Data Processing Addendum.
Last updated on February 1, 2021.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “DPA”) is made as of the date set forth in the Agreement. This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is Processed by Traction under the Agreement.
- For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
- “Agreement” means the legal agreement entered into between Traction Guest Inc. and You, to which this DPA is attached or incorporated by reference, and includes the Terms and Conditions, as applicable, between the parties, in each case providing for the provision by Traction to You of the Services described therein.
- “Data Subject” means the identified or identifiable natural person subject to the Processing.
- “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- “EU Data Protection Legislation” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), as well as the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), the Act respecting the protection of personal information in the private sector (Québec) (the “Private Sector Act”), the Personal Information Protection Act of Alberta (the “PIPA AB”) and the Personal Information Protection Act of British Columbia (the “PIPA BC”) (as amended, replaced or superseded).
- “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data pursuant to the GDPR.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means an entity which Processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person and that allows that person to be identified.
- “Security Incident” means a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Sensitive Data” means (a) social security number; (b) credit or debit card number (other than a truncated number showing only the last four digits); (c) financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) criminal history; and (f) without limiting the foregoing, any additional information that falls within the definition of “special categories of data” under EU Data Protection Legislation or any other applicable law relating to privacy and data protection.
- “Standard Contractual Clauses” means the Standard Contractual Clauses (Processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply).
Relationship with Agreement
- Except as amended by this DPA, the Agreement will remain in full force and effect.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
Notwithstanding anything in this DPA, Traction will have the right to collect, extract, compile, synthesize and analyze Aggregate Information (as defined in the Agreement) resulting from Your use or operation of the Services. To the extent any Aggregate Information is collected or generated by Traction, such data may be used by Traction for any lawful business purpose without a duty of accounting to You. For the avoidance of doubt, this DPA will not apply to Aggregate Information.
Roles and responsibilities
- Parties’ Roles. With respect to the Processing of Personal Data, You, as Controller or Processor, as applicable, appoint Traction as a Processor to Process the Personal Data described in Annex A on Your behalf, and each of Traction and You shall comply with Data Protection Legislation.
- Purpose Limitation. Traction shall Process the Personal Data for the purposes described in Annex A and only in accordance with Your lawful, written and duly documented instructions, except where otherwise required by applicable law. The Agreement and this DPA set out Your complete instructions to Traction in relation to the Processing of the Personal Data, and any Processing required outside the scope of these instructions will require prior written agreement between the parties. You acknowledge that Traction shall have a right to Process Personal Data in order to provide the Services to You, fulfill its obligations under the Agreement, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical maintenance and support, product development, and sales and marketing. Moreover, in Alberta and British Columbia, Traction agrees to hold and use any and all Personal Data in confidence and not to disclose the Personal Data to any third party (or permit any of its employees, agents or representatives to do so), except (i) in the ordinary course of business to carry out the permitted activities under the Agreement; or (ii) as required or permitted by PIPA AB, PIPA BC or other applicable law.
- Processing of Sensitive Data. You will not provide (or cause to be provided) any Sensitive Data to Traction, unless You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes, and the Processing of such Sensitive Data is not prohibited by law as set out in Article 9 of the GDPR. For the avoidance of doubt, this DPA will not apply to, and Traction shall have no liability with respect to, any Sensitive Data for which You have not received consent pursuant to this section 4.3.
- Description of Processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A.
- Compliance. You shall be responsible for ensuring that:
- you have complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Data Protection Legislation, in Your use of the Services and Your own Processing of Personal Data (except as otherwise required by applicable law), including by providing notice and obtaining all consents and rights necessary under Data Protection Legislation for Traction to Process Personal Data; and
- you have, and will continue to have, the right to transfer, or provide access to, the Personal Data to Traction for Processing in accordance with the terms of the Agreement and this DPA.
- Security. Traction shall implement and maintain, in compliance with Data Protection Legislation, appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, such as, for example: the pseudonymisation and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of an incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
- Security Exhibit. The technical and organizational security measures which Traction shall have in place under the Agreement are set out at Annex B to this DPA.
- Confidentiality of Processing. Traction shall ensure that any person that it authorizes to Process the Personal Data is subject to a duty of confidentiality (whether a contractual or a statutory duty). Access to Personal Data is limited to those employees of Traction who need access to the Personal Data for the purpose of delivering the Services and who have completed privacy training.
- Security Incidents. Upon becoming aware of a Security Incident that, under the GDPR, is likely to result in a risk to the rights and freedoms of natural persons or, under applicable Canadian privacy laws, presents a real risk of significant harm to the Data Subject, Traction shall notify You without undue delay and shall provide such timely information as You may reasonably require, including to enable You to fulfil any data breach reporting obligations under Data Protection Legislation. Traction shall take appropriate and commercially reasonable steps to investigate and mitigate the effects of such a Security Incident on the Personal Data under the Agreement. This section 6.2 does not apply to Security Incidents that are caused by You, including Your employees, partners, subcontractors, or agents.
To the extent that the Processing of Personal Data by Traction involves the export of such Personal Data to a third party in a country or territory outside the EEA and/or Canada, such export shall be:
- to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
- to a third party that is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
- governed by the Standard Contractual Clauses, with You as exporter and such third party as importer. For this purpose, You appoint Traction as your agent with the authority to complete and enter into the Standard Contractual Clauses as agent for You on Your behalf.
- You agree that this DPA constitutes Your written authorization for Traction and its Sub-Processors to Process Personal Data anywhere in the world where Traction or its Sub-Processors maintain data Processing operations.
- Sub-Processors. You agree that this DPA constitutes Your written authorization for Traction to engage Affiliates and third party sub-Processors (collectively, “Sub-Processors”) to Process the Personal Data on Traction’s behalf, including Sub-Processors currently engaged by Traction. The Sub-Processors currently engaged by Traction and authorized by You are listed at https://tractionguest.com/tos/processors. Traction will notify You, pursuant to the Agreement, of any new Sub-Processor being appointed by updating that page.
- Objection to Sub-Processors. You may object in writing, stating your reasonable grounds for the objection, to the appointment of an additional Sub-Processor within five (5) calendar days after receipt of Traction’s notice in accordance with the mechanism set out at Section 8.1 above. In the event that You object on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Traction will, at its sole discretion, either not appoint such Sub-Processor, or permit You to suspend or terminate the Services in accordance with the termination provisions of the Agreement. In the event that You suspend or terminate the Services in accordance with the preceding sentence, You shall immediately pay all fees and costs then owing and all fees and costs incurred by Traction as a result of the termination.
- Sub-Processor obligations. Where a Sub-Processor is engaged by Traction as described in this Section 8, Traction shall:
- restrict the Sub-Processor’s access to Personal Data only to what is necessary to perform the subcontracted services;
- impose on such Sub-Processors data protection terms that protect the Personal Data to the standards no less stringent than those provided for by this DPA; and
- remain responsible for any breach of the DPA caused by a Sub-Processor.
- Cooperation and Data Subjects’ rights. Traction shall, taking into account the nature of the Processing, provide commercially reasonable assistance to You, insofar as this is possible, to enable You to respond to requests from a Data Subject seeking to exercise their rights under EU Data Protection Legislation, in the event that You do not have the ability to fulfil such a request without Traction’s assistance. You will not forward such requests to Traction, such as access or correction requests, without first verifying the identity of the Data Subject. In the event that such a request is made directly to Traction, Traction shall, unless prohibited by law, promptly inform You of the same. To the extent legally permitted, You shall be responsible for any costs arising from Traction’s provision of such assistance.
- Data Protection Impact Assessments. Traction shall, to the extent required by Data Protection Legislation and at Your sole expense, taking into account the nature of the Processing and the information available to Traction, provide You with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that You are required to carry out under Data Protection Legislation.
Security reports and audits
- The parties acknowledge that Traction uses external auditors to comprehensively assess the adequacy of its data Processing, including the security of the systems and premises used by Traction to provide data Processing services.
- The parties further acknowledge that these audits:
- are performed at least once each year;
- are conducted by auditors selected by Traction, but otherwise conducted with all due and necessary independence and professionalism; and
- are fully documented in an audit report that affirms that Traction’s controls meet industry standards against which they are assessed (“Report”).
- At Your written request and at Your sole expense, Traction will (on a confidential basis) provide You with a summary of the Report so that You can verify Traction’s compliance with the audit standards against which it has been assessed, and this DPA.
- Traction will further provide written responses (on a confidential basis) to reasonable requests for information made by You, no more than once per year, including responses to information security and audit questionnaires that are necessary to confirm Traction’s compliance with this DPA.
- While it is the parties’ intention to rely on the provision of the Report and written responses provided under Sections 10.3 and 10.4 above to verify Traction’s compliance with this DPA, Traction shall permit You (or Your appointed third party auditors, who must be reasonably acceptable to Traction), at Your sole expense, to carry out an audit of Traction’s Processing of Personal Data under the Agreement following a Security Incident suffered by Traction, or upon the instruction of a data protection authority, to determine Traction’s compliance with this DPA. You must give Traction reasonable prior notice of such intention to audit, conduct the audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Traction’s operations. Any such audit shall be subject to Traction’s security and confidentiality terms and guidelines. Following completion of the audit, upon request, You will promptly provide Traction with a complete copy of the results of that audit. Notwithstanding the foregoing, Traction will not be required to disclose any proprietary or privileged information, including to You or any of Your auditors, agents, or vendors.
Deletion / return of data
- Deletion or return of data: Upon the termination or expiration of the Agreement, and upon Your request made within 60 days of the date of termination or expiration, Traction will make available a CSV extract of the Personal Data entered into the Services that is in Traction’s possession or control. At the end of that 60-day period, Traction may, at its option, and will, upon Your request, delete or destroy all copies of Personal Data in its possession or control, save to the extent that: (i) Traction is required by any applicable law to retain some or all of the Personal Data; (ii) Traction is reasonably required to retain some or all of the Personal Data for limited operational and compliance purposes; or (iii) the Personal Data has been archived on back-up systems. In all such cases, Traction shall maintain the Personal Data securely and limit Processing to the purposes that prevent its deletion or return.
General Data Protection Obligations
DESCRIPTION OF PROCESSING
Nature and purposes of Processing
Traction is a Canadian provider of Traction Guest, a cloud-based visitor management and check-in service (the “Services”). The data Processing will involve any such Processing that is necessary for the purposes set out in the Agreement, the DPA, or as otherwise agreed between the parties.
Categories of Data Subjects
Any categories of individuals whose data the Subscriber extracts, transfers, and/or loads onto the Service, which may include but is not limited to:
- Visitors to your business location who have been invited to use the customer-facing features of the Services; and
- Your past, present and prospective clients and business relationship contacts.
Categories of data
The personal data concerns the following categories of data for the Data Subjects:
- Data Subjects’ identification information (first and last name), contact information (which may include some or all of the Data Subject’s e-mail address, address, telephone number, fax number), and location; and
- Any other personal data that You choose to include in Your instance of the Services for Data Subjects to enter, notably health data for which You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes.
The personal data transferred to Traction for Processing is determined and controlled by You in Your sole discretion. As such, Traction has no control over the volume and sensitivity of personal data Processed through the Services by You.
Special categories of data (if appropriate)
Traction does not intentionally collect or Process any special categories of data in the provision of the Services.
You agree not to provide special categories of data to Traction at any time, unless You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes.
Duration of Processing
The personal data will be Processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
TRACTION SECURITY MEASURES
- Traction will monitor the networks used for Processing personal data for issues including, but not limited to, throughput, memory usage, response time, system load and error events.
- Traction will adhere to change management standards when any alterations to networks are implemented.
- Traction will assess network vulnerabilities on an ongoing basis and address critical vulnerabilities within Traction’s control within a reasonable time.
- Traction will maintain documentation outlining the overall application infrastructure and Process flows of personal data.
- Traction will perform code reviews on any and all code contributed to the applications used in Processing personal information.
- Traction will follow secure coding best practices in the development life cycle of its software including employing separate environments for development, QA and production.
- Traction will assess application vulnerabilities on an ongoing basis and address critical vulnerabilities within a reasonable time.
- Traction will employ best practices when storing any data generated from the Processing of personal data. Notwithstanding the foregoing, should a customer choose to configure an integration with a third party that is not provided by, required by, or approved by Traction, unless such integration is necessary in order to use the Services, customer and not Traction is responsible for ensuring that such a third party employs data storage and Processing best practices.
- Traction will use strong encryption (TLS) for all data in transit.
- Traction will create encrypted backups of data on an ongoing basis in the event that a data restoration is necessary.
- Traction will ensure that all Traction employees’ devices that have access to sensitive information are encrypted and monitored.