DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM (“DPA”) to the Agreement (as defined below) is entered into as of the Addendum Effective Date by and between ARTA Shipping, Inc., with its principal business address at 160 Varick Street, Suite 3-130, New York, NY 10013, USA (“Arta”); and the client identified on the Agreement (“Client”), together the “Parties” and each a “Party.”
- This Arta DPA reflects the Parties’ agreement with respect to the terms governing the Processing of Personal Data under the Arta Master Services Agreement (“Agreement”). This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an Order or an executed amendment to the Agreement. Upon its incorporation into the Agreement, the DPA will form a part of the Agreement.
- The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement. In this DPA, the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
1. “Addendum Effective Date” means the effective date of the Agreement.
2. “Agreement” means the ARTA Master Services Agreement entered into by and between the Parties.
3. “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction directly applicable to Arta’s Processing of Customer Personal Data under the Agreement, including, where applicable, GDPR, CCPA, and other U.S. state laws.
4. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”) and any binding regulations promulgated thereunder.
5. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
6. “Customer Personal Data” means any Personal Data Processed by Arta or its Sub-Processor on behalf of Client to perform the Services under the Agreement.
7. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
8. “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
9. “Deidentified Data” means data Processed by Arta or its Sub-Processor on behalf of Client to perform the Services under the Agreement that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or device linked to such person.
10. “EEA” means the European Economic Area.
11. “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
12. “Personal Data” means any information provided to Arta by Client that is protected as “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws, except that Personal Data does not include the contact information pertaining to Client’s personnel or representatives who are business contacts of Client (where Arta acts as a controller of such information).
13. “Personal Data Breach” means a breach of Arta’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data in Arta’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
14. “Personnel” means a person’s employees, agents, consultants or contractors.
15. “Process” and any inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
16. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
17. “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
18. “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
19. “Services” means those services and activities to be supplied to or carried out by or on behalf of Arta for Client pursuant to the Agreement.
20. “Sub-Processor” means any third party appointed by or on behalf of Arta to Process Customer Personal Data.
21. “Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
22. “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
- All capitalized terms used in this DPA that are not otherwise defined in this DPA shall have the meaning given to them in the Agreement.
SCOPE OF THIS DATA PROCESSING ADDENDUM
- This DPA applies generally to Arta’s Processing of Customer Personal Data under the Agreement.
- The Parties acknowledge and agree that the details of Arta’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to this DPA.
- Annex 2 (European Annex) to this DPA applies only if and to the extent Arta’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.
- Annex 3 (California Annex) to this DPA applies only if and to the extent Arta’s Processing of Customer Personal Data under the Agreement is subject to the CCPA with respect to which Client is a “business” (as defined in the CCPA).
- Section 9 (Compliance Assistance; Audits) of this DPA applies to Arta’s Processing of Customer Personal Data to the extent required under any requirements concerning contracts with Processors under Applicable Data Protection Laws.
PROCESSING OF CUSTOMER PERSONAL DATA
- Arta shall not Process Customer Personal Data other than on Client’s written instructions or as required or permitted by applicable laws. For purposes of the Services and this DPA, Arta shall be considered a “processor” or “service provider” as defined under Applicable Data Protection Laws.
- Client instructs Arta to Process Customer Personal Data to provide the Services to Client and in accordance with the Agreement (including this DPA). The Agreement is a complete expression of such instructions, and Client’s additional instructions will be binding on Arta only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Arta receives an instruction from Client that, in its reasonable opinion, infringes Applicable Data Protection Laws, Arta shall notify Client.
- The Parties acknowledge that Arta’s Processing of Customer Personal Data authorized by Client’s instructions stated in the Agreement (including this DPA) is integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
- Arta shall take commercially reasonable steps to ascertain the reliability of any Arta Personnel who Process Customer Personal Data and, where required by applicable laws, shall enter into written confidentiality agreements with all Arta Personnel who Process Customer Personal Data but are not subject to professional or statutory obligations of confidentiality.
- Arta shall implement and maintain technical and organizational measures in relation to Customer Personal Data that are designed to protect Customer Personal Data against Personal Data Breaches as described in Annex 4 (Security Measures) (the “Security Measures”).
- Arta may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
DATA SUBJECT REQUESTS
- Taking into account the nature of the Processing of Customer Personal Data by Arta, Arta shall provide Client with such assistance by implementing appropriate technical and organizational measures as Client may reasonably request to assist Client in fulfilling its obligations under Applicable Data Protection Laws to respond to Data Subject Requests.
- Arta shall:
1. promptly notify Client if it receives a Data Subject Request; and
2. not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Client, except on the written instructions of Client or as required by Applicable Data Protection Laws.
PERSONAL DATA BREACH
Breach notification and assistance
- Arta shall notify Client without undue delay upon Arta’s confirmation of a Personal Data Breach affecting Customer Personal Data. Arta’s notification of or response to a Personal Data Breach shall not be construed as Arta’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
- To the extent the Personal Data Breach resulted from Arta’s breach of its security obligations under the Agreement, Arta shall provide Client with reasonably requested information (insofar as such information is within Arta’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Arta or Arta’s other confidentiality or nondisclosure obligations, including any imposed by a law enforcement, a Supervisory Authority, or other governmental authority) to allow Client to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. If the Personal Data Breach did not result from Arta’s breach of its security obligations under the Agreement, Arta shall reasonably cooperate with Client; provided, however, Client shall reimburse Arta for any costs incurred by Arta. Client is solely responsible for complying with notification laws applicable to Client and fulfilling any third-party notification obligations related to any Personal Data Breaches.
Notification to Arta
- If Client determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Arta, where permitted by applicable laws, Client agrees to:
1. notify Arta in advance in writing; and
2. in good faith, consult with Arta and consider any clarifications or corrections Arta may reasonably recommend or request to any such notification, which: (i) relate to Arta’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
- Client generally authorizes Arta to appoint Sub-processors in accordance with this Section 8. Without limitation to the foregoing, Client authorizes the engagement of the Sub-processors listed as of the effective date of the Agreement at the Sub-processor Site, as defined below.
- Information about Sub-processors, including their functions and locations, is available at: https://arta.io/legal/sub-processors/ (as may be updated by Arta from time to time, subject to Arta’s obligations pursuant to Section 8.4 below) or such other website address as Arta may provide to Client from time to time (the “Sub-processor Site”).
- When engaging any Sub-processor, Arta will enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in this DPA with respect to Customer Personal Data and to the extent applicable to the nature of the services provided by such Sub-processor. As between the Parties, Arta shall be liable for the acts and omissions of all Sub-processors under or in connection with this DPA to the same extent Arta would be liable under the terms of this DPA if performing such services itself directly.
- When Arta engages any Sub-processor after the effective date of the Agreement, Arta will notify Client of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by updating the Sub-processor Site or by other written means at least 15 days before such Sub-processor Processes Customer Personal Data. If Client objects to such engagement in a written notice to Arta within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Customer Personal Data, Client and Arta will work together in good faith to consider a mutually acceptable resolution to such objection. If the Parties are unable to reach a mutually agreeable resolution within a reasonable timeframe, Client may, within 30 days of its initial notification of its objection to Arta, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Arta and pay Arta for all amounts due and owing under the Agreement as of the date of such termination. If Client does not object to Arta’s appointment of a Sub-processor during the objection period referred to in this Section 8.4, Client shall be deemed to have approved the engagement and ongoing use of that Sub-processor.
COMPLIANCE ASSISTANCE; AUDITS
- Taking into account the nature of the Processing of Customer Personal Data by Arta and the information available to Arta, Arta shall provide such information and assistance to Client as Client may reasonably request (insofar as such information is available to Arta and the sharing thereof does not compromise the security, confidentiality, integrity or availability of any data Processed by Arta) to help Client meet its obligations under Applicable Data Protection Laws, including in relation to the security of Customer Personal Data, the reporting and investigation of Personal Data Breaches, the demonstration of Client’s compliance with such obligations and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Arta’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.
- Subject to Section 9.4 below, Arta shall make available to Client such information as Client may reasonably request for Arta to demonstrate compliance with Applicable Data Protection Laws and this DPA. Without limitation of the foregoing, Client may conduct (in accordance with Section 9.3), at its sole cost and expense, and Arta will reasonably cooperate with, reasonable audits (including inspections, manual reviews, automated scans and other technical and operational testing that Client is entitled to perform under Applicable Data Protection Laws), in each case, whereby Client or a qualified and independent auditor appointed by Client using an appropriate and accepted audit control standard or framework may audit Arta’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Client and Arta upon Client’s request.
- Client shall give Arta reasonable advance notice of any such audits. Arta need not cooperate with any audit (a) performed by any individual or entity who has not entered into a non-disclosure agreement with Arta on terms acceptable to Arta in respect of information obtained in relation to the audit; (b) conducted outside of Arta’s normal business hours at the relevant site; or (c) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits that Client is required to perform under Applicable Data Protection Laws. The audit must be conducted in accordance with Arta’s safety, security or other relevant policies, must not impact the security, confidentiality, integrity or availability of any data Processed by Arta and must not unreasonably interfere with Arta’s business activities. Client shall not conduct any scans or technical or operational testing of Arta’s applications, websites, services, networks or systems without Arta’s prior approval (which shall not be unreasonably withheld).
- If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Client’s audit request (“Audit Report”) and Arta has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Client agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Arta shall provide copies of any such Audit Reports to Client upon request.
- Such Audit Reports and any other information obtained by Client in connection with an audit under this Section 9 shall constitute the confidential information of Arta, which Client shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Client’s obligations under Applicable Data Protection Laws. Nothing in this Section 9 shall be construed to obligate Arta to breach any duty of confidentiality.
RETURN AND DELETION
- Upon written request, after the expiration or earlier termination of the Agreement, Arta shall, to the fullest extent technically possible in the circumstances, either (i) return and/or delete all Customer Personal Data in Arta’s care, custody or control in accordance with Client’s instructions as to the post-termination return and deletion of Customer Data expressed in the Agreement, or subject to Section 11.5, Client’s further instructions or (ii) irreversibly anonymize or deidentify all Customer Personal Data in Arta’s care, custody or control.
- Notwithstanding the foregoing, Arta may retain Customer Personal Data where required by law (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable), provided that Arta shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
- Client agrees that, without limiting Arta’s obligations under Section 5 (Security), Client is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Client uses to access the Services; (c) securing Client’s systems and devices that Arta uses to provide the Services; and (d) backing up Customer Personal Data.
- Client shall ensure:
1. that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Arta of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Client from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
2. that (and is solely responsible for ensuring that) all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as required by Applicable Data Protection Laws, relating to the Processing by Arta of Customer Personal Data.
- Client agrees that the Services, the Security Measures, and Arta’s commitments under this DPA are adequate to meet Client’s needs, including with respect to any security obligations of Client under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
- Client shall not, and agrees to ensure its Authorized Users do not, provide or otherwise make available to Arta any Customer Personal Data that contains any (a) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; (b) health insurance information; (c) biometric information; (d) credentials to any financial accounts; (e) tax return data; (f) precise geolocation; (g) data revealing racial or ethnic origin, religious beliefs, sex life or sexual orientation, union membership, citizenship, or immigration status; (h) genetic data; (i) data collected from a known child; (j) any information that constitutes a special category of personal data (as defined in GDPR) and/or data relating to criminal convictions and offences (together, “Restricted Data”). Arta may collect government identification numbers for purposes of complying with legal requirements for shipping and customs. Client represents and warrants that any government identification data that it provides to Arta has been collected and Processed legally in accordance with Applicable Data Protection Laws and Client has obtained all necessary consents and provided all necessary notices to transfer such data to Arta.
- Except to the extent prohibited by applicable law, Client shall compensate Arta at Arta’s then-current professional services rates for, and reimburse any costs reasonably incurred by Arta in the course of providing, cooperation, information or assistance requested by Client pursuant to Sections 6 (Data Subject Requests), 9 (Compliance Assistance; Audits), and 10.1 (in Return and Deletion) of this DPA, beyond providing self-service features included as part of the Service.
DEIDENTIFIED, ANONYMIZED OR AGGREGATED DATA
- To the extent Arta processes or generates any Deidentified Data, Arta shall (i) take reasonable measures to ensure that such data cannot be associated with a natural person, and (ii) publicly commit to maintaining and using Deidentified Data only in a de-identified fashion and without attempting to re-identify such data.
- If Arta’s creation and/or use of aggregated, anonymized or deidentified personal information is subject to Applicable Data Protection Laws, then Arta’s creation and/or use of such data, including but not limited to Deidentified Data, shall be permitted only to the extent such data constitutes “aggregate consumer information” or has been “deidentified” (as such terms are defined under the Applicable Data Protection Laws).
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 13 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
CHANGE IN LAWS
Arta may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraphs 2.1 and 2.2 of Annex 2 (European Annex).
INCORPORATION AND PRECEDENCE
- This DPA shall be incorporated into and form part of the Agreement with effect from the Agreement Effective Date.
- In the event of any conflict or inconsistency between:
1. this DPA and the Agreement, the Agreement shall prevail; or
2. any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1 – Data Processing Details
Arta / ‘DATA IMPORTER’ DETAILS
CLIENT / ‘DATA EXPORTER’ DETAILS
DETAILS OF PROCESSING
Annex 2 – European Annex
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- Taking into account the nature of the Processing of Customer Personal Data by Arta and the information available to Arta, Arta shall provide reasonable assistance to Client, at Client’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Client reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Arta.
EEA Restricted Transfers
- To the extent that any Processing of Customer Personal Data under this DPA involves an EEA Restricted Transfer from Client to Arta, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
1. populated in accordance with Part 1 of Attachment 1 to this Annex 2 (European Annex); and
2. entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
- To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Client to Arta, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
1. varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to this Annex 2 (European Annex); and
2. entered into by the Parties and incorporated by reference into this DPA.
Adoption of new transfer mechanism
- Arta may on notice vary this DPA and replace the relevant SCCs and/or UK Transfer Addendum with:
1. any new form of the relevant SCCs and/or UK Transfer Addendum or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
2. another transfer mechanism, that enables the lawful transfer of Customer Personal Data by Client to Arta under this DPA in compliance with Chapter V of the GDPR.
Provision of full-form SCCs
- In respect of any given Restricted Transfer, if requested of Client by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Arta shall provide Client with an executed version of the relevant set(s) of SCCs responsive to the request made of Client (amended and populated in accordance with Attachment 1 to this Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Client, onward provision to the relevant requestor and/or storage to evidence Client’s compliance with Applicable Data Protection Laws.
- When complying with its transparency obligations under Clause 8.3 of the SCCs, Client agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect Arta’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
- Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Client acknowledges and agrees that there are no circumstances in which it would be appropriate for Arta to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Client.
- For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Client agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
- The terms and conditions of Section 8 of this DPA apply in relation to Arta’s appointment and use of Sub-processors under the SCCs. Any approval by Client of Arta’s appointment of a Sub-processor that is given expressly or deemed given pursuant to Section 8 constitutes Client’s documented instructions to effect disclosures and onward transfers to any relevant Sub-processors if and as required under Clause 8.8 of the SCCs.
- The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9 of this DPA.
- Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Client’s written request.
Attachment 1 TO EUROPEAN ANNEX
POPULATION OF SCCs
PART 1: POPULATION OF THE SCCs
SIGNATURE OF THE SCCs
Where the SCCs apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, (a) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; and (b) those SCCs are entered into by and between the Parties with effect from (i) the Addendum Effective Date; or (ii) the date of the first EEA Restricted Transfer to which they apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, whichever is earlier.
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA): Module Two of the SCCs applies to any EEA Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right.
POPULATION OF THE BODY OF THE SCCs
- For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
1. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
2. In Clause 9:
1. OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 8.4 of the DPA; and
2. OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
3. In Clause 11, the optional language is not used and is deleted.
4. In Clause 13, all square brackets are removed and all text therein is retained.
5. In Clause 17: OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
6. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
- In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.
POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
- Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with: Customer being ‘data exporter’; and Arta being ‘data importer’.
- Part C of Annex I to the Appendix to the SCCs is populated as below:
1. Where Customer is established in an EU Member State, the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
2. Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
3. Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Arta’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
- Annex II to the Appendix to the SCCs is populated as below:
- Please refer to Section 5 of the DPA and the Security Measures described therein.
- In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Arta, Customer should email Arta’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
Sub-Processors: When Arta engages a Sub-Processor under these Clauses, Arta shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
- applicable information security measures;
- notification of Personal Data Breaches to Arta;
- return or deletion of Customer Personal Data as and where required; and
- engagement of further Sub-Processors.
PART 2: UK RESTRICTED TRANSFERS
UK TRANSFER ADDENDUM
- Where relevant in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
1. Part 1 to the UK Transfer Addendum. The Parties agree:
   (a) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Attachment 1 to Annex 2 (European Annex) (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
   (b) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
2. Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
- As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
- In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
Annex 3 – California Annex
- In this Annex, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes “personal information” as defined in and that is subject to the CCPA.
- The business purposes and services for which Arta is Processing personal information are for Arta to provide the services to and on behalf of Customer as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details).
- It is the Parties’ intent that with respect to any personal information, Arta is a service provider. Arta (a) acknowledges that personal information is disclosed by Customer only for the limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 (Compliance Assistance; Audits) of this DPA to help ensure that Arta’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Arta that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
- Arta shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Arta and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Arta’s own interaction with any consumer to whom such personal information pertains.
- Arta shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 5 (Security) of the DPA.
- When Arta engages any Sub-processor, Arta shall notify Customer of such Sub-processor engagements in accordance with Section 8 (Sub-Processing) of the DPA.
Annex 4 – Security Measures
As from the Addendum Effective Date, Arta will implement and maintain the Security Measures as set out in this Annex 4.
- Organizational management and dedicated staff responsible for the development, implementation and maintenance of Arta’s information security program.
- Access Control and preventing unauthorized product access.
1. Outsourced processing: Arta hosts its Service with outsourced cloud infrastructure providers. Additionally, Arta maintains contractual relationships with vendors in order to provide the Service in accordance with this DPA. Client relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
2. Authentication: Vendor implements a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
3. Authorization: Customer data is stored in multi-tenant storage systems that are accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Vendor’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.
4. Application Programming Interface (API) access: Vendor’s product API may be accessed using OAuth authorization.
- Preventing Unauthorized Product Use.
1. Vendor implements industry standard access controls and detection capabilities for the internal networks that support its products.
2. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Limitations of Privilege & Authorization Requirements.
1. Product access: A subset of Vendor’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents, and to implement data security.
- Transmission Control
1. In-transit: Vendor makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Vendor products. Vendor’s HTTPS implementation uses industry standard algorithms and certificates.
2. At-rest: Vendor stores user passwords in accordance with policies that follow industry standard security practices.
- Input Control
1. Detection: Vendor designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Vendor personnel, including security, operations, and support personnel, are responsive to known incidents.
2. Response and tracking: Vendor maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Vendor will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
- Availability Control.
1. Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.00% uptime.
2. Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure.
3. Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
4. Vendor’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Vendor operations in maintaining and updating the product applications and backend while limiting downtime.
Vendor may update the Security Measures from time to time in accordance with Section 5.2 (Security) of the DPA.