U.S. Data Processing Addendum
This US Service Provider Addendum (this “Addendum”) is made as of the date of the last signature hereto (the “Effective Date”) by and between [Controller/Business Name] (“Customer”) and S-Net Communications, Inc. (“S-NET”). Customer and S-NET are referred to individually as a “Party” and collectively as the “Parties.”
Whereas the Parties entered into a Service Order for Managed IT Services under which S-NET has agreed to perform services on behalf of Customer (the “Agreements”) and the Parties wish to amend the Agreements to address requirements imposed by applicable US state data privacy laws, the Parties agree as follows:
1. Key Definitions
- “Covered Personal Information” means any Personal Information provided by Customer to S-NET, collected by S-NET on behalf of Customer, or otherwise made available to S-NET pursuant to the Agreements.
- “Personal Information” shall be interpreted consistent with the Privacy Laws, and includes at a minimum “personal information” and “personal data” as defined in the Privacy Laws.
- “Portable Format” means to the extent technically feasible a structured, commonly used, machine readable, readily usable format that allows the consumer to transmit the Covered Personal Information to another entity or controller without hindrance, as further specified in the Privacy Laws.
- “Privacy Laws” means applicable statutes, regulations or other laws pertaining to privacy and information security, including, but not limited to, the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act (the “CCPA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (the “VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (the “CPA”); guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45; the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.; the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; and any other applicable federal or state laws or regulations regarding information privacy that are in effect or will come into effect during the term of the Agreements.
- The terms “business,” “business purposes,” “consumer,” “controller,” “process” or “processing,” “processor,” “sale,” “sensitive data,” “sensitive personal information,” “service provider,” “sharing,” and “verifiable consumer request” shall have the meanings given to those terms in the Privacy Laws to the extent such meanings are materially similar to the meaning of terms in CCPA, VCDPA, or CPA. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that the meanings from the applicable Privacy Laws will apply.
- “Services” means the services provided by S-NET to Customer specified in the Agreements.
2. Terms of Data Processing
- Data Processing Addendum – The Parties acknowledge and agree that the details of the processing are provided in Exhibit A attached hereto, including the role of the Parties, duration of the processing, nature and purpose of processing, consideration received in exchange for processing, the type of data subject to processing, and the rights and obligations of the Parties.
- Compliance with Obligations – S-NET represents and warrants that S-NET, its employees, agents, subcontractors, and sub-processors (a) understand and shall comply with the Privacy Laws and this Addendum while providing the Services, (b) will provide the level of privacy protection required by the Privacy Laws, and (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the Privacy Laws. Upon the reasonable request of Customer, S-NET shall make available to Customer all information in S-NET’s possession necessary to demonstrate S-NET’s compliance with this subsection.
- Audit Rights – Customer shall have the right to monitor S-NET’s compliance with this Addendum through measures that may include manual reviews, automated scans, regular assessments, audits, or technical or operational testing. S-NET shall cooperate fully with any audit initiated by Customer, provided that such audit will not unreasonably interfere with the normal conduct of S-NET’s business.
- Compliance Remediation; Termination Rights – S-NET agrees to notify Customer without undue delay if S-NET determines that it can no longer meet its obligations under applicable Privacy Laws. Upon receiving notice from S-NET in accordance with this subsection, Customer may direct S-NET to take steps as reasonable and appropriate to remediate unauthorized use of Covered Personal Information or terminate the Agreements upon thirty (30) days’ notice.
- Changes to Privacy Laws – The Parties agree to cooperate in good faith with Customer to enter into additional terms to address any modifications, amendments, or updates to applicable Privacy Laws.
- Obligations at Termination – When the Agreements expire, S-NET will discontinue processing and delete, destroy, or render unreadable Covered Personal Information without undue delay, unless otherwise instructed by Customer.
- Impact Assessments – If applicable, S-NET shall, upon the reasonable request of Customer, provide Customer with such assistance and information as is reasonably necessary to enable Customer to carry out privacy impact assessments under applicable Privacy Laws.
3. Limitations on Processing of Covered Personal Information
- Data Restrictions – S-NET will not: (a) sell or share Covered Personal Information, (b) retain, use, or disclose Covered Personal Information for any purpose other than the business purposes specified in the Agreements, such as providing the Services to Customer, (c) retain, use, or disclose Covered Personal Information outside the direct business relationship with Customer, or (d) when prohibited by applicable Privacy Laws, combine Covered Personal Information received from Customer with Personal Information that vendor receives from, or on behalf of, another person or persons, or collects from its own interactions with consumers.
- Subcontractors; Sub-processors – S-NET shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, S-NET shall ensure that S-NET’s subcontractors or sub-processors who collect, process, store, or transmit Covered Personal Information on S-NET’s behalf agree in writing to the same restrictions and requirements that apply to S-NET in this Addendum and the Agreements with respect to Covered Personal Information, as well as to comply with applicable Privacy Laws.
- Right to Object – Customer may object in writing to S-NET’s appointment of a new subcontractor or sub-processor on reasonable grounds relating to data protection by notifying S-NET in writing within 30 calendar days of receipt of notice in accordance with Section 3.5. In the event Customer objects, the Parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, S-NET will, in its sole discretion, either not appoint the subcontractor or sub-processor or permit Customer to terminate the Agreements, in such case refunding Customer for any prepaid unused fees.
- Re-identification – S-NET will not, and will not allow its subcontractors or sub-processors to, re-identify any de-identified, anonymized, or pseudonymized data derived from Covered Personal Information that is processed by S-NET on behalf of Customer, unless instructed by Customer in writing.
4. Consumer Requests
- Cooperation – S-NET will implement and maintain sufficient processes and procedures to provide reasonable assistance in connection with Customer’s requests to access, correct, and/or delete Covered Personal Information held by S-NET.
- Fulfillment of Consumer Requests – Within twenty (20) calendar days of a written request from Customer (email is sufficient), S-NET shall, as applicable:
  - Securely erase or destroy, or cause to be erased or destroyed, specific pieces of Covered Personal Information, including any copies of such Covered Personal Information maintained by S-NET’s subcontractor(s) or sub-processor(s).
  - Provide information requested by Customer about S-NET’s collection of the Covered Personal Information, including, without limitation, the categories of Covered Personal Information that were collected and categories of subcontractors or sub-processors to whom S-NET has disclosed the Covered Personal Information.
  - Provide the specific pieces of Covered Personal Information that S-NET and/or one of its subcontractors or sub-processors has collected or otherwise obtained about the consumer on behalf of Customer in a Portable Format.
  - Modify, and direct its subcontractors or sub-processors to modify, specific pieces of Covered Personal Information.
  - Limit processing of Covered Personal Information defined in applicable Privacy Laws as “sensitive personal information” or “sensitive data,” in accordance with the instructions of Customer.
- Referral of Direct Requests – S-NET agrees to refer applicable consumer requests submitted directly to S-NET for Covered Personal Information to Customer.
5. Security Controls
- Duty of Confidentiality – S-NET, its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to the Covered Personal Information.
- Security Measures – S-NET shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Covered Personal Information to protect such Covered Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”).
- Access Controls – S-NET shall implement appropriate access controls restricting access to Covered Personal Information to only such employees, agents, subcontractors, and sub-processors as need to know the information in order to perform their obligations in furtherance of the Agreements.
- Security Incident – S-NET will inform Customer within twenty-four (24) hours of S-NET’s knowledge of any unauthorized access, destruction, use, modification, or disclosure (each, a “Security Incident”) of any Covered Personal Information. S-NET will provide Customer with any information and cooperation reasonably requested by Customer regarding such Security Incident. S-NET shall not provide notice of such Security Incident without the prior written consent of Customer unless required by applicable law.
- Encryption – S-NET will ensure that Covered Personal Information in S-NET’s control is sufficiently protected against unauthorized access and use, including by appropriate encryption, tokenization, or other substantially similar safeguards.
- Security Program – S-NET shall implement a comprehensive written security program that includes administrative, technical, and physical safeguards reasonably designed to ensure the confidentiality, security, and integrity of Covered Personal Information (“Security Program”). Upon Customer’s reasonable request, S-NET will provide Customer with documentation that demonstrates its compliance with this Section.
- Notification of Regulatory Inquiry – In the event that S-NET receives any regulatory inquiry or correspondence regarding Covered Personal Information in which S-NET or Customer is named (an “Inquiry”), S-NET shall, to the extent not prohibited by applicable law or any regulatory authority:
  - Notify Customer of such Inquiry in writing within three (3) calendar days of receiving such Inquiry;
  - Provide Customer with all copies of documents and correspondence relating to the Inquiry without undue delay after receipt or delivery of such documents or correspondence;
  - Provide Customer with a written certification at the conclusion of the Inquiry that action required by the applicable Privacy Laws has been taken in response to such Inquiry;
  - Not disclose any confidential information of Customer or any affiliated party to the applicable authority without Customer’s prior written consent.
- Response to Inquiry – S-NET shall take all other measures necessary to respond to or otherwise address the Inquiry adequately and in a timely manner.
- Severability – If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.
- Survival – All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.
- General – Except as expressly set forth herein, the terms of the Agreements shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreements and the terms of this Addendum, the terms of this Addendum shall control. Headers are for convenience and do not affect the interpretation of the terms of this Addendum.
EXHIBIT A | DATA PROCESSING ADDENDUM
| Item | Details |
|---|---|
| Role of the Parties | For purposes of the Agreements and this Addendum, Customer is the sole Party that determines the purposes and means of processing Covered Personal Information as the “business” or “controller;” and S-NET processes Covered Personal Information on behalf of Customer as the “service provider” or “processor.” |
| Duration of the processing | S-NET agrees to process Covered Personal Information solely as instructed in the Agreements and the Addendum for the duration of the provision of the Services to Customer, and the longer of such additional period as: (i) is specified in any provisions of the Agreements regarding data retention; and (ii) is required for compliance with law. |
| Nature of the processing | Such processing as is necessary to enable S-NET to comply with its obligations and exercise its rights under the Agreements, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities. |
| Purpose of the processing | S-NET agrees to process Covered Personal Information for limited and specified purposes described in the Agreements, this Addendum, or as otherwise directed by authorized personnel of Customer in writing (email acceptable). |
| Consideration in exchange for processing | The Parties acknowledge and agree that S-NET receives no monetary or other valuable consideration in exchange for the Covered Personal Information. |
| Type of data processed | The following categories of Covered Personal Information: social security number, geolocation data, biometric information, Internet or other electronic network browsing information. |
| Obligations and rights of the Parties | As set out in the Agreements. |