Data Processing Addendum
Effective Date: February 12, 2019
This Data Processing Addendum (the “Addendum”) forms part of the underlying Terms of Subscription Agreement executed between Blackfynn, Inc. (“Blackfynn”) and the identified User, inclusive of any amendments thereto, pursuant to which Blackfynn provides the Services to User (the “Agreement”), to the extent the Processing of User Data is governed by Data Protection Laws and Regulations, and reflects the parties’ agreement with regard to the Processing of Personal Data (as defined below) in accordance with the requirements of the applicable Data Protection Laws and Regulations. This Addendum is governed by and subject to the terms and conditions of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to User pursuant to the Agreement, Blackfynn only Processes Personal Data on behalf of User pursuant to the Instructions. The parties agree to comply with the following provisions with respect to any Personal Data contained in User Data. Nothing in this Addendum shall alter the parties’ agreement, as set forth in the Agreement, with respect to representations, warranties, liability, indemnification, or any other commercial terms with respect to data protection or data security; in the event of any such conflict between this Addendum and the Agreement, the Addendum shall prevail only to the extent of such conflict.
1. Definitions
1.1 “User Data” has the same meaning as in the Agreement (whether referred to as User Data or Partner Data).
1.2 “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
1.3 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
1.4 “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement, and including the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) as of its effective date.
1.5 “Data Subject” means the individual to whom Personal Data relates.
1.6 “Data Subject Request” means a Data Subject’s request to access, correct, amend, transfer, block or delete that person’s Personal Data consistent with that person’s rights under Data Protection Laws and Regulations.
1.7 “GDPR Assistance Materials” means those materials Blackfynn provides to its general customer base as information on the Services’ Processing of User’s Personal Data and, where required under Data Protection Laws and Regulations, as assistance for User’s data protection impact assessment(s) and/or prior consultations with Regulators. GDPR Assistance Materials will include, at a minimum, the Blackfynn Product Privacy Statement, our Security Overview webpage, Blackfynn’s current security certifications and reports, such as its SOC 1 and SOC 2 audit reports (or comparable industry-standard successor reports), ISO/IEC 27001:2013 Certification and Privacy Shield Certification.
1.8 “Instructions” means User’s instructions to Blackfynn with respect to the Processing of Personal Data, comprising the Agreement and any written amendments to the Agreement, and any sale or work orders or amendments thereto.
1.9 “Personal Data” has the meaning set forth in Data Protection Laws and Regulations, namely (and without limitation) any information relating to an individual Data Subject, including sensitive data, to the extent such data is contained in User Data.
1.10 “Regulator” means any supervisory authority with authority under Data Protection Laws and Regulations over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.11 “Subprocessor” means any Data Processor engaged by Blackfynn to support delivering the Services.
1.12 “Subprocessor List Page” means Blackfynn’s Subprocessors page available at https://www.blackfynn.com/legal/subprocessors.
2. Subject matter, duration, nature and purpose of the processing; type of personal data and categories of data subjects
2.1 Subject-matter of the Processing. The Processing of Personal Data is carried out pursuant to the Agreement, including as described in the Blackfynn Services Privacy Notice and in Appendix 1 of this Addendum.
2.2 Duration of the Processing. The Processing begins and ends with performance of the Services for the User, as specified in the Instructions.
2.3 Nature and Purpose of the Processing. The purpose and object of the Processing of Personal Data by Blackfynn is to perform and provide the Services pursuant to the Instructions, as specified in the Appendix 1 of this Addendum.
2.4 Type of Personal Data and Categories of Data Subjects. The type of Personal Data and the categories of affected Data Subjects are set out in Appendix 1 of this Addendum.
3. Instructions; commitment to confidentiality
3.1 Blackfynn’s Processor Role. Blackfynn shall only Process Personal Data on behalf of the User. The User is the Data Controller or otherwise provides Instructions to Blackfynn on behalf of and as specifically authorized by the Data Controller.
3.2 Instructions. Blackfynn shall only Process Personal Data on behalf of and in accordance with the Instructions and shall protect Personal Data as User Data and/or Confidential Information. User shall ensure that its Instructions to Blackfynn comply with Data Protection Laws and Regulations. The Instructions are User’s complete and final instructions to Blackfynn for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately with prior written agreement between User and Blackfynn.
3.3 Commitment to Confidentiality. Blackfynn shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality. Blackfynn shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Blackfynn restricts the Processing of Personal Data to those personnel who require such access to perform the Agreement.
4. Security of personal data
4.1 Security Controls. Blackfynn maintains appropriate administrative, organizational and technical controls as set out in Appendix 2 of this Addendum. Blackfynn may update or modify the stated security controls from time to time provided that such updates and modifications meet or exceed the stated security controls. User agrees that Blackfynn has no obligation to protect Personal Data that User elects to store outside of Blackfynn and its backup systems. User has assessed the level of security appropriate to the Processing of Personal Data in the context of its obligations under Data Protection Laws and Regulations and agrees that the security measures set out in Appendix 2 of this Addendum are consistent with such assessment.
5. Subprocessors
5.1 Appointment of Subprocessors and User Consent. User acknowledges and specifically authorizes Blackfynn’s use of its Subprocessors existing as of the Effective Date, including the Subprocessors listed on the Subprocessor List Page. User hereby gives a general authorization to further Subprocessors, provided Blackfynn follows the following procedure:
(a) Blackfynn agrees to provide notice to User of any new or replacement Subprocessor that Processes Personal Data under the Agreement, thereby giving User the opportunity to object to such changes within ten (10) days from the date of receipt of notice (the “Subprocessor Notice”). User agrees that it will not object to any Subprocessor with which Blackfynn has executed a written agreement that obligates the Subprocessor to (i) protect such Personal Data to the same extent as is required of Blackfynn by the Agreement and this Addendum, and (ii) be in compliance with applicable Data Protection Laws and Regulations.
(b) If User has reasonable grounds to object to Blackfynn’s use of a new or replacement Subprocessor, User shall notify Blackfynn promptly in writing within ten (10) days after receipt of the Subprocessor Notice and specify those grounds. Such reasonable grounds (provided that such reason does not conflict with the conditions in Section 5.1(a) above) may be that the new or replacement Subprocessor is unlikely to be able to comply with the terms of the Agreement so far as they relate to the protection of Personal Data, or other reasons that are at least as important. User acknowledges that Blackfynn provides a standardized service to all customers which does not allow using different Subprocessors for different customers and, therefore, that the inability to use a particular new or replacement Subprocessor for the Services to User may result in delay in performing the Services, inability to perform the Services or increased fees. Blackfynn will notify User in writing of any change to the Services or fees that would result from Blackfynn’s inability to use a new or replacement Subprocessor to which User has objected. User may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. This termination right shall be User’s sole and exclusive remedy for such termination of the Agreement.
5.2 Processing Restrictions. Blackfynn will require Subprocessors to only access and use Personal Data in accordance with the terms of the Agreement (including this Addendum) and will bind the Subprocessors by written obligations: (i) that require them to provide at least the level of data protection required by Data Protection Laws and Regulations and by the Agreement; and (ii) where applicable, that impose the level of data protection required by the Privacy Shield.
5.3 Liability. Blackfynn shall be liable for the acts and omissions of its Subprocessors to the same extent Blackfynn would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum.
5.4 List of Current Subprocessors and Notification of New Subprocessors. A current list of the Subprocessors that may be used for Processing Personal Data is available to User without charge on the Subprocessor List Page. Blackfynn will keep the Subprocessor list current and inclusive of any new Subprocessors and will make the updated Subprocessor list available to User upon request. Blackfynn shall notify User prior to using any Subprocessor not included in such list, in accordance with clause 5.1 above.
6. Rights of data subjects and cooperation with regulators
6.1 Correction, Deletion and Blocking. To the extent User, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data as required by Data Protection Laws and Regulations, Blackfynn shall provide User with assistance to comply with any reasonable request by User to facilitate such actions to the extent Blackfynn is legally permitted to do so. User shall be responsible for any costs arising from Blackfynn’s provision of such assistance.
6.2 Data Subject Requests. Blackfynn shall, to the extent legally permitted, promptly notify User if it receives a Data Subject Request. Blackfynn shall not respond to any such Data Subject Request without User’s prior written consent except to confirm that the request relates to User, unless the Data Subject Request relates only to that Data Subject’s registration data for accessing the Services. Blackfynn shall provide User with assistance in relation to the handling of a Data Subject Request, to the extent legally permitted and to the extent User does not have access to such Personal Data through its use of the Services. To the extent legally permitted, User shall be responsible for any costs arising from Blackfynn’s provision of such assistance.
6.3 Blackfynn shall promptly notify User of all enquiries from a Regulator that Blackfynn receives which relate to the Processing of Personal Data or the provision to or receipt of the Services by User, unless prohibited from doing so by law or by the Regulator.
6.4 Unless a Regulator requests in writing to engage directly with Blackfynn or the parties (acting reasonably and taking into account the subject matter of the request) agree that Blackfynn shall handle a Regulator request itself, User shall: (a) be responsible for all communications or correspondence with the Regulator in relation to the Processing of Personal Data and the provision or receipt of the Services; and (b) keep Blackfynn informed of such communications or correspondence to the extent permitted by law.
7. Assistance and information for data protection impact assessments; security incident notifications
7.1 The information made available as GDPR Assistance Materials is intended to assist User both in complying with its obligations under the GDPR, such as data protection impact assessment(s), prior consultation with the Regulator and other Regulator inquiries, and in addressing any requests by User with respect to Blackfynn’s privacy practices, including any audit request (together, “Privacy Inquiries”). User agrees that Blackfynn’s GDPR Assistance Materials will be used to fulfill User’s Privacy Inquiries. Except as otherwise agreed in the Agreement, in the event that User requires information in addition to the GDPR Assistance Materials, including to demonstrate compliance with this Addendum, such information shall be made available under a separately executed audit support agreement. User shall be responsible for the costs, on a time and materials basis, of Blackfynn’s provision of such assistance at Blackfynn’s then-current Professional Services rates.
7.2 If Blackfynn becomes aware of a security incident which leads or is likely to lead to a material infringement of Data Protection Laws and Regulations, or of this Addendum, that compromises the security, confidentiality or integrity of Personal Data and that would require reporting to a regulatory authority (as defined under applicable Data Protection Laws and Regulations) (a “Security Incident”), Blackfynn will notify User of such Security Incident without undue delay. Blackfynn will take appropriate actions to contain, investigate and mitigate the Security Incident and work with User to provide information to User concerning the Security Incident, and will assist User with any required notifications to affected individuals, subject to any related limitations set forth in the Agreement. Notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Blackfynn of any fault or liability with respect to the Security Incident.
7.3 Except as otherwise agreed to in the Agreement, to the extent that the Security Incident is the result of Blackfynn’s failure to comply with the terms of the Agreement or this Addendum, Blackfynn shall bear the actual, reasonable costs of notifying affected individuals. Blackfynn and User shall mutually agree on the content and timing of any such notifications, in good faith and as needed to meet applicable legal requirements. Notwithstanding the preceding sentence, the parties agree that Blackfynn shall have no obligation to send notification letters or provide credit monitoring for User unless such letters are legally required or otherwise reasonably required to alert individuals of potential harm.
8. Deletion or return of personal data
8.1 Blackfynn shall return Personal Data to User or delete Personal Data in accordance with the terms of the Agreement and the policies and schedules set forth in Blackfynn’s Record Retention Policy and Schedule, which Policy and Schedule adhere to the retention limitations required by law and regulation, including Good Clinical Practice (ICH GCP), except to the extent retention is required by law or in order to defend any actual or possible legal claim.
8.2 User acknowledges and agrees that Blackfynn shall have no liability for any losses incurred by User arising from or in connection with Blackfynn’s inability to perform the Services as a result of Blackfynn complying with a request to delete or return Personal Data made by User under this Section 8.
9. Making available information to demonstrate compliance
9.1 Distribution of GDPR Assistance Materials. Blackfynn will make available upon User request its GDPR Assistance Materials (along with such additional information as the parties may agree to as part of an audit support agreement, described in Section 7.1) to demonstrate compliance with this Addendum and Data Protection Laws and Regulations.
10. Privacy shield framework
10.1 To the extent Blackfynn receives in the United States User Data from the European Union or Switzerland, it will handle such User Data in accordance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework (together, the “Privacy Shield”). Blackfynn will maintain certification under the Privacy Shield for the duration of the Agreement.
11.1 Nondisclosure. The terms of this Addendum are not publicly known and constitute Confidential Information under the Agreement. User may only disclose the terms of this Addendum to a data protection Regulator to the extent required by law or regulatory authority. User shall take reasonable steps to ensure that data protection Regulators do not make the terms of this Addendum public, including by marking any copies as “Confidential and Commercially Sensitive,” requesting return of any copies, and requesting prior notice and consultation before any public disclosure.
11.2 Termination. This Addendum will terminate when Blackfynn ceases to Process Personal Data, except as otherwise agreed in writing between the parties.
Appendix 1: Subject matter and details of the data processing
Subject Matter: Blackfynn’s provision of the Services to User.
Nature and Purpose of the Processing: Blackfynn will Process User’s Personal Data for the purposes of providing the Services to User in accordance with the Addendum.
Appendix 2: Security measures
Blackfynn will implement and maintain the Security Measures set out in this Appendix 2. Blackfynn may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Blackfynn’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Blackfynn’s organization, monitoring and maintaining compliance with Blackfynn’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry-standard encryption technologies for Personal Data that is: a. transmitted over public networks (e.g. the Internet) or transmitted wirelessly; or b. at rest or stored on portable or removable media (e.g. laptop computers, CD/DVD, USB drives, back-up tapes).
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review of access, and revoking or changing access when employment terminates or job functions change).
5. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that passwords Blackfynn assigns to its employees: (i) be at least eight (8) characters in length; (ii) not be stored in readable format on Blackfynn’s computer systems; (iii) be changed every ninety (90) days; (iv) meet defined complexity requirements; (v) be subject to a history threshold that prevents reuse of recent passwords; and (vi) when newly issued, be changed after first use.
6. Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Blackfynn facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
7. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Blackfynn’s technology and information assets.
8. Incident/problem management procedures designed to allow Blackfynn to investigate, respond to, mitigate and notify of events related to Blackfynn’s technology and information assets.
9. Network security controls that provide for the use of enterprise firewalls, intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters.