DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM (“DPA”) forms a binding and effective part of the Agreement (as defined below) and is entered into by and between: (1) REDSIFT LIMITED, a company incorporated and registered in England and Wales with company number 09240956 whose registered office is at 3rd Floor 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT (“Red Sift”); and (2) the entity or other person who is a counterparty to the Agreement (“Customer”), together the “Parties” and each a “Party”.
HOW AND WHEN THIS DPA APPLIES
This DPA applies where Applicable Data Protection Laws govern Red Sift’s Processing of Customer Personal Data in performance of the Services on behalf of Customer as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws.
Accordingly, this DPA does not apply to Red Sift’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing, its own platform or service analytics, its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.
1. INTERPRETATION
1.1 In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
a) “Agreement” means, as applicable, the End User Licence Agreement or any similar commercial agreement(s) entered into by the Parties with respect to the use of the Services which expressly provide for the incorporation by reference of this DPA.
b) “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction directly applicable to Red Sift’s Processing of Customer Personal Data under the Agreement (including, as and where applicable, the GDPR and State Privacy Laws). '
c) “Cross-Border Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government.
d) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
e) “Customer Personal Data” means any Personal Data Processed by Red Sift or its Sub-Processor on behalf of Customer to perform the Services under the Agreement.
f) “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
g) “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
h) “EEA” means the European Economic Area.
i) “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law (as amended from time to time) (“UK GDPR”).
j) “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
k) “Personal Data Breach” means a breach of Red Sift’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in Red Sift’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data.
l) “Personnel” means a person’s employees, agents, consultants, contractors or other staff.
m) “Process” and inflections thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
n) “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, including, as applicable, a “service provider” as that term may be defined by Applicable Data Protection Laws.
o) “Sensitive Data” means data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, or other data that is subject to heightened restrictions relating to the transmission or processing of data for the jurisdictions in which Red Sift and Customer operate, such as (by way of example only) the US Health Insurance Portability and Accountability Act).
p) “Services” means those Subscription Services and activities to be supplied to or carried out by or on behalf of Red Sift for Customer pursuant to the Agreement.
q) “State Privacy Laws” means the California Consumer Privacy Act of 2018 (“CCPA”), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, in each case only if and to the extent applicable to Red Sift’s Processing of Customer Personal Data under the Agreement.
r) “Sub-Processor” means any third party appointed by or on behalf of Red Sift to Process Customer Personal Data.
s) “Supervisory Authority” means any governmental or regulatory body with competent authority to enforce any Applicable Data Protection Laws, including: (i) in the context of the EEA and the EU GDPR, a “supervisory authority” within the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office.
t) “UK Transfer Tool” means either (i) the template International Data Transfer Agreement version A.1.0; or (ii) template International Data Transfer Addendum version B.1.0, in each case as issued by the UK Information Commissioner’s Office and laid before the UK Parliament in accordance with s119A of the UK Data Protection Act 2018 on 2 February 2022 and in each case as revised under the relevant Mandatory Clauses thereof set out in Part 4 or Part 2 (respectively).
1.2 Unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meaning given to them in the Agreement.
2. APPLICATION OF THIS DATA PROCESSING ADDENDUM
2.1. The front-end of this DPA applies generally to Red Sift’s Processing of Customer Personal Data under the Agreement.
2.2. Annex 2 (State Privacy Laws Annex) applies only if and to the extent Red Sift’s Processing of Customer Personal Data on behalf of Customer under the Agreement is subject to any of the State Privacy Laws.
2.3. Section 8 of this DPA applies to Red Sift’s Processing of Customer Personal Data to the extent required under Applicable Data Protection Laws for contracts with Processors, and in such cases, only in respect of Processing of Customer Personal Data subject to such laws.
3. PROCESSING OF CUSTOMER PERSONAL DATA
3.1. The Parties acknowledge and agree that the details of Red Sift’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
3.2. Red Sift shall not Process Customer Personal Data other than: (a) on Customer’s instructions; or (b) as required by applicable laws provided that, in such circumstances, Red Sift shall inform Customer in advance of the relevant legal requirement requiring such Processing if and to the extent Red Sift is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Customer instructs Red Sift to Process Customer Personal Data to provide the Services to Customer and in accordance with the Agreement. The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Red Sift only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Red Sift receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Red Sift shall notify Customer.
3.3. Red Sift shall take commercially reasonable steps designed to ascertain the reliability of any Red Sift Personnel who Process Customer Personal Data, and shall enter into written confidentiality agreements with all Red Sift Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.
3.4. Customer shall not provide or make available (or cause to be provided or made available) any Sensitive Data to Red Sift for Processing under the Agreement, and Red Sift will have no liability whatsoever that directly or indirectly results from Customer’s breach of this Section 3.4, whether in connection with a Personal Data Breach or otherwise.
4. SECURITY
Red Sift shall implement and maintain technical and organisational measures in relation to Customer Personal Data designed to protect Customer Personal Data against Personal Data Breaches as described in Annex 3 (Security Measures) (the “Security Measures”). Red Sift may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
5. DATA SUBJECT RIGHTS
5.1. Red Sift, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Red Sift receives a Data Subject Request, Customer will be responsible for responding to any such request.
5.2. Red Sift shall: (a) promptly notify Customer if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.
6. PERSONAL DATA BREACH
6.1. Red Sift shall notify Customer without undue delay upon Red Sift’s confirmation of a Personal Data Breach affecting Customer Personal Data. Red Sift shall provide Customer with information (insofar as such information is within Red Sift’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Red Sift) to allow Customer to meet its obligations under Applicable Data Protection Laws to report the Personal Data Breach. Red Sift’s notification of or response to a Personal Data Breach shall not be construed as Red Sift’s acknowledgement of any fault or liability with respect to the Personal Data Breach. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
6.2. If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Red Sift, where permitted by applicable laws, Customer agrees to: (a) notify Red Sift in advance; and (b) in good faith, consult with Red Sift and consider any clarifications or corrections Red Sift may reasonably recommend or request to any such notification, which: (i) relate to Red Sift’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
7. SUB-PROCESSING
7.1. Customer generally authorises Red Sift to appoint Sub-Processors in accordance with this Section 7. Information about Red Sift’s Sub-Processors, including their functions and locations is as shown in the Sub-Processor list displayed from time to time at https://redsift.com/subprocessors or any successor page. (the “Sub-Processor List”).
7.2. Red Sift shall give Customer prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor by including reasonable details of the Processing to be undertaken by the Sub-Processor (by providing Customer with an updated copy of the Sub-Processor List via a ‘mailshot’ or similar bulk distribution mechanism sent via email to Customer’s contact point as set out in Annex 1. If, within fourteen (14) days of receipt of that notice, Customer notifies Red Sift in writing of any objections (on reasonable grounds) to the proposed appointment: (a) Red Sift shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within thirty (30) days from Red Sift’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then Customer may terminate the Agreement by written notice to Red Sift as its sole and exclusive remedy.
7.3. If Customer does not object to Red Sift’s appointment of a Sub-Processor during the objection period referred to in Section 7.2, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
7.4. With respect to each Sub-Processor, Red Sift shall maintain a written contract between Red Sift and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures). Red Sift shall remain liable for any breach of this DPA caused by a Sub-Processor.
8. AUDITS
8.1. Red Sift shall make available to Customer on request, such information as Red Sift (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
8.2. Subject to Sections 8.3 to 8.6, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Red Sift pursuant to Section 8.1 is not sufficient in the circumstances to demonstrate Red Sift’s compliance with this DPA, Red Sift shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Red Sift.
8.3. Customer shall give Red Sift reasonable notice of any audit or inspection to be conducted under Section 8.2 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Red Sift’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Red Sift’s other customers or the availability of Red Sift’s services to such other customers).
8.4. Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Red Sift will review the proposed audit plan and provide Customer with any feedback, concerns or questions (for example, any request for information that could compromise Red Sift security, privacy, employment or other relevant policies). Red Sift will work cooperatively with Customer to agree on a final audit plan.
8.5. If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Red Sift has confirmed in writing that there have been no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Red Sift shall provide copies of any such Audit Reports to Customer upon request; provided that they shall constitute the confidential information of Red Sift, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Applicable Data Protection Laws.
8.6. Red Sift need not give access to its premises for the purposes of such an audit or inspection: (a)where an Audit Report is accepted in lieu of such controls or measures in accordance with Section 8.5; (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Red Sift has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Red Sift on terms acceptable to Red Sift; (e) outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits or inspections which Customer is required to carry out under the GDPR or by a Supervisory Authority. Nothing in this DPA shall require Red Sift to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 8 shall be construed to obligate Red Sift to breach any duty of confidentiality.
9. RETURN AND DELETION
9.1. Following expiration or earlier termination of the Agreement, Red Sift shall promptly return and/or delete all Customer Personal Data in Red Sift’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Personal Data expressed in the Agreement. To the extent that deletion of any Customer Personal Data contained in any back-ups’ maintained by or on behalf of Red Sift is not technically feasible within the timeframe set out in Customer’s instructions, Red Sift shall (a) securely delete such Customer Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Red Sift’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put such Customer Personal Data beyond use.
9.2. Notwithstanding the foregoing, Red Sift may retain Customer Personal Data where required by applicable laws, provided that Red Sift shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
10. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Red Sift shall, taking into account the nature of the Processing and the information available to Red Sift, provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Red Sift.
11. CUSTOMER’S RESPONSIBILITIES
11.1. Customer agrees that, without limiting Red Sift’s obligations under Section 4 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Red Sift uses to provide the Services; and (d) backing up Customer Personal Data.
11.2. Customer shall ensure: (a) that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Red Sift of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and (b) that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Red Sift of Customer Personal Data.
11.3. Customer agrees that the Services, the Security Measures, and Red Sift’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
12. DATA TRANSFERS
12.1. Customer acknowledges and agrees that Red Sift may effect Cross-Border Transfers to third parties under or in connection with this Agreement, subject to Section 12.2 (including where Red Sift’s use of a Sub-Processor involving a Cross-Border Transfer is approved in accordance with Section 7).
12.2. Red Sift agrees that it shall not make any Cross-Border Transfer in connection with Red Sift’s Processing of Customer Personal Data as Customer’s Processor otherwise than in reliance on a ‘transfer mechanism’ under Chapter V of the GDPR for that Cross-Border Transfer, for which purpose Customer agrees that Red Sift’s entry into a UK Transfer Tool with the relevant ‘importer’ shall be sufficient in relation to any Cross-Border Transfer.
13. LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement.
14. MISCELLANEOUS
14.1. Red Sift may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time.
14.2. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency relating to the Processing of Customer Personal Data.
