Exhibit 3 - Data Protection Agreement (“DPA”)
- Defined Terms.
“data controller”, “data processor”, “data subject”, “process/processing”, and “supervisory authority” shall have the meanings set out in the applicable Privacy Laws;
“CCPA” means the California Consumer Privacy Act of 2018.
“Data Protection Laws” means rules and regulations applicable with respect to the processing of Personal Data under the Agreement and this DPA, including the European Data Protection Laws, UK Data Protection Laws, LGPD and the CCPA, each as updated, amended or replaced from time to time.
“European Data Protection Laws” means all Privacy Laws in the European Territories and which are applicable to the Personal Data in question including, where applicable, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR"), the Swiss Federal Data Protection Act and its ordinances, and any applicable associated or supplementary data protection laws or regulations.
“European Territories” means collectively (i) the European Economic Area (“EEA”), namely the European Union (“EU”) Member States and Iceland, Lichtenstein and Norway, and Switzerland.
“LGPD” means the Brazilian Lei Geral de Proteção de Dados Pessoais Law n. 13.709/20.
“Personal Data” means Data that, alone or in combination with other information, is about, related to, or can be used to identify an identifiable living natural person. For clarity purposes, hashed, truncated, or encrypted versions of the foregoing that are unusable to uniquely identify an individual are not Personal Data for purposes of this DPA.
“Subprocessor” means any third party, appointed by Oversight to process a Client’s Personal Data.
“UK Data Protection Laws” means the United Kingdom (“UK”) Data Protection Act 2018 and the UK General Data Protection Regulation.
a. For purposes of this Exhibit 3 DPA, the parties agree that Client is the data controller of Personal Data and Oversight is the data processor of such data.
b. This DPA applies to the processing of Personal Data by Oversight on behalf of Client.
c. Oversight will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
d. Oversight will take all measures required pursuant to Article 32 of the GDPR.
e. Oversight is prohibited from: (i) selling the Personal Data (as “selling” is defined in §1798.140(t) of the CCPA; (ii) retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the services specified in Agreement; and (iii) retaining, using, or disclosing the Personal Data outside of the direct business relationship between Oversight and Client.
f. Oversight shall immediately inform Client if, in its opinion, an instruction infringes the Data Protection Laws.
- Processor and Controller Roles and Responsibilities.
Oversight will process Personal Data only on documented instructions from Client and as set forth in the Agreement. Any additional or alternate instructions must be agreed to in an amendment to the Agreement. If the GDPR applies and Client is a processor, Client warrants to Oversight that Client’s instructions, including appointment of Oversight as a processor or subprocessor, have been authorized by the relevant controller.
- Processing Details. The parties acknowledge and agree that:
a. The subject-matter of the processing is limited to Personal Data within the scope Data Protection Laws;
b. The duration of the processing shall be for the duration of the term of the Agreement and until all Personal Data is deleted or returned in accordance with the terms of the Agreement;
c. Client is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Oversight by or on behalf of Client, and (ii) the means by which Client acquired any such Personal Data;
d. The nature and purpose of the processing shall be to provide the Services pursuant to the Agreement;
e. The categories of Personal Data processed by Oversight are set forth in Section 12 of this Exhibit 3; and
f. The types of data subjects are set forth in Section 12 of this Exhibit 3.
g. At the choice of Client, Oversight will delete or return and then delete all the Personal Data to Client after the end of the provision of the Services and securely delete existing copies unless Data Protection Laws requires the continued storage of the Personal Data.
h. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Client and Oversight shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
i. the anonymization, pseudonymization and encryption of Personal Data;
ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
iii. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
i. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
- Data Subject Rights.
Assistance with Requests. Oversight will make available to Client in a manner consistent with the functionality of the Services and Oversight’s role as a processor of the Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under Data Protection Laws. Oversight shall comply with reasonable requests by Client to assist with Client’s response to such a data subject request. If Oversight receives a request from Client’s data subject to exercise one or more of its rights under Data Protection Laws in connection with the Services, Oversight will redirect the data subject to make its request directly to Client. Client will be responsible for responding to any such request. Oversight shall comply with reasonable requests by Client to assist with Client’s response to such a data subject request.
- Records of Processing Activities and Processor Responsibilities.
Oversight shall maintain all records required by Data Protection Laws (such as Article 30(2) of the GDPR) and, to the extent applicable to the processing of Personal Data on behalf of Client, make them available to Client upon request. Oversight will make available to Client all information necessary to demonstrate compliance with Processor responsibilities (such as the obligations set forth in Article 28 of the GDPR) and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client.
- Data Security.
a. Oversight has implemented and maintains appropriate technical and organizational measures to protect Data and Personal Data as set forth in Exhibit 2 to the Agreement. Oversight will make available such other information as is reasonably requested by Client regarding Oversight security practices and policies. Oversight will assist Client in demonstrating compliance with the obligations pursuant to Data Protection Laws (such as Articles 32 to 36 of the GDPR), taking into account the nature of processing and the information available to Oversight.
b. If Oversight becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data or Personal Data while processed by Oversight (each a “Security Incident”), Oversight will promptly and without undue delay (1) notify Client of the Security Incident; (2) investigate the Security Incident and provide Client with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
c. Client is solely responsible for complying with its obligations under incident notification laws applicable to Client and fulfilling any third-party notification obligations related to any Security Incident; provided, however, Oversight shall make reasonable efforts to assist Client in fulfilling Client’s obligation under Data Protection Laws or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
- Use of Subprocessors.
The Subprocessors used by Oversight to the provide Services as of the Effective Date are listed at https://www.oversight.com/sub-processors. Oversight has entered into an agreement with each Subprocessor containing data protection obligations no less protective than those in this Agreement with respect to the protection of Client Data to the extent applicable to the nature of the Services provided by such Subprocessor. Oversight will inform Client of any intended addition of Subprocessors at least thirty (30) days in advance, thereby giving Client the opportunity to object. If Client objects to the use of a new subprocessor by notifying Oversight in writing within ten (10) business days after receipt of Oversight’s notice, Oversight will use reasonable efforts to recommend a commercially reasonable change to Client’s use of the Services to avoid processing of Personal Data by the objected-to new subprocessor without unreasonably burdening Client. If Oversight is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client’s sole remedy is to terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Oversight without the use of the objected-to new subprocessor by providing written notice to Oversight. Oversight is liable for the acts and omissions of its Subprocessors to the same extent Oversight would be liable if performing the services of each subprocessor directly under the terms of the Agreement.
- Data Protection Indemnity.
Each party will, at its expense, defend, and will indemnify and hold harmless the other party, its Affiliates, and their respective officers, directors, employees, or agents from and against any amounts payable (including costs, expenses or liability, including reasonable attorney’s fees and costs, related to an allegation) resulting from, any third party claim or suit, to the extent such third party claim or suit alleges loss of data or damages resulting from a failure to comply with the provisions set forth in this Exhibit 3.
- Transfer Mechanisms.
For purposes of personal data transfers from European Territories, Oversight complies with the Controller to Processor Standard Contractual Clauses incorporated herein from https://www.oversight.com/eu-standard-contractual-clauses by reference. For Personal Data transfers from countries outside the European Territories, Oversight will enter into appropriate personal data transfer agreements on request.
- Data Subjects.
Data Subjects may include:
* Personnel Client authorizes to access the Service.
* Personnel initiating, reviewing, modifying or approving Client’s corporate-spend.
* Personnel listed as attendees in Client’s expense reports.
- Categories of Data.
The categories of Personal Data transferred may contain: company name, employee name, attendee name, title, corporate email address, email contents, telephone number, userid, employee id, IP address, personnel-initiated corporate-spend details including location, personnel home country.