Data Protection Addendum
This Data Processing Addendum (this "DPA") forms part of the services agreement (the “Agreement”) between Opensense, Inc. and its affiliates ("Opensense") and the entity entering the Agreement as a customer (the “Customer”) of Opensense’s services ("Services"). All capitalized terms not defined or referenced in this DPA shall have the meanings set forth in the Agreement.
1. Definitions. For the purposes of this DPA:
- 1.1. “Personal Information” means all Customer data and any authorized user’s data that, alone or in combination with other information, can be used to identify an individual person.
- 1.2. “CCPA” means the California Consumer Privacy Act of 2018, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect, together with any implementing regulations;
- 1.3. “Privacy Laws” means all local, state, national and/or foreign law, treaties, and/or regulations, including without limitation the laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the processing of Personal Information under the Agreement and any laws which implement any such laws, in each case, to the extent in force, and as updated, amended or replaced from time to time;
- 1.4. The terms “Business”, “Service Provider”, “Third Party”, “Consumer”, “Sell” and “Business Purposes” shall have the meanings given to them in the CCPA.
- 2.1. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Opensense processes Personal Information falling within the scope of Privacy Laws on behalf of Customer in the course of providing the Opensense services (“Opensense Services”). Schedule 1 (Details of the Processing) of this DPA further sets out the duration, the type of Personal Information and the categories of data subjects.
- 2.2. International Provisions
- ~2.2.1. Jurisdiction specific terms. If applicable, the parties shall comply with their obligations as set out in Schedule 2 and Schedule 3 of this DPA in addition to the terms of this DPA.
- ~2.2.2. Cross-border data transfer mechanism. Wherever Personal Information is transferred outside its country of origin, Opensense will ensure such transfers are made in compliance with the requirements of Privacy Laws. Opensense shall comply with and satisfy its obligations set out in Schedule 2 of this DPA when processing Personal Information protected by applicable European Privacy Laws.
3. Compliance with Privacy Laws.
- Opensense represents and warrants to Customer that its collection, access, use, storage, processing, disposal, and disclosure of Personal Information does and shall at all times comply with all Privacy Laws.
4. Roles and Responsibilities.
- 4.1. As between Opensense and Customer, Customer is the Business for purposes of the CCPA with respect to the Personal Information that is provided to Opensense for processing under the Agreement and Opensense shall process the Personal Information as a Service Provider on behalf of Customer.
- 4.2. Customer shall be responsible for:
- ~4.2.1. Complying with all applicable laws relating to privacy and data protection in respect of its use of the Opensense Services, its processing of the Personal Information, and any processing instructions it issues to Opensense;
- ~4.2.2. Ensuring it has the right to transfer, or provide access to, the Personal Information to Opensense for processing pursuant to the Agreement and this DPA; and
- ~4.2.3. Ensuring that it shall not disclose (nor permit any data subject to disclose) any Sensitive Personal Information to Opensense for processing.
- 4.3. Opensense shall process the Personal Information only for the purposes described in the Agreement and in accordance with the lawful, documented instructions of Customer (including the instructions of any users accessing the Opensense Services on Customer's behalf) as set out in the Agreement, this DPA or otherwise in writing. Opensense shall not:
- ~4.3.1. sell the Personal Information;
- ~4.3.2. retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services;
- ~4.3.3. retain, use, or disclose the Personal Information for a commercial purpose other than providing the Services;
- ~4.3.4. retain, use, or disclose the information outside of the direct business relationship between Opensense and the Customer. Opensense certifies that it understands these restrictions and will comply with them.
- 5.1. Opensense shall implement appropriate technical and organizational measures to protect the Personal Information from any unauthorized access to or use, disclosure, alteration, or destruction of Personal Information that materially compromises the privacy or security of Personal Information (a “Security Incident”).
- 5.2. Opensense shall ensure that any personnel that it authorizes to process the Personal Information shall be subject to a duty of confidentiality.
- 5.3. Upon becoming aware of a Security Incident, Opensense shall notify Customer without undue delay but no later than seventy-two (72) hours and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under applicable laws. Where possible, the notice to Customer shall describe the nature of the incident, the number of individuals impacted, the type of records impacted, and any other information that may be relevant, as deemed by Opensense. Following Opensense’s notification to Customer of a Security Incident, the parties shall coordinate with each other to investigate the Security Incident.
- 5.4. The parties agree sub-processors (“Sub-processors”) may process Personal Information on Opensense's behalf provided that:
- ~5.4.1. Opensense shall maintain an up-to-date list of Sub-processors which it shall update with details of any change in Sub-processors at least thirty (30) days prior to any such change and shall notify Customer in advance of such change;
- ~5.4.2. Opensense imposes on such Sub-processors data protection terms that require it to protect the Personal Information to the standard required by Privacy Laws;
- ~5.4.3. Opensense remains liable for any breach of this DPA caused by a Sub-processor; and
- ~5.4.4. All such Sub-processors shall be Service Providers for purposes of the CCPA.
- 5.5. Customer may object prior to Opensense's appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, then Opensense, at its discretion, will either not appoint or replace the Sub-processor or will permit Customer to suspend or terminate the affected Opensense Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
6. Cooperation and Audits.
- 6.1. Opensense shall provide reasonable assistance to Customer, insofar as this is possible and at Customer's expense, to enable Customer to respond to requests from consumers seeking to exercise their rights under the CCPA. In the event such request is made directly to Opensense, Opensense shall promptly inform Customer of the same. Customer authorizes Opensense to respond to requests from data subjects or Consumers seeking to exercise their rights under the CCPA in order to clarify requests.
- 6.2. If requested and upon reasonable prior written notice from Customer, Opensense shall provide commercially reasonable assistance to Customer in completing any privacy impact assessments and/or data protection impact assessment, and any prior consultations with government authorities that Customer considers necessary to comply with applicable Privacy Laws. Customer shall be responsible for reasonable costs and expenses incurred by Opensense related to any such assistance. Upon Customer request, Opensense shall provide Customer information reasonably necessary to demonstrate compliance with applicable Privacy Laws.
- 6.3. Upon Customer’s reasonable request, and no more than once per calendar year, Opensense will make available for Customer’s inspection and audit, copies of certifications, records or reports demonstrating Opensense’s compliance with this DPA. Opensense will be assessed against industry security frameworks or standards including, but not limited to, SOC 2 Type II standards. Upon request, Opensense shall provide a summary copy of its most recent certified audit report to Customer, which reports shall be subject to Opensense’s confidentiality terms under the Agreement.
7. Return/Deletion of Data.
- Opensense retains the Personal Information for up to seven (7) years after the termination of any Agreement for the purposes of future account reactivation. Any confidentiality obligations and use restrictions in the Agreement will continue to apply to such Personal Information for the duration of retention. Notwithstanding the foregoing, upon request by Customer at the termination of the Agreement, Opensense shall delete or return to Customer the Personal Information in Opensense's possession, except to the extent such data may be required to be retained by Opensense under applicable laws.
- Each party’s liability to the other taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations on liability set forth in the Agreement. Opensense’s total liability for all claims from the Customer arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement.
- 9.1. Except as amended by this DPA, the Agreement will remain in full force and effect.
- 9.2. Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement.
- 9.3. This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligations of the parties vis-à-vis each other, if there is a conflict between this DPA and the Agreement, this DPA will control.
- 9.4. This DPA shall be interpreted, construed and enforced in all respects as is set forth in the Agreement. Each party irrevocably consents and submits to the exclusive jurisdiction of the courts as is set forth in the Agreement, in connection with any action to enforce the provisions of this DPA, to recover damages or other relief for breach or default under this DPA, or otherwise arising under or by reason of this DPA.
- 9.5. Customer agrees that Opensense may modify this DPA at any time provided. If Opensense makes any material modifications to this DPA, Opensense shall provide Customer with at least ten (10) days’ notice (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (i) sending an email to the email address of the designated account owner in Customer’s Opensense Services account; or (ii) alerting Customer via the user interface. If Customer reasonably objects to any such change, Customer may terminate the Agreement by giving written notice to Opensense within ten (10) days of notice from Opensense of the change.
SCHEDULE 2: EU AND UK JURISDICTION SPECIFIC TERMS
1. Scope and Purpose.
To the extent that Opensense processes Personal Information protected by European Data Protection Law, then the terms set out in this Schedule 2 to the DPA will apply in addition to the terms of the DPA.
In this Schedule 2 to the DPA:
- 2.1. “Controller”, “Data Subject”, “Processing” and “Processor” have the meaning given to them in the GDPR.
- 2.2. “European Data Protection Law” means data protection laws applicable in Europe, including (i) General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), (ii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iii) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
- 2.3. “EU Personal Data” means any Personal Data processed by Opensense in connection with the Services, including its affiliates and the processing of which is subject to European Data Protection Law.
- 2.4. “SCCs” means the EU Commission’s Standard Contractual Clauses (as annexed to EU Commission Decision 2021/914/EU of 4 June 2021).
3. Parties’ Rights and Obligations.
Opensense will process EU Personal Data in accordance with the requirements applicable under European Data Protection Law.
4. Cross-border data transfer mechanism.
Opensense shall not transfer any EU Personal Data to any country or recipient not recognized as providing an adequate level of protection for EU Personal Data (within the meaning of applicable European Data Protection Law) unless Opensense first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Law.
- 4.1. EU transfer. If EU Personal Data is being transferred to a recipient outside of the European Economic Area or Switzerland, then such transfer will only take place if (i) the recipient is recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR); or (ii) the transfer is covered by the SCCs, which shall be entered into and incorporated into this DPA by this reference and completed as follows:
- ~4.1.1. Module 2 (Controller to Processor) will apply where Opensense is a Data Controller and Customer is a Data Processor;
- ~4.1.2. Clause 7, the optional docking clause will not apply;
- ~4.1.3. Clause 9, option 2 will apply as per the terms set out in Section 5 (Sub-processors) of this DPA;
- ~4.1.4. Clause 11, the optional language will not apply;
- ~4.1.5. Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Agreement.
- ~4.1.6. Clause 17, option 1 will apply and will be governed by Irish law;
- ~4.1.7. Clause 18(b) disputes shall be resolved by the Courts of Dublin, Ireland;
- ~4.1.8. Annex 1 of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA;
- ~4.1.9. Annex 2 of the EU SCCs shall be deemed completed with the information set out in Schedule 4 to this DPA.
Opensense shall comply with its requirements under the SCCs. Nothing in this section 4(a) is intended to conflict with either party’s rights and responsibilities under the SCCs and, in the event of any such conflict, the SCCs shall prevail.
- 4.2. UK transfer. If Personal Data is being transferred to a recipient outside of the United Kingdom, and to the extent such Personal Data is subject to applicable Data Protection Laws in the United Kingdom (including UK GDPR and the Data Protection Act 2018, together the ‘UK Data Protection Laws’), for so long as it is lawfully permitted to rely on the EU Standard Contractual Clauses for the transfer of Personal Data to processors set out in the European Commission’s decision 2010/87/EU (‘Prior C2P SCCs’), the Prior C2P SCCs shall apply between Opensense and the Customer on the following basis:
- ~4.2.1. Appendix I and II shall be deemed completed with the relevant information set out in Schedule 1 and 2 to this DPA;
- ~4.2.2. The optional illustrative indemnification clause will not apply;
Where the Prior C2P SCCs do not apply, to the extent that the Parties are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of a UK Addendum to the EU SCCs issued by the Information Commissioner’s Office under section 119A(1) of the Data Protection Act 2018, it shall then apply to the Parties.
SCHEDULE 3: CCPA/CPRA SPECIFIC TERMS
If the CCPA applies, this Schedule 3 will apply in addition to the terms of the DPA.
1. Scope and purpose.
This Schedule 3 to the DPA applies solely to the processing of Personal Information (as defined under CCPA and CPRA) that Opensense processes in the course of providing the Services under the Agreement (referred to hereafter as “California Personal Information”). The parties acknowledge and agree that Opensense is only a service provider for the purposes of the CCPA.
In this Schedule 3, capitalized terms shall have the same meaning as defined in the CCPA, unless otherwise noted. Both Parties acknowledge and agree that Customer is a Business and Opensense is the Service Provider for the purposes of the CCPA. Additionally, for the purposes of interpreting this DPA with respect to California Personal Information, the term 'Controller' is replaced with Business and Processor is replaced with Service Provider wherever those terms appear.
3. Processing restrictions.
- 3.1. California Personal Information is processed and retained according to categories of data listed in Schedule 1 and retained as specified in this DPA.
- 3.2. Opensense shall not: (i) sell California Personal Information; (ii) retain, use, or disclose California Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by the CCPA; or (iii) retain, use, or disclose California Personal Information outside of the direct business relationship with Customer.
- 3.3. Opensense certifies, represents, and warrants that it understands the rules, restrictions, requirements, and definitions of the CCPA and as set forth in this DPA. Opensense shall notify Customer if it determines that it cannot meet its obligations under the CCPA.
- 3.4. Opensense shall not collect, retain, use, share or disclose any California Personal Information except as necessary to perform the Services solely pursuant to the Agreement.
- 3.5. Opensense further agrees to take industry-standard steps to maintain the confidentiality of and protect California Personal Information. Opensense shall comply with all applicable laws, regulations and rules including, but not limited to, privacy protections under the CCPA, in its performance under the Agreement.
- 3.6. Opensense shall implement appropriate technical and organizational measures to ensure compliance with its obligation to respond to rights requests as described in the CPRA. All requests to correct, remove, or update Personal Information must be made by the Customer to firstname.lastname@example.org.
- 3.7. The Parties agree that Customer does not sell California Personal Information to Opensense because, as a Service Provider, Opensense may only use California Personal Information for the purposes of providing the Services to Customer.
SCHEDULE 4: SECURITY MEASURES
Industry-standard security practices meeting or exceeding standards noted in this DPA including Section 5, on the Opensense Website (https://opensense.com/security), and as set forth in its SOC 2 Type II attestation for security, availability, and process integrity measures, including submission of an annual compliance report (and supporting summary materials when reasonably requested) under NDA.