Exhibit C: SCLogic Data Processing Addendum (“DPA”) U.S. Clients
Controller: The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Subscriber: The individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Data Protection Laws: The data protection or privacy laws of any country or state regarding the Processing of Personal Data.
Data Subject: An identified or identifiable natural person.
Personal Data: Any information relating to an identifiable or identifiable natural person (‘data subject’).
Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This can include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
Processor: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.
Sub Processor: Any processor engaged by the main processor for carrying out specific processing activities on behalf of the controller.
Supervisory Authority: An independent, competent public authority established or recognized under Data Protection Laws.
Purpose of the DPA
This Data Processing Addendum (“DPA”) is an integral part of the agreement between SCLogic, LLC (“SCLogic”) and Subscriber that governs the Subscriber’s usage and access to SCLogic’s Services (“Agreement”). Any capitalized terms not explicitly defined in this DPA shall have the meaning given in the Agreement.
Roles of parties involved
Subscriber and SCLogic agree that Subscriber is a Controller and SCLogic is a Processor. Each party is solely responsible for its compliance with applicable Data Protection Laws and fulfilling any related obligations to third parties, Data Subjects, and Supervisory Authorities.
Subscriber as the Controller
- Subscriber is exclusively responsible for the accuracy of Personal Data and the legality of the methods they use to obtain, disclose, and process Personal Data.
- Subscriber’s instructions for processing Personal Data will adhere to Data Protection Laws and will be appropriately authorized, ensuring all necessary rights, permissions, and consents have been obtained.
SCLogic as the Processor
- SCLogic will process Personal Data only as instructed by Subscriber in writing or as initiated by authorized users via an SCLogic online service.
- SCLogic will process Personal Data only as necessary to provide the Services and prevent or address technical problems with an SCLogic online service.
- SCLogic will process Personal Data as required by applicable law. SCLogic agrees to immediately inform Subscriber if SCLogic believes that any instruction to process Personal Data violates or would violate Data Protection Laws.
Scope and Purpose of Processing
Description of the data being processed
The data processed on behalf of the Subscriber is internal directory-type data to enable routing and delivery of items and services to the correct recipient(s). At minimum, the processed data elements may include name, department, delivery address, telephone number, and email address (for email notifications). The types of Personal Data and categories of Data Subject about whom the Personal Data relates are determined and controlled solely by the Subscriber. The processing of sensitive data elements is not necessary for the successful operation of SCLogic services.
The purpose and duration of the data processing
Processing of Personal Data by SCLogic is reasonably required to facilitate or support the provision of Services as described under the Agreement and this DPA. This Data Processing is integral to the provision of SCLogic’s services and will continue as long as the Agreement between Subscriber and SCLogic is in effect. SCLogic undertakes not to use Personal Data for any purposes other than those specified in the Agreement.
Data retention and deletion procedures
Upon the termination of the Agreement, SCLogic commits to either securely delete or return the Subscriber’s data, as per the Subscriber’s specified choice. It’s important to note that the Subscriber’s data will be preserved for a duration not exceeding 90 days following the cessation of the Agreement.
Obligations of the Processor
Compliance with all applicable laws
The Processor shall comply with all applicable data protection laws, regulations, and guidelines that govern the processing of Personal Data. This includes, but is not limited to, the General Data Protection Regulation (GDPR) in the European Union and any relevant national or regional data protection laws.
Procedures for reporting data breaches
In the event of a Data Breach, the Processor shall promptly notify the Controller without undue delay. The notification shall include all relevant details of the breach, including the nature of the incident, the types of personal data involved, the likely consequences, and any measures taken or proposed to address the breach. The Processor shall cooperate with the Controller and assist in fulfilling any obligations to notify the relevant supervisory authority or affected individuals, as required by applicable laws.
Assistance to the Controller in fulfilling individual rights requests
The Processor shall provide reasonable assistance to the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws. This may include, but is not limited to, assisting the Controller in fulfilling requests for access, rectification, erasure, restriction of processing, data portability, or objections to processing.
Data security incident response procedures
SCLogic shall maintain documented incident response procedures to respond to data security incidents effectively and promptly. These procedures will include the identification and assessment of incidents, containment and mitigation measures, notification to the relevant parties, investigation and remediation of the incident, and any necessary actions to prevent similar incidents in the future. SCLogic shall regularly test and review these procedures to ensure their effectiveness and make any necessary improvements.
SCLogic may engage Sub Processors to process personal data on the Controller’s behalf. Sub Processors may be engaged to assist with hosting, infrastructure, service, or support.
Conditions for engaging Sub Processors
SCLogic will carry out appropriate due diligence on each Sub Processor. A written agreement shall be established with each Sub
Processor which includes provisions for processing personal data that are at least as protective as those set forth in this DPA.
SCLogic’s Sub Processors
SCLogic maintains a current list of Sub Processors in the SCLogic Trust Center: https://trust.sclogic.com/. This Sub Processor list may be updated from time to time in accordance with this DPA. The Controller authorizes SCLogic to use any identified Sub Processors subject to the terms and conditions of this DPA.
Technical and Organizational Security Measures
Implementation of appropriate security measures
The Processor shall implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall be designed to ensure a level of security appropriate to the risks presented by the processing and the nature of the Personal Data.
SCLogic maintains a current list of technical and organizational security measures in the SCLogic Trust Center: https://trust.sclogic.com/
Audit and Reporting
SCLogic shall conduct annual audits to verify the adequacy of its security measures and controls (“Audit”). The Audit shall be carried out by independent third-party security professionals selected by SCLogic and at SCLogic’s expense.
SCLogic annual audits shall include testing the security measures and controls of the online Services, in accordance with AICPA SOC 2 standards or other equivalent standards. The results of the Audit shall generate at least a SOC 2 report or its substantive equivalent. Additionally, penetration testing of the online Services shall be conducted, resulting in the generation of a penetration test report executive summary.
The reports generated from the Audit shall be provided to the Subscriber upon written request, subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement. Each report will specifically discuss the online Services that were commercially available at the time the report was issued. Any subsequently released Services that are covered by a report will be included in the next annual iteration of that report.
Upon the Subscriber’s written request, SCLogic shall provide reasonable assistance to the Subscriber with respect to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of SCLogic’s Processing activities and the information available to SCLogic. If the Subscriber requires additional information for compliance with Data Protection Laws beyond the aforementioned reports, and is unable to access such information independently, the Subscriber may request an Audit, subject to the following conditions:
- Subscriber shall be responsible for any expenses incurred by or related to the Subscriber-requested Audit.
- The Subscriber shall provide SCLogic with reasonable advance notice, including the identity of the auditor and the anticipated date and scope of the Audit.
- SCLogic shall approve the auditor by providing notice to the Subscriber. Such approval shall not be unreasonably withheld.
- The Subscriber and the auditor shall take measures to prevent any damage, injury, or disruption to SCLogic’s premises, equipment, or business during the course of the Audit.
- The Subscriber shall initiate only one Audit in any calendar year, unless otherwise required by a Supervisory Authority.
The parties acknowledge and agree that the Processing of Subscriber Personal Data by SCLogic may involve an international transfer of Subscriber Personal Data to SCLogic. Subscriber acknowledges that SCLogic’s primary processing activities are conducted in the United States.
SCLogic is committed to providing the necessary safeguards for these transfers in compliance with Data Protection Laws. This includes adhering to Standard Contractual Clauses approved by relevant authorities and implementing robust technical and organizational security measures. These measures are designed to safeguard Subscriber Personal Data against unauthorized access or breaches, ensuring ongoing confidentiality, integrity, and resilience of the data processing systems.
Further details regarding these security measures can be accessed from the SCLogic Trust Center: https://trust.sclogic.com/
This data transfer provision, including all implemented measures, will be periodically reviewed to ensure continued compliance with evolving Data Protection Laws.
Data Subjects’ Rights
Procedure to handle data subjects’ requests
SCLogic will provide Subscriber access to Subscriber Personal Data via the online Services to allow Subscriber to respond to Data Subject requests.
Validated Data Subject requests for data deletion should be sent to [email protected] for prompt resolution.
Cooperation between controller and processor in fulfilling these rights
SCLogic will notify the Subscriber without undue delay, and in any event within 10 business days, following receipt and verification of any request received directly from a Data Subject relating to Personal Data controlled by the Subscriber. SCLogic may only respond directly to a Data Subject:
- To verify that such request relates to Subscriber
- With written consent of Subscriber
- As required by applicable law
Except as provided herein, SCLogic has no intention of responding to or fulfilling any Data Subject requests.
At Subscriber’s written request and to the extent Subscriber is unable to access Subscriber Personal Data on its own, SCLogic will provide reasonable assistance to Subscriber in accessing Subscriber Personal Data for Subscriber to respond to such Data Subject requests. To the extent legally permitted, Subscriber will be responsible for any expenses attributable to SCLogic’s assistance efforts outside the normal course of business.
SCLogic will notify the Controller in writing without undue delay, and within 72 hours of becoming aware of a Data Breach.
SCLogic will investigate and, as necessary, mitigate or remediate a Data Breach in accordance with SCLogic’s security incident response policies, procedures, and plans.
Subject to SCLogic’s legal obligations, SCLogic will provide the Controller with relevant Data Breach information that is in SCLogic’s possession resulting from its response measures. This information may encompass details regarding the incident’s nature, any known specific information disclosed, and pertinent mitigation or remediation efforts. The purpose of providing this Breach Information is to assist the Controller in fulfilling its obligations under Data Protection Laws following a Data Breach.
SCLogic Technical and Organizational Security Measures