These DATA PROCESSING TERMS AND CONDITIONS (“Terms and Conditions”) govern the processing of Personal Data (defined below) by ESPO Systems and/or its Affiliates (“ESPO”) in connection with the applicable business transaction for the party identified in the relevant Sales Quote, MSSP Order, or Statement of Work (“Client”).
WHEREAS, these Terms and Conditions amend and supplement all relevant Sales Quotes, MSSP Orders, and Statements of Work, including all terms, conditions and underlying agreements referenced therein, between ESPO and Client (“Agreement(s)”), and shall be incorporated into all such Agreement(s) which reference these Terms and Conditions or to which these Terms and Conditions are attached; and
WHEREAS, these Terms and Conditions contain the mandatory clauses required by the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) under Article 28(3) for contracts between controllers and processors, and under Articles 28(4) and 32(4) for contracts between processors and sub-processors, and will apply to the extent ESPO Systems processes Personal Data on behalf of Client.
NOW, THEREFORE, in consideration of the premises and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree to the following Terms and Conditions:
1. DEFINITIONS. All capitalized terms not expressly defined herein shall have the meanings ascribed to them in the Agreement(s).
- “Affiliate(s)” means any entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with a party to these Terms and Conditions.
- “Business Purposes” means as needed for ESPO to provide the Products, Services, and/or MSSP under the Agreement(s); as specified in a Statement of Work (“SOW”), Sales Quote, MSSP order, or purchase order; and/or as otherwise agreed upon between the parties in writing from time to time.
- “Data Protection Laws” means all applicable privacy and data protection laws, including the GDPR and any applicable national implementing laws, regulations and secondary legislation in any Member State of the European Union relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC).
- “Data Subject” means an individual who is the subject of Personal Data.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by ESPO for Client as a result of, or in connection with, the provision of the Products, Services, and/or MSSP under the Agreement(s) or any applicable Sales Quote, MSSP order, purchase order or SOW; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by ESPO under the Agreement(s).
- “Process”, “Processes” or “Processing” means any operation or set of operations which involves use of Personal Data, whether or not by automated means, including but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. PROCESSING PURPOSES AND PERSONAL DATA TYPES.
a. Processing. ESPO and Client each acknowledge that for the purposes of the Data Protection Laws, Client is, depending on the data, a controller or a processor of the Personal Data (“Client Personal Data”), and in regards to Client Personal Data, ESPO is the processor or sub-processor thereof.
b. Purposes. The duration, purpose of processing, and the Personal Data categories and Data Subject types that ESPO may process for Client are as follows:
i. DURATION OF PROCESSING. Term of the relevant Sales Quote, MSSP order, purchase order or SOW, or otherwise as necessary to fulfill obligations under the Agreement(s) or as required by law.
ii. BUSINESS PURPOSES. To provide Products, Services, and/or MSSP in accordance with the Agreement(s) and any relevant Sales Quote, MSSP order, purchase order or SOW between the parties, and/or to: (a) provide information technology Services to Client and/or Client’s employees; provide Client with security, data protection or other Services; enhance Client’s threat defenses; and/or provide licenses to Client for Products.
iii. PERSONAL DATA CATEGORIES.
- Client’s employees’ names and contact information, which may include but is not limited to business and home addresses, email addresses, phone numbers, IP addresses, user names, and transaction history
- Client’s customer names and business contact information, including addresses, email addresses, phone numbers, IP addresses
iv. DATA SUBJECT TYPES.
- Current, former, prospective employees of Client
- Employees or customers of Client’s clients
3. TERM AND TERMINATION.
Version 07/09/2018
a. Term. These Terms and Conditions will remain in full force and effect so long as: (a) the Agreement(s) remains in effect; (b) any applicable Sales Quote, MSSP order, purchase order or SOW remains in effect, and/or (c) ESPO retains any Personal Data of Client related to the Agreement(s) or any applicable Sales Quote, MSSP order, purchase order or SOW (“Term”).
b. Termination for Cause. Either party’s failure to comply with these Terms and Conditions will constitute a material breach of the Agreement(s). In such event, the non-breaching party may terminate the Agreement(s) effective immediately on written notice to the breaching party without further liability or obligation. In addition, if a change in any Data Protection Law prevents either party from fulfilling all or part of its obligations under the Agreement(s), the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to promptly bring the Personal Data processing into compliance with the Data Protection Laws, either party may terminate the Agreement(s), including any active SOW(s), on written notice to the other party.
c. Sections Surviving Termination. Any of these Terms and Conditions that expressly or by implication are meant to survive termination of the Agreement(s) or any applicable Sales Quote, MSSP order, purchase order or SOW, including but not limited to any provision related to protection of Personal Data, will remain in full force and effect upon termination.
d. Data Return and Destruction. At Client’s request, ESPO will give Client a copy of or access to all or any requested part of the Client Personal Data in ESPO’s possession or control in the format and on the media reasonably specified by Client. Upon termination or expiration of the Agreement(s), including any applicable Sales Quote, MSSP order, purchase order or SOW for any reason, and upon written direction of Client, ESPO will securely delete, destroy, or return and not retain, all or any Client Personal Data in ESPO’s control or possession related to the Agreement(s) or any applicable Sales Quote, MSSP order, purchase order or SOW. ESPO agrees that it will certify in writing that it has completed destruction of the Client Personal Data once such destruction is complete.
4. REPRESENTATIONS AND WARRANTIES.
ESPO represents and warrants that it will:
a. process Personal Data only to the extent and in such manner as is necessary for the Business Purposes and that it will not process the Personal Data for any other purpose or in a way that does not comply with the Agreement(s), these Terms and Conditions, or the Data Protection Laws;
b. take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of, accidental loss or destruction of, or damage to, Client Personal Data in its control or possession, and will ensure a level of security appropriate to: (A) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage, (B) the nature of the Personal Data protected, and (C) comply with all applicable Data Protection Laws;
c. ensure that all personnel who have access to and/or process Client Personal Data are obliged to keep the Client Personal Data confidential and not to disclose it to third parties unless such disclosure is specifically authorized by Client, or as required by law;
d. promptly comply with any request or instruction of Client requiring ESPO to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized processing; and
e. promptly notify Client of any changes to Data Protection Laws that may adversely affect ESPO’s performance of the Agreement(s) or any applicable Sales Quote, MSSP order, purchase order or SOW.
Client represents and warrants that it:
a. will comply with all relevant Data Protection Laws; and
b. in its capacity as a data controller, has obtained necessary consent to collect the personal data provided to ESPO for processing hereunder.
5. PROCESSOR PERSONNEL.
a. Employee training. ESPO will ensure that all of its employees who handle Client Personal Data have undertaken training on the Data Protection Laws, and are aware of ESPO’s duties and obligations under: (i) the Data Protection Laws; (ii) the Agreement(s), including any applicable Sales Quote, MSSP order, purchase order or SOW; and (iii) these Terms and Conditions.
b. Background Checks. ESPO will conduct background checks on all of its employees with access to the Client Personal Data, consistent with applicable law.
c. Subcontractors. Each party consents to ESPO’s use of Affiliates and subcontractors for the processing of Client Personal Data in connection with the Business Purposes; provided that ESPO shall inform Client of any new sub-processor it intends to engage, to allow Client to object to the engagement of any such sub-processor. ESPO shall require all of its sub-processors to abide by substantially the same obligations as are required under these Terms and Conditions and ESPO remains responsible at all times for its Affiliates’ and sub-processors’ compliance with the terms herein.
6. SECURITY STANDARDS. ESPO has implemented and will maintain appropriate technical and organizational measures to protect against unauthorized or unlawful processing, loss, destruction of, or damage to the Client Personal Data in ESPO’s control or possession, appropriate to: (a) the harm that might result therefrom; and (b) the nature of the Personal Data to be protected, having regard to the state of technological development and the cost of implementing any such measures. ESPO will review its security measures, at least annually, to ensure such measures remain current and complete.
7. PERSONAL DATA BREACH.
a. Loss or Destruction. ESPO will promptly and without undue delay notify Client if any Client Personal Data in ESPO’s control or possession is lost or destroyed, or becomes damaged, corrupted, or unusable.
b. Notification. ESPO will, as soon as practicable and without undue delay, notify Client if it becomes aware of any Personal Data Breach of the Client Personal Data in ESPO’s control or possession, and shall provide Client with a description of the nature of the Personal Data Breach, including approximate number of Data Subjects and Personal Data records concerned, likely consequences, and description of measures taken or proposed to mitigate possible adverse effects. ESPO will not inform any third party of any such Personal Data Breach without first obtaining Client’s prior written consent, except when required to do so by law. ESPO agrees that Client, or where Client is acting as a processor on behalf of a controller, that controller, has the sole right to determine: (a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or, as applicable, in Client’s or the third-party controller’s discretion, including the contents and delivery method of the notice; and (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
c. Remedy and Assistance. Immediately following any Personal Data Breach of the Client Personal Data in ESPO’s control or possession, the parties will coordinate with each other to investigate the matter. ESPO will reasonably cooperate with Client, including (i) assisting with any investigation; (ii) facilitating interviews with employees, former employees and others involved in the matter; (iii) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by Client; and (iv) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from such Personal Data Breach.
d. Expense. Each party will cover all expenses associated with its performance of its obligations required under this Section.
8. CROSS-BORDER TRANSFERS OF PERSONAL DATA. Client consents to ESPO’s processing of Personal Data outside the European Economic Area (“EEA”), specifically in the United States of America. In order to comply with the Data Protection Laws, the parties agree to (i) comply with, and execute as necessary, the latest version of the Standard Contractual Clauses/EU Model Clauses, which are hereby incorporated by reference (where Client is the entity exporting Personal Data to ESPO outside the EEA), and (ii) take all other actions required by law to legitimize the transfer.
9. DATA SUBJECT REQUESTS AND THIRD PARTY RIGHTS.
a. Data Subject and Supervisory Authority Requests. ESPO will, at no additional cost, take such technical and organizational measures as may be appropriate, and promptly provide such information as may reasonably be required, to enable Client to comply with: (i) the rights of Data Subjects under the Data Protection Laws, including Data Subject access rights, the right to rectify and erase Personal Data, the right to object to the processing and automated processing of Personal Data, and the right to restrict the processing of Personal Data, and (ii) information or assessment notices served on Client by any supervisory authority under the Data Protection Laws. ESPO will notify Client within five (5) business days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Laws.
b. Compliance Notification and Cooperation. ESPO will notify Client as soon as practicable if it receives any complaint, notice or communication that relates directly or indirectly to the processing of Client Personal Data or to Client’s compliance with the Data Protection Laws. ESPO will give Client its reasonable co-operation and assistance in responding to any such complaint, notice, communication or Data Subject request.
c. Disclosure. ESPO shall not disclose the Client Personal Data to any Data Subject or to any third party, other than at Client’s or the relevant data controller’s direct request or instruction, unless otherwise required by law.
10. RECORDS AND AUDIT.
a. Records. ESPO will keep detailed, accurate and up-to-date written records regarding any processing of Client Personal Data. ESPO will ensure records are sufficient to enable Client to verify compliance with the obligations under these Terms and Conditions, and ESPO will provide Client with copies of such records upon thirty (30) days prior written request.
b. Annual Assessments. At least once a year, ESPO will conduct audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under these Terms and Conditions. ESPO agrees that it will promptly address any exceptions noted in its audit reports.
11. INDEMNIFICATION. Except to the extent caused by the acts, errors, or omissions of the Indemnified Party (defined below), each party (“Indemnifying Party”) agrees to indemnify and defend at its own expense the other party and, as applicable, the controller of the Personal Data, including their respective directors, officers, employees, subcontractors, and agents (each an “Indemnified Party”) against all costs, claims, damages or expenses incurred by an Indemnified Party due to any material failure by the Indemnifying Party or its employees or agents to comply with (a) any of its material obligations under these Terms and Conditions, or (b) the Data Protection Laws. Notwithstanding the foregoing, (i) in no event shall either party be liable for more than its proportionate share of fault; and (ii) in no event shall ESPO’s aggregate liability for all claims arising from or related to these Terms and Conditions exceed the amount of fees actually paid by Client to ESPO during the twelve (12) months preceding the date of the claim.
a. Notices. Any notice permitted or required under these Terms and Conditions shall be deemed to have been given if it is in writing and (i) personally served or delivered, (ii) mailed by registered or certified mail (return receipt requested), or (iii) delivered by a national overnight courier service with confirmed receipt, to the parties at the addresses set forth in the relevant Agreement. Each party may change its notice address by giving similar notice.
b. Severability. In the event a court of competent jurisdiction holds any of these Terms and Conditions invalid or unenforceable, the remainder of the Terms and Conditions will continue in full force and effect. The parties shall in good faith negotiate a mutually acceptable and enforceable substitute for the unenforceable provision, which substitute shall be as consistent as possible with the original intent of the parties.
c. No Waiver. The failure by either party to enforce any of these Terms and Conditions shall not be deemed a waiver of such provisions or any subsequent breach thereof.
d. Remedies not Exclusive. No remedy made available under these Terms and Conditions is intended to be exclusive unless expressly stated otherwise herein.
e. Entire Agreement. These Terms and Conditions along with the Agreement(s) and any amendments thereto contain the entire understanding between the parties with respect to the subject matter hereof and may not be changed except by a separate writing signed by both parties. During the term of the Agreement(s), purchase orders, acknowledgment forms, or similar routine documents may be used. The parties agree that any provisions of such routine documents which purport to add to or change, or which conflict with, these Terms and Conditions or the Agreement(s) shall be deemed deleted and have no force or effect.
f. Interpretation and Construction. The section headings in these Terms and Conditions are for reference purposes only and shall not be deemed a part of the Terms and Conditions. The wording herein is the wording chosen by the parties to express their mutual intent, and no rule of strict construction shall be applied against either party.
g. Conflicts. In the event of conflict or ambiguity between any of these Terms and Conditions and the provisions of the Agreement(s), these Terms and Conditions will prevail with regard to the subject matter contained herein. In addition, in the case of conflict or ambiguity between any of the provisions of the Agreement(s) and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.