All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. This DPA applies where, and only to the extent that, SIS processes your Personal Data that is protected by Applicable Privacy Laws and regulations applicable to the processing of Personal Data under this DPA. Signatures of assent of SIS and Customer to the Agreement will be deemed signature to, and acceptance and agreement of, this DPA and the Standard Contractual Clauses incorporated hereto.

Definitions

 In this DPA, the following terms (and any substantially similar terms as defined under Applicable Privacy Laws) shall have the meanings and otherwise be interpreted in accordance with Applicable Privacy Law: “Business”, “Data Controller”, “Data Processor”, “Data Subject”, “Sale”, “Service Provider”, “Share”, “Supervisory Authority”, “Process(ing)” and “Transfer”. 

1. Processing of data.

1. 1. Parties’ roles. As between SIS and the Customer, the Customer is the controller of Customer Personal Data, and SIS shall process Customer Personal Data only as a processor acting on behalf of Customer as described in Annex A (Details of Processing) of this DPA.
   2. Purpose limitation. SIS shall process Customer Personal Data only in connection with the arrangements envisaged under this DPA and in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law. Customer instructs SIS and its Sub-processors to process Customer Personal Data as reasonably necessary for the provision of the Products contemplated by the Agreement and to perform its obligations under the Agreement. Customer can select the location of the data center (for example, EU or UK) and the Customer Personal Data will not be transferred outside of this location without explicit prior written consent of Customer, however, certain limited categories of Personal Data may be shared and/or processed with SIS Affiliates and authorized sub-processors only if strictly necessary for the performance of SIS’s contractual obligations (for example, the account admin name and email for the purposes of providing support).
   3. Description of processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A of this DPA.
   4. Sensitive Data. The Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s Uses to transmit or process, any Sensitive Data via the Products. The Customer shall take such additional measures (e.g. relating to security and consent) as are necessary to protect such Sensitive Data in accordance with its obligations under all Applicable Privacy Laws.
   5. Third Countries. Currently, SIS does not transfer any Personal Data to Third-Countries or utilize sub-processors in Third Countries. Should circumstances change (for example, in respect of any existing adequacy decision) then SIS may be required to transfer Personal Data to Third Countries however any such transfer will require the explicit prior written consent of the Customer and be subject to the remaining provisions of this clause 1.5..To the extent such data is transferred under this DPA to a Third Country, the parties agree to abide by the SCCs, where applicable, for such transfers. In particular, transfers of Personal Data from the European Union, European Economic Area, Switzerland, or the United Kingdom of Great Britain and Northern Ireland (“UK”) to Third Countries are subject to the Standard Contractual Clauses, Module Three. The information required for the purposes of the SCCs is provided in Annex C of this DPA. The SCCs are hereby incorporated into the Agreement and the parties’ acceptance of this DPA shall constitute the parties’ acceptance and signing of the Standard Contractual Clauses. If the terms of the Agreement conflict with the SCCs, the terms of the SCCs will prevail. Notwithstanding the foregoing, in the event any data transfer mechanisms are approved under Applicable Privacy Laws the parties may agree to leverage such data transfer mechanisms in lieu of the Standard Contractual Clauses.
   6. Customer compliance. Customer shall, in its use of the Products, at all times process Personal Data, and provide the Instructions for the processing of Personal Data, in compliance with Applicable Privacy Laws. Customer represents and warrants that Customer has obtained or will obtain, all necessary consents, licenses and approvals for the processing of Personal Data under this DPA and, where applicable, has a valid legal basis under Applicable Privacy Laws for the processing of Personal Data under this DPA. If Customer is a Data Processor of Personal Data, Customer represents and warrants that Customer’s instructions and processing of Personal Data, including its appointment of SIS as a sub-processor, have been authorized by the respective Data Controller. Customer further represents and warrants that Customer (i) will comply with all Applicable Privacy Laws in its performance arising out of this DPA; and (ii) has reviewed SIS’s security practices and acknowledges that such practices are appropriately designed to ensure a level of security appropriate to the risk of processing hereunder.
   7. Notification obligations regarding the Customer's instructions. SIS shall promptly notify the Customer in writing without any obligation to provide legal advice, unless prohibited from doing so under Applicable Privacy Laws, if it becomes aware or believes that any data processing instruction from the Customer violates Applicable Privacy Laws.

2. Return or Deletion of Data

1. 1. Following completion of the Products, SIS shall return or delete the Personal Data as set forth under the Agreement or applicable service documentation, or provide Customer the ability to delete such Personal Data directly through the tools or functionality made available by the Service. The foregoing obligations shall not apply (a) where deletion is not permitted under applicable law (including Applicable Privacy Laws) or the order of a governmental or regulatory body; (b) where SIS retains such Personal Data for internal record keeping and compliance with any legal obligations; and (c) where SIS’s then-current data retention or similar back-up system stores Personal Data provided such data will remain protected in accordance with the measures described in the Agreement and this DPA.

3. Authorized Personnel

1. 1. SIS shall ensure that all Authorized Personnel are made aware of the confidential nature of Personal Data and have executed confidentiality agreements or are otherwise subject to binding duties of confidentiality that prohibit them from disclosing or otherwise processing any Personal Data except in accordance with the Instructions and their obligations in connection with the Products.
   2. SIS shall take commercially reasonable steps to ensure that Authorized Personnel have received data privacy security and training appropriate to the nature of their processing of Personal Data and the requirements of Applicable Privacy Laws.

4. SIS Sub-processors

• 1. Customer hereby provides SIS with general written authorization to engage Sub-processors to process (including transfer) Personal Data in connection with the Products in accordance with this Section 4.
  2. A list of SIS’s current Sub-processors (the “Sub-processor List”) is available at https://signinapp.com/terms/sub-processors/ (such URL may be updated by SIS from time to time upon notice to Customer). These Sub-processors will be deemed authorized by Customer to process Personal Data in connection with this DPA. At least thirty (30) days before enabling any new Sub-processor to access or participate in the processing of Customer Personal Data, SIS will add such Sub-processor to the Sub-processor List and notify Customer of that update. Customer may object to such an engagement on reasonable data protection grounds by providing notice to SIS within ten (10) days of receipt of the aforementioned notice from SIS.
  3. If the Customer has raised a reasonable objection to the new Sub-processor, and the parties have failed to agree on a solution within a reasonable period of time, the Customer shall have the right to terminate the Agreement with a notice period mutually determined by SIS and the Customer, without prejudice to any other remedies available under law or contract. In this event Customer shall immediately pay all fees and costs then owing to SIS up until the date of termination.
  4. If Customer does not object to the engagement of a third party in accordance with Section 4.2, that third party will be deemed an Sub-processor for the purposes of this DPA.
  5. SIS shall ensure that each Sub-processor is subject to obligations regarding the processing of Personal Data that are substantially similar to those which SIS is subject under this DPA.
  6. SIS shall be liable to Customer for any breach of this DPA caused by the acts or omissions of its Sub-processor
  7. If Customer and SIS have entered into the Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data) the above authorizations will constitute Customer’s prior written consent to the subcontracting by SIS of the processing of Personal Data if such consent is required under the Standard Contractual Clauses.

5. Security of Personal Data

SIS shall implement and maintain appropriate technical and organizational measures designed to (i) ensure a level of security appropriate to the risk presented by the processing of the Personal Data; and (ii) protect the Personal Data from unauthorized access, destruction, use, modification or disclosure. Such technical and organizational measures shall include measures equal to or exceeding the measures set forth in Annex B of this DPA.

6. Transfers of Personal Data

1. 1. Only to the extent applicable, or if required by SIS to provide the Products, Customer acknowledges and agrees that SIS and its Sub-processors may process (including transfer) Personal Data in the United Kingdom of Great Britain and Northern Ireland (“UK”), the European Economic Area, the United States of America, Canada and in any other location where SIS or its Sub-processors maintains data processing operations, as set forth in the Sub-processor SIS will at all times provide an adequate level of protection for the Personal Data, in accordance with the requirements of Applicable Privacy Laws and, to the extent applicable, the requirements below.
   2. In connection with the provision of the Products to Customer, SIS may (and may authorize its Sub-processors to) receive from, process within, or transfer Personal Data to, any Third Country provided that SIS and its Sub-processors take measures to adequately protect such data consistent with Applicable Privacy Laws. Such measures may include to the extent available and applicable under such laws.
   3. The parties’ agreement to enter into and comply with the Standard Contractual Clauses which are hereby incorporated into this DPA and as further set forth in Annex C. In particular, transfers of Personal Data from the European Union, European Economic Area, Switzerland or the UK by Customer to SIS or SIS to Customer in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”), and Module Three (“Processor to Processor”). The information required for the purposes of the SCCs is provided in Annex C to this DPA. To the extent that any substitute or additional appropriate safeguards or transfer mechanisms under Applicable Privacy Laws are required to transfer data to a Third Country, the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.
   4. The Parties acknowledge and agree that they have, taking into account, without limitation, the Personal Data and Third Countries in scope, the relevant security measures under this DPA and the relevant parties participating in the processing of such Personal Data, conducted an assessment of the appropriateness of the relevant transfer mechanism adopted hereunder and have determined that such transfer mechanism is appropriately designed to ensure Personal Data transferred in accordance with this DPA is afforded a level of protection in the destination country that is essentially equivalent to that guaranteed under the Applicable Privacy Laws.

7. Cooperation, Audit and Records Requests

1. 1. SIS shall, to the extent permitted by law, promptly notify Customer following the receipt and verification of a Data Subject Request or shall otherwise advise the Data Subject to submit their Data Subject Request to Customer directly. In either case, Customer will be responsible for responding to such a request.
   2. At the request of Customer and taking into account the nature of the processing applicable to any Data Subject Request, SIS shall apply appropriate technical and organizational measures to enable Customer to comply with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance provided that (i) Customer is itself unable to respond or fulfill the request without SIS’s assistance and (ii) SIS is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by SIS.
   3. If SIS receives a subpoena, court order, warrant or other legal demand from a third party, law enforcement, foreign government, or any other public or judicial authorities seeking the disclosure of Personal Data, SIS shall, legally permitting, promptly notify Customer in writing of such request. SIS shall only comply with such third-party requests where SIS has determined it is legally required to do so, in which case SIS shall provide reasonable cooperation to Customer, at Customer’s expense, if Customer wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws. Customer shall assume all risk and liability in handling and responding to such third-party requests and shall indemnify SIS for all losses, costs, damages, claims, actions, suits, demands and liabilities suffered or incurred by or brought against SIS arising out of or relating to any third-party access r
   4. SIS shall, taking into account the nature of the processing and the information available to SIS provide Customer with reasonable cooperation and assistance for Customer to comply with its obligations under the Applicable Privacy Laws, including any obligations to conduct a data protection impact assessment, respond to any inquiry from or consult with any Supervisory Authority or demonstrate compliance with Applicable Privacy Law. The obligations hereunder shall only apply where required of SIS by Applicable Privacy Law and provided that Customer does not otherwise have access to the relevant information or functionality being requested. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by SIS.
   5. Upon Customer’s request and no more than once per calendar year, SIS shall make available for Customer’s review copies of all applicable attestation reports or certifications demonstrating SIS’s compliance with Applicable Privacy Laws as they relate to SIS’s processing of the Customer Personal Data hereunder. Solely where and to the extent (i) required by Applicable Privacy Laws and (ii) such copies of the attestation reports or certifications are insufficient to demonstrate SIS’s compliance with Applicable Privacy Laws as it relates to SIS’s processing of the Personal Data hereunder, SIS shall make available to the Customer additional information reasonably necessary to demonstrate compliance with such obligations and allow for and contribute to audits, including mutually agreed and managed inspections, of those data processing facilities within SIS’s control conducted by the Customer or another auditor mutually agreed upon by SIS and the
   6. Any audit or inspection authorized by Section 7.5 will occur only after the Customer has provided SIS with at least 30 days’ prior written notice and during a mutually agreed upon date, time, and location by SIS and the Customer. Audits must not unreasonably interfere with SIS’s business or operations, and the scope of such audit will be subject to SIS’s reasonable pre-approval. Individuals responsible for conducting such an audit shall be subject to a contract of confidentiality with SIS. The work required by SIS to participate in any audit may result in additional fees (at a mutually agreed upon hourly rate) to be paid by the Customer, unless otherwise agreed in writing prior to the commencement of such audit. To ensure that SIS complies with Applicable Privacy Laws and its contractual obligations regarding data privacy and security, Customer agrees that SIS is not required to provide Customer with access to SIS’s systems or information in a manner that may compromise the security, privacy, or confidentiality of SIS’s other customers’ confidential or proprietary information.
   7. Any information disclosed pursuant to this Section 7 will be deemed SIS’s Confidential Information.

8. Personal Data Breach

• 1. After becoming aware of a positively identified Personal Data Breach, SIS shall, without undue delay (but no later than 72 hours), inform Customer of the Personal Data Breach and take such steps as SIS, in its sole discretion, deems necessary and reasonable to remediate such Personal Data Breach (to the extent that remediation is within SIS’s reasonable control).
  2. SIS shall, taking into account the nature of the processing and the information reasonably available to SIS: (a) provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Privacy Laws with respect to notifying relevant regulators and/or Data Subjects affected by such Personal Data Breach; and (b) provide Customer with information in SIS’s reasonable control concerning the details of the Personal Data Breach including, as applicable, the nature of the Personal Data Breach, the categories and approximate numbers of Data Subjects and Personal Data records concerned, and the likely consequences of the Personal Data Breach.
  3. The obligations described in this Section 8 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. In no event will SIS’s cooperation or obligation to report or respond to a Personal Data Breach under this Section be construed as an acknowledgement by SIS of any fault or liability with respect to the Personal Data Breach.
  4. Unless prohibited by an applicable statute or court order, Customer will notify SIS of any third-party legal process relating to any Personal Data Breach, including, but not limited to, any legal process initiated by any governmental entity.

9. Miscellaneous

• 1. All notices to Customer under this DPA shall be sent by email and directed to the Customer’s designated system administrator for the Products and the “legal and privacy notices” contact if provided by Customer in conjunction with the Agreement. Customer may update these contacts at any time by emailing privacy@signinsolutions.com.
  2. The liability of SIS and its respective employees, directors, officers, Affiliates, successors, and assigns (the “SIS Parties”), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall be subject to the ‘Exclusion of Warranties, Limitation of Liability and Indemnity’ section of the Agreement, and any reference in such section to the liability of SIS or the SIS Parties means the aggregate liability of the SIS Parties under the Agreement and this DPA together.
  3. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail. In the event of any conflict between the terms of this DPA and the Standard Contractual Clauses then, only insofar as the Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail.
  4. Unless otherwise so required under this DPA or Applicable Privacy Law, Customer and SIS each agree that the dispute resolution provisions of the Agreement (including governing law and venue) apply to this DPA.

Annex A

Details of Processing

1. Data Exporter:

As provided under the Agreement. 

Activities relevant to the data transferred under the Clauses:
Receipt of the Products under the Agreement.

Signature and date:
As provided under the Agreement.


2. Data Importer:

Name: Sign In Solutions Inc.
Address:  150 2nd Ave N, Suite 1540 St. Petersburg FL, USA 33701

Contact information:

Jason Mordeno
Global Privacy Officer
privacy@signinsolutions.com

Activities relevant to the data transferred under the Clauses:
The provision, maintenance and securing of the Products

1. Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
2. Duration: As between SIS and Customer, the duration of the data processing under this DPA is until the expiration or termination of the Agreement in accordance with its terms.
3. Purpose: SIS shall only process Customer Personal Data for the following purposes: (i) processing to perform its obligations under the Agreement; and (ii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the "Purpose").
4. Nature of the processing: SIS provides support to the Customer in their use of the Products as more particularly described in the Agreement.
5. Categories of data subjects: Customer’s employees and Users (as such term is defined in the Agreement)
6. Categories of Customer Personal Data: Customer may upload, submit or otherwise provide certain personal data to SIS, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
   - Data Subjects’ identification information (first and last name), contact information, which may include some or all of the Data Subject’s e-mail address, address, telephone number, and location and IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data) and
   - Any other personal data that you choose to include in your instance of the Products for Data Subjects to enter, notably Sensitive Data for which you have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes and subject to Clause 1.4 of this DPA, Sensitive Data.
7. Processing Operations: Customer Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: Storage and other processing necessary to provide, maintain and improve the Products and Professional Products provided to Customer pursuant to the Agreement; and/or Disclosures in accordance with this DPA and/or as compelled by applicable law.

Annex B

Technical and Organizational Measures

SIS shall:

1. Provide a level of technical and organizational measures (including appropriate Security and Compliance Measures relating to the categories or nature of Customer Data) appropriate to protect against the harm that might result from a data breach, which shall include but not be limited to:

a. Governance, Risk and Compliance Controls

• Governance - SIS maintains a governance, risk and compliance program, that is a set of processes, policies and procedures in order to operate in accordance with relevant laws, regulations and industry standards;
• Risk - SIS manages risk frameworks that identify and manage risks to technology and data processing systems;
• Compliance - SIS maintains security and compliance processes and conducts audits that examines our controls with management and the safeguarding of customer data;
  
  

• Monitoring - SIS maintains security monitoring systems, including, but not limited to, detecting and preventing intrusion, monitoring traffic and monitoring file integrity;
• Authentication - SIS maintains effective authentication processes that are maintained to protect Customer Data (e.g., multi factor authentication for privileged access or restricted information);
• Vulnerability Management - SIS has a defined policy and process that establishes requirements for assessing and managing vulnerabilities;
  
  

• Access Points - SIS maintains the authentication and and supervision of access rights with access to the network and by applying technical policies to prevent any internal and external threats posed by the access;
• Network Management of Roles and Responsibilities - defines authorized groups, roles and responsibilities for management of network components;
• System and Security Events/Firewalls - SIS automatically logs system and security events, reviews logs on a periodic basis, issues identified are investigated and resolved in a timely manner;
  
  

• Technical and Organizational Policies - SIS has processes in place for the classification, management, access, use, destruction of data;
• Encryption - SIS encrypts data in transmit, in transit, at rest and in storage by utilizing industry standard encryption tools;
• Encryption Keys - SIS safeguards the security and confidentiality of all encryption keys associated with encrypted Customer Data;
• Role Based Access Controls - SIS practices the method of least privilege which limits user access to authorized individuals;
• Scheduled Backups - SIS backs up Customer Data on a regular basis as required by the Customer and ensuring that any back up data is subject to appropriate Security Measures as necessary to protect the confidentiality, integrity and availability of Customer Data;

Annex C

Standard Contractual Clauses

The parties agree that personal data transferred between and by the parties to Third Countries shall be subject to the Standard Contractual Clauses to the extent applicable and as further set forth under the DPA.

(A) The parties acknowledge the importance of the protection of personal data and the legal restrictions on international transfers of such data to Third Countries.

(B) Accordingly, the parties agree to abide by the GDPR, UK DPA 2018, and Swiss DPA, and other Applicable Privacy Laws recognizing the Standard Contractual Clauses or similar principles, as applicable, and enter into these standard contractual clauses to ensure that transfers of personal data to Third Countries are lawful and subject to adequate data protections. To the extent a transfer of personal data is subject to Article 3(2) of the GDPR, this Annex C shall not apply.

1. CLARIFICATION OF DEFINITIONS & TERMS

1. The terms “data controller” or “controller,” “data exporter,” “data importer,” “data processor” and “Personal Data” shall have the meaning under the GDPR, UK DPA 2018, Swiss DPA, or another Applicable Privacy Law, as applicable.
2. For transfers of Personal Data to Third Countries originating from outside the EU, references to the General Data Protection Regulation will be replaced by the Applicable Privacy Law and references to the “EU,” “Union” or “Member State” shall be replaced with the applicable originating region.
3. Section 1 Clause 1 (a) of the Standard Contractual Clauses (Definition of Data Importer): The “data importer” means SIS.
4. Section 1 Clause 1 (a) of the Standard Contractual Clauses (Definition of Data Exporter):The “data exporter” means Customer.
5. With respect to objections to Sub-processors under Section 1 Clause 9,the process set forth under Section 4 of this DPA shall apply.

2. APPLICABLE MODULES

With respect to Processing of applicable personal data:

1. When Customer is a Data Exporter and Controller, and SIS is a Data Importer and Controller – Module 1 shall apply.
2. When Customer is a Data Exporter and Controller, and SIS is a Data Importer and Processor – Module 2 shall apply.
3. When Customer is a Data Exporter and Processor, and SIS is a Data Importer and Sub-Processor – Module 3 shall apply.
4. References to Module 4 in the SCCs shall not apply and language referencing that module shall not be treated as part of this DPA.

3. AMENDMENTS OR UPDATES

To the extent that any additional appropriate safeguards under Applicable Privacy Laws recognizing the Standard Contractual Clauses or similar principles are required to export data to any Third Country, or to the extent that the Standard Contractual Clauses are substituted or replaced or not recognised under any such law, the parties agree to either promptly implement the same or agree to use another acceptable method for transfer of such data and promptly amend this Annex C as necessary to comply with such requirements.

4. CONFLICTS

If the terms of the Agreement or the DPA conflict with the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will prevail.

5. STANDARD CONTRACTUAL CLAUSES

1. The Standard Contractual Clauses will be deemed incorporated into this DPA and shall apply as completed below:
2. In Clause 7, the “Docking Clause (Optional)”, will be deemed incorporated.
3. In Clause 9, Option 2 is selected, and the time period for prior notice of addition or replacement of Sub-processors will be as set forth in the DPA.
4. In Clause 11, the optional language will not apply.
5. In Clause 13, the competent supervisory authority shall be the Irish Data Protection Commission where the EU SCCs apply, the FDPIC where the Swiss DPA applies and the UK Information Commissioner where the UK Transfer Addendum applies.
6. In Clause 17, Option 2 is selected, and the Standard Contractual Clauses will be governed by the law of Ireland where the EU SCCs apply, the law of Switzerland where the Swiss DPA applies and the law of England and Wales where the UK Transfer Addendum applies.
7. In Clause 18(b), disputes will be resolved before the courts of Ireland where the EU SCCs apply, the courts of Switzerland where the Swiss DPA applies and the courts of England and Wales where the UK Transfer Addendum applies.
8. Annexes I and II of the SCCs are as set in Exhibits A and B of this DPA; and Annex III is as set forth in the Sub-processor
9. For the purposes of the UK Transfer Addendum, the Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum; Sections 9 – 11 of the UK Transfer Addendum will override Clause 5 of the EU SCCs and both the “Importer” and “Exporter” shall be able to end the UK Transfer Addendum as set out in Section 19 of the UK Transfer Addendum.

By entering into the DPA, the Parties are deemed to be signing the applicable Standard Contractual Clauses.