RTW Center Data Processing Addendum
This Data Processing Addendum (“DPA”) amends and forms part of the RTW Center Order Form (the “Order Form”) and the other terms and conditions incorporated by reference therein (collectively the Order Form and such other terms and conditions, the “Agreement”) between Sequoia Benefits and Insurance Services LLC (“Sequoia”) and the Client identified in the Order Form. This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
   a. In this DPA:
      - “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
      - “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
      - “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’);
      - “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
      - “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      - “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller;
      - “Supervisory Authority” means an independent public authority established under applicable law tasked to monitor and enforce the Data Protection Law;
      - “Client Personal Data” means any Client Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Client or Client’s customers are the Controller, and which is Processed by Sequoia to provide the Services;
      - “Data Protection Law” means Data Protection Directive 95/46/EC, General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland and the United Kingdom (Data Protection Act 2018), or any other national data protection law, each as applicable, and as may be amended or replaced from time to time;
      - “Data Subject Rights” means, to the extent applicable, Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
      - “Services” means the services provided by Sequoia to Client under the Agreement;
      - “Subprocessor” means a Processor engaged by Sequoia to Process Client Personal Data; and
      - “Standard Contractual Clauses” means the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18).
   b. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope and applicability
   a. This DPA applies to Processing of Client Personal Data by Sequoia to provide the Services.
   b. The subject matter, nature and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects are set out in Appendix 1.
   c. Client is a Controller and appoints Sequoia as a Processor on behalf of Client. Client is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
   d. If Client is a Processor on behalf of other Controller(s), then Client: is the single point of contact for Sequoia; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.
   e. Client acknowledges that Sequoia may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Sequoia is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
3. Instructions
   a. Sequoia will Process Client Personal Data to provide the Services and in accordance with Client’s documented instructions.
   b. The Controller’s instructions are documented in this DPA and the Agreement.
   c. Client may reasonably issue additional instructions as necessary to comply with Data Protection Law. Sequoia may charge a reasonable fee to comply with any additional instructions that are outside the scope of the Services identified in the Order Form.
   d. Unless prohibited by applicable law, Sequoia will inform Client if Sequoia is subject to a legal obligation that requires Sequoia to Process Client Personal Data in contravention of Client’s documented instructions.
4. Personnel
   a. Sequoia will require that all personnel authorized to Process Client Personal Data are subject to an obligation of confidentiality.
5. Security and Personal Data Breaches
   a. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sequoia will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2.
   b. Client acknowledges that the security measures in Appendix 2 are appropriate in relation to the risks associated with Client’s intended Processing and will notify Sequoia prior to any intended Processing for which Sequoia’s security measures may not be appropriate.
   c. Sequoia will notify Client without undue delay after becoming aware of a Personal Data Breach involving Client Personal Data. If Sequoia’s notification is delayed, it will be accompanied by reasons for the delay.
6. Subprocessing
   a. Client hereby authorizes Sequoia to engage Subprocessors. A list of Sequoia’s current Subprocessors is included in Appendix 3.
   b. Sequoia will enter into an agreement with Subprocessors that imposes the same obligations as required by Data Protection Law.
   c. Sequoia will notify Client prior to any intended change to Subprocessors. Client may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Sequoia’s notification of the intended change. Client and Sequoia will work together in good faith to address Client’s objection. If Sequoia chooses to retain the Subprocessor, Sequoia will inform Client at least thirty (30) days before authorizing the Subprocessor to Process Client Personal Data, and Client may immediately discontinue using the relevant parts of the Services and may terminate the relevant parts of the Services within thirty (30) days.
7. Assistance
   a. Taking into account the nature of the Processing, and the information available to Sequoia, Sequoia will assist Client, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Client’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
   b. Sequoia may charge a reasonable fee for assistance under this Section 7. If Sequoia is at fault, Sequoia and Client shall each bear their own costs related to assistance.
8. Audit
   a. Sequoia must make available to Client all information necessary to demonstrate compliance with the obligations of this DPA and, to the extent required by Data Protection Law, allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Client and performed by an independent auditor as agreed upon by Client and Sequoia.
   b. Sequoia will inform Client if Sequoia believes that Client’s instruction under Section 8.a infringes Data Protection Law. Sequoia may suspend the audit or inspection or withhold requested information until Client has modified or confirmed the lawfulness of the instructions in writing.
   c. Sequoia and Client each bear their own costs related to an audit.
9. International Data Transfers
   a. To the extent the Services require Sequoia to transfer Personal Data outside the EEA, Switzerland or the United Kingdom, Client hereby authorizes Sequoia to perform such data transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 9.b.
   b. Subject to the aforementioned Section 9.a, and to the extent the Services require the transfer of Personal Data from the EEA, Switzerland or the United Kingdom to Sequoia or its Processors in the US, Client and Sequoia agree to conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Client; the “data importer” is Sequoia; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the country in which Client is established; Appendix 1 and Appendix 2 to the Standard Contractual Clauses are Appendix 1 and 2 to this DPA respectively; and the optional indemnification clause is struck.
   c. If Sequoia’s compliance with Data Protection Law applicable to international data transfers is affected by circumstances outside of Sequoia’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Client and Sequoia will work together in good faith to reasonably resolve such non-compliance.
10. Notifications
   a. Client will send all notifications, requests and instructions under this DPA to Sequoia via email to legal@sequoia.com.
11. Liability
   a. To the extent permitted by applicable law, where Sequoia has paid damages or fines, Sequoia is entitled to claim back from Client that part of the compensation, damages or fines corresponding to Client’s part of responsibility for the damages or fines.
12. Termination and return or deletion
   a. This DPA is terminated upon the termination of the Agreement.
   b. Client may request return of Client Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Sequoia will delete all remaining copies of Client Personal Data within one hundred eighty (180) days after returning Client Personal Data to Client.
13. Modification of this DPA
   a. This DPA may only be modified by a written amendment signed by both Sequoia and Client.
14. Invalidity and severability
   a. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Appendix 1
Description of the Processing
1. Data Subjects
The Client Personal Data Processed concern the following categories of Data Subjects (please specify):
| # | Category |
|---|----------|
| 1 | Employees of Client, including current and former employees, as well as temporary staff, interns, and contractors and consultants who perform services for Client. |
2. Categories of Client Personal Data
The Client Personal Data Processed concern the following categories of data (please specify):
| # | Category |
|---|----------|
| 1 | Identifiers including real name, unique personal identifier, Internet Protocol address, email address. |
| 2 | Personal Records including information such as physical characteristics or description and employment. |
| 3 | Professional or Employment Information including professional, or employment-related information. |
| 4 | Internet Usage Information including browsing history, search history, and information regarding interaction with an Internet Web site or application. |
| 5 | Geolocation Data including physical location, IP addresses or other geolocation information. |
| 6 | Sensory Data including electronic support cases or similar information. |
3. Sensitive Data
The Client Personal Data Processed concern the following special categories of data (please specify):
| # | Category |
|---|----------|
| 1 | Personal Records to the extent they include medical information or health insurance information |
| 2 | Consumer characteristics to the extent they include potential disability information |
4. Processing Operations
The Client Personal Data will be subject to the following basic Processing activities (please specify):
| # | Operation |
|---|-----------|
| 1 | Collection |
| 2 | Recording |
| 3 | Storage |
| 4 | Structuring |
| 5 | Retrieval |
| 6 | Consultation |
| 7 | Use |
| 8 | Disclosure by transmission |
Appendix 2
Security Measures
Sequoia will implement the following types of security measures:
1. Physical Access Control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Client Personal Data are Processed, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Surveillance facilities, video/CCTV monitor, alarm system; and
- Securing decentralized data processing equipment and personal computers.
2. Virtual Access Control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password);
- Automatic blocking (e.g. password or timeout);
- Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
- Creation of one master record per user, user-master data procedures per data processing environment; and
- Encryption of archived data media.
3. Data Access Control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Client Personal Data in accordance with their access rights, and that Client Personal Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Client Personal Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure; and
- Deletion procedure.
4. Disclosure Control
Technical and organizational measures to ensure that Client Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Client Personal Data are disclosed, include:
- Encryption/tunneling;
- Logging; and
- Transport security.
5. Entry Control
Technical and organizational measures to monitor whether Client Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.
6. Control of Instructions
Technical and organizational measures to ensure that Client Personal Data are Processed solely in accordance with the instructions of the Controller include:
- Unambiguous wording of the contract; and
- Criteria for selecting the Processor.
7. Availability Control
Technical and organizational measures to ensure that Client Personal Data are protected against accidental destruction or loss (physical/logical) include:
- Backup procedures;
- Remote storage;
- Anti-virus/firewall systems; and
- Disaster recovery plan.
8. Separation Control
Technical and organizational measures to ensure that Client Personal Data collected for different purposes can be Processed separately include:
- Separation of databases;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.
Appendix 3
Subprocessors
| # | Name | Description |
|---|------|-------------|
| 1 | Amazon Web Services | Data hosting services |
| 2 | Snowflake | Enterprise data warehouse software services |
| 3 | Sisense | Business intelligence software services |