Data privacy and security: Outside U.S.
Ozmo Support Platform Terms and Conditions
1. DEFINITIONS
Capitalized terms used in this Exhibit that are not defined within this Section have the meanings set forth in Section 1 of the Terms and Conditions:
“Authorized Persons” means Company’s employees, contractors, agents, and auditors who have a need to know or otherwise access Personal Information to enable Company to perform its obligations under this Agreement, and who are bound by confidentiality and other obligations sufficient to protect Personal Information in accordance with the terms and conditions of this Agreement.
“Data Subject” refers to the person identified in the Personal Information.
“Personal Information” shall
- have the same definition as provided in Article 4 of the EU General Data Protection Regulation 2016/679 (hereinafter referred to as the “GDPR”), or any applicable national implementing legislation in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of personal data or
- have the same meaning as provided for in The Personal Information Protection and Electronic Documents Act (“PIPEDA”) of Canada; or
- refer to information provided to Company by or at the direction of Customer, or to which access was provided to Company by or at the direction of Customer, in the course of Company’s performance under this Agreement that: (i) directly or indirectly identifies an individual (including, without limitation, names, images, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers); or (ii) can be used to authenticate an individual (including, without limitation, answers to security questions and other personal identifiers), in case of both subclauses (i) and (ii), including, without limitation, all Sensitive Personal Information.
“Processing” shall mean any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Security Breach” means (i) any act or omission that materially compromises either the security, confidentiality or integrity of Personal Information or the physical, technical, administrative or organizational safeguards put in place by Company that relate to the protection of the security, confidentiality or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of Company or a breach or alleged breach of these Terms and Conditions relating to such privacy and data security practices.
“Sensitive Personal Information” means any special or sensitive categories of Personal Information defined by applicable data privacy and security laws and regulations as requiring special care, additional protections, or limited processing. Sensitive Personal Information includes: (i) an individual’s government-issued identification number (including social security number, driver’s license number or state-issued identification number); (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; or (iii) biometric, genetic, health or health insurance data.
2. OBLIGATIONS OF THE CUSTOMER
The Customer warrants and undertakes that:
- The personal information has been collected, processed and transferred in accordance with the laws applicable to the Data Subject.
- When required by applicable data protection laws, it will ensure that it has obtained/will obtain all necessary consents and complies with all applicable requirements under data protection laws for the processing of Customer Personal Information.
- It has used reasonable efforts to determine that the Customer is able to satisfy its legal obligations under these Terms and Conditions.
- It will provide the Company, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the Customer is established.
- It will respond to enquiries from Data Subjects and the authority concerning processing of the personal information by the Company, unless the parties have agreed that the Company will so respond, in which case the Customer will still respond to the extent reasonably possible and with the information reasonably available to it if the Company is unwilling or unable to respond. Responses will be made within a reasonable time and within the timeframes provided by the applicable laws.
- It will make available, upon request, a copy of this Exhibit to those who are third party beneficiaries under Section 3, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the Customer shall inform Data Subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the Customer shall abide by a decision of the authority regarding access to the full text of the clauses by Data Subjects, as long as Data Subjects have agreed to respect the confidentiality of the confidential information removed. Customer shall also provide a copy of the clauses to the authority where required.
3. OBLIGATIONS OF THE COMPANY
The Company warrants and undertakes that:
- It will only Process Customer Personal Information in accordance with Customer’s written instructions and its privacy policy available at https://ozmo.com/company/privacy-policy/. The parties acknowledge that the Terms and Conditions, together with this Exhibit, shall be Customer’s complete and final instructions to Company in relation to the processing of Customer’s Personal Information. Any processing beyond the scope of the Terms and Conditions will require a prior written agreement between Customer and Company on additional instructions for processing.
- It will have in place appropriate technical and organizational measures to protect the Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- To the extent that the Processing of Customer Personal Information involves Personal Information from Data Subjects within the EEA, and given that such Personal Information will be exported to a country or territory outside of the EEA, such export shall be in accordance with and in compliance with those certain Standard Contractual Clauses approved by European Commission Decision (EU) 2021/914, and any subsequent version thereof, which are incorporated herein by reference.
- It will notify Customer of any subprocessors it may engage from time to time. Further, it will have in place procedures so that any third party it authorizes to have access to the personal information, including processors, will respect and maintain the confidentiality and security of the personal information. Any person acting under the authority of the Company, including a data processor, shall be obligated to process the personal information only on instructions from the Company. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data.
- It has no reason to believe, at the time of entering into these Terms and Conditions, there is in existence in any of the local laws provisions that would have a substantial adverse effect on the guarantees provided for under these Terms and Conditions, and it will inform the Customer (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
- It will identify to the Customer a contact point within its organization authorized to respond to enquiries concerning processing of the personal information, and will cooperate in good faith with the Customer and any authority concerning all such enquiries within a reasonable time.
- Upon reasonable request of the Customer, it will submit its data files and documentation needed for processing to reviewing, auditing and/or certifying by the Customer (or any independent or impartial inspection agents or auditors, selected mutually by the parties) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Company, which consent or approval the Company will attempt to obtain in a timely fashion.
- It will process the Personal Information, at its option, in accordance with the data protection laws of the country in which the Data Subject is established.
- It will not disclose or transfer the Personal Information to a third-party controller located outside of the United States unless it notifies the Customer about the transfer and the third party controller becomes a party to an agreement containing these provisions.
4. OVERSIGHT OF SECURITY COMPLIANCE; RISK ASSESSMENT
Company shall implement and maintain a risk assessment program that includes an at least annual assessment of the sufficiency of its existing safeguards in relation to its collection, storage and processing of Personal Information. Customer, upon written request, at most once per year, may obtain a copy of Company’s internal risk assessment, along with Company’s written confirmation of compliance with these Terms and Conditions, as well as all Applicable Law and industry standards. Company shall promptly and accurately respond to such a written request from Customer.
5. SECURITY BREACH PROCEDURES
- (a) Company shall:
  - (i) provide Customer with the name and contact information for an employee of Company who shall serve as Customer’s primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach;
  - (ii) notify Customer of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after Company becomes aware of it; and
  - (iii) notify Customer of any Security Breaches by telephone and with a copy by e-mail to Company’s primary business contact within Customer.
- (b) Immediately following Company’s notification to Customer of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. Company agrees to reasonably cooperate with Customer in Customer’s handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing Customer with physical access to the facilities and operations affected; (iii) facilitating interviews with Company’s employees and others involved in the matter; and (iv) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Customer.
- (c) Company shall use its best efforts to immediately remedy any Security Breach and prevent any further Security Breach at Company’s expense in accordance with applicable privacy rights, laws, regulations and standards.
- (d) Company reserves the right, in its sole discretion, to report criminal acts relating to the use and disclosure of Personal Information to applicable Government Authorities and shall notify Customer as soon as practicable that such reporting has occurred. With respect to instances in which Company is considering notifying Government Authorities concerning civil, but not criminal, acts, Company shall notify Customer in writing and consult with Customer prior to making any such notification. The parties shall immediately endeavor in good faith to reach agreement on the need and nature of such notification. If such agreement cannot be reached within seventy-two (72) hours after Company has provided Customer with written notice, Company shall have the right to inform Government Authorities solely to the extent required by applicable law.
- (e) Company agrees to reasonably cooperate with Customer in any litigation or other formal action deemed reasonably necessary by Customer to protect its rights relating to the use, disclosure, protection and maintenance of Personal Information.
6. LIABILITY AND THIRD-PARTY RIGHTS
The parties agree that a Data Subject who has suffered damage as a result of any violation of the provisions referred to in Section 3 is entitled to receive compensation from the parties for the damage suffered. The parties agree that they may be exempted from this liability only if they prove that neither of them is responsible for the violation of those provisions.
The Customer and Company agree that they will be jointly and severally liable for damage to the Data Subject resulting from any violation. In the event of such a violation, the Customer or Company or both will be liable.
7. RETURN OR DESTRUCTION OF PERSONAL INFORMATION
At any time during the term of the Agreement, at the Customer’s written request or upon the termination or expiration of this Agreement for any reason, Company shall, and shall instruct all Authorized Persons to, promptly return to the Customer all copies, whether in written, electronic or other form or media, of Personal Information in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to the Customer that such Personal Information has been returned to Customer or disposed of securely within 30 days of receiving the Customer’s request. Company shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Personal Information. If Company is not reasonably able to return or securely dispose of Personal Information, including, but not limited to, Personal Information stored on backup media, Company will continue to protect such Personal Information in accordance with these Terms and Conditions until such time that it can reasonably return or securely dispose of such Personal Information.