Data Processing Addendum
This Data Processing Addendum (the “Addendum”) forms part of the Agreement between Dataminr, Inc. (“Dataminr”) and Customer (as defined below). This Addendum incorporates the terms of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
1. Definitions. For the purposes of this Addendum, the following terms have the following meanings:
- “Customer Personal Data” means Personal Data that is Processed by Dataminr for the purpose of rendering Services to Customer as further described in Annex I.
- “Data Protection Laws” means any applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data, including EU/UK Data Protection Laws and US Data Protection Laws (in each case as amended, consolidated, re-enacted or replaced from time to time);
- “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the “UK GDPR”); and (iii) the EU e-Privacy Directive (Directive 2002/58/EC); in each case as may be amended or superseded from time to time;
- “Business,” “Controller”, “Data Subject”, “Process”, “Processed”, “Processing”, “Processor”, “Service Provider,” and “Supervisory Authority” shall each have the meaning ascribed to them under the applicable Data Protection Laws;
- “Third Countries” means all countries outside of the European Economic Area that have not been recognized by the European Commission (or the UK Secretary of State for transfers from the UK) as providing adequate protection for personal data;
- “SCCs” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the EU SCCs subject to completion of a UK Addendum to the EU Standard Contractual Clauses (“UK Addendum”) issued by the Information Commissioner’s Office under section 119A(1) of the Data Protection Act 2018; and
- “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer’s Personal Data transmitted, stored or otherwise Processed by Dataminr.
- “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, that is processed by Dataminr in its provision of the Services to Customer under the Agreement, and such terms shall have the same meaning as defined by applicable Data Protection Laws.
- “US Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in the United States relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”) and other, similar U.S. state laws.
2. Purpose. Dataminr will not access, use or otherwise Process Customer Personal Data, except as necessary to provide the Services to the Customer. Dataminr will follow written and documented instructions received from Customer with respect to Customer Personal Data, including this Addendum and the Agreement, unless in Dataminr’s reasonable opinion, such instructions (i) are legally prohibited, (ii) require material changes to Dataminr’s performance of the Services, (iii) result in a likely violation of Data Protection Laws, and/or (iv) are inconsistent with the terms of the Agreement or Dataminr’s documentation relating to the Services.
3. Scope of Processing. For purposes of this Addendum, Customer is the Controller or Business, as applicable, and Dataminr is Customer’s Processor or Service Provider, as applicable. Dataminr shall not: (i) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Dataminr; (ii) “sell” or “share” any Customer Personal Data, as such terms are defined in US Data Protection Laws, to any third party; (iii) attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data without Customer’s express written permission; or (iv) attempt to link, identify, or otherwise create a relationship between Customer Personal Data and non-Personal Data or any other data without the express written authorization of Customer. Dataminr will promptly notify Customer if Dataminr determines that (a) it can no longer meet its obligations under this Addendum; or (b) in Dataminr’s opinion, an instruction from Customer infringes applicable Data Protection Laws. Dataminr certifies that it understands and will comply with its obligations in this Addendum.
4. Customer’s Obligations. Customer shall, in its own use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws. Customer is solely responsible for ensuring that: (i) the Customer Personal Data is accurate, complete, and of sufficient quality for the purposes of the Services; (ii) Customer has complied with all applicable Data Protection Laws in collecting the Customer Personal Data; and (iii) Customer has done all things required by applicable Data Protection Laws (including providing Data Subjects with all required notices and obtaining any required consents) to provide the Customer Personal Data to Dataminr and for Dataminr to Process the Customer Personal Data for the purposes of providing the Services. Customer agrees that it will not provide to Dataminr, and Dataminr will not Process, any special categories of Personal Data in the performance of the Services.
5. Dataminr’s Obligations. To the extent Dataminr Processes Customer Personal Data on behalf of Customer, it shall:
- Process Customer Personal Data only in accordance with Section 2 of this Addendum;
- Ensure that its personnel authorized to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement the appropriate technical and organizational security measures appropriate to the security risk of Processing such data;
- Comply with any applicable restrictions under US Data Protection Laws on combining Customer Personal Data with personal data that Dataminr receives from, or on behalf of, another source, or that Dataminr collects from any interaction between it and any individual;
- Upon Customer’s request, provide Customer with reasonable cooperation and assistance, as set forth in Section 5, needed to fulfill Customer’s obligations to carry out a data protection impact assessment related to Customer’s use of the Services to the extent that Customer does not otherwise have access to the relevant information, and to the extent that such information is available to Dataminr and does not put Dataminr in breach of any of its own legal obligations or duties of confidentiality; and
- To the extent legally permitted, notify Customer if it receives a request from a Data Subject to exercise its rights under Data Protection Law, and provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Customer Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use of the Services.
6. Audit. Customer acknowledges that Dataminr is audited against SOC 2 Type II standards by independent third-party auditors, and that Dataminr certifies compliance with ISO 27001 and NIST 800-171 standards. Upon Customer’s written request, Dataminr will provide a summary copy of its then current SOC 2 Type II executive summary, ISO 27001 and ISO 27701 certifications, and NIST 800-171 certification (collectively, “Reports”) to Customer, which Reports shall be subject to the confidentiality provisions of the Agreement. Upon Customer’s written request, Dataminr shall also provide written responses (also on a confidential basis) to the Shared Assessments Standardized Information Gathering Questionnaire relating to Dataminr’s Processing of Customer Personal Data.
7. Deletion or Return of Data. Customer shall notify Dataminr at least thirty days before the end of the Agreement of its intent to have Customer Personal Data returned to Customer or deleted. Upon Customer’s request, Dataminr shall make Customer Personal Data available for download in a commonly accepted format or will delete the data; provided, however, that Dataminr may retain a copy to comply with its own legal obligations.
8. Security Breaches. Dataminr will, to the extent permitted by Data Protection Laws, notify Customer of any Security Breach without undue delay upon becoming aware of such Security Breach. Dataminr will include in the notice (i) to the extent possible at the time of the notice (a) the nature of the Security Breach (including the categories and number of individuals concerned and the categories and number of records involved), (b) the likely consequences of the Security Breach, and (c) any steps Dataminr has taken or proposes to take to address the Security Breach, and (ii) a point of contact at Dataminr who Customer may contact about the Security Breach. If it is not possible for Dataminr to provide any of the information required by this Section at the time of the notice, Dataminr will provide such information to Customer as soon as possible thereafter. Dataminr will take all reasonable steps to minimize any damage resulting from the Security Breach. The obligations herein shall not apply to incidents that are caused by Customer or as a result of Dataminr strictly conforming to Customer’s instructions provided pursuant to Section 2 of this Addendum.
9. International Transfers. Dataminr may transfer and otherwise Process or have transferred or otherwise Processed Customer Personal Data to Third Countries, including by any sub-processor or Dataminr Affiliate engaged in accordance with this Addendum, provided that such transfer is made in compliance with applicable Data Protection Laws, including, if applicable, by adoption of the SCCs or such other international transfer mechanism approved under Data Protection Laws. Where necessary, the parties shall assist one another in complying with the requirements of Data Protection Laws regarding international transfer, including where necessary, assisting one another to enter into such agreements, or documentation as may be required to ensure that the obligations of Data Protection Laws regarding international transfers are met. Notwithstanding anything to the contrary herein, Dataminr may make international transfers without the consent or prior knowledge of the Customer where Dataminr is compelled by law to make such international transfers and is prohibited, by law, from advising the Customer of the same.
9.1 For Customer Personal Data transferred to Third Countries, the EU SCCs will apply as follows:
- The terms of Module Two or Module Three shall apply as applicable;
- For purposes of Clause 9, Option 2 (General Written Authorization) shall be satisfied by Section 10 of this Addendum;
- The optional language of Clause 11 (Redress) shall not apply;
- For purposes of Clause 16(d) (Termination), data exporter acknowledges and agrees that such obligations shall be satisfied by compliance with the measures described in this Addendum;
- For purposes of Clause 17 (Governing Law), the parties agree that the EU SCCs shall be governed by Irish law;
- For purposes of Clause 18(b) (Choice of forum and jurisdiction), the parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Ireland; and
- For purposes of Clauses 8.9(c)-(d) (Documentation and compliance), data exporter acknowledges and agrees that such obligations shall be satisfied by instructing data importer to comply with the audit measures described in this Addendum.
9.2 For Customer Personal Data transferred from the United Kingdom to Third Countries, where Dataminr is permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a UK Addendum, then the EU SCCs (as set forth in Section 9.1 of this Addendum) shall apply to such transfers subject to the following additional modifications:
- The UK Addendum shall be deemed executed between Dataminr and Customer and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Customer Personal Data;
- References to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales”;
- For purposes of Clause 17 (Governing Law), the parties agree that the SCCs shall be governed by the laws of England and Wales; and
- For purposes of Clause 18(b) (Choice of forum and jurisdiction), the parties agree that the any dispute arising from the SCCs shall be resolved by the courts of England and Wales.
10. Sub-Processing. Customer provides general authorization for Dataminr to appoint sub-processors to Process Customer Personal Data in connection with the provision of Services, provided that Dataminr enters into a written agreement with each sub-processor containing data protections no less protective than those contained in this Addendum with respect to the protection of Customer Personal Data. Dataminr shall remain fully liable under the Data Protection Laws to Customer for the performance of its sub-processor’s obligations, subject to the terms of the Agreement between Dataminr and Customer. Sub-processors may include Dataminr Affiliates. A list of sub-processors currently engaged by Dataminr can be found at (“Sub-Processor List”). Prior to the addition of any new sub-processor, Dataminr shall provide notice to Customers who have signed up to receive updates via the mechanism indicated on the Sub-Processor List. Customer may object on legitimate grounds to the Processing of Customer Personal Data by a sub-processor. In the event that Customer objects to a sub-processor and such objection is not unreasonable, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Dataminr will make commercially reasonable efforts to provide Customer with the Services without using such sub-processor to Process Customer Personal Data provided, however, that Customer acknowledges that this may result in new or improved Services features not being available to Customer. If Dataminr is unable to resolve Customer’s objection, Dataminr may, in its sole discretion, notify Customer of its option to terminate the Agreement.
11. Cybersecurity. Dataminr represents and warrants that it has implemented and will maintain a written information security program that incorporates administrative, technical, and physical safeguards designed to ensure the security and confidentiality of Customer Personal Data. Such safeguards are commensurate with the type and amount of Customer Personal Data Processed by Dataminr. Such safeguards further include implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, including the measures set forth in Annex II.
12. General. The parties agree that this Addendum shall replace any existing data processing addendum, attachment, exhibit or standard contractual clauses that the parties may have previously entered into in connection with the Services. Notwithstanding anything to the contrary in the Agreement or this Addendum and to the maximum extent permitted by law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum (including all Annexes hereto), the SCCs or any data protection agreements in connection with the Agreement (if any), whether in contract, tort or under any other theory of liability, shall remain subject to the limitation of liability in the Master Services Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Master Services Agreement and this Addendum, including all Annexes hereto. Customer agrees that any regulatory penalties incurred by Dataminr that arise in connection with Customer’s failure to comply with its obligations under this Addendum or any laws or regulations including Applicable Data Protection Laws shall reduce Dataminr’s liability under the Agreement as if such penalties were liabilities to Customer under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws. The parties agree that this Addendum may be amended only by written agreement between the parties. The parties agree to negotiate amendments to this Addendum in good faith to address changes in Data Protection Law.
ANNEX I
A. LIST OF PARTIES
Data exporter
Name: |
As listed on Order Form |
Address: |
As listed on Order Form |
Contact person’s name, position and contact details: |
As listed on Order Form |
Activities relevant to the data transferred under these Clauses: |
Processing to carry out the Services pursuant to the Agreement entered into between Dataminr and Customer |
Signature and date: |
This Annex I shall automatically be deemed executed when the Addendum is executed |
Role (controller/processor): |
Controller |
Data importer
Name: |
Dataminr, Inc. |
Address: |
6 E 32nd St 6th floor, New York, NY, 10016 |
Contact person’s name, position and contact details: |
|
Activities relevant to the data transferred under these Clauses: |
Processing to carry out the Services pursuant to the Agreement entered into between Dataminr and Customer |
Signature and date: |
This Annex 1 shall automatically be deemed executed when the Addendum is executed |
Role (controller/processor): |
Processor |
DPO (if applicable) name and contact details: |
Mason Hayes & Curran LLP |
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose personal data is transferred |
Individuals about whom Personal Data is provided to Dataminr through the Services by (or at the direction of) Customer or Customer’s Authorized Users, which may include without limitation Customer’s personnel |
Categories of personal data transferred
|
Depending on Customer’s use of the Services, Personal Data provided to Dataminr through the Services by (or at the direction of) Customer or Customer’s Authorized Users, including but not limited to name, business email, telephone number, IP addresses, usage data, location data |
Sensitive data transferred (if applicable) |
None |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis) |
Continuous |
Nature of the processing |
Provision of the Services to the Customer |
Purpose(s) of the data transfer and further processing |
For the provision of the Services to the Customer |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
|
Dataminr retains Customer Personal Data for as long as the Customer has an open account with Dataminr or as otherwise necessary to provide the Customer with the Services or to fulfill the purposes outlined in the Dataminr Privacy Policy. In some instances, Dataminr retains Customer Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation |
For transfers to sub-processors, also specify subject matter, nature and duration of the processing
|
A list of sub-processors currently engaged by Dataminr can be found at /legal/sub-processors The processing shall take place for the duration of the Agreement. In some instances, Dataminr retains Customer Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent Supervisory Authority/ies in accordance with Clause 13 of the Standard Contractual Clauses |
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR |
ANNEX II
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
I. Organizational Security Measures
1. Security Program. Dataminr has implemented, and will consistently update and maintain, a written and comprehensive information security program based on ISO/IEC 27001:2013 and ISO/IEC 27701:2019, as well as policies and procedures designed to detect, prevent, and mitigate the risk of data security incidents (“Security Program”). Specifically, the Security Program includes, at a minimum:
- a privacy and security risk management program, including (i) execution of a privacy and security risk assessment in collaboration with stakeholders across the organization at least annually or upon significant changes to the organization, the results of which are communicated to Dataminr top management, (ii) continuous maintenance of a privacy and security risk register, including risk treatment plans, and (iii) consideration of risks related to fraud and insider threat;
- a business continuity plan that addresses ongoing access, maintenance and storage of Customer Personal Data as well as security needs for maintaining critical business operations in the event of a disaster, which shall be tested at least annually;
- a privacy and security incident response program, including policies and procedures for reporting incidents and implementing appropriate measures to address them, which shall be tested at least annually;
- a compliance program including independent assessments conducted by qualified third parties, as set forth below;
- human resources security measures including, but not limited to, background checks, secure onboarding and offboarding of personnel, and privacy and security awareness training;
- established industry standard security and privacy requirements for telecommuting and remote access to Dataminr systems;
- rules for the acceptable use of Dataminr information assets by Dataminr personnel;
- maintenance and enforcement of data classification based on sensitivity level; and
- defined roles and responsibilities for Dataminr personnel contributing to the Security Program;
- segregation of duties to reduce opportunities for Dataminr personnel to intentionally or unintentionally modify or misuse Dataminr information assets.
2. Customer Personal Data Protection. Dataminr has implemented and will consistently update and maintain comprehensive practices for the protection of Customer Personal Data. Such practices include, at a minimum:
- limiting the processing of personal data to that which is necessary to provide the Services;
- a process for handling data subject requests, including portability and erasure requests;
- secure data deletion practices in accordance with industry standards;
- controls designed to prevent of unauthorized disclosure, alteration, or destruction of Customer Personal Data;
- networks segmentation designed to prevent unauthorized access to Customer Personal Data;
- prohibition on the use of Customer Personal Data outside of the production environment; and
- pseudonymization techniques to protect user level Customer Personal Data.
II. Physical and Environmental Security Measures
Dataminr engages Amazon Web Services (AWS) to provide third-party hosting services for its Customer platform. Dataminr shall periodically evaluate the AWS physical and environmental security measures for any facility used to process Customer Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats. Physical and environmental security measures at data centers are detailed at https://aws.amazon.com/compliance/data-center/.
III. Technical Security Measures
- Overview. Dataminr shall maintain technical security measures, including tooling and processes aligned with industry standards and best practices.
- Vulnerability scanning. Dataminr shall perform vulnerability scanning and security assessments on critical applications and infrastructure on a regular basis. Identified vulnerabilities and findings will be mitigated in accordance with an established remediation schedule.
- Penetration Testing. Dataminr shall engage qualified third parties to perform annual penetration testing, an executive summary of which will be shared upon request.
- Encryption. Dataminr will encrypt all Customer Personal Data in its possession, custody, or control while at rest and in transit. Industry-standard secure encryption algorithms will be used. Dataminr pseudonymizes Customer-provided personal data, where feasible.
- Access Controls. Dataminr shall maintain role based access controls based on legitimate business need, following the principle of least privilege. A Virtual Private Network connection with Multi-Factor Authentication is required to access the production environment.
- Network Security Controls. Dataminr employs industry standard network security controls including, but not limited to firewalls/security groups, web application firewall, intrusion prevention systems, and Distributed Denial of Services (DDoS) protection.
- Logging and Monitoring. Dataminr logs and monitors actions across its platform and utilizes an intrusion detection system to generate alerts and dashboarding of anomalous activity. Such activity is triaged and handled by qualified security personnel. Events are escalated as appropriate and handled according to the Dataminr Security Incident Response Plan.
- Endpoint Detection and Response. Dataminr utilizes endpoint detection and response software that identifies malicious code on systems that collect, use, disclose, store, or retain Customer Personal Data. Notifications generated by Dataminr’s endpoint detection and response software will be monitored by qualified security personnel and escalated as appropriate.
- Software Development Life Cycle (SDLC). Dataminr maintains secure code development practices while making changes to software and infrastructure components. Dataminr’s SDLC includes requirements for documentation, testing, review, and approvals of changes. Code changes pass through a continuous integration/continuous deployment pipeline, ensuring only code that has been adequately tested is promoted to production. Dataminr maintains separate development, testing, and production environments.
- Mobile Device Management (MDM). Dataminr utilizes MDM software to ensure consistent security configurations of mobile devices such as employee laptops across its IT environment. Dataminr’s MDM enforces full disk encryption of laptops and offers the ability to remotely wipe devices in case the device has been lost or stolen.
- Asset Inventory. Dataminr maintains a current inventory of physical and electronic assets that are used for processing Customer Personal Data.
- Key Management. Dataminr maintains policies and procedures around proper handling of encryption keys and utilizes Amazon’s Key Management Service (KMS) to generate and control access to keys used for encrypting Customer Personal Data.
- Hardening. Dataminr maintains hardening standards based on CIS benchmarks to ensure that images and containers are configured in accordance with industry standards and internal requirements. Dataminr deploys customized Amazon Machine Images (AMIs) in its environment, which are frequently updated and/or replaced in order to ensure identified vulnerabilities are remediated.
- Availability. Dataminr leverages AWS’s native redundancy measures to ensure availability of its services. Dataminr stores and back-ups its critical services as code.
- Security Certifications and Attestations. Dataminr engages independent, external auditors to deliver industry standard privacy and security certifications. Dataminr maintains the following certifications: SOC 2 Type II, ISO 27001, ISO 27701, NIST 800-171, and UK Cyber Essentials Plus. Dataminr shall obtain and maintain these certifications, or similar independent certifications and audit reports, annually. Dataminr’s latest attestation reports and certifications will be made available by request. For the avoidance of doubt, such reports and certifications shall be considered Dataminr Confidential Information.