This Data Processing Agreement and its Annex (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Binary Defense Systems, Inc. (“Binary Defense”) on behalf of Client in connection with the Services under the Master Services Agreement or applicable SOWs between Binary Defense and Client (collectively, the “Agreement”).
This DPA is incorporated into the Agreement, or SOW(s) if no Master Services Agreement exists between the Parties, and in case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence. The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement. References to the Agreement shall include applicable SOWs and this DPA.
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
“Consumer”, “Business”, “Sell” and “Service Provider” shall have the meanings given to them in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy as amended from time to time.
“Data Subject” means the individual to whom Personal Data relates.
“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
“Instructions” means the written, documented instructions issued by a Controller to a Processor to perform a specific or general action with regard to Personal Data.
“Personal Data” means any information relating to an identified or identifiable individual that is protected as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means a successful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Binary Defense.
“Privacy Shield” means the EU-U.S. and Swiss-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July 12, 2016 and by the Swiss Federal Council on January 11, 2017, respectively.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July 12, 2016.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Sub-Processor” means any Processor engaged by Binary Defense or its affiliates to assist in fulfilling Binary Defense’s obligations with respect to the provision of the Services under the Agreement.
2. Client Compliance with Laws.
Client agrees that it shall be solely responsible for: (i) the accuracy, quality, and legality of Client Data and the means by which Client acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring it has the right to transfer, or provide access to, the Personal Data to Binary Defense for Processing in accordance with the terms of the Agreement; (iv) ensuring that its Instructions to Binary Defense regarding the Processing of Personal Data comply with applicable laws; and (v) complying with all laws applicable to any emails or other content created, sent or managed through the Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Client shall inform Binary Defense without undue delay if it is not able to comply with its responsibilities under this sub-section (a) or applicable Data Protection Laws.
3. Binary Defense Obligations
a) Compliance with Instructions. Binary Defense will be entitled to rely on Client’s Instructions and shall only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Client’s lawful Instructions. Binary Defense is not responsible for compliance with any Data Protection Laws applicable to Client or Client’s industry that are not generally applicable to Binary Defense.
b) Conflict of Laws. If Binary Defense becomes aware that it cannot Process Personal Data in accordance with Client’s Instructions due to a legal requirement under any applicable law, Binary Defense will (i) promptly notify Client of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Client issues new Instructions with which Binary Defense is able to comply. Binary Defense will not be liable to Client under the Agreement for any failure to perform the applicable Services until such time as Client issues new lawful Instructions.
c) Security. Binary Defense maintains appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches consistent with its maintenance of a SOC 2, Type 2 certification. Client may request Binary Defense’s certification upon request, not to exceed once per year. Binary Defense may modify the security measures at its discretion.
d) Confidentiality. Binary Defense ensures that any personnel whom Binary Defense authorizes to Process Personal Data on its behalf are subject to appropriate confidentiality obligations with respect to Personal Data.
e) Personal Data Breaches. Binary Defense will notify Client without undue delay after it becomes aware of any Personal Data Breach and shall provide timely information relating to the Personal Data Breach as it becomes known or as reasonably requested by Client. At Client’s request, Binary Defense will promptly provide Client with such reasonable assistance as necessary to enable Client to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Client is required to do so under Data Protection Laws.
f) Deletion or Return of Personal Data. Upon termination or expiration of the Agreement, Binary Defense will delete any Client Data from its assets, except to the extent it is required to retain pursuant to applicable law and data retention policies.
4. Data Subject Requests.
Upon Client’s written request, Binary Defense shall provide reasonable assistance to Client to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. Client shall reimburse Binary Defense for Binary Defense’s costs arising from this assistance. Client shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
Client agrees that Binary Defense may engage Sub-Processors to Process Personal Data on Client’s behalf. Binary Defense has currently appointed certain Sub-Processors. The list of Sub-Processors may be provided upon request.
6. Data Transfers.
Client acknowledges and agrees that Binary Defense may access and Process Personal Data on a global basis as necessary to provide the Services. Personal Data will be transferred to and Processed by Binary Defense in the United States and to other jurisdictions where Binary Defense and Sub-Processors have operations. Binary Defense shall ensure such transfers are made in compliance with the requirements of Data Protection Laws.
7. Additional Provisions for European Data.
When Processing European Data in accordance with Client’s Instructions, the parties acknowledge and agree that Client is the Controller of European Data and Binary Defense is the Processor. If Binary Defense believes that an Instruction of Client infringes European Data Protection Laws, it will inform Client without delay, provided that Client is ultimately responsible for ensuring that Instructions comply with European Data Protection Laws. At Client’s expense, Binary Defense will provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.
8. Standard Contractual Clauses.
Binary Defense agrees to abide by and process European Data in compliance with the Standard Contractual Clauses. To the extent that Binary Defense relied on its self-certification under EU-US Privacy Shield as a legal basis for transfers of Personal Data, in light of the judgment of the Court of Justice of the EU in Case C-311/18, Binary Defense shall now instead rely on the terms of this DPA and/or the Standard Contractual Clauses. If and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.
9. Additional Provisions for California Personal Information.
When processing California Personal Information in accordance with Client’s Instructions, the parties acknowledge and agree that Client is a Business and Binary Defense is a Service Provider for the purposes of the CCPA. Binary Defense will process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the “Business Purpose”). Binary Defense uses service data for its own legitimate Business Purpose. The parties agree that Binary Defense shall not (a) sell California Personal Information; (b) retain, use, or disclose California Personal Information for a commercial purpose other than for the Business Purpose or as otherwise permitted by the CCPA; or (c) retain, use, or disclose California Personal Information outside of the business relationship between Client and Binary Defense.
10. General Provisions
a) Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
b) Limitation of Liability. Each party and each of their affiliates’ liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the Agreement and any reference in such section to the liability of a party means aggregate liability of that party and all of its affiliates under the Agreement.
c) Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
Annex 1 – Details of Processing
A. Nature and Purpose of Processing: Binary Defense will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the SOW, and as further Instructed by Client and agreed by Binary Defense.
B. Duration of Processing: Subject to the Client’s right to request the deletion or return of Personal Data, Binary Defense will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
C. Categories of Data Subjects: Client may submit Personal Data of its employees, subcontractors, and third party partners and agents in the course of receiving and using the Services, the extent of which is determined and controlled by Client in its sole discretion.
D. Categories of Personal Data: Client may submit the following categories of Personal Data in connection with the Services: i: Contact Information; and ii: other Personal Data submitted by, sent to, or received by Client, or Client’s end users, in connection with Services.
E. Special categories of data (if appropriate): The parties do not anticipate the transfer of special categories of data.
F. Processing operations: Personal Data may be subject to the following Processing activities: (i) Storage and other Processing necessary to provide, maintain and improve the Services provided to Client; and (ii) Disclosure in accordance with the Agreement and as compelled by applicable laws.