Data Protection Addendum
This Data Protection Addendum (“Addendum”) supplements the Master Purchasing Agreement (“Agreement”). All capitalized terms have meanings as in this Addendum, or if not defined, as set forth in the Agreement.
“Confidential Information” means (a) the subject and terms of any and all potential or binding business transactions between the parties covered by the terms of this Addendum and the Agreement, including the terms of this Addendum and the Agreement; and (b) all non-public, oral or written information, of whatever kind and in whatever form (including MBRDNA Data), whether or not marked as “Confidential Information” of MBRDNA, that may be obtained from any source as a result of or in connection with this Addendum and the Agreement, including without limitation: information regarding past, present or future customer or employee information; business and business activities; financial or technical information; products; services; intellectual property; research and development; processes; techniques; designs; financial planning practices; and marketing plans.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
“Data Subject” means (i) an identified or identifiable natural person who is in the EEA or whose rights are protected by the GDPR; or (ii) a “Consumer” as the term is defined in the CCPA.
“EEA” means the European Economic Area.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“MBRDNA Data” means electronic data and information submitted by or for the Services.
“MBRDNA Personal Information” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where the information is protected similarly as personal information, personally identifiable information, or personal data under applicable Data Protection Laws), where for each (i) or (ii), the data is MBRDNA Data.
“MBRDNA Systems” means any computer, computer network, computer application, storage device, mobile computing device or software owned, licensed or leased by MBRDNA, or operated by a third party on behalf of MBRDNA, which: (a) connects to or otherwise interacts with Provider systems; or (b) is enabled or intended to access or interact with MBRDNA Data created or Processed in connection with the Agreement.
“Data Protection Laws” means any and all international, federal, state, national, provincial and local laws, regulations, directives, standards, guidelines, policies, and procedures, as amended, applicable to Provider pertaining to the security, confidentiality, or privacy of MBRDNA Personal Information. To the extent Provider is required to Process MBRDNA Personal Information of California residents on behalf of MBRDNA, the CCPA applies. To the extent Provider is required to Process MBRDNA Personal Information of EEA residents on behalf of MBRDNA, the GDPR applies.
“Process” means to perform any operation or set of operations on MBRDNA Data, including without limitation to (a) collect, receive, input, upload, download, record, reproduce, store, host, organize, combine, log, catalog, cross-reference, manage, maintain, copy, adapt, alter, translate, or make other improvements or derivative works; (b) analyze, output, consult, use, disseminate, transmit, submit, post, transfer, disclose, or otherwise provide or make available; or (c) block, erase, delete, or destroy.
“Sell” has the definition set forth in the CCPA.
“Security Measures” means Provider’s technological, physical, administrative and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or part: (a) to protect the confidentiality, integrity or availability of MBRDNA Data; (b) to prevent the unauthorized use of or unauthorized access to MBRDNA Data; and/or (c) to prevent a breach or malicious infection of MBRDNA Systems.
“Security Incident” means any actual or reasonably suspected: (a) inability to access MBRDNA Data due to a malicious use, attack or exploit; (b) unauthorized or accidental access, acquisition, alteration, disclosure, use, theft, destruction or loss to or of MBRDNA Data; or (c) breach of, transmission of or infiltration of malicious code into, MBRDNA Systems arising from, in whole or part, an act, error, or omission by Provider.
“Services” means the service(s) that Provider provides to MBRDNA under the terms of the Agreement or any applicable Statement of Work (“SOW”).
2. Roles of the Parties.
2.1 The parties acknowledge and agree that MBRDNA has the sole and exclusive authority to determine the purposes and means of the Processing of MBRDNA Data Processed under this Addendum, and Provider is acting solely as a Data Processor, as that term is defined in the GDPR, and service provider, as that term is defined in the CCPA, on behalf and under the instructions of MBRDNA. Provider acknowledges and agrees that between Provider and MBRDNA, MBRDNA owns all MBRDNA Personal Information.
3. Data Processing.
3.1 Provider must only Process MBRDNA Data to the extent necessary to provide the Service(s) to MBRDNA and/or as set forth in the Agreement, an applicable SOW, other written instructions from MBRDNA, or otherwise as understood between the parties, and for no other purpose.
3.2 Except as explicitly provided in the Agreement, Provider must provide MBRDNA with unfettered, uninterrupted, and constant access to MBRDNA Data, and must delete, correct, or block any such data, or allow MBRDNA to do the same, upon MBRDNA’s written request.
3.3 Before any MBRDNA Data is Processed, Provider must provide to the MBRDNA information security contact an overview of the architecture and security certifications of the IT environment processing MBRDNA Personal Information.
3.4 Provider must assist MBRDNA as needed to respond to requests from authorities, Data Subjects, customers, or others to provide information (including details of the Services provided by Provider) related to Provider’s Processing of MBRDNA Personal Information.
3.5 Provider must not Sell MBRDNA Personal Information.
3.6 Provider must not retain, use, or disclose MBRDNA Personal Information for any purpose other than to perform the Services specified in the Agreement, including retaining, using, or disclosing MBRDNA Personal Information for a commercial purpose other than providing the Services specified in the Agreement.
3.7 Provider must not retain, use, or disclose MBRDNA Personal Information outside of the direct business relationship between MBRDNA and Provider.
3.8 Provider certifies that it understands and agrees to be bound by the restrictions set forth in this Section 3.
3.9 For any transfers of MBRDNA Personal Information under this Addendum from the European Union, the EEA and/or their member states, Switzerland and the United Kingdom to the United States, Provider must: (1) maintain its certification to the Privacy Shield; and (2) comply with each of the Privacy Shield principles (including, without limitation, Accountability for Onward Transfer).
4. Information Security; Compliance.
4.1 Provider must protect any MBRDNA Data in its possession from Security Incidents. Provider must, consistent with accepted industry standards, applicable Data Protection Laws, and its security obligations under this Addendum, collect and record information and maintain logs, planning documents, audit trails, records and reports concerning: (i) its Security Measures; (ii) its compliance with this Addendum; (iii) Security Incidents, (iv) its Processing of MBRDNA Personal Information; and (v) the access and use of Provider systems that contain or facilitate access to MBRDNA Data.
4.2 Provider must implement administrative, physical and technical safeguards to protect MBRDNA Data that are no less rigorous than, and must only Process MBRDNA Data in such a manner so as to comply with, accepted industry standards or an Information Security Management System (ISMS), the International Organization for Standardization’s standards (ISO/IEC 27001:2013 – Information Security Management Systems – Requirements and ISO/IEC 27002:2013 – Code of Practice for Information Security Management) or National Institute of Standards and Technology (NIST) 800-53 security requirements, applicable Data Protection Laws, and any other requirements of this Addendum or the Agreement. Provider must immediately notify MBRDNA if Provider knows that any written instruction by MBRDNA would cause either or both parties to violate applicable Data Protection Laws.
4.3 In the event of any conflict among any of Provider’s obligations as required in this Addendum, Provider must comply with the obligation that provides the most protective Security Measures.
4.4 At a minimum, Provider’s safeguards for the protection of MBRDNA Data, including MBRDNA Personal Information, must include: (i) limiting access to authorized employees on a need-to-know basis and subject to a duly enforceable contractual or statutory confidentiality obligation; (ii) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (iii) implementing network, device, application, database and platform security; (iv) securing information transmission, storage and disposal; (v) implementing authentication and access controls within media, applications, operating systems and equipment; (vi) encrypting data on any mobile media; (vii) encrypting transmissions over public or wireless networks as well as data at rest; (viii) strictly segregating MBRDNA Data from information of Provider or its other customers so that MBRDNA Personal Data is not commingled with any other types of information; (ix) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; (x) providing appropriate privacy and information security training to Provider’s employees; and (xi) using industry standard processes to monitor any systems that Process or could provide access to MBRDNA Data for malicious code, including, without limitation, viruses, Trojan horses, worms, and any other software code designed to permit unauthorized access by third parties or disable, erase, or otherwise harm the Services, MBRDNA Personal Data, or other software or hardware.
4.5 Provider systems used for remote access to MBRDNA Data or MBRDNA Systems must be protected according to the requirements of this Addendum.
4.6 Provider must at all times maintain a written information security program that describes in sufficient detail Provider’s Security Measures, a written incident response plan designed to comply with the requirements of this Addendum, and any other policies or procedures that are reasonably necessary to facilitate Provider’s compliance with this Addendum. Provider must provide any of the foregoing policies upon MBRDNA’s reasonable request.
4.7 If, in the course of its engagement, Provider has access to or must Process credit, debit or other payment card information (“PCI”), Provider must at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at Provider’s sole cost and expense. As evidence of compliance with PCI DSS, Provider must provide a current attestation of compliance at the commencement of Services and at regular intervals. Provider must create and maintain reasonably detailed, complete, and accurate documentation describing the systems, processes, network segments, security controls, and data flows used to receive, transmit, store and secure cardholder data that it obtains pursuant to the Services. All documentation must conform to the most current version of the PCI DSS. Provider must defend, indemnify, and hold harmless MBRDNA for any and all costs and damages, including reasonable attorney’s fees, arising out of Provider’s failure to comply with this Section and/or the requirements of PCI DSS.
4.8 Provider must at all times Process MBRDNA Personal Information only in the United States of America.
4.9 Provider must obtain MBRDNA’s prior written consent before implementing any change to the Processing of MBRDNA Data that constitutes a material change in Provider’s Security Measures. Provider must use commercially reasonable efforts to provide MBRDNA at least ninety (90) days’ notice in advance of the proposed effective date of such change in order to provide MBRDNA with the right to reject such change as it applies to MBRDNA or terminate this Addendum and/or the Agreement.
4.10 Provider must assign an individual working for Provider to act as its security coordinator, who will be the security liaison between MBRDNA and Provider and (i) oversee compliance with this Addendum; (ii) receive notice of Security Incidents within the Provider’s organization; and (iii) coordinate Security Incident response and remedial action with MBRDNA. Provider must ensure that the security coordinator is sufficiently trained, qualified and experienced to be able to fulfill the functions set out in this Section and any other functions that might reasonably be expected to be carried out by the individual as a security coordinator.
4.11 During the Term, Provider must implement and maintain additional Security Measures, as mutually agreed upon by Provider and MBRDNA, in the event of: (i) any material changes to Services; (ii) any Security Incident; or (iii) any material decreases to Provider’s Security Measures; provided, that the failure of MBRDNA to make a request of Provider does not impact, eliminate or decrease Provider’s obligations under this Addendum.
4.12 Provider must cooperate with MBRDNA’s reasonable requests to assist MBRDNA with its own compliance objectives pursuant to applicable Data Protection Laws, including without limitation completing any documentation provided to Provider, performing data protection or privacy impact assessments, and complying with any Data Subjects’ requests to access, block, correct, or delete their data from Provider’s systems.
5. Security Incident Procedures.
5.1 Provider must notify MBRDNA as soon as practicable, but no later than twenty-four (24) hours after Provider becomes aware of, or reasonably believes there has been, any Security Incident.
5.2 Provider must use best efforts to immediately remedy any Security Incident and prevent any further Security Incident at Provider’s expense.
5.3 Provider must promptly preserve all relevant records, logs, files, data reporting and other materials relevant to the Security Incident, and must provide them to MBRDNA upon request. Provider must diligently investigate the Security Incident and fully cooperate with MBRDNA in its own investigation of and response to the Security Incident.
5.4 Provider must reimburse MBRDNA for all reasonable costs incurred by MBRDNA in responding to, and mitigating damages caused by, any Security Incident, including without limitation all costs of providing notice and/or credit monitoring and identity theft protection services.
5.5 Unless otherwise required by law, Provider is prohibited from informing any third party of any Security Incident without MBRDNA’s prior written consent, other than to inform a complainant that the matter has been forwarded to MBRDNA’s legal counsel. Further, Provider agrees not to include MBRDNA’s name, logo, or any other identifiable information about MBRDNA or its affiliates in any notice or public statement concerning the Security Incident without MBRDNA’s prior written consent.
6. Confidentiality; Trade Secrets.
6.1 Provider must hold the Confidential Information of MBRDNA in strict confidence and must adhere to industry best practices for securing the Confidential Information of MBRDNA so as to reasonably ensure that such Confidential Information is not lost, stolen or otherwise used, modified or accessed by any unauthorized person. Except as expressly set forth in this Addendum, Provider has the right to use MBRDNA’s Confidential Information only for the limited purpose of fulfilling its commitments and obligations to MBRDNA under this Addendum and the Agreement and for no other purpose. Except as specifically permitted elsewhere in this Addendum or by prior written consent of MBRDNA, Provider must not use, disclose or distribute to any person, firm or entity any Confidential Information and must not permit any person, firm or entity to use, disclose or distribute any Confidential Information; provided that Provider may disclose or distribute such Confidential Information to its employees who have a business need to know such Confidential Information and who are obligated by contract to protect the Confidential Information in a way that complies with this Addendum. Except in connection with the purposes identified above, Provider must not copy or otherwise reproduce, or permit to be copied or otherwise reproduced, all or any part of Confidential Information without the prior written consent of MBRDNA.
6.2 Provider acknowledges that in performing Services for MBRDNA it may have access to information that constitutes trade secret information. Provider further agrees to take whatever steps are necessary to preserve MBRDNA’s claim to such trade secret protection including, but not limited to: (1) maintaining the confidential nature of the trade secret information; (2) restricting access to employees and/or business units that have a business need to know the trade secret information; and (3) notifying employees authorized to access MBRDNA’s trade secret information that they are accessing, amongst other things, valuable trade secret information.
7. Subcontractors; Third Parties.
7.1 Provider must only provide MBRDNA Personal Information or access to the MBRDNA Personal Information to those subcontractors or other third parties to the extent necessary for Provider to perform Services for MBRDNA, and to de-identify, anonymize, and aggregate MBRDNA Personal Information. Once the subcontractor or other third party no longer needs access to the MBRDNA Personal Information in order for Provider to perform Services for MBRDNA, Provider must immediately terminate the access, or, if applicable, must immediately request that MBRDNA terminate the access.
7.2 If Provider processes MBRDNA Personal Information of EU Data Subjects, Provider must provide to MBRDNA a complete list of subcontractors who Process MBRDNA Personal Information in furtherance of Provider’s provision of Services to MBRDNA at the outset of the Agreement, and must update the list as necessary, provided that Provider must not engage a subcontractor to Process MBRDNA Personal Information except as explicitly set forth in this Addendum.
7.3 If Provider processes MBRDNA Personal Information of EU Data Subjects, Provider must not provide any subcontractor or third party (other than Provider’s regulator) access to MBRDNA Personal Information or access to Provider’s systems or network that would allow access to MBRDNA Personal Information, unless (i) Provider has received prior written consent from MBRDNA, which must not unreasonably be withheld; or (ii) access is specifically allowed under this Addendum, the Agreement, or an applicable SOW. Provider must notify MBRDNA immediately upon receipt of any request from a regulator to access MBRDNA Personal Information, including any request to access locations where information is stored.
7.4 Prior to providing any subcontractor or other third party with access to MBRDNA Personal Information, Provider must: (a) conduct a reasonable investigation of the third party’s information security measures to determine that the security is reasonable and consistent with Provider’s obligations under this Addendum; (b) ensure that the third party is obligated by law or contract to protect MBRDNA Personal Information in a way that is consistent with Provider’s obligations to protect MBRDNA Personal Information under this Addendum; and (c) ensure each subcontractor is governed by a written agreement which: (1) includes terms substantially similar to those set out in the Addendum; and (2) meets the requirements of Article 28(4) of the GDPR and Section 1798.140(v) and (w) of the CCPA. In all events, Provider is and must remain fully responsible for any act, error or omission of any third party to whom Provider grants access to MBRDNA Personal Information with respect to compliance with this Addendum.
7.5 Provider must require subcontractors to only Process MBRDNA Personal Information pursuant to MBRDNA’s instructions in this Addendum and, to the extent subcontractors Process MBRDNA Personal Information subject to the GDPR, to provide the information set out in Annex 1.
8. Monitoring & Audits.
8.1 MBRDNA or its representative is entitled to monitor and audit Provider’s compliance with this Addendum. MBRDNA may also log and analyze remote access by Provider and/or its subcontractors within MBRDNA’s systems as a condition of allowing that remote access.
8.2 Upon MBRDNA’s written request, and no less than annually, Provider must grant MBRDNA or its representative permission to audit any and each of Provider’s privacy and security controls in relation to any MBRDNA Personal Information being Processed by Provider. Provider must fully cooperate with an audit by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software relevant to Provider’s compliance with this Addendum. Provider must make available documentation from its subcontractors to support MBRDNA’s audit upon MBRDNA’s request.
8.3 Upon MBRDNA’s written request, which must be made no more frequently than annually, Provider must, at the Provider’s expense, make available to MBRDNA a copy of Provider or Provider’s data center’s most recent SOC-2 Type 2 Report on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy or other external audit report, external penetration test, or external security assessment acceptable to MBRDNA that encompasses the controls relevant to the Processing of MBRDNA Personal Information (such reports, tests, and assessments, “Assessments”). Provider must notify MBRDNA immediately if Provider fails an Assessment.
8.4 Following any audit by MBRDNA or MBRDNA’s review of Provider’s most recent SOC-2 Type 2 Report or other external audit report, external penetration test or external security assessment, Provider must implement, as soon as reasonably practicable, any measures requested in writing by MBRDNA which MBRDNA determines are reasonably necessary for Provider to meet its obligations under this Addendum.
9. Term and Termination.
9.1 This Addendum is effective as of the Effective Date of the Agreement, and remains in effect until the later of either: (i) the duration of the Agreement; or (ii) for so long as Provider continues to Process MBRDNA Data, provided that MBRDNA may reasonably assume that Provider’s Processing activities are continuing until MBRDNA receives written confirmation from Provider to the contrary.
9.2 This Addendum may be terminated by MBRDNA for any reason upon thirty (30) days’ written notice to Provider.
9.3 Upon expiration, termination, and/or at MBRDNA’s prior written request, Provider must, at its cost, return and/or permanently delete (the choice to be made by MBRDNA) and must cause its subcontractors to do the same, including from backup and archival sources, any and all MBRDNA Data, in compliance with industry standards, applicable Data Protection Laws, and otherwise as specified in this Addendum. Provider must provide, upon MBRDNA’s request, written certification of the destruction of MBRDNA Data under this provision. To the extent MBRDNA Data is returned, data must be in a format specified by MBRDNA or, if not specified, in a platform-agnostic format.
10.1 Insurance Coverage. In addition to any insurance requirements specified in the Agreement, Provider must also maintain Privacy and Network Security (otherwise known as Cyber Liability) coverage which includes providing protection against liability for (a) system attacks, (b) denial or loss of service attacks, (c) spread of malicious software code, (d) unauthorized access and use of computer systems, (e) crisis management and customer notification expenses, (f) privacy regulatory defense and penalties and (g) liability arising from the loss or disclosure of data that would encompass MBRDNA Personal Information; with coverage limits of not less than $5,000,000 per claim.
10.2 Equitable Relief. Provider recognizes that serious injury could result to MBRDNA if Provider breaches its obligations under this Addendum. Therefore, Provider agrees that MBRDNA is entitled to a restraining order, injunction, or other equitable relief if Provider breaches its obligations under this Addendum, in addition to any other remedies and damages that would be available at law or equity.
10.3 Liability. MBRDNA’S DAMAGES ARISING FROM ANY SECURITY INCIDENT, AND/OR PROVIDER’S FAILURE TO COMPLY WITH THE OBLIGATIONS SET FORTH IN THIS ADDENDUM ARE NOT SUBJECT TO ANY LIMITATIONS OR EXCLUSIONS OF LIABILITY SET FORTH IN THE AGREEMENT. FURTHER, THE FOLLOWING REASONABLE COSTS ARE CONSIDERED DIRECT DAMAGES IF SUSTAINED BY MBRDNA ARISING OUT OF A SECURITY INCIDENT AND/OR PROVIDER’S FAILURE TO COMPLY WITH ITS OBLIGATIONS AS SET FORTH IN THIS ADDENDUM: (1) COSTS ARISING FROM PROCURING SERVICES FROM AN ALTERNATIVE SOURCE; (2) COSTS ARISING FROM CREATING OR RELOADING LOST OR DAMAGED MBRDNA PERSONAL INFORMATION; (3) COSTS ARISING FROM MBRDNA’S INVESTIGATION AND/OR REMEDIATION OF PROVIDER’S SECURITY INCIDENT, INCLUDING WITHOUT LIMITATION FORENSIC INVESTIGATION, PREPARATION AND DELIVERY OF NOTIFICATION, AND PROVISION OF CREDIT MONITORING AND IDENTITY THEFT PROTECTION SERVICES; AND (4) LEGAL FEES ASSOCIATED WITH EACH OF THE FOREGOING.
ANNEX 1: DETAILS OF PROCESSING OF MBRDNA PERSONAL INFORMATION
This Annex 1 includes certain details of the Processing of Personal Information as required by Article 28(3) of the GDPR.
1. Subject matter and duration of the Processing of Personal Information
2. The nature and purpose of the Processing of Personal Information
3. Type of Personal Information to be Processed
4. The categories of Data Subjects to whom the Personal Information relates