Wellness Bundle Data Processing Addendum

This Data Processing Addendum (this “DPA”) amends and forms part of the Wellness Bundle Order Form (the “Order Form”) and the other terms and conditions incorporated by reference therein (collectively the Order Form and such other terms and conditions, the “Agreement”) between Sequoia Benefits and Insurance Services, LLC, d/b/a Sequoia Consulting Group (“Sequoia”), and the Client identified in the Order Form. This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

Appendix 1

Description of the Processing

1. Data Subjects

The Client Personal Data Processed concern the following categories of Data Subjects (please specify):

#  Category
1  Employees of Client, including current and former employees, as well as temporary staff, interns, and contractors and consultants who perform services for Client.

2. Categories of Client Personal Data

The Client Personal Data Processed concern the following categories of data (please specify):

#  Category
1  Identifiers, including real name, unique personal identifier, Internet Protocol address, email address.
2  Professional or Employment Information, including professional or employment-related information.
3  Mobile Application Usage Information.
4  Geolocation Data, including IP addresses.

3. Sensitive Data

The Client Personal Data Processed concern the following special categories of data (please specify):

#  Category
1  Personal Records, to the extent they include medical information or health insurance information.
2  Consumer characteristics, to the extent they include potential disability information.

4. Processing Operations

The Client Personal Data will be subject to the following basic Processing activities (please specify):

#  Operation
1  Collection
2  Recording
3  Storage
4  Structuring
5  Retrieval
6  Consultation
7  Use
8  Disclosure by transmission

Appendix 2

Security Measures

Sequoia will implement the following types of security measures:

1. Physical Access Control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Client Personal Data are Processed, include:

  • Establishing security areas, restriction of access paths;
  • Establishing access authorizations for employees and third parties;
  • Access control system (ID reader, magnetic card, chip card);
  • Key management, card-keys procedures;
  • Door locking (electric door openers, etc.);
  • Surveillance facilities, video/CCTV monitor, alarm system; and
  • Securing decentralized data processing equipment and personal computers.

2. Virtual Access Control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password);
  • Automatic blocking (e.g. password or timeout);
  • Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
  • Creation of one master record per user, user-master data procedures per data processing environment; and
  • Encryption of archived data media.

3. Data Access Control

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Client Personal Data in accordance with their access rights, and that Client Personal Data cannot be read, copied, modified or deleted without authorization, include:

  • Internal policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions and objects);
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access Client Personal Data without authorization;
  • Reports of access;
  • Access procedure;
  • Change procedure;
  • Deletion procedure; and
  • Encryption.

4. Disclosure Control

Technical and organizational measures to ensure that Client Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Client Personal Data are disclosed, include:

  • Encryption/tunneling;
  • Logging; and
  • Transport security.

5. Entry Control

Technical and organizational measures to monitor whether Client Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

  • Logging and reporting systems; and
  • Audit trails and documentation.

6. Control of Instructions

Technical and organizational measures to ensure that Client Personal Data are Processed solely in accordance with the instructions of the Controller include:

  • Unambiguous wording of the contract; and
  • Criteria for selecting the Processor.

7. Availability Control

Technical and organizational measures to ensure that Client Personal Data are protected against accidental destruction or loss (physical/logical) include:

  • Backup procedures;
  • Remote storage;
  • Anti-virus/firewall systems; and
  • Disaster recovery plan.

8. Separation Control

Technical and organizational measures to ensure that Client Personal Data collected for different purposes can be Processed separately include:

  • Separation of databases;
  • Segregation of functions (production/testing); and
  • Procedures for storage, amendment, deletion, transmission of data for different purposes.


Appendix 3

Subprocessors

#  Name                 Description
1  Amazon Web Services  Data hosting services
2  Snowflake            Enterprise data warehouse software services
3  Sisense              Business intelligence software services
4  The applicable Wellness Vendor(s) set forth in Sequoia HRX that comprise the Wellbeing Bundle Program selected by Client for its international Employees.