Data Processing Addendum For Client
Last updated September 1, 2024
This DATA PROCESSING ADDENDUM (“DPA”) is made and entered into by and between Innova Solutions, Inc. or its Affiliate (as defined below) entering into this DPA (hereinafter, the “Company”) and the Company’s Client also entering into this DPA (hereinafter, the “Client”), as a supplement to an underlying business agreement between the parties.
- Definitions
All capitalized terms have the meanings as set forth in this Addendum, or if not defined, then as set forth within Regulation (EU) 2016/679 of the European Parliament (the General Data Protection Regulation or “GDPR”), or if not defined within the GDPR, then as defined within the United Kingdom General Data Protection Regulation (“UK GDPR”), or if not defined within the UK GDPR, then as defined within the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), or if not defined within the CPRA, then as defined within the Singapore Personal Data Protection Act, 2012 (“PDPA”), or if not defined within any of the GDPR, the UK GDPR, the CCPA, the CPRA, or the PDPA, then as defined within the underlying business agreement.
- “Affiliate” means any company or entity that is under common control with, a subsidiary of, or a parent company to the Company.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- “CPRA” means the California Privacy Rights Act of 2020 (2020 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§ 1709.100, et seq.) and its implementing regulations, as amended or superseded from time to time.
- “PDPA” means the Personal Data Protection Act, 2012 of Singapore.
- “Applicable Laws” means (i) European Union or Member State laws with respect to any personal data in respect of which any Client is subject to EU data privacy laws; and (ii) any other applicable law with respect to any personal data in respect of which any Client is subject to any other data privacy laws.
- “Agreement” means the underlying business agreement between the parties, pursuant to which data will be processed that is subject to the CCPA, CPRA, GDPR, UK GDPR, PDPA, or other Applicable Laws.
- “Data Subject” means (i) an identified or identifiable natural person who is the subject of personal data, including but not limited to individuals who are in the EEA or whose rights are protected by the GDPR; (ii) a “Consumer” as that term is defined in the CCPA and CPRA; and (iii) an individual as defined under the PDPA, being a natural person whether living or deceased.
- “Client Personal Information” means any data, file attachment, text, images, reports, or other information that is transferred between the parties for Services pursuant to the Agreement and that directly or indirectly identifies or relates to a Data Subject.
- “Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of personal data under the Agreement, including without limitation the CCPA and CPRA to the extent Client Personal Information includes that of California residents pursuant to the Agreement, the GDPR to the extent Client Personal Information includes that of EEA residents pursuant to the Agreement, the UK GDPR to the extent Client Personal Information includes that of UK residents pursuant to the Agreement, the PDPA to the extent Client Personal Information includes that of Singapore residents pursuant to the Agreement and, to the extent applicable, the data protection or privacy laws of any other state, province, or country.
- “Services” has the definition set forth in the Agreement and includes the processing of Client Personal Information pursuant to the Agreement or any applicable Statement of Work (“SOW”).
- “Controller”, “Processor” and “Processing” (including Process, Processed, and Processes) shall have their respective meanings ascribed to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in Data Protection Laws will apply.
- “Sub-Processor” means any other Processors engaged by the Company to Process Client Personal Information.
- “DPA” means this Data Protection Addendum.
- “EEA” means the European Economic Area and includes all countries within the EU in addition to Iceland, Liechtenstein, and Norway.
- “EU” means the European Union.
- “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of June 4, 2021.
- “US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, privacy, and/or the Processing of personal data in force from time to time in the United States.
- “UK” means the United Kingdom of Great Britain and Northern Ireland.
- “Member State” shall have the same meaning as in the GDPR.
The Company is NOT established within the EEA, the UK, or in a jurisdiction that the European Commission has recognized as offering an adequate level of data protection.
This DPA supplements the existing Agreement between the parties and except as supplemented by this DPA, the terms of the Agreement shall remain in full force and effect.
This DPA becomes effective from the date last signed by the parties below (“Effective Date”) and remains in effect for as long as the Company Processes Client Personal Information pursuant to the Agreement.
- Role of Parties
- For the purposes of GDPR and PDPA, the Company acts as a Processor on behalf of the Client who acts as either: (i) a Controller; or (ii) a Processor on behalf of another Controller.
- For the purposes of CPRA, the Company will act as a “service provider” or “processor” (as defined under US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.
- As between the Parties, Client is and remains the owner of Client Personal Information and the holder of all rights relating to Client Personal Information.
- Processing of Client Personal Information
- Each party agrees to comply with their respective obligations under applicable Data Protection Laws.
- The parties agree to avoid taking any action that would cause the other party to be deemed to have sold Client Personal Information under the CCPA or CPRA. In no event will the transfer of Client Personal Information, pursuant to the Agreement, result in or be construed as constituting a sale of such Client Personal Information by or to the Company.
- Client’s obligations
- The Client shall provide the Company with documented instructions regarding the processing of the Client Personal Information. The Company shall only process Client Personal Information on behalf of and in accordance with the Client’s instructions.
- The Client has ensured and will continue to ensure that it has the right to transfer personal data and any relevant employee data to the Company for the duration and purposes of the Agreement.
- Client is solely responsible for complying with incident notification requirements applicable to Client and its Data Subjects. The Client is also responsible for fulfilling third-party obligations related to any Client Personal Information Breach.
- If the Company receives a request from a Data Subject of the Client to exercise one or more of its rights under applicable Data Protection Laws in connection with the Services, the Company will direct the request to the Client. The Client will be responsible for handling requests from Data Subjects.
- The Client represents and warrants that (a) it has all necessary rights to provide the personal data to the Company for the processing to be performed in relation to the Services, and (b) it is complying with all applicable Data Protection Laws.
- To the extent required by applicable Data Protection Laws, the Client is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in applicable Data Protection Laws supports the lawfulness of the processing, any necessary Data Subject consents to the processing are obtained and a record of such consents is maintained. If such consent is revoked by a Data Subject, the Client is responsible for communicating the fact of such revocation to the Company, and the Company remains responsible for implementing the Client’s instruction with respect to the processing of that Client Personal Information.
- Sub-Processing Clause
- The Client grants its authorization to the Company to appoint Sub-Processors, including but not limited to Affiliates of the Company, to deliver some or all Services and process Client Personal Information on its behalf in accordance with Section 6.
- The Company may appoint Sub-Processors to process Client Personal Information on its behalf. These appointed Sub-Processors shall comply with the obligations of the Processor similar to those set out in this DPA.
- The Company carries out appropriate due diligence on each Sub-Processor and the appointment of the Sub-Processor is governed by the written contract which includes terms substantially equivalent to those set out in this DPA. The Company will ensure that its Sub-Processor adheres to the Company’s obligations under this DPA.
- Security of Processing
- The Processor, while considering the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of individuals, shall implement suitable technical and organisational measures. These measures are intended to provide a level of security that is commensurate with the identified risk.
- The Client has assessed the security measures offered by the Company to meet the standards required by Data Protection Laws as of the Effective Date. Such technical and organisational measures are specified in Schedule 2 to this DPA and/or in the main Agreement and the Client will maintain those (or effectively similar) measures during the term of the main Agreement.
- The Company shall ensure that any person who is authorized by the Company to Process Client Personal Information shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- Data Subject Requests
- To the extent Client is unable to independently respond to a Data Subject Request, the Company shall reasonably cooperate to enable Client to respond to any requests, complaints, or other communications from Data Subjects and regulatory or judicial bodies relating to the processing of Client Personal Information under the Agreement, including requests from Data Subjects seeking to exercise their rights under Applicable Privacy Laws. If a Data Subject contacts the Company to exercise the Data Subject’s rights regarding Client Personal Information as permitted under Data Protection Laws (“Data Subject Request(s)”) and the requestor identifies as originating from Client, the Company will not respond to such request but will instead forward such request to Client without undue delay.
- If a Data Subject has a right to data portability with respect to Client Personal Information, the Company will ensure that the Client can obtain such data in a structured, common, and machine-readable format.
- Data Breach and Notification
- The Company shall notify the Client without undue delay upon discovery of any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to any Client Personal Information (hereinafter referred to as “Data Breach”).
- The Company will take all commercially reasonable measures, in accordance with its security incident management policies and procedures, to identify the cause of such Data Breach and provide Client with sufficient information to allow Client to meet its obligations under the GDPR, CPRA, or any other Applicable Laws/regulations to report or inform Data Subjects of the Data Breach.
- The Client is solely responsible for complying with data breach notification laws applicable to the Client and fulfilling any third-party notification obligations related to any Data Breach(es). The Company will cooperate with the Client and, if necessary, take such reasonable commercial steps as directed by the Client to assist in the investigation, mitigation, and remediation of each such Data Breach.
- Return & Destruction
- If the Agreement requires the Company to delete Client Personal Information, the Company will erase that Client Personal Information within the timeframe stipulated in the Agreement, unless the law allows or obliges the Company to keep such Client Personal Information. If the Agreement does not address the retention of Client Personal Information, the Company will either erase, destroy, or return all Client Personal Information to the Client and eliminate or return any existing copies once it has completed the provision of Services: (a) related to the processing; (b) when this DPA ends; (c) upon the Client’s written request; or (d) when the Company has fulfilled all agreed purposes in the context of the Services related to the processing activities and the Client does not require any further processing.
- If the erasure or return of Client Personal Information is not possible for any reason, or if backups and/or archived copies of the Client Personal Information have been created, the Company may retain such Client Personal Information after termination of the Agreement and will keep it in accordance with the applicable Data Protection Laws.
- Upon the termination of this DPA, the Company will inform all Sub-Processors involved in its processing and ensure that they either destroy the Client Personal Information or return the Client Personal Information to the Client, as per the Client’s preference.
- Cross Border Data Transfer Mechanism
If any Client Personal Information transfer between Client and the Company requires execution of Standard Contractual Clauses to comply with European Data Protection Laws (where Client is the Data Exporter), the terms and conditions of Schedule 3 will apply.
- Cooperation Obligations
The parties agree to cooperate fully with each other regarding compliance obligations pursuant to this DPA. Such cooperation shall include providing information relevant to conducting necessary audits or assessments and fulfillment of Data Subject requests including, but not limited to, access, erasure, opt-out, and objection.
- Changes in the Law
If a new or revised Data Protection Law requires this DPA to be amended to conform to it, either party may provide written notice to the other party of that change in law. The Parties will then engage in good faith discussions and negotiations to make any necessary adjustments to this DPA to accommodate such changes as promptly as reasonably practicable.
- General Terms
This DPA constitutes the entire Agreement between the parties relating to the processing of personal data and supersedes any prior Agreements between the parties relating to the subject matter of this DPA. To the extent of any conflict between the terms of this DPA and the terms of the Agreement with respect to the subject matter of this DPA and solely where Data Protection Laws apply, the terms of this DPA will control. This DPA may only be amended in writing and signed by the parties to this Agreement. The provisions of this DPA are severable. If any provision is determined to be invalid, illegal, or unenforceable, in whole or in part, the remaining provisions and any partially enforceable provisions will remain in full force and effect. For the avoidance of doubt, as between the parties to this DPA, each party’s liability and remedies under this DPA are subject to the liability limitations and damages exclusions set forth in the Agreement. Notwithstanding the foregoing, the Company’s total liability will not exceed its insurance policy limits in the aggregate.
Schedule 1: Details of Processing
For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 1 serves as Annex I, Part B.
Categories of Client Personal Information
The Company acknowledges that categories of the Client Personal Information depend on Client’s use of the Services, and the types of personal data processed by the Company. The Client has the sole authority to decide the categories of personal data related to them.
Categories of Data Subjects
Client may provide Company with personal data, which may include without limitation, personal data relating to the following categories of data subjects: users of Services provided, administered, or operated by Client or any Client Affiliate; Client personnel; and/or third parties that have, or may have, a commercial relationship with Client.
Duration of Processing
The Processing hereunder shall occur on or after the Effective Date until the termination or expiration of the Agreement or as otherwise agreed upon in writing.
Frequency of Processing
The frequency will be on an as-needed basis under the Agreement.
Nature of Processing
Any operation necessary for the performance of the Agreement and to comply with Client’s Processing instructions
Purposes of Processing
Performance of the Agreement and provision of the Company’s Services and related support Services.
Competent Supervisory Authority
The competent supervisory authority of the applicable Member State of Client (the data exporter for purposes of Schedule 3).
Schedule 2: Technical and organisational measures
For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 2 serves as Annex II.
- Physical Access Controls
- Locked doors on all entrances and exits including electronic key card access on all data processing and data center facilities.
- Removal of data and data center access upon personnel termination or change to a new role that does not require access to fulfill obligations under the Agreement.
- Conduct periodic access reviews and audits.
- Video monitoring of premises, including entrances and exits via CCTV.
- Security breach alarms.
- Systems Access Control
- Unique usernames for each user or personnel.
- No sharing of accounts or identities.
- Utilization of strong/complex passwords with minimum length requirements.
- Utilization of multi-factor authentication for remote access.
- Password expiration at regular intervals.
- Forced password reset at first login.
- Maximum failed login attempts with account lockout.
- Strong protection for password repositories or databases, such as encryption.
- Encryption of authentication information in transit.
- Timeout sessions due to user inactivity.
- Access Control
- Approval from appropriate management personnel is required for individual access to information and systems.
- Removal of individual access upon termination or change to a new role that does not require access to fulfill obligations under the Agreement.
- Logging and monitoring of failed attempts to access personal data.
- Encryption at rest for personal data, including data resting on all portable media such as laptops, backup devices, and USB drives.
- Access control where applicable to prevent inappropriate data use.
- Employee background checks and confidentiality Agreements.
- Transmission Control
- Restrictions of transfer rights for systems containing personal data.
- Utilization of secure data transit networks such as VPN, SFTP, SSL, and email encryption.
- Input Control (logging, monitoring, and auditing)
- Logging of input actions in systems containing personal data.
- Logging of failed attempts to edit, delete, or change personal data.
- Auditing of actions to ensure consistency with the above requirements.
- Availability Control
- Written policies implementing information security controls such as firewalls, anti-virus software, application controls, IPS/IDS, monitoring & alerting, segmented networks, vulnerability management, patch management, and hardened system standards.
- Documented disaster recovery and business continuity protocols.
- Secure backup procedures in place with full backup availability, including at backup facilities with security features that include:
  - Environmental controls.
  - Fire protection.
  - Uninterruptible power supply.
  - Physical security.
- Separation Control
- Logical separation of data between production, QA, and development networks.
- Separation of duties and access for personnel processing relevant personal data and personnel not processing relevant personal data.
- Additional Controls
- Conducting regular security training and awareness programs for all employees.
- Maintaining a comprehensive incident response plan to address potential security breaches promptly.
- Implementing detailed access logging and continuous monitoring of all access points.
- Performing regular penetration testing to identify and mitigate potential vulnerabilities.
Schedule 3: Standard Contractual Clauses
In regard to the transfer of data for data processing occurring pursuant to the Agreement, the parties agree to be bound by the SCCs, applying the following Module:
- If the transfer of data for data processing pursuant to the Agreement is from Controller to Controller, then Module One of the SCCs will apply;
- If the transfer of data for data processing pursuant to the Agreement is from Controller to Processor, then Module Two of the SCCs will apply;
- If the transfer of data for data processing pursuant to the Agreement is from Processor to Processor, then Module Three of the SCCs will apply; or
- If the transfer of data for data processing pursuant to the Agreement is from a Processor to a Controller not otherwise subject to the GDPR, then Module Four of the SCCs will apply.
A current copy of the SCCs is located at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914 and the specific SCCs applicable to this DPA are hereby incorporated into this DPA by reference as if fully restated herein.
- For purposes of selecting optional (or otherwise selectable) language in the SCCs:
- Clause 7 will not apply.
- For Clause 9(a), Option 2 (general written authorization for Sub-Processors) will apply with the specified time period being five (5) calendar days.
- For Clause 11(a), the optional language (Data Subject’s ability to complain with an independent resolution body) will not apply.
- For Clause 17, Option 2 will apply, allowing the choice of law governing claims within this DPA relating to GDPR compliance to be the EU Member State in which the data exporter is established unless such law does not allow for third-party beneficiary rights, in which case the parties agree that the choice of law governing this DPA will be the law of Ireland.
- For Clause 18, the parties agree that any dispute arising from this DPA will be resolved by the courts of the EU Member State in which the data exporter is established unless the data exporter is not established in an EU Member State, in which case the parties agree that such dispute will be resolved in the courts of Ireland.
- If the Client Personal Information is governed by the UK GDPR, this DPA will include the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under Section 18 of those Mandatory Clauses.
- For the purposes of Annex I.A. to the SCCs, the identity and contact details of the parties are as set forth within the introductory paragraph or signature page(s) of the underlying Agreement and, where applicable, their data protection officer(s) and/or representative(s) in the European Union are specified within the applicable SOW.
- For purposes of Annex I.B. to the SCCs, if Client Personal Information is being processed pursuant to the Services, the applicable SOW will specify the nature of the data processing, the categories of Data Subjects whose data is to be transferred, the categories of personal data transferred, whether sensitive data will be transferred and a description of such sensitive data, the frequency of the transfer, the purpose of the data transfer and further processing, the period for which the Client Personal Information will be retained, and, if the transfer will involve use of Sub-Processors, the subject matter, nature, and duration of the sub-processing.
- For purposes of Annex I.C. to the SCCs, if Client Personal Information is being processed pursuant to the Services, the applicable SOW will specify the applicable supervisory authority, unless such processing is governed by the UK GDPR.
- For purposes of Annex II to the SCCs, if Client Personal Information is being processed pursuant to the Services, unless the SOW specifies different technical and organisational measures, the minimum technical and organisational measures will be implemented by the data importing party.
- For purposes of Annex III to the SCCs, if Client Personal Information is being processed pursuant to the Services, the applicable SOW will identify any Sub-Processors that are anticipated and describe the processing of Client Personal Information that will be handled by such Sub-Processors.
- Information provided herein or within an applicable SOW to satisfy Annexes I, II, and III to the SCCs is included as may be required by the Data Protection Laws. Nothing in Sections 8, 9, 10, and 12 of this DPA confers any right or imposes any obligation on a party to this DPA.