This Data Processing Addendum (“DPA”), including the selected modules of the Standard Contractual Clauses and the attached Annexes, supplements the vSignify Subscription Agreement (https://www.vSignify.com/terms) or any other written agreement between CloudHew Solutions LLC (d/b/a vSignify) and the Customer, including all Orders entered into by the parties.

The vSignify Subscription Agreement, together with all Orders, is collectively referred to as the “Agreement.” This DPA governs the processing of Personal Data by vSignify as part of the services provided under the Agreement (the “Services”) and ensures compliance with Applicable Data Protection Laws. It applies solely to the extent that the Customer uses vSignify’s Services to process Personal Data that is subject to such laws. Both parties agree to comply with the obligations set forth in this DPA to the fullest extent required by law.

  1. Definitions

The terms listed below shall have the meanings assigned herein. Capitalized terms not defined in this DPA shall have the meanings ascribed to them in the Agreement.

1.1 Applicable Data Protection Law

“Applicable Data Protection Law” means all international, federal, national, and state laws, regulations, and binding guidance governing privacy, data protection, and the processing of Personal Data applicable to the respective parties. This includes, without limitation:

  • European Data Protection Law
  • U.S. Data Protection Law
  • Any future laws, amendments, or regulations related to privacy or data security applicable to the parties.

1.2 CCPA/CPRA

“CCPA” means the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA), and its implementing regulations, as updated from time to time.

1.3 Controller

“Controller” means the entity that determines the purposes and means of the processing of Personal Data, as defined under Applicable Data Protection Law.

1.4 Customer

“Customer” refers to the legal entity that has executed an Order with vSignify for the purchase and use of the Services as governed by the Agreement.

1.5 Data Subject

“Data Subject” means any identified or identifiable natural person whose Personal Data is processed pursuant to this DPA.

1.6 European Data Protection Law

“European Data Protection Law” includes:
(i) Before May 25, 2018: The EU Data Protection Directive 95/46/EC, and any national implementations thereof;
(ii) From May 25, 2018: The General Data Protection Regulation (EU GDPR) (Regulation (EU) 2016/679);
(iii) The UK GDPR and Data Protection Act 2018, as retained in UK law through the European Union (Withdrawal) Act 2018;
(iv) Directive 2002/58/EC (the “E-Privacy Directive”) and any related national legislation; and
(v) The Swiss Federal Data Protection Act (Swiss DPA).

1.7 Personal Data

“Personal Data” shall have the meaning assigned to it under Applicable Data Protection Law and generally refers to any information relating to an identified or identifiable natural person. Identifiable information includes, but is not limited to, names, identification numbers, online identifiers, location data, or any attribute unique to the physical, genetic, mental, economic, cultural, or social identity of a person.

1.8 Processor

“Processor” means the entity that processes Personal Data on behalf of the Controller, including, where applicable, any service provider under the CCPA/CPRA.

1.9 Security Incident

“Security Incident” refers to a confirmed breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by vSignify or its Sub-Processors. Security Incidents do not include unsuccessful attempts or activities that do not compromise data integrity, such as failed login attempts, network scans, or denial-of-service attacks that are detected and neutralized.

1.10 Standard Contractual Clauses

“Standard Contractual Clauses” refers to:
(i) For EU GDPR: The Standard Contractual Clauses annexed to the European Commission’s Implementing Decision 2021/914 of June 4, 2021 (“EU SCCs”);
(ii) For UK GDPR: Standard data protection clauses adopted under Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”); and
(iii) For Swiss DPA: The relevant data protection clauses approved or issued by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCCs”).

1.11 Sub-Processor

“Sub-Processor” means any third-party service provider engaged by the Processor to process Personal Data on behalf of and under the instructions of the Controller as part of the Services. Sub-Processors do not include employees, consultants, or contractors of vSignify performing functions similar to those performed by employees.

1.12 U.S. Data Protection Law

“U.S. Data Protection Law” refers to applicable federal and state data privacy laws governing the processing of Personal Data in the United States, including but not limited to:
(i) The CCPA/CPRA;
(ii) The Virginia Consumer Data Protection Act (VCDPA);
(iii) The Colorado Privacy Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and Utah Consumer Privacy Act (once effective); and
(iv) Any rules, regulations, or amendments implementing these laws.

 

  2. General Data Processing Requirements

2.1 Relationship of the Parties

For the purposes of this DPA and as defined by Applicable Data Protection Law:

  • Customer acts as the Controller under EU Data Protection Law and the Virginia Consumer Data Protection Act (VCDPA), and as a “business” under the CCPA.
  • vSignify acts as a Processor under EU Data Protection Law and VCDPA, and as a “service provider” under the CCPA for Personal Data included in Customer Content (“Data”). vSignify processes such Data solely on behalf of the Customer, following the Customer’s instructions and this DPA.

2.2 Responsibilities of the Parties

  • vSignify shall not sell Personal Data as defined by the CCPA and shall not transfer or disclose Personal Data in a manner that would constitute “selling” under the CCPA.
  • Customer shall comply with all applicable privacy obligations, including:
    1. Providing proper notice to Data Subjects and obtaining valid consent, where required.
    2. Ensuring that the use of the Service does not infringe upon the rights of:
      • Data Subjects who have opted out of the sale of Personal Data, as defined by the CCPA.
      • Data Subjects who have not opted into the processing of sensitive Personal Data, as defined under the VCDPA.
  • Customer, acting as a Controller or a “business” under the CCPA, is responsible for:
    i. The accuracy, quality, and legality of the Data provided.
    ii. Ensuring Data is acquired lawfully.
    iii. Providing lawful processing instructions to vSignify that comply with Applicable Data Protection Law.
    iv. Delivering all legally required notices to Data Subjects and obtaining consents necessary for processing.
    v. Ensuring that processing instructions do not breach any Applicable Data Protection Laws.
    vi. Ensuring Data is provided to vSignify for a valid “Business Purpose” under the CCPA.
  • Customer shall not provide any Data that violates the Agreement or is inappropriate for the nature of the Services offered.

2.3 Processing Instructions; Purpose Limitation

2.3.1 Data Processing by vSignify as a Processor

vSignify will process Data only on documented instructions from the Customer, including those outlined in the Agreement or given in writing, and for the following purposes:

  • Service Delivery: As necessary to provide and perform the Services under the Agreement.
  • Execution of the Agreement: For steps required to carry out the Agreement.
  • Authorized User Actions: Any processing initiated by an Authorized User through their use of the Services.
  • Other Lawful Instructions: To comply with other reasonable, lawful instructions from the Customer (e.g., through email, phone, support tickets, or other communication channels).

Customer’s instructions must comply with Applicable Data Protection Law. Annex A of this DPA provides further details regarding the scope and nature of the processing.

2.3.2 Independent Processing by vSignify as a Controller

vSignify may process Personal Data as an independent Controller, solely when such processing is:

  • Necessary, proportionate, and aligned with legitimate business purposes, and
  • Limited to the following specific purposes:
    1. Billing, customer relationship management, support services, and marketing communications.
    2. Legal obligations: Compliance with tax regulations, dispute resolution, and other legal duties.
    3. Security monitoring: Protecting the confidentiality, integrity, and availability of the Services.
    4. Internal reporting: Financial reporting, revenue planning, and forecasting.
    5. Product development: Collecting feedback from customers to enhance and develop services.
    6. Other agreed purposes as specified in the Agreement or other terms between vSignify and Customer.

2.4 Confidentiality of Processing

vSignify shall ensure that any person authorized to process Data, including staff, agents, and subcontractors, is subject to a duty of confidentiality (whether contractual or statutory). No individual shall be permitted to process Data unless they are subject to such a confidentiality obligation.

2.5 Security Standards

vSignify shall implement and maintain appropriate technical and organizational measures to ensure the security of Data, protecting it against:

  • Accidental or unlawful destruction.
  • Loss, alteration, unauthorized disclosure, or access.

At a minimum, vSignify will adhere to the security standards outlined in Annex B (“Security Measures”). These measures shall include appropriate encryption, access controls, monitoring mechanisms, and incident response procedures to safeguard Data throughout its lifecycle.

  3. Sub-Processors and Subcontracting

3.1. Authorization for the Engagement of Sub-Processors

Subject to the terms and conditions set forth in this Data Processing Addendum (the “DPA”), the Customer hereby provides general authorization to vSignify to utilize and disclose Data to Sub-Processors engaged in the performance of Services and related processing activities. The Customer expressly consents to the use of Sub-Processors as outlined in vSignify Sub-Processors. vSignify shall retain full liability for any breaches of its obligations under this DPA arising from the acts, errors, or omissions of its Sub-Processors, thereby ensuring the protection of the Customer’s rights and interests.

3.2. Conditions Governing the Engagement of Sub-Processors

vSignify shall not engage any third-party Sub-Processor for the processing of Data unless the following conditions are met:

(i) Data Protection Agreement Requirements:

  • Each Sub-Processor is bound by a written agreement with vSignify that includes data protection terms that are at least as stringent as those contained in this DPA, commensurate with the nature of the services provided by such Sub-Processor.
  • If the California Consumer Privacy Act (“CCPA”) is applicable, each agreement with a Sub-Processor must:
    1. Designate the Sub-Processor as a “service provider” or “contractor” as defined under the CCPA.
    2. Include explicit prohibitions against the sale of Customer Data or any use of Customer Data that is not expressly authorized by the CCPA.

(ii) Prior Notification and Transparency Regarding Sub-Processors:

  • vSignify shall provide the Customer with prior written notice (via email or in-product notification) regarding the engagement of any new Sub-Processor. This notification shall include comprehensive details about the specific processing activities to be conducted by the Sub-Processor, including the geographic location of such processing.
  • In instances where an urgent situation arises that affects the availability or security of the Services, vSignify shall not be required to furnish prior notice; however, vSignify shall notify the Customer within seven (7) business days following the engagement of the new Sub-Processor.

3.3. Customer’s Right to Object to Sub-Processors

  • The Customer shall have the right to object to the engagement of a new Sub-Processor within ten (10) business days of receiving notice from vSignify. Any objections must be submitted to legal@vSignify.com (with a copy to support@vSignify.com) and must clearly articulate the reasonable grounds for such objections.
  • Should the Customer raise valid objections against vSignify’s engagement of a third-party Sub-Processor based on reasonable grounds pertaining to data protection, and vSignify is unable to satisfactorily address these concerns (for example, by providing a reasonable modification to the Customer’s configuration or use of the Services to avoid Data processing by the objected-to Sub-Processor without unreasonably burdening the Customer), then vSignify shall refrain from engaging the disputed Sub-Processor. In such a case, the Customer may elect to suspend or terminate its subscription to the impacted Service without incurring any penalties.
  • If the Customer does not raise any objections regarding a Sub-Processor within thirty (30) days of receiving vSignify’s notification, the Customer shall be deemed to have accepted the engagement of the Sub-Processor, and vSignify shall not be liable for any processing conducted by the Sub-Processor thereafter.

  4. International Transfers of Data

4.1. Authorization for Cross-Border Transfers

In the course of performing the Services as specified in the Agreement, vSignify may transfer Personal Data to jurisdictions outside the country of origin, including, but not limited to, the United States. The Customer hereby authorizes such cross-border transfers of Personal Data and affirms that it shall comply with all obligations under Applicable Data Protection Law concerning such transfers. vSignify shall ensure that all international transfers of Personal Data are conducted in strict compliance with Applicable Data Protection Law and this DPA.

4.2. Compliance with Applicable Data Protection Laws

For any cross-border Personal Data transfers governed by Applicable Data Protection Law, the parties agree to adhere to the following:

(i) General Data Protection Regulation (GDPR):

  • The Standard Contractual Clauses (the “EU SCCs”) applicable at the time of this DPA, including the current modules and terms published by the European Commission, shall govern such transfers and can be accessed at: EU Standard Contractual Clauses.

(ii) UK General Data Protection Regulation (UK GDPR):

  • The UK Standard Contractual Clauses (the “UK SCCs”) shall apply for any transfers governed by UK GDPR.

(iii) Swiss General Data Protection Regulation (Swiss GDPR):

  • The Swiss Standard Contractual Clauses (the “Swiss SCCs”) shall apply for any transfers governed by Swiss GDPR.

4.3. Specific Terms Related to Data Processing

4.3.1. Data Processed Under Section 2.3.1:

  • The following terms shall apply:
    • Module Two of the EU SCCs will govern.
    • Clause 7: The optional docking clause shall apply.
    • Clause 9: Option 2 shall apply.
    • Clause 11: The optional language shall not apply.
    • Clause 17: The Standard Contractual Clauses shall be governed by Irish law.
    • Clause 18(b): Disputes shall be adjudicated in the courts of Ireland.
    • Annex 1 shall be populated with the information contained in Annex A (Details of Processing) of this DPA.
    • Annex 2 (Security Measures) shall be populated with the information contained in Annex B of this DPA.
    • Annex 3 (Sub-Processors) shall be populated with the information in Section 3 of this DPA.

4.3.2. Data Processed Under Section 2.3.2:

  • The following terms shall apply:
    • Module One of the EU SCCs will govern.
    • Clause 7: The optional docking clause shall apply.
    • Clause 11: The optional language shall not apply.
    • Clause 17: The Standard Contractual Clauses shall be governed by Irish law.
    • Clause 18(b): Disputes shall be adjudicated in the courts of Ireland.
    • Annex 1 shall be populated with the information contained in Annex A (Details of Processing) of this DPA.
    • Annex 2 (Security Measures) shall be populated with the information contained in Annex B of this DPA.

4.4. Provisions Related to UK GDPR

For Personal Data subject to UK GDPR, the following provisions shall apply:

  • The UK SCCs shall govern the transfer of such Personal Data.
  • The EU SCCs shall also apply to transfers, with Tables 1 to 3 of the UK SCCs populated with the relevant information derived from the EU SCCs, including the selection of the option “neither party” in Table 4. The effective date for the UK SCCs in Table 1 shall be the date of this DPA.

4.5. Provisions Related to Swiss GDPR

For Personal Data subject to Swiss GDPR, the following provisions shall apply:

  • The EU SCCs shall also govern such transfers, interpreting any references to “Directive 95/46/EC” or “Regulation (EU) 2016/679” as references to the Swiss SCCs.
  • References to “EU,” “Union,” “Member State,” and “Member State Law” shall be understood as references to “Switzerland” and “Swiss law,” respectively.
  • References to the “competent supervisory authority” and “competent courts” shall be interpreted as referring to the Federal Data Protection and Information Commissioner (FDPIC) and the relevant courts in Switzerland, unless such interpretation makes the EU SCCs inapplicable, in which case the Swiss SCCs shall be incorporated by reference and shall apply to the relevant transfers. The pertinent Annexes of the Swiss SCCs shall be populated using the information contained in Annex A and Annex B of this DPA.

4.6. Alternative Data Transfer Mechanisms

In the event vSignify adopts an alternative data export mechanism (including any updates to or successors of the Standard Contractual Clauses that comply with Applicable Data Protection Laws), such Alternative Transfer Mechanism shall automatically supersede the transfer mechanisms described in this DPA, provided that such mechanism adheres to Applicable Data Protection Laws applicable to the European Economic Area and encompasses the jurisdictions to which the Customer’s Personal Data is transferred.

  1. Cooperation and Individuals’ Rights

4.1. Assistance with Rights of Individuals
In consideration of the nature of the processing activities and the information at its disposal, vSignify shall furnish reasonable and prompt assistance to enable the Customer to effectively respond to:
(i) any request from an individual exercising rights conferred by Applicable Data Protection Law, including but not limited to rights of access, rectification, objection, erasure, and data portability, as applicable; and
(ii) any correspondence, inquiry, or complaint received from a supervisory authority, Data Subject, or any other third party in relation to the processing of the Customer’s Data.

4.2. Notification of Direct Communications
In the event that any such communications are directed to vSignify, vSignify shall, without undue delay, and in all instances within forty-eight (48) hours of receipt of such communication, provide the Customer with comprehensive details thereof. vSignify shall refrain from responding to such communications unless explicitly mandated by law or expressly authorized by the Customer.

  1. Data Protection Impact Assessment

5.1. Support in Assessments and Consultations
Taking into account the nature of the processing activities and the information available to vSignify, vSignify shall provide reasonable and timely assistance to the Customer with respect to any data protection impact assessments that may be required. This assistance shall extend to facilitating consultations with relevant data protection authorities where deemed necessary under Applicable Data Protection Law.

  1. Security Incident Response

6.1. Notification of Security Incidents
Upon becoming aware of a Security Incident that impacts the Data, vSignify shall:
(i) promptly notify the Customer without undue delay, and in any event no later than the earlier of:
(A) seventy-two (72) hours following confirmation of the Security Incident, or
(B) the notification timelines mandated by Applicable Data Protection Law; and
(ii) provide sufficient information and cooperation to enable the Customer to fulfill its obligations concerning data breach reporting in accordance with Applicable Data Protection Law, including adherence to the requisite timelines.

6.2. Mitigation and Response Measures
vSignify shall undertake all necessary measures and actions to contain, investigate, remedy, and mitigate the effects of the Security Incident. vSignify shall keep the Customer informed of all material developments relating to the Security Incident throughout its resolution.

6.3. Third-Party Notifications
vSignify shall not disclose any details regarding a Security Incident affecting Data to any third party, except to the extent that:
(a) such notification has been explicitly authorized by the Customer; or
(b) such notification is mandated by Applicable Data Protection Laws.

6.4. Customer’s Responsibilities
The Customer acknowledges its responsibility for the secure utilization of the Services, which encompasses, but is not limited to, safeguarding account authentication credentials and ensuring the security of Data transmitted through systems that the Customer administers and maintains, including but not limited to the use of email encryption.

  8. Deletion or Return of Data

8.1. Obligation to Delete or Return Data
Upon the termination or expiration of the Agreement, or upon the Customer’s written request, vSignify shall, at the Customer’s election and in accordance with the provisions of the Security Measures and the Agreement, delete or return all Data in its possession or control, including any and all copies thereof.

8.2. Retention of Data
This obligation shall not extend to any Data that vSignify is required to retain under Applicable Data Protection Laws. In such instances, vSignify shall isolate and safeguard the Data from any further processing, except as mandated by such laws.

  9. Audit Rights and Reports

9.1. Annual Third-Party Audit
vSignify shall engage an independent third party to conduct an annual audit in accordance with the SOC 2 Type II framework (or any equivalent or successor attestations or certifications). The outcome of such audits shall result in the issuance of a summary report, which vSignify shall make available to the Customer upon request. Additionally, vSignify will provide any other pertinent information regarding its information security and privacy practices as may be reasonably requested by the Customer (collectively referred to as “Reports”). All Reports shall be deemed vSignify’s Confidential Information.

9.2. Audit Rights
To the extent required for compliance with Applicable Data Protection Law, and provided that the Reports do not fulfill such compliance obligations, the Customer may conduct an audit of vSignify’s adherence to this Data Processing Agreement (DPA). This audit may be conducted by an independent third-party auditor engaged by the Customer. In the event of such an audit, vSignify shall make available all information, systems, and personnel reasonably necessary to facilitate the audit. The Customer shall not exercise its audit rights more than once per calendar year, except in instances following a Security Incident or upon directive from a regulatory authority or public body. The Customer shall provide vSignify with at least forty-five (45) days’ prior written notice of its intent to conduct an audit under this DPA, shall perform the audit during vSignify’s normal business hours, and shall take all reasonable precautions to minimize disruption to vSignify’s operations while ensuring the protection of the data (including Personal Data) belonging to vSignify’s employees, contractors, suppliers, or other users or customers. The date, scope, duration, and security and confidentiality measures applicable to the audit shall be mutually agreed upon by both the Customer and vSignify prior to the audit. The Customer acknowledges that its rights to audit a Sub-Processor’s compliance with this DPA shall be subject to the auditing provisions set forth in the data processing agreements between vSignify and such Sub-Processor. The Customer may be required to enter into a non-disclosure agreement and accept other related terms directly with the Sub-Processor to gain access to the Sub-Processor’s reports and policies.

9.3. Cost of Audits
The Customer shall reimburse vSignify for all reasonable costs and expenses incurred in connection with any audit conducted by the Customer under this DPA, except that vSignify shall provide the Reports at no charge to the Customer. The Customer agrees that its audit rights outlined in the Standard Contractual Clauses and any other Applicable Data Protection Law shall be subject to, and conducted in accordance with, the provisions set forth in this Section 9.

  10. Compliance with Applicable Laws

10.1. General Compliance Obligations
vSignify shall process Data in accordance with this Data Processing Agreement (DPA) and the Applicable Data Protection Laws that govern its role under this DPA. It is expressly acknowledged that vSignify bears no responsibility for compliance with any Applicable Data Protection Laws that may uniquely apply to the Customer due to its specific business operations or industry practices. vSignify shall promptly notify the Customer if it becomes aware that the Customer’s processing instructions are in violation of any Applicable Data Protection Laws.

10.2. Compliance with the California Consumer Privacy Act (CCPA)
In relation to the CCPA, except where Section 2.3.2 is applicable, vSignify shall:
(i) adhere to the obligations imposed by the sections of the CCPA that pertain to “service providers” as defined therein;
(ii) process Data solely for the purpose of providing the Services to the Customer, in alignment with Section 1798.140(e)(5) of the CCPA; and
(iii) refrain from selling Data or retaining, using, or disclosing Data for any purposes other than those necessary to perform the Services, or as otherwise permitted under this Agreement or this DPA.

10.3. Compliance with the Virginia Consumer Data Protection Act (VCDPA)
In relation to the VCDPA, vSignify shall:
(i) comply with the sections of the VCDPA applicable to “processors” as defined therein; and
(ii) process Data solely for the provision of the Services to the Customer.

10.4. Business and Controller Responsibilities
To the extent that Section 2.3.2 is applicable, vSignify shall comply with the sections of the CCPA that pertain to a “business” and with the sections of the VCDPA that pertain to a “Controller.”

  11. Indemnification for Third-Party Claims

Subject to the terms and conditions set forth in the Agreement (including the procedure for tendering indemnity claims) and the relevant provisions of this DPA, vSignify agrees to defend, indemnify, and hold harmless the Customer from and against any and all third-party claims (“Third Party Claims”) arising from vSignify’s breach of its obligations under this DPA. This indemnification shall extend to cover all reasonable costs and damages incurred by the Customer, as awarded by a court of competent jurisdiction or agreed upon in a settlement, as a direct result of such Third Party Claims.

  12. Costs Allocation and Liability

12.1. Responsibility for Incident-Related Costs
Each party shall bear its own costs associated with the investigation, remediation, and mitigation of a Security Incident, to the extent that such Security Incident is caused by the negligent acts or omissions of that party.

12.2. Liability for Regulatory Costs
Each party shall also bear the costs of any fines, penalties, damages, or other amounts levied by an authorized regulatory body, governmental agency, or court of competent jurisdiction, in relation to any breach of this DPA attributable to that party.

12.3. Limitation of Liability
To the fullest extent permitted by Applicable Data Protection Law and any other relevant laws or regulations, the liability of each party under this DPA shall be limited to actual and proven damages incurred, and shall not exceed an amount equal to three (3) times the total fees paid by the Customer to vSignify for the Services rendered under the Agreement during the twelve (12) months immediately preceding the event giving rise to the claim.

  13. Miscellaneous Provisions

13.1. Commencement and Duration of Obligations
The obligations imposed upon vSignify under this DPA shall commence when vSignify or its Sub-Processors initiate the processing of Data on behalf of the Customer in connection with the Services. These obligations shall remain in effect for as long as vSignify or its Sub-Processors process Data on behalf of the Customer. Any claims arising against vSignify or its Affiliates under this DPA may only be initiated by the Customer entity that is a contracting party to the Agreement. Notwithstanding anything to the contrary, this DPA shall not restrict or limit the rights of any Data Subject or the authority of any competent supervisory authority under Applicable Data Protection Laws.

13.2. Continuity of the Agreement
Except as explicitly modified by this DPA, the provisions of the Agreement shall continue to govern the provision and use of the Services, remaining in full force and effect, including, without limitation, the liability limitations set forth therein. In the event of a direct conflict between any provision in this DPA and any provision in the Agreement, the terms of this DPA shall prevail solely to the extent necessary to resolve that conflict.

13.3. No Third-Party Beneficiary Rights
Except as may be required by the Standard Contractual Clauses, this DPA does not confer any rights or benefits upon any third parties. It is intended solely for the benefit of the parties hereto, along with their respective permitted successors and assigns, and is not intended for the benefit of, nor may any provision hereof be enforced by, any other person or entity.

13.4. Dispute Resolution
Except as may be required by the Standard Contractual Clauses, the dispute resolution mechanisms, including those related to venue and jurisdiction, as set forth in the Agreement, shall govern any disputes arising out of or relating to this DPA.

 

Annex A: Details of Processing of Personal Data

This Annex A outlines specific details of the processing of Personal Data as mandated by the Standard Contractual Clauses and Article 28(3) of the GDPR. The parties acknowledge that this Annex is an integral part of the Standard Contractual Clauses.

  1. List of Parties
    Data Exporter(s): Customer
    Role: Controller or Processor (when processing on behalf of a Customer Affiliate)
    Contact Information: As specified in the Agreement

    Data Importer(s): CloudHew Solutions LLC (d/b/a vSignify)
    Role: Processor for purposes of Section 2.3.1 and Controller for purposes of Section 2.3.2
    Contact Information: As specified in the Agreement

  1. Description of Transfer
  1. Subject Matter and Duration of Processing
    The subject matter and duration of the processing of Customer’s Data are delineated in the vSignify Subscription Agreement, the applicable Order, and this Data Processing Agreement (DPA).
  2. Nature and Purpose of Processing
    The nature and purpose of processing Customer’s Data encompass the provision of services as stipulated in the vSignify Subscription Agreement, the applicable Order, and this DPA.
  3. Types of Data to be Processed
    Customer may submit contracts and related messages containing Personal Data, the extent of which is determined and controlled by the Customer. The types of Personal Data may include, but are not limited to:

    • Identification and Contact Data: Name, title, address, phone number, email address.
    • Employment Data: Employer, job title, academic and professional qualifications, geographic location, area of responsibility, affiliated organizations, industry.
    • Purchase and Usage History Data.
    • Contractual Obligation Data: Information about individuals and their business relationships with the Customer, such as employees, consultants, or customers.
    • IT Information: Computer ID, user ID and password, domain name, IP address, log files, software and hardware inventory, software usage patterns (e.g., cookies and other operational training records).
    • Financial Information: If mutually agreed upon, this may include account details and payment information.
  4. Categories of Data Subjects
    Customer may submit contracts and related messages containing Personal Data concerning the following categories of Data Subjects, as determined and controlled by the Customer:

    • Employees, agents, advisors, and freelancers of the Customer (who are natural persons).
    • Users, partners, customers of the Customer, and the employees and users of those entities.
  5. Obligations and Rights of Customer
    The obligations and rights of the Customer are delineated in the vSignify Subscription Agreement, applicable Order Forms, and this DPA.
  1. Special Categories of Data (if applicable)
    The personal data transferred does not involve any special categories of data.
  2. Processing Operations
    The personal data transferred to or accessed by the Data Importer will be utilized solely for the provision of services, which include cloud-based onboarding, training, user registration services, and support and maintenance. In this context, personal data may be accessed, processed, or disclosed by duly authorized personnel of the Data Importer or its Sub-Processors, strictly for the purpose of delivering services to the Data Exporter and in accordance with the Data Exporter’s instructions.

Annex B: Security Measures

vSignify is committed to maintaining the security and confidentiality of Personal Data processed on behalf of the Customer. The following security measures are implemented to protect such data from unauthorized access, disclosure, alteration, or destruction:

  1. Access Control Measures
    • User Authentication: Strong authentication mechanisms, including multi-factor authentication, to verify the identity of users accessing systems that process Personal Data.
    • Role-Based Access Control (RBAC): Access to Personal Data is restricted based on user roles, ensuring that only authorized personnel can access specific data and systems.
    • Regular Access Reviews: Periodic audits of user access rights to ensure compliance with access policies and to remove any unnecessary access.
  2. Data Encryption
    • Data in Transit: All Personal Data transmitted over public networks is encrypted using industry-standard protocols (e.g., TLS).
    • Data at Rest: Personal Data stored on servers and databases is encrypted to safeguard against unauthorized access.
  3. Network Security
    • Firewalls and Intrusion Detection Systems (IDS): Robust network security measures, including firewalls and IDS, are in place to monitor and protect against unauthorized access and cyber threats.
    • Regular Security Assessments: Ongoing vulnerability assessments and penetration testing to identify and remediate potential security weaknesses.
  4. Incident Response Procedures
    • Incident Management: Established protocols for identifying, reporting, and responding to security incidents affecting Personal Data, including defined roles and responsibilities.
    • Breach Notification: Timely notification procedures for informing the Customer of any Security Incidents, as detailed in the DPA.
  5. Data Backup and Recovery
    • Regular Backups: Routine backups of Personal Data to ensure data availability and integrity.
    • Disaster Recovery Plan: A comprehensive disaster recovery plan to restore data and services in the event of a security breach or data loss.
  6. Employee Training and Awareness
    • Security Awareness Training: Regular training programs for employees on data protection practices, security protocols, and recognizing potential security threats.
    • Policies and Procedures: Clear documentation of security policies, procedures, and best practices, accessible to all employees.
  7. Compliance and Audits
    • Third-Party Audits: Annual third-party audits to assess compliance with industry standards and effectiveness of security measures (e.g., SOC 2 Type II).
    • Continuous Improvement: Ongoing review and enhancement of security measures based on audit findings, regulatory changes, and emerging threats.

Confidentiality
All policies, audit reports, and related materials concerning the security measures implemented by vSignify are considered vSignify’s Confidential Information and are protected in accordance with the confidentiality provisions outlined in the Agreement.
