TRĒ AI DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM (the “Addendum”) forms part of the Master Subscription Agreement (the “Master Agreement”), between TRĒ AI, INC. (the “Service Provider”) and the Customer under such Master Agreement, pursuant to which Service Provider provides Services to the Customer. The Customer and Service Provider are referred to in this Addendum as “Parties” and individually as a “Party”.
1. Definitions
Unless otherwise defined below, all capitalized terms used in this Addendum have the same meaning given to them in the Master Agreement and/or exhibits thereto.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“European Data Protection Laws” means the European Union’s General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and its national implementations in the EEA and Switzerland, and the UK General Data Protection Regulation (the “UK GDPR”), each as applicable and as amended or replaced from time to time.
“Data Protection Laws” means all local, state, national and/or foreign laws, treaties and/or regulations (as any of the foregoing may be amended or replaced from time to time) applicable to the protection and Processing of Personal Data, provided that this term encompasses only laws, rules, and regulations that a Party is subject to and that govern the Personal Data at issue.
“Data Subject” means the person to whom the Personal Data relates.
“EEA” means the European Economic Area.
“Liability” means costs, expenses, losses, obligations, damages, actions, suits, demands, settlements, judgments, awards, fines, penalties, fees (including attorney’s fees), and any other form of liability whatsoever. With respect to a Personal Data Breach, Liability includes the following: (i) computer, technology, and forensic investigation; (ii) attorney fees; (iii) public relations costs; (iv) notification of affected individuals and regulators; (v) credit and identity monitoring and restoration; (vi) call and email support; and (vii) investigation, inquiry, request, subpoena, other legal process, fine, penalty, settlement, judgment, claim, suit, lawsuit, action, cause of action, or other allegation issued or made by an individual, group or class of individuals, regulator, or any other third-party arising out of or related to the Personal Data Breach.
“Personal Data” means any data (whether referred to as personal data, personal information or another term) (A) that relates to (i) an identified or identifiable natural person or, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data under applicable Data Protection Laws), or (B) that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
“Personal Data Breach” means accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, use of, access to, or Processing of Personal Data within the possession, custody or control of Service Provider, or Processing of Personal Data in violation of Data Protection Laws; provided that this term does not include (i) a Personal Data Breach of Personal Data that is encrypted, as long as the decryption key also has not been compromised, or (ii) unintended or good faith Processing of Personal Data by an employee of a Party, or disclosure of Personal Data by an employee of a Party or its subcontractor to another employee of a Party or its subcontractor, as long as the Personal Data is not otherwise further handled without authorization, beyond the scope of authorization, or in a manner or to an extent that compromises the confidentiality, integrity or availability of the Personal Data or violates any Data Protection Law.
“Processing” or “Process” means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
“Services” are those products, services, and other deliverables provided under the Master Agreement.
“Standard Contractual Clauses” means (i) the standard contractual clauses (the “EU SCCs”) for the transfer of personal data to processors established in third countries authorized by and annexed to the European Union Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and any amendments or replacements of such EU SCCs, pursuant to the GDPR, and (ii) the international data transfer agreement (the “UK IDTA”) and the international data transfer addendum (the “UK Addendum”) issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 and effective 21 March 2022, and any amendments or replacements of such UK IDTA and UK Addendum, pursuant to the UK GDPR.
“Subprocessor” means a third-party entity engaged by Service Provider, but not specifically required or mandated by Customer, as a subcontractor to Process Personal Data under this Addendum.
“Valid Transfer Mechanism” means a data transfer mechanism permitted by European Data Protection Laws as a lawful basis for transferring Personal Data to a recipient outside of the EEA, Switzerland or the UK, which may include, without limitation, the Standard Contractual Clauses or certification under any program established between or among the governments of the EU, Switzerland, the UK and/or the U.S. for purposes of ensuring adequate protection for data transfers (including any successor programs to the EU-U.S. Privacy Shield Program, the Swiss-U.S. Privacy Shield Program, and the EU-U.S. Data Privacy Framework).
2. Processing Personal Data
2.1. Scope and Role of the Parties. This Addendum applies to the Processing of Personal Data by Service Provider in the course of providing Services under the Master Agreement. For the purposes of this Addendum: (i) Customer is the Data Controller; (ii) with respect to Personal Data for which Customer is the Data Controller, Service Provider is the Data Processor Processing such Personal Data on Customer’s behalf; (iii) with respect to Personal Data for which Customer is a Data Processor for a third party Data Controller, Service Provider is a sub-processor to Process Personal Data on the Data Controller’s behalf. For simplification purposes, Service Provider is hereinafter referred to as a Data Processor for scenario (ii) and (iii) above. To the extent Service Provider acts as a Data Processor to a third party Data Controller, (a) any notifications given by the third party Data Controller to Customer will be conveyed to Service Provider insofar as they relate to the Services provided by Service Provider; and (b) any instructions given by Customer to Service Provider relating to the Processing of Personal Data are the instructions given by the third party Data Controller.
2.2. Instructions for Processing. Service Provider shall Process Personal Data in accordance with Customer’s instructions. Customer instructs Service Provider to Process Personal Data to provide Services in accordance with the Master Agreement and this Addendum. Customer may provide additional instructions to Process Personal Data. If Service Provider believes that an additional instruction provided by Customer violates applicable Data Protection Laws, it shall inform Customer accordingly. Service Provider shall Process Personal Data obtained hereunder from Customer solely for purposes of fulfilling Service Provider’s obligations under the Master Agreement.
2.3. Compliance with Laws. Customer shall comply with Data Protection Laws applicable to Customer in its role as a Data Controller Processing Personal Data. Service Provider shall comply with Data Protection Laws applicable to Service Provider in its role as a Data Processor Processing Personal Data. For the avoidance of doubt, Customer is not responsible for complying with Data Protection Laws directly applicable to Service Provider as a Data Processor.
3. Subprocessors
3.1. Use of Subprocessors. Service Provider may engage Subprocessors to Process Personal Data. Service Provider shall ensure that any such Subprocessor has entered into a written agreement requiring the Subprocessor to abide by terms no less protective as to Personal Data than those provided in this Addendum. Upon Customer’s request, Service Provider will make available to Customer a summary of the Personal Data Processing activities of any such Subprocessor. Service Provider shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts and omissions were performed by Service Provider.
3.2. Notification of Subprocessors. Service Provider shall give Customer prior written notice of the appointment of any Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If Customer has any concerns about any such Subprocessor, such concerns should be communicated within 30 days of such notice and, thereafter, Service Provider and Customer shall discuss and seek to come to a mutually agreed resolution of such concerns.
4. Data Center Location and Data Transfers
4.1. Storage of Personal Data. Personal Data will be hosted in data centers located in the United States, the UK or a country in the EEA, unless the Parties otherwise expressly agree in writing.
4.2. Access to and Transfer of Personal Data. Notwithstanding Section 4.1, in order to provide the Services, Service Provider and its Subprocessors will only access Personal Data from (i) countries in the EEA; (ii) countries formally recognized by the European Commission as providing an adequate level of data protection (“Adequate Countries”); (iii) the UK; and (iv) the United States and other non-Adequate Countries, provided that Service Provider makes available to Customer a Valid Transfer Mechanism and that, with respect to access by Subprocessors, the requirements of Section 3 are met.
5. Rights of Data Subjects
5.1. Correction, Deletion, or Restriction. Service Provider will, as necessary to enable Customer or a third party Data Controller to meet its obligations under applicable Data Protection Laws, either (i) provide Customer or the third party Data Controller with its own functionality or ability to correct or delete Personal Data or restrict its Processing; or (ii) if technically possible, at Customer’s specific request, make such corrections, deletions, or restrictions on Customer’s or the third party Data Controller’s behalf if such functionality or ability is not available to Customer or the third party Data Controller (with the choice between (i) and (ii) being at Customer’s discretion). Service Provider is responsible for notifying any Subprocessors of correction, deletion, or restriction request, to the extent such a request is applicable.
5.2. Access to Personal Data. To the extent a Data Subject’s Personal Data is not accessible to Customer or the third party Data Controller, Service Provider will, as necessary to enable Customer or a third party Data Controller to meet their obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to Customer or the third party Data Controller.
5.3. Handling of Data Subject Requests. For the avoidance of doubt, Customer or the third-party Data Controller is responsible for responding to Data Subject requests for access, correction, deletion, or restriction of that person’s Personal Data (“Data Subject Request”). If Service Provider receives a Data Subject Request, Service Provider shall promptly redirect the Data Subject to Customer.
5.4. Data Portability. For the avoidance of doubt, Customer or the third-party Data Controller is responsible for responding to Data Subject’s data portability requests. To the extent a Data Subject’s Personal Data is not accessible to Customer or the third party Data Controller, Service Provider will, as necessary to enable Customer or the third party Data Controller to meet their obligations under applicable Data Protection Laws, provide such Personal Data extract in a structured, commonly used and machine-readable format.
6. Government Access Requests
Unless prohibited by applicable law or a legally binding request of law enforcement, Service Provider shall promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Personal Data.
7. Service Provider Personnel
Service Provider shall take reasonable steps to require screening of its personnel who may have access to Personal Data and shall require such personnel to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data. All Service Provider personnel that handle Personal Data on behalf of Customer are required to sign confidentiality agreements with Service Provider. Such confidentiality obligations shall survive termination of employment.
8. Security
8.1. Security Program. Service Provider shall implement appropriate and reasonable technical and organizational measures designed to protect Personal Data against unauthorized access or disclosure or accidental or unlawful destruction, loss, or alteration, including, but not necessarily limited to, those set forth in Exhibit A of this Addendum (the “Standards”). The privacy and security controls set forth in the Standards are material terms of this Addendum and are incorporated herein. Such measures shall be appropriate to (i) the size, scope, and type of Service Provider’s business; (ii) the type of information that Service Provider will Process; and (iii) the need for security and confidentiality of such information.
8.2. Breach Notification. Service Provider shall promptly notify Customer of any Personal Data Breach affecting the Personal Data within the possession, custody, or control of Service Provider. The notice will include: (i) the date or date range of the Personal Data Breach; (ii) the date Service Provider discovered the Personal Data Breach; (iii) a description of the Personal Data Breach; (iv) the number of Data Subjects affected by the Personal Data Breach; (v) the types of Personal Data involved in the Personal Data Breach; (vi) the likely consequences of the Personal Data Breach; and (vii) the steps that Service Provider has taken to investigate the Personal Data Breach, mitigate potential harm and possible adverse effects, and prevent further Personal Data Breaches. Service Provider will promptly supplement the notice as necessary with information about the Personal Data Breach as Service Provider obtains the information, including Service Provider’s assessment as to whether the Personal Data Breach is reportable under Data Protection Laws. Service Provider shall fully cooperate in investigations of the Personal Data Breach and provide sufficient information to allow Customer to meet its obligations under Data Protection Laws and under contract, if applicable. To the extent any applicable law requires that the affected Data Subjects or a governmental authority be notified of a Personal Data Breach caused by Service Provider or any of its Subprocessors or with respect to IT systems under the control of Service Provider or any of its Subprocessors, Service Provider will cooperate with Customer in responding to such Personal Data Breach. To the extent that Customer is subject to or involved in an investigation by a governmental authority, litigation, or any inquiry, formal or informal, arising out of or related to a Personal Data Breach, Service Provider will cooperate with Customer in responding to such event.
Service Provider shall not disclose to any person, other than its attorneys and agents, information related to such Personal Data Breach without express written authorization from Customer, including by not notifying any individual affected or potentially affected by the Personal Data Breach, any local, state, or federal government authority or agency, any media outlet, or any other person or entity.
9. Audit
Service Provider shall make available, upon reasonable request, information necessary to demonstrate compliance with this Addendum.
10. Return and Deletion of Personal Data
Upon termination of the Services, Service Provider shall, at Customer’s option, either return all Personal Data to Customer or delete or destroy all Personal Data, unless applicable law requires storage of the Personal Data. In such case, Service Provider shall continue to ensure the confidentiality of all such Personal Data.
11. Indemnification; Limitations on Liability; Remedies.
Service Provider agrees to indemnify and hold harmless Customer, its subsidiaries and related companies and their officers, directors, employees, workers and agents, from and against all Liability resulting from or arising out of: (i) Service Provider’s breach of this Addendum; (ii) a Personal Data Breach that was not caused by the Customer, any Subprocessor of Customer (other than Service Provider), or any of their respective employees, agents, and representatives; provided that Service Provider’s Liability to Customer for a Personal Data Breach will be limited as set forth in this section; and (iii) any claim related to the infringement of a privacy right or other similar privacy-related action caused by Service Provider, any of its Subprocessors, or any of their respective employees, agents and representatives. Service Provider shall maintain a commercially reasonable insurance policy that provides coverage for Liability arising out of or related to a Personal Data Breach and that has an overall limit of at least US$1 million. If Service Provider maintains such an insurance policy, and that insurance policy provides coverage for Liability arising out of or related to a Personal Data Breach, then Service Provider’s Liability to Customer arising out of or related to a Personal Data Breach under this paragraph will be limited to the coverage provided by that insurance policy.
Customer agrees to indemnify and hold harmless Service Provider, its subsidiaries and related companies and their officers, directors, employees, workers and agents, from and against all Liability resulting from or arising out of: (i) Customer’s breach of this Addendum; (ii) a Personal Data Breach affecting Customer or its Personal Data that was caused by Customer, any Subprocessor of Customer (other than Service Provider), or any of their respective employees, agents, and representatives; provided that Customer’s Liability to Service Provider for a Personal Data Breach will be limited as set forth in this section; and (iii) any claim related to the infringement of a privacy right or other similar privacy-related action caused by Customer. Customer shall maintain a commercially reasonable insurance policy that provides coverage for Liability arising out of or related to a Personal Data Breach and that has an overall limit of at least US$1 million. If Customer maintains such an insurance policy, and that insurance policy provides coverage for Liability arising out of or related to a Personal Data Breach, then Customer’s Liability to Service Provider arising out of or related to a Personal Data Breach under this paragraph shall be limited to the coverage provided by that insurance policy.
Notwithstanding the foregoing or anything else in this Addendum to the contrary, the liability limits in the Master Agreement shall apply to all matters under this Addendum.
12. General Provisions
12.1. Termination. The term of this Addendum will end simultaneously and automatically with the termination of the Master Agreement.
12.2. Conflict. In the event of a conflict between the provisions of this Addendum and the Master Agreement, the provisions of the Master Agreement will prevail with regard to the Parties’ data protection obligations.
12.3. Section Headings. The section headings contained in this Addendum are for reference purposes only and shall not in any way affect the meaning or interpretation of this Addendum.
12.4. Governing Law. This Addendum shall be governed by the same governing law as that of the Master Agreement.
Exhibit A
Standards
1. Encrypt drives of Service Provider’s mobile devices and laptops used to Process Personal Data.
2. Encrypt Personal Data at rest on Service Provider servers and cloud services.
3. Encrypt electronic transmission of Personal Data, including by email, file transfer protocol, and other forms of electronic transmission.
4. Encrypt Service Provider devices used to transport electronic Personal Data.
5. Implement commercially reasonable mobile device management (MDM) on mobile devices used to Process Personal Data.
6. Technologically prevent Processing of Personal Data and access to any Service Provider device, system or application from any device, system, or application that is not owned by Service Provider, except personal mobile devices subject to MDM as set forth above. Implement conditional access for access to any system or application used to Process any Personal Data, including any on-site and remote access to email and networks.
7. Either (a) technologically prevent users of Service Provider devices, systems, and applications from being administrators of any devices, systems, and applications used to Process Personal Data or to access any Service Provider device, system or application, or (b) require such users to have and use non-administrator accounts to do so.
8. Technologically require all users who Process Personal Data or access any Service Provider device, system or application that contains or is used to Process Personal Data to do so only using either a biometric or a unique password containing not less than 12 characters and consisting of at least three of the following: upper case letter, lower case letter, number, and special symbol.
9. Technologically require all accounts with administrator or other privileged access to use either a biometric or a unique password containing not less than 12 characters consisting of a random sequence of upper-case letter, lower case letter, number, and special symbol characters.
10. Implement commercially reasonable MFA for Processing of Personal Data and for access to any Service Provider device, system or application that contains or is used to Process Personal Data. Ensure that MFA is required for all users, administrators, privileged accounts, and non-user accounts, that basic authentication for legacy and all other applications is disabled, and that there are no other MFA gaps.
11. In addition to commercially reasonable anti-virus, anti-malware, and anti-spyware, implement commercially reasonable advanced, activity-based threat detection and prevention (Advanced Threat Protection) on all Service Provider devices used to Process Personal Data or to access any Service Provider device, system or application that contains or is used to Process Personal Data.
12. Implement commercially reasonable firewalls on devices used to Process Personal Data or to access any Service Provider device, system or application that contains or is used to Process Personal Data.
13. Implement a commercially reasonable sandbox that analyzes links and attachments in emails sent or received on Service Provider email accounts for potentially malicious content.
14. Implement the automatic updating and patching functionality for all security applications and all other non-security applications, unless doing so with such non-security applications is significantly operationally disruptive. To the extent automatic updating and patching functionality is not implemented for such other applications, update all such applications not less than weekly for security updates, and patch such applications not less than monthly for all other types of updates and patches.
15. Implement commercially reasonable security information and event management (SIEM) applicable to Service Provider devices, systems and applications used to Process Personal Data or to access any Service Provider device, system or application.
16. Robustly configure log files for Service Provider devices, systems and applications used to Process Personal Data or to access any Service Provider device, system or application to capture access and activity, as well as potentially malicious or anomalous security events, access and activity, and retain all such data for not less than 120 days. Configure the SIEM to capture, analyze and immediately notify the Service Provider with respect to potentially malicious or anomalous security events, access and activities.
17. Retain an independent third party to conduct real-time monitoring and alerting via a 24/7/365 security operations center (SOC) with respect to at least the SIEM, the log files described above, and the Advanced Threat Protection applications.
18. Implement commercially reasonable network access control (NAC) for access to any Service Provider device, system or application.
19. Implement commercially reasonable systems to back up Service Provider devices, systems, and applications (including Personal Data on them), including at least one encrypted backup physically accessible to Service Provider immediately or nearly immediately after a natural or technological disaster, and either one cloud backup or one failover redundant cloud system.
20. Implement a commercially reasonable cloud system that contains critical data and applications for Service Provider operations that can be operated for failover redundancy immediately or nearly immediately after a natural or technological disaster.
21. Periodically (and not less than annually) assess potential technological, administrative, and physical risks to the confidentiality, integrity, and availability of Personal Data and Service Provider devices, systems and applications, and (if necessary or appropriate) implement reasonable additional safeguards to eliminate or mitigate those risks.
22. Periodically (and not less than quarterly) provide appropriate and topical training to Service Provider employees concerning cybersecurity and privacy matters, including potential risks to the confidentiality, integrity, and availability of Personal Data and the safeguards implemented by the Service Provider to eliminate or mitigate those risks.
23. Retain an independent third party to conduct periodic (and not less than annual) internal and external vulnerability scanning or external penetration testing of Service Provider systems.
24. Retain an independent third party to conduct periodic (and not less than quarterly) scanning of the dark web for Service Provider usernames and passwords.
25. Limit physical access to Service Provider devices, systems, and applications used to Process Personal Data or to access any Service Provider device, system or application to only those employees who need such access to perform their duties for Service Provider.
26. Implement commercially reasonable monitored security with respect to the physical facilities used to house or retain Service Provider devices, systems, and applications used to Process Personal Data or to access any Service Provider device, system or application.
27. Conduct appropriate due diligence to assess the cyber security of third parties that Process Personal Data or that access any Service Provider device, system or application, and obtain appropriate contracts with such third parties.
28. Dispose of Service Provider devices containing Personal Data in compliance with National Institute of Standards and Technology Special Publication 800-88 (Guidelines for Media Sanitization). Dispose of documents that contain Personal Data in a manner that renders them essentially unreadable and indecipherable, such as by cross-shredding, incinerating, or pulverizing.
29. Appoint and empower a qualified employee or employees to be responsible for ensuring that the Service Provider has properly assessed potential technological, administrative, and physical risks to the confidentiality, integrity, and availability of Personal Data and implemented reasonable safeguards to eliminate or mitigate those risks.
30. Implement written policies and procedures that adopt and memorialize the technological, administrative, and physical safeguards implemented by the Service Provider.
31. Implement commercially reasonable written policies and procedures to address any incidents or breaches involving Personal Data.
32. Implement commercially reasonable written policies to address natural or technological disasters and crises, including cybersecurity attacks, designed to ensure the continued operations of Service Provider within not more than 2 days after such disaster.