer’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of its control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then the parties will work together in good faith to reasonably resolve such non-compliance.
10. Conflict. If there is any conflict or ambiguity between:
10.1 the provisions of this DPA and the provisions of the Agreement regarding Personal Data Processing, the provisions of this DPA will prevail; and
10.2 the provisions of this DPA and any provision contained in an Approved Data Transfer Mechanism and executed by First Orion and Customer, the provisions of the Approved Data Transfer Mechanism will prevail.
11. Regulatory Fines. Notwithstanding anything to the contrary in this DPA or in the Agreement, neither party will be responsible for any fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
12. Notices. All notices given by First Orion to Customer under or in connection with this DPA shall be sent to the Customer email address associated with its First Orion account or as identified in the Agreement; and any notice given by Customer to First Orion shall be sent to firstname.lastname@example.org.
13. General
13.1 Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the law and the jurisdiction of the country or territory which governs the Agreement, provided that such country or territory is an EEA Member State recognizing third-party beneficiary rights; otherwise, the laws of Ireland shall apply, except as otherwise specified in this DPA or required by Data Protection Laws.
13.2 Updates. First Orion may update the terms of this DPA where the changes (a) are required to comply with Data Protection Laws, applicable regulation, a court order, or guidance issued by a regulator or agency; or (b) do not have a material adverse impact on Customer’s rights under the DPA. The current version of this DPA is located at https://firstorion.com/first-orion-global-privacy-and-compliance-dashboard/. First Orion will provide thirty (30) days’ notice prior to making any material change to the provisions of this DPA to Customers who have subscribed to receive email notifications. If Customer objects, Customer has the right to terminate the affected Services within thirty (30) days of receiving notice of the changes.
14. CCPA Provisions
14.1 References to “Controller,” “Data Subject,” “Personal Data,” and “Processor” shall be deemed to be references to “Business,” “Consumer,” “Personal Information,” and “Service Provider,” respectively, as defined in the CCPA.
14.2 If First Orion is Processing Personal Data within the scope of the CCPA, First Orion will process the Personal Data on behalf of Customer and will not retain, use, or disclose Personal Data outside of the parties’ direct business relationship. First Orion will not collect, use, retain, or disclose Personal Data except as permitted in the Agreement and under the CCPA, will not sell or share (as defined by the CCPA) Personal Data, and will not combine Personal Data from the Customer with Personal Data obtained from, or on behalf of, sources other than Customer other than as expressly permitted by the CCPA. First Orion will also comply with the obligations of the CCPA, provide the level of privacy protection required by the CCPA, and certifies that it understands and will comply with this DPA. If First Orion determines that it can no longer meet its obligations under the CCPA, First Orion will promptly notify Customer. Upon receiving notice from First Orion in accordance with this subsection, Customer may direct First Orion to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.