Data Processing Addendum.

Last updated on September 27, 2021.

DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “DPA”) is made as of the date set forth in the Agreement. This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is Processed by Traction Guest under the Agreement.

  1. Definitions

    1. For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
      1. “Agreement” means the legal agreement entered into between Traction Guest Inc. and You, to which this DPA is attached or incorporated by reference, and includes the Terms and Conditions, as applicable, between the parties, in each case providing for the provision by Traction to You of the Services described therein.
      2. “Data Subject” means the identified or identifiable natural person subject to the Processing.
      3. “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
      4. “Data Protection Legislation” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), as well as the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), the Act respecting the protection of personal information in the private sector (Québec) (the “Private Sector Act”), the Personal Information Protection Act of Alberta (the “PIPA AB”) and the Personal Information Protection Act of British Columbia (the “PIPA BC”) (as amended, replaced or superseded).
      5. “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data pursuant to the GDPR.
      6. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      7. “Processor” means an entity which Processes Personal Data on behalf of the Controller.
      8. “Personal Data” means any information relating to an identified or identifiable natural person and that allows that person to be identified.
      9. “Security Incident” means confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
      10. “Sensitive Data” means (a) social security number; (b) credit or debit card number (other than the last four digits of a credit or debit card number); (c) financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) criminal history; and (f) without limiting the foregoing, any additional information that falls within the definition of “special categories of data” under EU Data Protection Legislation or any other applicable law relating to privacy and data protection.
      11. “Standard Contractual Clauses” means the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/915 or any subsequent version thereof released by the European Commission (which will automatically apply).
  2. Relationship with Agreement

    1. Except as amended by this DPA, the Agreement will remain in full force and effect.
    2. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
    3. Any claims brought under this DPA shall be subject to the terms of, including but not limited to, the exclusions and limitations set forth in the Agreement.
  3. Aggregate Information

    Notwithstanding anything in this DPA, Traction Guest will have the right to collect, extract, compile, synthesize and analyze Aggregate Information (as defined in the Agreement) resulting from Your use or operation of the Services. To the extent any Aggregate Information is collected or generated by Traction Guest, such data may be used by Traction Guest for any lawful business purpose without a duty of accounting to You. For the avoidance of doubt, this DPA will not apply to Aggregate Information.

  General Data Protection Obligations

  4. Roles and responsibilities

    1. Parties’ Roles. With respect to the Processing of Personal Data, You, as Controller or Processor (as applicable) appoint Traction Guest as a Processor to Process the Personal Data described in Annex A on Your behalf, it being specified that Traction Guest and You shall comply with applicable Data Protection Legislation.
    2. Purpose Limitation. Traction Guest shall Process the Personal Data for the purposes described in Annex A and only in accordance with Your lawful, written and duly documented instructions, except where otherwise required by Applicable Law. The Agreement and this DPA set out Your complete instructions to Traction Guest in relation to the Processing of the Personal Data, and any Processing required outside of the scope of these instructions will require prior written agreement between the parties. You acknowledge that Traction Guest shall have a right to Process Personal Data in order to provide the Services to You, fulfill its obligations under the Agreement, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical maintenance and support, product development, and sales and marketing. Traction Guest agrees to hold and use any and all Personal Data in confidence and not to disclose the Personal Data to any third party (or permit any of its employees, agents or representatives to do so), except (i) in the ordinary course of business to carry out the permitted activities under the Agreement; or (ii) as required or permitted by applicable law.
    3. Processing of Sensitive Data. You will not provide (or cause to be provided) any Sensitive Data to Traction Guest, unless You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes, and the Processing of such Sensitive Data is not prohibited by law as set out in Article 9 of the GDPR. For the avoidance of doubt, this DPA will not apply to, and Traction Guest shall have no liability with respect to, any Sensitive Data for which You have not received consent pursuant to this section 4.3.
    4. Description of Processing. A description of the nature and purposes of the Processing, the types of Personal Data, categories of Data Subjects, and the duration of the Processing are set out further in Annex A.
    5. Compliance. You shall be responsible for ensuring that:
      1. you have complied, and will continue to comply, with all Applicable Laws relating to privacy and data protection, including Data Protection Legislation, in Your use of the Services and Your own Processing of Personal Data (except as otherwise required by Applicable Law), including by providing notice and obtaining all consents and rights necessary under Data Protection Legislation for Traction Guest to Process Personal Data; and
      2. you have, and will continue to have, the right to transfer, or provide access to, the Personal Data to Traction Guest for Processing in accordance with the terms of the Agreement and this DPA.
  5. Data Security

    1. Security. Traction Guest shall implement and maintain, in compliance with Data Protection Legislation, appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, such as, for example: the encryption of Personal Data; the practice of least privilege and levels of access controls; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of an incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
    2. Security Exhibit. The technical and organizational security measures which Traction Guest shall have in place under the Agreement are set out at Annex B to this DPA.
  6. Additional security

    1. Confidentiality of Processing. Traction Guest shall ensure that any person that it authorizes to Process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty), it being specified that access to Personal Data is limited only to the employees of Traction Guest who need to have access to the Personal Data for the purpose of delivering the service and who have completed privacy training.
    2. Security Incidents. Upon becoming aware of a Security Incident that, according to the GDPR, is likely to result in a risk to the rights and freedoms of natural persons or, where there is a real risk of significant harm to the Data Subject, Traction Guest shall notify You without undue delay and shall provide such timely information as You may reasonably require, including to enable You to fulfil any data breach reporting obligations under Data Protection Legislation. Traction Guest shall take appropriate and commercially reasonable steps to investigate and mitigate the effects of such a Security Incident on the Personal Data under this Agreement. This section 6.2 does not apply to Security Incidents that are caused by You, including Your employees, partners, subcontractors, or agents.
  7. International Transfers

    To the extent that the Processing of Personal Data by Traction Guest involves the export of such Personal Data to a third party in a country or territory outside of the EEA and/or Canada, such export shall be:

    1. to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
    2. to a third party that is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
    3. governed by the Standard Contractual Clauses, with You as exporter and such third party as importer. For this purpose, You appoint Traction Guest as your agent with the authority to complete and enter into the Standard Contractual Clauses as agent for You on Your behalf; and
    4. You agree that this DPA constitutes Your written authorization for Traction Guest and its Sub-Processors to Process Personal Data anywhere in the world where Traction Guest or its Sub-Processors maintain data Processing operations.
  8. Sub-Processing

    1. Sub-Processors. You agree that this DPA constitutes your written authorization for Traction to engage Affiliates and third party sub-processors (collectively, “Sub-Processors”) to Process the Personal Data on Traction Guest’s behalf, including Sub-Processors currently engaged by Traction Guest. The Sub-Processors currently engaged by Traction and authorized by You are available at tractionguest.com/tos/processors. Traction Guest will notify you of any new Sub-Processors being appointed by updates to its webpage referenced in this Section 8.1.
    2. Objection to Sub-Processors. You may object in writing, stating your reasonable grounds for the objection, to the appointment of any additional Sub-Processors within five (5) calendar days after receipt of Traction Guest’s notice as set out in Section 8.1 above. In the event that You object on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Traction will, at its sole discretion, either not appoint such Sub-Processor, or permit You to suspend or terminate the Services in accordance with the termination provisions of the Agreement. In the event that You suspend or terminate the Services in accordance with the preceding sentence, You shall immediately pay all fees and costs then owing to Traction Guest and all fees and costs incurred by Traction Guest as a result of the termination.
    3. Sub-Processor obligations. Where a Sub-Processor is engaged by Traction Guest as described in this Section 8, Traction Guest shall:
      1. restrict the Sub-Processor’s access to Personal Data only to what is necessary to perform the subcontracted services;
      2. impose on such Sub-Processors data protection terms that protect the Personal Data to standards no less stringent than those provided for by this DPA; and
      3. remain responsible for any breach of the DPA caused by a Sub-Processor.
  9. Cooperation

    1. Cooperation and Data Subjects’ rights. Traction Guest shall, taking into account the nature of the Processing, provide commercially reasonable assistance to You insofar as it is possible or permissible under Data Protection Legislation, to enable You to respond to requests from a Data Subject seeking to exercise their rights under Data Protection Legislation. You will not request applicable information from Traction Guest, such as access or correction requests, without verifying the identity of the Data Subject. In the event that such a request is made directly to Traction Guest, Traction Guest shall, unless prohibited by law, promptly inform You of the same. To the extent legally permitted, You shall be responsible for any costs arising from Traction Guest’s provision of such assistance.
    2. Data Protection Impact Assessments. Traction Guest shall, to the extent required by Data Protection Legislation and at Your sole expense, taking into account the nature of the Processing and the information available to Traction Guest, provide You with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that You are required to carry out under Data Protection Legislation.
  10. Security reports and audits

    1. The parties acknowledge that Traction Guest uses external auditors to comprehensively assess the adequacy of its data Processing, including the security of the systems and premises used by Traction Guest to provide data Processing services.
    2. The parties further acknowledge that these audits:
      1. are performed at least once each year;
      2. are conducted by auditors selected by Traction Guest, but otherwise conducted with all due and necessary independence and professionalism; and
      3. are fully documented in an audit report that affirms that Traction Guest’s controls meet the industry standards against which they are assessed (“Report”).
    3. At Your written request and at Your sole expense, Traction Guest will (on a confidential basis) provide You with a summary of the Report.
    4. Traction Guest will further provide written responses (on a confidential basis) to reasonable requests for information made by You, no more than once per year, including responses to information security and audit questionnaires that are necessary to confirm Traction Guest’s compliance with this DPA.
    5. Traction Guest shall permit You (or Your appointed third party auditors, which must be reasonably acceptable to Traction Guest), at Your sole expense, to carry out an audit of Traction Guest’s Processing of Personal Data under the Agreement following a Security Incident suffered by Traction Guest, or upon the instruction of a data protection authority, to determine Traction Guest’s compliance with this DPA. You must give Traction Guest reasonable prior written notice of such intention to audit, conduct the audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Traction Guest’s operations. Any such audit shall be subject to Traction Guest’s security and confidentiality terms and guidelines. Following completion of the audit, upon request, You will promptly provide Traction Guest with a complete copy of the results of that audit. Notwithstanding the foregoing, Traction Guest will not be required to disclose any proprietary or privileged information, including to You or any of Your auditors, agents, or vendors.
  11. Deletion / return of data

    1. Deletion or return of data. Upon the termination or expiration of the Agreement, Traction Guest will delete or destroy all copies of Personal Data in its possession or control, save to the extent that: (i) Traction is required by any applicable law to retain some or all of the Personal Data; (ii) Traction is reasonably required to retain some or all of the Personal Data for limited operational and compliance purposes; or (iii) Personal Data has been archived on back-up systems. In all such cases, Traction Guest shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. You may, within 30 days of termination or expiration of the Agreement, request a copy of the Personal Data inputted into the Services by You, provided such data is in Traction Guest’s possession or control at the time of the request, and Traction Guest shall make Your Personal Data available in a CSV extract data format.

ANNEX A


DESCRIPTION OF PROCESSING

Nature and purposes of Processing

Traction is a Canadian provider of Traction Guest, a cloud-based visitor management and check-in service (the “Services”). The data Processing will involve any such Processing that is necessary for the purposes set out in the Agreement, the DPA, or as otherwise agreed between the parties.

Categories of Data Subjects

Any categories of individuals whose data the Subscriber extracts, transfers, and/or loads onto the Service, which may include but is not limited to:

  • Visitors to your business location who have been invited to use the customer-facing features of the Services; and
  • Your past, present and prospective clients and business relationship contacts.

Categories of data

The personal data concerns the following categories of data for the Data Subjects:

  • Data Subjects’ identification information (first and last name), contact information (which may include some or all of the Data Subject’s e-mail address, address, telephone number, fax number), and location; and
  • Any other personal data that You choose to include in Your instance of the Services for Data Subjects to enter, notably health data for which You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes.

The personal data transferred to Traction for Processing is determined and controlled by You in Your sole discretion. As such, Traction has no control over the volume and sensitivity of personal data Processed through the Services by You.

Special categories of data (if appropriate)

Traction does not intentionally collect or Process any special categories of data in the provision of the Services.

You agree not to provide special categories of data to Traction at any time, unless You have received the explicit consent from a Data Subject to the Processing of such Sensitive Data for the intended purposes.

Duration of Processing

The personal data will be Processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.

ANNEX B


TRACTION SECURITY MEASURES

Network Controls

  1. Traction will monitor the networks used for Processing personal data for issues including but not limited to throughput, memory usage, response time, system load and error events.
  2. Traction will adhere to change management standards when any alterations to networks are implemented.
  3. Traction will assess network vulnerabilities on an ongoing basis and address critical vulnerabilities within Traction’s control within a reasonable time.

Application Controls

  1. Traction will maintain documentation outlining the overall application infrastructure and Process flows of personal data.
  2. Traction will perform code reviews on any and all code contributed to the applications used in Processing personal information.
  3. Traction will follow secure coding best practices in the development life cycle of its software including employing separate environments for development, QA and production.
  4. Traction will assess application vulnerabilities on an ongoing basis and address critical vulnerabilities within a reasonable time.

Data Controls

  1. Traction will employ best practices when storing any data generated from the Processing of personal data. Notwithstanding the foregoing, should a customer choose to configure an integration with a third party that is not provided by, required by, or approved by Traction, unless such integration is necessary in order to use the Services, customer and not Traction is responsible for ensuring that such a third party employs data storage and Processing best practices.
  2. Traction will use strong encryption (TLS) for all data in transit.
  3. Traction will create encrypted backups of data on an ongoing basis in the event that a data restoration is necessary.
  4. Traction will ensure all Traction employees’ devices that have access to sensitive information are encrypted and monitored.
