Pigment Data Processing Addendum
1. Data Protection
1.1. In this Data Protection Addendum:
"Data Protection Laws" means, with respect to a party, laws and regulations in any relevant jurisdiction directly applicable to such party's processing of personal data that may include, without limitation: (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (vii) as to Personal Data originating from California consumers, the California Consumer Privacy Act and the California Privacy Rights Act and their implementing regulations (the "CCPA"); in each case, as updated, amended or replaced from time to time. The terms "Data Subject", "Personal Data", "processing", "processor" and "controller" will have the meanings set out in the GDPR. As to Personal Data originating from California consumers: the terms "business", "sell", "service provider" and "share" will have the meanings set out in the CCPA; the term "Data Subject" shall mean and refer to the term "Consumer" as defined under the CCPA, and the term "Personal Data" shall mean and refer to the term "Personal Information" as defined under the CCPA.
"DP Regulator" means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
"Your Personal Data" means all Personal Data in Your Data processed by Us on behalf of You under or in connection with this Agreement.
1.2. Each party will comply with the provisions and obligations imposed on it by the Data Protection Laws at all times when processing Your Personal Data in connection with this Agreement, which processing will be in respect of the types of Your Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in the Appendix to this Addendum.
1.3. Each party will maintain records of its processing operations that contain at least the minimum information required by the Data Protection Laws, and will make such records available to any DP Regulator on request in accordance with the applicable Data Protection Laws.
1.4. Each party acknowledges and agrees that, regarding the processing of Your Personal Data carried out under this Agreement: (i) under the GDPR, You are the controller and We are the processor and (ii) under the CCPA, You are the business and We are the service provider.
1.5. You will:
1.5.1. ensure that any instructions for the processing of Your Personal Data You issue to Us comply with the Data Protection Laws;
1.5.2. have sole responsibility for the accuracy, quality and legality of Your Personal Data and the means by which You acquired Your Personal Data; and
1.5.3. establish the legal basis for processing under Data Protection Laws, including providing all notices and obtaining all consents as may be required under Data Protection Laws in order for Us to process Your Personal Data as otherwise contemplated by this Agreement.
1.6. We will:
1.6.1. process Your Personal Data (i) only in accordance with Your written instructions set out in this Agreement (including any executed Order Form and SoW), provided such instructions are lawful, unless otherwise required by applicable laws (in which case, unless such law prohibits such notification on important grounds of public interest, We will notify You of the relevant legal requirement before processing Your Personal Data), and (ii) only for the duration of this Agreement;
1.6.2. ensure that Our personnel who are Authorized to have access to Your Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when processing Your Personal Data;
1.6.3. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, implement technical and organizational measures and procedures to ensure a level of security for Your Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination or access, which are set out in the Security Addendum;
1.6.4. as to the GDPR and Your Personal Data that originates from the European Economic Area or the United Kingdom, not transfer Your Personal Data outside the European Economic Area or the United Kingdom unless (i) We have entered into the relevant EU standard contractual clauses (with the UK addendum if applicable) approved by the European Commission (and the UK's Information Commissioner's Office, if applicable); or (ii) the transfer is otherwise permitted by the Data Protection Laws;
1.6.5. inform You (via the email address defined in Your Pigment workspace for data protection) without undue delay, and no later than seventy-two (72) hours after becoming aware of Your Personal Data (while within Our control) being subject to a personal data breach (as defined in the Data Protection Laws);
1.6.6. not disclose any of Your Personal Data to any Data Subject other than at Your written request or as provided for in this Agreement or as required to comply with applicable laws;
1.6.7. except as required by law or in order to defend any actual or possible legal claims, delete all Your Personal Data within three months of termination or expiration of this Agreement, and not make any further use of Your Personal Data;
1.6.8. subject to sub-paragraph 1.6.9 and sub-paragraph 1.13 in relation to audits, provide You and any DP Regulator with information and assistance reasonably necessary to demonstrate or ensure compliance with the obligations in this Addendum and/or the Data Protection Laws;
1.6.9. on an annual basis, at Our own expense, engage an independent third party auditor to conduct a SOC 2 or other industry standard audit. We will (upon request by You) provide a copy of Our then most recent third-party audit or certifications, as applicable, or any summaries thereof, that We generally make available to Our customers at the time of such request;
1.6.10. take such steps as are reasonably required to assist You in ensuring compliance with Your obligations under the Data Protection Laws and which are obligatory for processors and/or service providers under the Data Protection Laws;
1.6.11. notify You as soon as reasonably practicable (via the email address defined in Your Pigment workspace for data protection) if We receive a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data; and
1.6.12. provide You with reasonable cooperation and assistance in relation to any request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data provided that You will be responsible for Our costs and expenses arising from such cooperation and assistance.
1.7. If either We or You receive any complaint, notice or communication which relates directly or indirectly to the processing of Your Personal Data by the other or to either of our compliance with the Data Protection Laws, We or You will as soon as reasonably practicable notify the other and provide the other with commercially reasonable cooperation and assistance in relation to any such complaint, notice or communication.
1.8. You agree that We may disclose Your Personal Data to Our advisers, auditors or other third parties as reasonably required in connection with the performance of Our obligations under this Agreement. In addition, We may engage third parties to process Your Personal Data on Your behalf ("Sub-Processors"). The current list of Sub-Processors is set out here.
1.9. If We engage a new Sub-Processor ("New Sub-Processor"), We will inform You of the engagement no later than thirty (30) days in advance by sending an email to the address defined in Your Pigment workspace for data protection. You may object to the engagement of a New Sub-Processor within fourteen (14) days by informing Us of Your objection and the reasons for such objection. Where Your objection is objectively reasonable in the circumstances, We will engage with You in good faith to reach a mutually acceptable solution. If a mutually acceptable solution is not reached within thirty (30) days of Us informing You of the engagement of a New Sub-Processor, You will have the right to terminate the Agreement.
1.10. We will ensure that Our contract with each New Sub-Processor will impose obligations on the New Sub-Processor that are materially equivalent to the obligations to which We are subject under this Agreement.
1.11. Any sub-contracting or transfer of Your Personal Data pursuant to this Addendum will not relieve Us of any of Our liabilities, responsibilities and obligations to You under this Agreement and We will remain liable for the acts and omissions of Our Sub-Processors.
1.12. As to Your Personal Data that is subject to the CCPA: (i) We will not (a) sell or share Your Personal Data; (b) retain, use or disclose any of Your Personal Data for any purpose other than for the specific purpose of providing the Solution, including retaining, using, combining or disclosing any of Your Personal Data for a commercial purpose other than providing the Solution; or (c) retain, use or disclose any of Your Personal Data outside of the direct business relationship between You and Us; and (ii) the parties acknowledge and agree that Our access to Your Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. We certify Our understanding of the foregoing requirements.
1.13. Subject to: (i) prior reasonable notice of not less than fourteen (14) business days; (ii) no more than once prior to each renewal of this Agreement; (iii) at Your expense; (iv) such assessment being completed within five (5) business days; and (v) during Our normal business hours; We shall provide You or Your appropriately qualified third-party representative (approved by Us in writing and having signed with Us a non-disclosure agreement acceptable to Us) with: (a) Our trust portal documentation or a copy of Our most recent SOC 2 Type II audit report or other industry standard audit; and (b) participation in any bug bounty program or penetration testing controlled by Us, subject always to the rules of such program or penetration testing determined by Us from time to time in Our sole and absolute discretion. Any additional audit requests made by You outside the scope of an audit provided under (a) and (b) may be considered by Us on a case-by-case basis and, if We choose to further discuss such requests, will be explicitly subject to the following conditions: (x) following receipt of such notice, the Parties will mutually agree in advance on the details of the audit, including the reasonable cost, start date, scope, duration and relevant security measures; (y) confidentiality controls, as We deem appropriate, shall apply to any such audit; and (z) You or Your representative shall not access, store or delete: (1) Our other customers' data; (2) the Solution's hosting sites, underlying systems or infrastructure, or the same relating to Our subcontractors and other customers; or (3) any documents, information or data We consider to be commercially sensitive or a trade secret, as determined by Us in Our sole and absolute discretion.
Appendix to Addendum (Data Protection Addendum)
The Personal Data processing activities carried out by Us under this Agreement may be described as follows (except as otherwise stated in an Order Form or a Statement of Work):
1. Subject matter, Nature and Purpose of processing
The subject matter, nature and purpose of the Processing is (i) as specified in the Agreement, (ii) to support You and Your service providers in implementing and using the Solution and (iii) to improve the Solution (only anonymised and/or aggregated data are processed for this purpose).
2. Categories of Personal Data
The types of Personal Data processed include those specified in the definition of Your Data.
3. Categories of data subjects
The categories of data subjects include Your representatives, Authorized Users and any other individuals identified or identifiable by Your Data.
4. Duration
The duration of the processing shall be as set out in the Agreement.
5. Sub-Processors
Our list of Sub-Processors shall be updated by Us from time to time, in accordance with Section 1.9 of this Addendum, and can be found here.