
Data Processing Addendum

This Data Processing Addendum (this “DPA”) applies to the processing of Client Personal Data, as further defined herein, and where applicable, amends and forms part of a Sequoia product order form (the “Order Form”) and the other terms and conditions incorporated by reference therein (collectively the Order Form and such other terms and conditions, the “Agreement”) between Sequoia Benefits and Insurance Services, LLC, d/b/a Sequoia (“Sequoia”), and the Client identified in the Order Form. This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

  1. Definitions
    In this DPA:

    a. “Client Personal Data” means any Client Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Client or Client’s customers are the Controller, and which is Processed by Sequoia to provide the Services;
    b. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
    c. “Data Protection Law” means Data Protection Directive 95/46/EC, General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland, and the UK Privacy Law, or any other national data protection law outside the United States, each as applicable, and as may be amended or replaced from time to time;
    d. “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
    e. “Data Subject Rights” means, to the extent applicable, Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
    f. “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’);
    g. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
    h. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    i. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
    j. “Services” means the services provided by Sequoia to Client under the Agreement;
    k. “Standard Contractual Clauses” means the clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61) applicable to controller to processor transfers (Module Two); and the UK Addendum, in each case, as may be subsequently amended or replaced from time to time;
    l. “Subprocessor” means a Processor engaged by Sequoia to Process Client Personal Data;
    m. “Supervisory Authority” means an independent public authority established under applicable law tasked to monitor and enforce the Data Protection Law;
    n. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as published by the UK Information Commissioner’s Office, including as set forth at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf, in each case, as may be subsequently amended or replaced from time to time; and
    o. “UK Privacy Law” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force in the United Kingdom, including the UK General Data Protection Regulation tailored by the UK Data Protection Act 2018 (c. 12), as may be subsequently replaced or amended from time to time (“UK GDPR”).

Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

  2. Scope and applicability
    a. This DPA applies to Processing of Client Personal Data by Sequoia to provide the Services where Client Personal Data is subject to applicable Data Protection Law.
    b. The subject matter, nature and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects are set out in Annex I.
    c. Client is a Controller and appoints Sequoia as a Processor on behalf of Client. Client is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
    d. If Client is a Processor on behalf of other Controller(s), then Client: is the single point of contact for Sequoia; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.
    e. Client acknowledges that Sequoia may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Sequoia is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
    f. Client acknowledges and accepts that the Agreement remains in full force and effect as written and continues to be binding on Client, including with respect to the Services provided to Client’s international Employees.
  3. Instructions
    a. Sequoia will Process Client Personal Data to provide the Services and in accordance with Client’s documented instructions.
    b. The Controller’s instructions are documented in this DPA and the Agreement.
    c. Client may reasonably issue additional instructions as necessary to comply with Data Protection Law. Sequoia may charge a reasonable fee to comply with any additional instructions that are outside the scope of the Services identified in the Order Form.
    d. Unless prohibited by applicable law, Sequoia will inform Client if Sequoia is subject to a legal obligation that requires Sequoia to Process Client Personal Data in contravention of Client’s documented instructions.
  4. Personnel
    a. Sequoia will require that all personnel authorized to Process Client Personal Data are subject to an obligation of confidentiality.
  5. Security and Personal Data Breaches
    a. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sequoia will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
    b. Client acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Client’s intended Processing and will notify Sequoia prior to any intended Processing for which Sequoia’s security measures may not be appropriate.
    c. Sequoia will notify Client without undue delay after becoming aware of a Personal Data Breach involving Client Personal Data. If Sequoia’s notification is delayed, it will be accompanied by reasons for the delay.
  6. Subprocessing
    a. Client hereby authorizes Sequoia to engage Subprocessors. A list of Sequoia’s current Subprocessors is included in Annex III.
    b. Sequoia will enter into an agreement with Subprocessors that imposes the same obligations as required by Data Protection Law.
    c. Sequoia will notify Client prior to any intended change to Subprocessors. Client may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Sequoia’s notification of the intended change. Client and Sequoia will work together in good faith to address Client’s objection. If Sequoia chooses to retain the Subprocessor, Sequoia will inform Client at least thirty (30) days before authorizing the Subprocessor to Process Client Personal Data, and Client may immediately discontinue using the relevant parts of the Services and may terminate the relevant parts of the Services within thirty (30) days.
  7. Assistance
    a. Taking into account the nature of the Processing, and the information available to Sequoia, Sequoia will assist Client, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Client’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
    b. Sequoia may charge a reasonable fee for assistance under this Section 7. If Sequoia is at fault, Sequoia and Client shall each bear their own costs related to assistance.
  8. Audit
    a. Sequoia must make available to Client all information necessary to demonstrate compliance with the obligations of this DPA and, to the extent required by Data Protection Law, allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Client and performed by an independent auditor as agreed upon by Client and Sequoia.
    b. Sequoia will inform Client if Sequoia believes that Client’s instruction under Section 8.a infringes Data Protection Law. Sequoia may suspend the audit or inspection or withhold requested information until Client has modified or confirmed the lawfulness of the instructions in writing.
    c. Sequoia and Client each bear their own costs related to an audit.
  9. International Data Transfers
    a. To the extent the Services require Sequoia to transfer Personal Data outside the EEA, Switzerland or the United Kingdom, Client hereby authorizes Sequoia to perform such data transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 9.b.
    b. Subject to the aforementioned Section 9.a, and to the extent the Services require the transfer of Personal Data from the EEA, Switzerland or the United Kingdom to Sequoia or its Processors in the US, Client and Sequoia agree to (i) conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Client as the “controller”; the “data importer” is Sequoia as the “processor”; option 2 of Clause 9 is selected and the time period is thirty (30) days; the optional language in Clause 11(a) is struck; option 2 of Clause 17 is selected and the default governing law is the law of Ireland; the courts of Ireland are the forum in Clause 18; and Annexes I, II, and III to the Standard Contractual Clauses are Annexes I, II and III to this DPA respectively, and (ii) for the UK Privacy Law only, conclude the Standard Contractual Clauses substantially in the form of the UK Addendum, which are hereby incorporated into this DPA with the “data exporter” being Client as the “controller” and the “data importer” being Sequoia as the “processor”.
    c. If Sequoia’s compliance with Data Protection Law applicable to international data transfers is affected by circumstances outside of Sequoia’s control, including if a legal instrument for international data transfers is invalidated, amended, or replaced, then Client and Sequoia will work together in good faith to reasonably resolve such non-compliance.
  10. Notifications
    a. Client will send all notifications, requests and instructions under this DPA to Sequoia via email to legal@sequoia.com.
  11. Liability
    a. To the extent permitted by applicable law, where Sequoia has paid damages or fines, Sequoia is entitled to claim back from Client that part of the compensation, damages or fines corresponding to Client’s part of responsibility for the damages or fines.
  12. Termination and return or deletion
    a. This DPA is terminated upon the termination of the Agreement.
    b. Client may request return of Client Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Sequoia will delete all remaining copies of Client Personal Data within one hundred eighty (180) days after returning Client Personal Data to Client.
  13. Modification of this DPA
    a. This DPA may only be modified by a written amendment signed by both Sequoia and Client.
  14. Invalidity and severability
    a. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

Annex I

DESCRIPTION OF THE TRANSFER

1. Data Subjects

The Client Personal Data Processed concern the following categories of Data Subjects (please specify):

# Category
1 Employees and prospective employees of Client, including current and former employees and job candidates, as well as, temporary staff, interns, and contractors and consultants who perform services for Client.


2. Categories of Client Personal Data

The Client Personal Data Processed concern the following categories of data (please specify):

# Category
1 Identifiers including real name, unique personal identifier, Internet Protocol address, email address.
2 Professional or Employment Information including professional, or employment-related information, salary, compensation, equity and other payroll related information.
3 Mobile Application Usage Information.
4 Geolocation Data including IP addresses.


3. Sensitive data

The Client Personal Data Processed concern the following special categories of data which shall be protected as detailed in Annex II (please specify):

# Category
1 Personal Records to the extent they include health insurance, wellness, or benefits information.


4. Frequency of Processing

The Client Personal Data shall be Processed on a continuous basis.

5. Processing operations

The Client Personal Data will be subject to the following basic Processing activities (please specify):

# Operation
1 Collection
2 Recording
3 Storage
4 Structuring
5 Retrieval
6 Consultation
7 Use
8 Disclosure by transmission

6. Purpose of Processing

The Client Personal Data shall be Processed for the purposes of providing the Services.

7. Retention Period

The Client Personal Data shall be retained in accordance with this DPA.

8. Subprocessor Transfers

The Client Personal Data shall be Processed by Subprocessors for the purposes of providing the Services for as long as this DPA is in effect.

9. Competent Supervisory Authority

The competent supervisory authorities shall be the relevant Member State supervisory authorities in accordance with the Standard Contractual Clauses.

Annex II

SECURITY MEASURES

Sequoia will implement the following types of security measures:

  1.  Physical access control
    Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Client Personal Data are Processed, include:

    • Establishing security areas, restriction of access paths;
    • Establishing access authorizations for employees and third parties;
    • Access control system (ID reader, magnetic card, chip card);
    • Key management, card-keys procedures;
    • Door locking (electric door openers etc.);
    • Surveillance facilities, video/CCTV monitor, alarm system; and
    • Securing decentralized data processing equipment and personal computers.
  2. Virtual access control
    Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

    • User identification and authentication procedures;
    • ID/password security procedures (special characters, minimum length, change of password);
    • Automatic blocking (e.g. password or timeout);
    • Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
    • Creation of one master record per user, user-master data procedures per data processing environment; and
    • Encryption of archived data media.
  3. Data access control
    Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Client Personal Data in accordance with their access rights, and that Client Personal Data cannot be read, copied, modified or deleted without authorization, include:

    • Internal policies and procedures;
    • Control authorization schemes;
    • Differentiated access rights (profiles, roles, transactions and objects);
    • Monitoring and logging of accesses;
    • Disciplinary action against employees who access Client Personal Data without authorization;
    • Reports of access;
    • Access procedure;
    • Change procedure;
    • Deletion procedure; and
    • Encryption.
  4. Disclosure control
    Technical and organizational measures to ensure that Client Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Client Personal Data are disclosed, include:

    • Encryption/tunneling;
    • Logging; and
    • Transport security.
  5. Entry control
    Technical and organizational measures to monitor whether Client Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

    • Logging and reporting systems; and
    • Audit trails and documentation.
  6. Control of instructions
    Technical and organizational measures to ensure that Client Personal Data are Processed solely in accordance with the instructions of the Controller include:

    • Unambiguous wording of the contract; and
    • Criteria for selecting the Processor.
  7. Availability control
    Technical and organizational measures to ensure that Client Personal Data are protected against accidental destruction or loss (physical/logical) include:

    • Backup procedures;
    • Remote storage;
    • Anti-virus/firewall systems; and
    • Disaster recovery plan.
  8. Separation control
    Technical and organizational measures to ensure that Client Personal Data collected for different purposes can be Processed separately include:

    • Separation of databases;
    • Segregation of functions (production/testing); and
    • Procedures for storage, amendment, deletion, transmission of data for different purposes.

Annex III

SUBPROCESSORS

1. GENERAL PRODUCTS AND SERVICES

# | Name | Description
1 | Amazon Web Services | Data hosting services

2. COMPENSATION MANAGEMENT SYSTEM

# | Name | Description
1 | Amazon Web Services | Data hosting services
2 | Snowflake, Inc. | Enterprise data warehouse software services
3 | Salesforce Inc. | Customer relationship management services

3. WELLNESS BUNDLES

# | Name | Description
1 | Amazon Web Services | Data hosting services
2 | Snowflake, Inc. | Enterprise data warehouse software services
3 | Salesforce Inc. | Customer relationship management services
4 | The applicable Wellness Vendor(s) set forth in Sequoia HRX that comprise the Wellbeing Bundle Program selected by Client for its international Employees | Wellness Vendor services

4. WORKPLACE (RETURN TO WORK)

# | Name | Description
1 | Amazon Web Services | Data hosting services
2 | Snowflake, Inc. | Enterprise data warehouse software services
3 | Salesforce Inc. | Customer relationship management services

5. FINANCIAL SERVICES

# | Name | Description
1 | Amazon Web Services | Data hosting services
2 | Snowflake, Inc. | Enterprise data warehouse software services
3 | Salesforce Inc. | Customer relationship management services
4 | The applicable Vendor(s) set forth in Sequoia HRX selected by Client for its international Employees | Financial Vendor services

6. SEQUOIA WEBSITE AND MOBILE APPLICATION

# | Name | Description
1 | Amazon Web Services | Data hosting services
2 | Snowflake, Inc. | Enterprise data warehouse software services
3 | Salesforce Inc. | Customer relationship management services
4 | Gainsight | Product usage data analytics services

7. GLOBAL CBS

# | Name | Description
1 | Amazon Web Services | Data hosting services