This Data Processing Policy (“DPP”) forms part of the Services Agreement between Faith Technologies Inc. (“FTI”) and Customer (the “Agreement”) under which FTI provides the Service to Customer. (FTI and Customer are sometimes referred to herein each as a “Party” and collectively as the “Parties”).
In the course of providing products and/or services to Customer pursuant to this DPP, FTI may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
The terms of this DPP will be effective and replace any previously applicable data processing terms as of the date of execution.
Designated Data Center Location: United States
In this DPP, the following terms shall have the following meanings:
“Additional Products” means products, services and applications (whether made available by FTI or a third party) that are not part of the Service.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Customer Audit Program” means FTI’s optional, fee-based customer audit program as described in the Order Form for Audit Program.
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Processing” (and “Process”) shall have the meanings given in Applicable Data Protection Law. The term “Personal Data” shall be deemed to include concepts of “Personal information” or “Personally Identifiable Information” if and as those terms may be defined under Applicable Data Protection Law.
“EU Data Protection Laws” means: (i) up to 25 May 2018, the Data Protection Directive 95/46/EC; and (ii) from 25 May 2018 onwards, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPP, including local, state, national and/or foreign laws, treaties, and/or regulations, EU Data Protection Laws, and implementations of EU Data Protection Laws into national law.
“Personal Data Breach” means (i) a ‘personal data breach’ as defined in the GDPR affecting Personal Data, and (ii) any Security Breach affecting Personal Data.
“Subprocessor” means an FTI Affiliate or third-party entity engaged by FTI or an FTI Affiliate as a Data Processor under this DPP.
“Valid Transfer Mechanism” means a data transfer mechanism permitted by USA Data Protection Laws as a lawful basis for transferring Personal Data to a recipient outside the USA.
SECTION 1. PROCESSING PERSONAL DATA
1.1 Scope and Role of the Parties. This DPP applies to the Processing of Personal Data by FTI in the course of providing the Service. For the purposes of this DPP, Customer and its Affiliates are the Data Controller(s) and FTI is the Data Processor, Processing Personal Data on Customer’s behalf.
1.2 Instructions for Processing. FTI shall Process Personal Data in accordance with Customer’s documented instructions. Customer instructs FTI to Process Personal Data to provide the Service in accordance with the Agreement (including this DPP). Customer may provide additional instructions to FTI to Process Personal Data, however FTI shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this DPP.
1.2.1. Customer Instructions. FTI shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of contract and/or (ii) if FTI is unable to follow Customer’s instructions for the Processing of Personal Data.
1.2.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of FTI as Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws and Regulations.
1.2.3 FTI’s Processing of Personal Data. FTI shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
1.2.4. Details of the Processing. The subject-matter of Processing of Personal Data by FTI is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPP.
1.3 Compliance with Laws. FTI shall comply with all Data Protection Laws applicable to FTI in its role as a Data Processor Processing Personal Data. For the avoidance of doubt, FTI is not responsible for complying with Data Protection Laws applicable to Customer or Customer’s industry such as those not generally applicable to online service providers. Customer shall comply with all Data Protection Laws applicable to Customer as a Data Controller.
SECTION 2. SUBPROCESSORS
2.1 Use of Subprocessors. Customer agrees that FTI and its Affiliates may engage Subprocessors to Process Personal Data. FTI or its relevant Affiliate shall ensure that such Subprocessor has entered into a written agreement requiring the Subprocessor to abide by terms no less protective than those provided in this DPP. Upon Customer’s request, FTI will make available to Customer a summary of the data processing terms. For the avoidance of doubt, the data processing terms that apply to FTI Affiliates when Processing Personal Data as a Subprocessor are those set out in this DPP. FTI shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by FTI.
SECTION 3. DATA CENTER LOCATION AND DATA TRANSFERS
3.1 Storage of Personal Data. Personal Data will be housed in data centers located in the Designated Data Center Location set forth herein unless the parties otherwise expressly agree in writing.
3.2 Access to Personal Data. Notwithstanding Section 3.1, in order to provide the Service FTI and its Subprocessors will only access Personal Data from (i) countries in the EEA, (ii) countries or territories formally recognized by the European Commission as providing an adequate level of data protection (“Adequate Countries”) and (iii) the United States provided, in this case, that FTI makes available to Customer a Valid Transfer Mechanism. When FTI or its Subprocessors access Personal Data from outside the Designated Data Center Location for the purposes set forth above, Customer agrees that Personal Data may be temporarily stored in that country.
SECTION 4. RIGHTS OF DATA SUBJECTS
4.1 Correction, Deletion or Restriction. FTI will, at its election and as necessary to enable Customer to meet its obligations under applicable Data Protection Laws, either (i) provide Customer the ability, via written notice, to correct or delete Personal Data or restrict its Processing; or (ii) make such corrections, deletions, or restrictions on Customer’s behalf if such functionality is not available within the Service.
4.2 Access to Personal Data. To the extent a Data Subject’s Personal Data is not accessible to Customer through the Service, FTI will, as necessary to enable Customer to meet its obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to Customer.
4.3 Handling of Data Subject Requests. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, deletion or restriction of that person’s Personal Data (“Data Subject Request”). If FTI receives a Data Subject Request, FTI shall promptly redirect the Data Subject to Customer.
4.4 Data Portability. During the term of the Agreement, Customer may extract Personal Data from the Service in accordance with the Documentation and the relevant provisions of the Agreement, including so that Customer can provide the Personal Data to an individual who makes a data portability request under EU Data Protection Laws.
SECTION 5. GOVERNMENT ACCESS REQUESTS
Unless prohibited by applicable law or a legally binding request of law enforcement, FTI shall promptly notify Customer of any request by a government agency or law enforcement authority for access to or seizure of Personal Data.
SECTION 6. FTI PERSONNEL
FTI shall take reasonable steps to require screening of its personnel who may have access to Personal Data and shall require such personnel (i) to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data; and (ii) to agree to comply with confidentiality obligations which shall survive the termination of employment.
SECTION 7. PERSONAL DATA BREACH
In the event FTI becomes aware of a Personal Data Breach it shall without undue delay notify Customer in accordance with the Security Breach provisions of the Agreement. To the extent Customer requires additional information from FTI to meet its Personal Data Breach notification obligations under applicable Data Protection Laws, FTI shall provide reasonable assistance to provide such information to Customer taking into account the nature of Processing and the information available to FTI.
SECTION 8. SECURITY PROGRAM
FTI shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
8.1. Controls for the Protection of Customer Data. FTI shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. FTI regularly monitors compliance with these measures. FTI will not materially decrease the overall security of the Services during a subscription term.
8.2. Audit. If Customer requests an Audit, at Customer’s sole expense, FTI shall make available to Customer information to demonstrate compliance with the obligations set out in this DPP, including those obligations required by applicable Data Protection Laws and Regulations, as set forth in this section 8.2.
8.2.1. On-Site Audit. Customer may contact FTI to request an on-site audit of FTI’s Processing activities covered by this DPP (“On-Site Audit”). An On-Site Audit may be conducted by Customer either itself or through a Third-Party Auditor (as defined below in section 8.2.3) selected by Customer when:
(i) the information available pursuant to section “Third-Party Certifications and Audits” is not sufficient to demonstrate compliance with the obligations set out in this DPP and its Schedules;
(ii) Customer has received a notice from FTI of a Customer Data Incident; or
(iii) such an audit is required by Data Protection Laws and Regulations or by Customer’s competent supervisory authority.
Any On-Site Audits will be limited to Customer Data Processing and storage facilities operated by FTI or any of FTI’s Affiliates. Customer acknowledges that FTI operates a multi-tenant cloud environment. Accordingly, FTI shall have the right to reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other FTI customers’ information.
8.2.2. Reasonable Exercise of Rights. An On-Site Audit shall be conducted by Customer or its Third-Party Auditor:
(i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Customer;
(ii) up to one time per contract period with at least three weeks’ advance written notice. If an emergency justifies a shorter notice period, FTI will use good faith efforts to accommodate the On-Site Audit request; and
(iii) during FTI’s normal business hours, for a reasonable duration, and in a manner that does not unreasonably interfere with FTI’s day-to-day operations.
Before any On-Site Audit commences, Customer and FTI shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of FTI.
8.2.3. Third-Party Auditor. A Third-Party Auditor means a third-party independent contractor that is not a competitor of FTI. An On-Site Audit can be conducted through a Third-Party Auditor if:
(i) prior to the On-Site Audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect FTI’s proprietary information; and
(ii) the costs of the Third-Party Auditor are at Customer’s expense.
8.2.4. Findings. Customer must promptly provide FTI with information regarding any non-compliance discovered during the course of an On-Site Audit.
8.3 Security of Processing. Customer is solely responsible for making an independent determination as to whether the technical and organizational measures meet Customer’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by FTI provide a level of security appropriate to the risk with respect to its Personal Data. Personal Data Breaches will be handled in accordance with section 9 of this DPP.
SECTION 9. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
FTI maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by FTI or its Subprocessors of which FTI becomes aware (a “Customer Data Incident”). FTI shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as FTI deems necessary and reasonable to remediate the cause of such a Customer Data Incident to the extent the remediation is within FTI’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
SECTION 10. RETURN AND DELETION OF PERSONAL DATA
Upon termination of the Service, FTI shall return and delete Personal Data in accordance with the relevant provisions of the Agreement.
SECTION 11. ADDITIONAL PRODUCTS
Customer acknowledges that if it installs, uses, or enables Additional Products that interoperate with the Service but are not part of the Service itself, then by such actions Customer is instructing FTI to cause the Service to allow such Additional Products to access Personal Data as required for the interoperation of those Additional Products with the Service. Such separate Additional Products are not required to use the Service and may be restricted for use as determined by Customer’s system administrator. This DPP does not apply to the Processing of Personal Data by Additional Products which are not part of the Service.
SECTION 12. GENERAL PROVISIONS
12.1 Customer Affiliates. Customer is responsible for coordinating all communication with FTI on behalf of its Affiliates with regard to this DPP. Customer represents that it is authorized to issue instructions as well as make and receive any communications or notifications in relation to this DPP on behalf of its Affiliates.
12.2 Disclosure of DPP Terms. Customer or its Affiliates may only disclose the terms of this DPP to a regulator or supervisory authority to the extent required by law or by such regulator or supervisory authority, such as for the purpose of notifications or approvals. Furthermore, Customer shall use reasonable endeavors to ensure that such regulator or supervisory authority does not make this DPP public, including: (i) marking copies of this DPP as “Confidential and Commercially Sensitive”; (ii) requesting return of this DPP once the regulatory notification has been completed or approval granted; and (iii) requesting prior notice and consultation before any disclosure of this DPP by the regulator or supervisory authority.
12.3 Termination. The term of this DPP will end simultaneously and automatically at the later of (i) the termination of the Agreement or (ii) the deletion of all Personal Data from FTI’s systems.
12.4 Conflict. This DPP is subject to the non-conflicting terms of the Agreement. With regard to the subject matter of this DPP, in the event of inconsistencies between the provisions of this DPP and the Agreement, the provisions of this DPP shall prevail with regard to the parties’ data protection obligations.
12.5 Customer Affiliate Enforcement. Customer’s Affiliates may enforce the terms of this DPP directly against FTI, subject to the following provisions:
(i) if it were a party to the Agreement (each an “Affiliate Claim”) directly against FTI on behalf of such Affiliate, except where the Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate itself bring or be party to such Affiliate Claim; and
(ii) for the purpose of any Affiliate Claim brought directly against FTI by Customer on behalf of such Affiliate in accordance with this Section, any losses suffered by the relevant Affiliate may be deemed to be losses suffered by Customer.
12.6 Remedies. Customer’s remedies (including those of its Affiliates) with respect to any breach by FTI or its Affiliates of the terms of this DPP, and the overall aggregate liability of FTI and its Affiliates arising out of, or in connection with the Agreement (including this DPP) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Liability Cap”). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of FTI and its Affiliates arising out of, or in connection with the Agreement (including this DPP) shall in no event exceed the Liability Cap.
12.7 Miscellaneous. The section headings contained in this DPP are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPP.
12.8. Limitation Of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPP, and all DPPs between Authorized Affiliates and FTI, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPPs together.
For the avoidance of doubt, FTI’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPPs shall apply in the aggregate for all claims under both the Agreement and all DPPs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPP.
SECTION 13. PROFESSIONAL SERVICES
The terms of this DPP apply to Professional Services, and solely with respect to Professional Services this Section 13 amends specified terms of the DPP as set forth below. For purposes of interpreting the DPP terms for the Professional Services, “Agreement” means Professional Services Agreement, and “Service” means Professional Services.
13.1 Definitions. The following definitions apply to Professional Services.
“Professional Services Agreement” means any agreement between the parties for the provision of consulting or professional services, including but not limited to the following agreements or terms: the Foundation Tenant Service Terms, the Professional Services Agreement, the Delivery Assurance terms, the Professional Services Addendum, and/or the Consulting and Training Addendum and Amendment.
“Professional Services” means the professional or consulting services provided to Customer under a Professional Services Agreement.
“Professional Services Data” means electronic data or information that is provided to FTI under a Professional Services Agreement for the purpose of being input into the FTI Service, or Customer Data accessed within or extracted from the Customer’s tenant to perform the Professional Services.
“Personal Data” means any Professional Services Data that is related to an identified or identifiable person.
“SFTP Server” means a secure file transfer protocol server provided and controlled by FTI that may be used to transfer the Professional Services Data between Customer and FTI for implementation purposes.
13.2 Notification of Third-Party Subprocessors. This Section 13.2 replaces Sections 2.2 and 2.3. For the avoidance of doubt, Sections 2.2 and 2.3 continue to apply to FTI’s use of Affiliates as Subprocessors for Professional Services.
Notification of and Objection Right to Subprocessors: FTI shall make available to Customer upon Customer request a list of third-party Subprocessors authorized to Process Personal Data for the applicable Professional Services engagement. Customer may object to such Subprocessors via a mutually agreed upon SOW.
13.3 Data Center Location and Data Transfers
13.3.1 This Section 13.3.1 replaces Section 3.1 “Storage of Personal Data” in its entirety:
SFTP Server Location: The SFTP Server will be housed in data centers located in the Designated Data Center Location unless the parties otherwise expressly agree in writing.
13.3.2 This Section 13.3.2 replaces Section 3.2 “Access to Personal Data” in its entirety.
Processing Professional Services Data. To provide the Professional Services, FTI and its Subprocessors will only Process Personal Data in (i) countries in the USA, (ii) countries formally recognized by the USA Commission as providing an adequate level of data protection (“Adequate Countries”), and provided FTI makes available to Customer a Valid Transfer Mechanism, (iii) the United States and (iv) other countries where Customer and/or its Affiliates are located.
13.4 Rights of Data Subjects
13.4.1 This Section 13.4.1 replaces Section 4.2 “Access to Personal Data” in its entirety.
Access to Personal Data. To the extent a Data Subject’s Personal Data is not accessible to Customer through the SFTP Server, FTI will, as necessary to enable Customer to meet its obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to Customer.
13.4.2 Section 4.4 “Data Portability” shall not apply.
13.5 Audit. This Section 13.5 replaces Section 9 “Audit” in its entirety.
Audit. In the event that Customer, a regulator, or data protection authority requires an inspection or audit relating to the Professional Services that Customer cannot obtain through its own access to the SFTP Server or Professional Services Data, such inspection and/or audit shall be made available in accordance with FTI’s Customer Audit Program.
13.6 Deletion of Professional Services Data. This Section 13.6 replaces Section 10 “Return and Deletion of Personal Data” in its entirety.
Deletion of Professional Services Data. Subject to the Customer’s prior written request, FTI will delete the Professional Services Data by deletion of Customer’s files on the SFTP Server; provided, however, that FTI will not be required to remove copies of the Professional Services Data from its backup media and servers until such time as the backup copies are scheduled to be deleted, provided further that in all cases FTI will continue to protect the Professional Services Data in accordance with this Exhibit.
CATEGORIES OF DATA SUBJECTS
Prospective, current and former employees and other workers, as well as related persons.
CATEGORIES OF DATA
Prospective, current and former employee data: Such employee data as is necessary for human resources and benefits processing, including name; contact information (including home and work address; home and work telephone numbers; mobile telephone numbers; web address data; instant messenger data; home and work email address); marital status; ethnicity; citizenship information; visa information; national and governmental identification information; drivers’ license information; passport information; banking details; military service information; religion information; birth date and birth place; gender; disability information; employee identification information; education, language(s) and special competencies; certification information; probation period and employment duration information; job or position title; business title; job type or code; business site; company, supervisory, cost center and region affiliation; work schedule and status (full-time or part-time, regular or temporary); compensation and related information (including pay type and information regarding raises and salary adjustments); payroll information; allowance, bonus, commission and stock plan information; leave of absence information; employment history; work experience information; information on internal project appointments; accomplishment information; training and development information; award information; membership information.
Related person’s data: Name and contact information of dependents or beneficiaries (including home address; home and work telephone numbers; mobile telephone numbers); date of birth; gender; emergency contacts; beneficiary information; dependent information.