Read our Data Processing Addendum below
Disclo Data Processing and Security Addendum
This Data Processing Addendum (including all Schedules attached hereto) (the “DPA”) is incorporated into, and is subject to, the agreement that governs the use of the Services (the “Agreement”) between Disclo, Inc. (“Disclo” or “Company”) and the entity identified as “Client” in the Agreement (“Client”). This DPA applies where Company’s Processing of Client Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
In this DPA, the following terms have the following meaning:
“CCPA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and its implementing regulations.
“Controller” means the entity which determines the purposes and means of Processing of Personal Data.
“Client Personal Data” means the Personal Data described under Schedule 1 to this DPA.
“Data Protection Laws” means all data protection and privacy laws, regulations, and binding obligations that are applicable to Company’s Processing of Client Personal Data under the Agreement, each as amended, repealed, consolidated or replaced from time to time. For the avoidance of doubt, Disclo does not meet any of the threshold requirements to qualify as a covered business under the CCPA but does act as a “service provider” under the CCPA and considers data protection and consumer privacy rights to be fundamental to its customer relationships. This DPA therefore will assist Client in complying with Client’s CCPA obligations, if any.
“Data Subjects” means the individuals identified in Schedule 1 to this DPA.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (also referred to as the "EU GDPR"). The GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018, together with the UK Data Protection Act 2018, is collectively the "UK GDPR".
“Personal Data,” “Personal Data Breach,” “Processing,” and “Process(es)” will each have the meaning given to them under the applicable Data Protection Laws. The term “Personal Data” includes personal information, personally identifiable information, and equivalent terms as such terms may be defined by the Data Protection Laws.
“Personnel” shall mean any employee, staff member, agency worker or other full-time or temporary, paid or unpaid person working for Disclo.
“Security Measures” means the commercially reasonable technical and organizational measures Company implements as described in Schedule 2.
“Services” means those products, services, and other deliverables provided by Disclo under the Agreement.
“Standard Contractual Clauses” or “SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, superseded, or replaced from time to time.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as amended, superseded, or replaced from time to time.
2.1 The parties acknowledge and agree that Client is the Controller of Client Personal Data and Company is the Processor of Client Personal Data.
2.2 Company will Process Client Personal Data on behalf of and in accordance with Client’s prior written instructions, including any instructions provided through Client’s use of the Services, unless required to do otherwise by applicable Data Protection Laws, in which case Company shall inform Client of that legal requirement before Processing Client Personal Data, unless that same law prohibits Company from doing so on important grounds of public interest. Company is hereby instructed to Process Client Personal Data to the extent necessary to provide the Services as set forth in the Agreement.
2.3 Without prejudice to the foregoing, Client is responsible for determining whether the Services are appropriate for the storage and processing of Client Personal Data under Data Protection Laws and for the accuracy, quality, and legality of the Client Personal Data and the means by which it acquired Client Personal Data.
2.4 Company will provide the same level of protection for Client Personal Data as required of Client under Data Protection Laws. Company will not (a) retain, use, or disclose Client Personal Data other than as provided for in the Agreement, as needed to provide the Services, or as otherwise permitted by Data Protection Laws; (b) retain, use, or disclose any Client Personal Data outside of the direct business relationship between Client and Company unless permitted by Data Protection Laws, (c) retain, use or disclose Client Personal Data for any purpose other than the business purposes specified in this DPA or otherwise permitted by Data Protection Laws, or (d) sell or share Client Personal Data (as those terms are defined in the CCPA). Company shall comply with any applicable restrictions under Data Protection Laws on combining Client Personal Data with Personal Data that Company receives from, or on behalf of, another person or persons, or that Company collects from any interaction between it and any individual. Notwithstanding this, however, Client understands and agrees that Company may de-identify or aggregate Client Personal Data in the course of providing the Services.
2.5 A description of Company’s Processing of Client Personal Data is set forth in Schedule 1.
2.6 Client and Company will each comply with their respective obligations under the Data Protection Laws. Client will ensure its processing instructions comply with applicable laws, rules, and regulations and that the processing of all Client Personal Data by Company in accordance with Client’s instructions will not cause Company to be in breach of applicable Data Protection Laws.
3. Security and Personal Data Breach Response
3.1 Company will implement commercially reasonable technical and organizational measures, as further described in the Security Measures, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data. Client acknowledges that the Security Measures are subject to technical progress and development and that Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the material degradation of the overall security of the Services purchased by Client.
3.2 Company will require Company’s Personnel who access the Client Personal Data to be under an obligation to protect the confidentiality of Client Personal Data.
3.3 After becoming aware of a verified Personal Data Breach affecting any Client Personal Data, Company will notify Client without undue delay to the extent legally permissible. Company will also (i) provide timely information relating to the Personal Data Breach as it becomes known or as it is reasonably requested by Client; and (ii) promptly take steps, deemed necessary and reasonable by Company in its sole discretion, to contain, investigate, and remediate any Personal Data Breach, to the extent that the remediation is within Company’s reasonable control. Company’s notification of, or response to, a Personal Data Breach under this section will not be construed as an acknowledgment by Company of any fault or liability with respect to the Personal Data Breach. Moreover, these obligations will not apply to a Personal Data Breach caused by Client or its Authorized Users. At Client’s request, Company will promptly provide the Client with reasonable assistance necessary to enable Client to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Client is required to do so under the Data Protection Laws. Client is solely responsible for complying with Personal Data Breach notification requirements applicable to Client and fulfilling any third-party notification obligations related to any Personal Data Breach.
3.4 Without prejudice to Company’s obligations under this section, Client agrees that except as provided by this DPA, Client is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Client Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Client Personal Data.
3.5 Client agrees, based on its current and intended use of the Services, that the Services, Security Measures, and any other additional security controls described in this DPA: (i) meet Client’s needs, including with respect to any security obligations of Client under applicable Data Protection Laws; and (ii) provide a level of security appropriate to the risk regarding the Client Personal Data.
4. Rights of Data Subjects and Cooperation
4.1 Client is responsible for responding to any Data Subject requests relating to Client Personal Data (“Requests”). If Company receives any Requests during the Agreement’s Term, Company will advise the Data Subject to submit the request directly to Client. To the extent Client is unable to independently retrieve, access, or delete the relevant Client Personal Data within the Services in order to respond to such Requests, Company will (at Client’s cost and taking into account the nature of the processing) provide reasonable cooperation to assist Client by appropriate technical and organizational measures, to the extent possible. In the event that Company is legally required to respond to any Request, Company will promptly notify Client and provide it with a copy of the Request unless prohibited by law to do so.
4.2 Company shall provide Client reasonable assistance to facilitate Client with any data protection impact assessments and consultations with data protection authorities, if Client is required to engage in such activities under applicable Data Protection Laws and, in each case, solely to the extent that such assistance is necessary and relates to Company’s Processing of Client Personal Data, taking into account the nature of the Processing and the information available to Company.
5. Audits and Information
5.1 Client may audit Company’s compliance with its obligations under this DPA up to once per year. In addition, Client may perform more frequent audits (including inspections) in the event: (1) Company suffers a Personal Data Breach affecting Client Personal Data; (2) Client has genuine, documented concerns regarding Company’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Client Personal Data. Company will contribute to such audits by providing Client or Client’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services.
5.2 To request an audit, Client must submit a detailed proposed audit plan to Company (kai@disclo.com) at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Client intends to appoint to perform the audit. Company will review the proposed audit plan and provide Client with any concerns or questions (for example, Company may object to the third party auditor as described in Section 5.3, provide an Audit Report as described in Section 5.4, or identify any requests for information that could compromise Company confidentiality obligations or security, privacy, employment, Data Protection Laws, or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two (2) weeks in advance of the proposed audit start date. Nothing in this Section 5 shall require Company to breach any duties of confidentiality. Further, any written responses or audit described in this Section 5 are subject to the confidentiality provisions of the Agreement.
5.3 If a third party is to conduct the audit, Company may object to the auditor if the auditor is, in Company’s reasonable opinion, not suitably qualified or independent, a competitor of Company, or otherwise manifestly unsuitable. Such objection by Company will require Client to appoint another auditor or conduct the audit itself.
5.4 If the requested audit scope is addressed in an SSAE 18/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor on Company’s systems that Process Client Personal Data (“Audit Reports”) within twelve (12) months of Client’s audit request and Company confirms there are no known material changes in the controls audited, Client agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the report.
5.5 The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Company’s health and safety or other relevant policies and may not unreasonably interfere with Company business activities.
5.6 Any audits are at Client’s expense. The parties agree that the audits described in Clause 8.9 of the SCCs and Clause 12.1, in each case, shall be carried out in accordance with this Section 5.
6. Deletion of Client Personal Data
6.1 Client may instruct Company to delete Client Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. Notwithstanding the foregoing, Company may retain Client Personal Data to the extent and for the period required by applicable laws provided that Company maintains the confidentiality of all such Client Personal Data and Processes such Client Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
7. Data Processing by Sub-Processors
7.1 Client agrees that Company may engage sub-Processors to Process Client Personal Data on Client’s behalf. Company shall ensure that any such sub-Processor has entered into a written agreement containing terms no less protective as to Client Personal Data than those provided in this DPA, to the extent applicable to the nature of the services provided by such sub-Processor. Company shall be liable for the acts and omissions of any sub-Processors to the same extent as if the acts and omissions were performed by Company.
7.2 Company shall inform Client of any intended changes concerning the addition or replacement of any sub-Processor.
7.3 If, within thirty (30) calendar days of receiving notice of a proposed new sub-Processor, Client notifies Company in writing of any reasonable objections based on data protection, the parties will discuss such concerns with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Company will, at its sole discretion, either not appoint that proposed sub-Processor in respect of that Client Personal Data only or permit Client in writing to terminate the Services in accordance with the Agreement’s termination provisions without liability to either party, and Company will refund to Client a pro rata portion of any prepaid fees for the remaining portion of the Term from the date of termination.
8. Cross Border Data Transfers
8.1 To the extent Client transfers Client Personal Data subject to the EU GDPR, the parties agree to comply with the general clauses and, where Client is a Controller of Client Personal Data, “Module Two” (Controller to Processor) of the SCCs, which are incorporated herein by reference.
8.2 For purposes of the SCCs the parties agree that:
8.2.1 Client will act and comply with the obligations, and shall have the rights, of the “data exporter” under the SCCs, and Company will act and comply with the obligations of the “data importer” under the SCCs;
8.2.2 In Clause 7, the optional docking clause will apply;
8.2.3 In Clause 9, Option 2 will apply and the time period for prior notice of sub-Processor changes will be as set forth in Section 7 of this DPA;
8.2.4 In Clause 11, the optional language will not apply;
8.2.5 For the purpose of Clause 17, the SCCs shall be governed by the laws of Ireland;
8.2.6 For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
8.2.7 For the purposes of Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Client is a Controller and Company is a Processor; (iii) the activities relevant to the data transferred under the SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
8.2.8 For the purposes of Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Company’s Processing of Client Personal Data; (ii) the frequency of the transfer is continuous (for as long as Client uses the Services); (iii) Client Personal Data will be retained in accordance with section 6 of this DPA; (iv) Company uses sub-Processors to support the provision of the Services.
8.2.9 For the purposes of Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the SCCs is the competent supervisory authority communicated by Client to Company. If Client does not communicate a competent supervisory authority to Company, the competent supervisory authority shall be determined in accordance with the EU GDPR.
8.2.10 For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Client Personal Data as described in the Security Measures or as otherwise made reasonably available by data importer to the data exporter.
8.2.11 For the purposes of Annex III, a current list of Company’s sub-Processors can be found at https://trust.disclo.com.
8.2.12 If and to the extent the SCCs conflict with any provision of this DPA the SCCs will prevail to the extent of such conflict.
8.3 To the extent the transfer of Client Personal Data is subject to the Swiss Federal Act on Data Protection (the “Swiss FDPA”), the following provisions apply: (i) references to “Regulation (EU) 2016/679” are interpreted as references to the Swiss FDPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent article or section of the Swiss FDPA; (iii) references to “EU,” “Union,” and “Member State” will be interpreted as references to Swiss law; (iv) Clause 13(a) and Part C of Annex II are not used and references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts;” (v) in Clause 17, the SCCs are governed by the laws of Switzerland; and (vi) in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
8.4 With respect to transfers from Client to Company of Client Personal Data subject to the UK GDPR, the parties agree the SCCs are deemed amended as specified by the UK Addendum, which is deemed executed by the parties. The parties further agree that: (i) Tables 1-3 of the UK Addendum are deemed completed using the information contained in the Schedules; (ii) Table 4 in Part 1 of the UK Addendum is deemed completed by selecting “importer” and “exporter;” and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
9. Liability
9.1 Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party in accordance with the terms of the Agreement, including this DPA.
9.2 Client acknowledges that Company is reliant on Client for direction as to the extent to which Company is entitled to Process Client Personal Data on behalf of Client in performance of the Services. Consequently, Company will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Company in compliance with Client’s instructions or (b) from Client’s failure to comply with its obligations under the Data Protection Laws. Client therefore will indemnify Company if Client fails to comply with its obligations under Data Protection Laws according to the indemnification process set forth in the Agreement.
10. Miscellaneous
10.1 Section Headings. The section headings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA.
10.2 Precedence. With regard to the subject matter of this DPA, in the event of a conflict between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. This DPA may not be modified except by an amendment signed by both parties.
10.3 Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdictional provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
10.4 Amendments. This DPA may not be modified except by an amendment signed by both parties.
10.5 Permitted Disclosures. Each party acknowledges that the other party may disclose this DPA and any privacy-related provisions in the Agreement to any appropriate regulator upon request.
SCHEDULE 1
Details of Processing Client Personal Data
Categories of Data Subjects. This DPA applies to the processing of Client Personal Data relating to Client’s employees and other authorized users of the Services (“Data Subjects”).
Types of Personal Data. The extent of the Client Personal Data processed by Company is determined and controlled by the Client in its sole discretion and includes names, mailing addresses, email addresses, phone numbers, medical information, employment history, personal data contained on submitted paperwork, and any other Personal Data that may be transmitted through the Services by Data Subjects.
Subject-Matter and Nature of the Processing. The subject-matter of processing of Client Personal Data by Company is the provision of the Services to the Client. Client Personal Data will be subject to those processing activities which Company needs to perform in order to provide the Services pursuant to the Agreement.
Purpose of the Processing. Client Personal Data will be processed by Company for purposes of providing the Services as set forth in the Agreement.
Duration of the Processing. Client Personal Data will be processed for the duration of the Agreement, subject to section 6 of the DPA.
Sub-Processors. A current list of Company’s sub-Processors can be found at https://trust.disclo.com.
SCHEDULE 2
Security Measures
Company has implemented and will maintain security measures, internal controls, and information security policies and procedures designed to protect Client Personal Data (collectively, the “security measures”). Company regularly monitors compliance with these safeguards. Company may update the security measures from time to time and without notice, provided that such updates and modifications do not materially decrease the overall security of the Services during the term of the Agreement.
The following security measures are in place to protect Client Personal Data processed by Company on behalf of Client:
Data Security
Company implements appropriate and reasonable technical and organizational measures to: (i) protect Client Personal Data against accidental loss or damage and unauthorized access, use, disclosure, alteration, or destruction (ii) ensure the confidentiality, security, integrity, and availability of Client Personal Data and (iii) securely dispose of Client Personal Data and tangible property containing Client Personal Data (as and when required), taking into account available technology so that such information cannot be practicably read or reconstructed. These measures include those described at https://trust.disclo.com.
Company has a business continuity and disaster recovery plan in place.
Company shall document, in a written security policy, Client’s Personal Data handling procedures designed to implement technical and organizational measures to protect Client’s Personal Data as required by the applicable Data Protection Laws and this Addendum.
Company shall document, in a written business continuity plan, its policies and procedures to recover Client’s Personal Data and the Services following an unplanned event or circumstance resulting in an interruption of or inaccessibility to Client’s Personal Data and the Services.
Access to Client Personal Data is limited to Personnel that:
Where Personnel access Client Personal Data through the Company’s IT systems or other electronic devices, Company limits such access to Personnel who:
Company records the date, time, requestor and nature of Personnel access to (i.e., read-only or modify) Client Personal Data in a log file.
Company retains a complete audit trail of all physical and electronic access to and other Processing of Client Personal Data for a minimum of one year.
Company implements procedures to modify or revoke access permissions to Client Personal Data when Personnel leave Company or when their job responsibilities change.
Company encrypts all Client Personal Data at rest or in transit that Company Processes on behalf of Client where such Processing takes place using laptops or other portable electronic devices.
Company employs commercially reasonable efforts to ensure the secure destruction of Client Personal Data when such destruction is necessary, and consistent with the Agreement. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in secure on-site Company trash bins with subsequent off-site shredding by a licensed contractor shall be implemented.
Storage of Client Personal Data on Company IT systems and backups of said data is encrypted when at rest consistent with commercially reasonable practices.
Passwords of Company Personnel used to access Client Personal Data are managed by mandatory use of Single Sign-On.
Access on computing devices to Client Personal Data terminates after a maximum one (1) hour of inactivity.
To protect the accuracy and integrity of Client Personal Data, all such information will be backed up regularly (no less often than weekly unless otherwise agreed by Client in writing) and the backups stored in secure, environmentally-controlled, limited-access facilities.
Transmission of Client Personal Data
All Client Personal Data is encrypted during transmission by Company Personnel. Unless required to be transmitted in another manner by a lawful order from a governmental investigative or judicial agency or requested by Client, Company will not electronically transmit Client Personal Data over publicly-accessible networks.
Regularly Monitor and Test Networks
Company regularly tests its IT systems, processes and software to ensure reasonable security measures (including, without limitation, those required under this DPA) are maintained over time. Such testing addresses security controls and access mechanisms through the use of network and application layer vulnerability assessments.
Company runs internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
Company implements network intrusion detection, host-based intrusion detection, and/or intrusion prevention systems to monitor all network traffic and alert Company’s information security function of any security concerns.
Company will promptly install any security-related fixes deemed necessary and reasonable by Company in its sole discretion to contain or remediate any Personal Data Breach affecting Client Personal Data, to the extent that the remediation is within Company’s reasonable control.