PARTIES AND BACKGROUND
(A) 360 Privacy (“360 Privacy”) has entered into a Subscription Agreement or other agreement with Client (“Client”) (each a “Party” and collectively the “Parties”) governing Client’s use of the Services (the “Agreement”). This Data Processing Agreement (the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Agreement and shall be effective and replace any previously applicable data processing and security terms as of the effective date of the Agreement (“Effective Date”).
(B) To the extent that 360 Privacy processes any Client Personal Data (as defined below) on behalf of the Client (or, where applicable, the Client Affiliate) in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.
1. DEFINITIONS
1.1 Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA shall be defined as follows:
“Applicable Data Protection Laws” means all applicable laws, rules, regulations and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.
“Client Personal Data” means the Personal Data processed by 360 Privacy on behalf of Client or Client Affiliate in connection with the provision of the Services, which may also include Personal Data of Client and Client Affiliate’s Authorized Users.
“Personal Data” means any information relating to an identified or identifiable individual or device, or that otherwise constitutes “personal data,” “personal information,” “personally identifiable information” or similar terms, and such terms shall have the same meaning as defined by Applicable Data Protection Laws.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Client Personal Data.
“Sub-processor” means 360 Privacy Affiliates and third-party processors appointed by 360 Privacy to process Client Personal Data.
“US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, employee monitoring, the processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
The terms “controller”, “processor”, “data subject”, “process” (or “processing”), “supervisory authority”, “sell” and “service provider” shall have the same meaning as set out in Applicable Data Protection Laws.
2. INTERACTION WITH THE AGREEMENT
2.1 This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Client Personal Data.
2.2 With respect to Client Affiliates, by entering into the Agreement, Client warrants it is duly authorized to enter into the DPA for and on behalf of any such Client Affiliates, and each Client Affiliate shall be bound by the terms of this DPA as if it were Client. Client acknowledges and agrees that it shall be solely responsible for each Client Affiliate’s compliance with the terms and conditions of this DPA and shall be fully liable to 360 Privacy for the acts and omissions of each Client Affiliate.
2.3 Client represents and warrants that it is duly authorized by each Client Affiliate on whose behalf 360 Privacy processes Client Personal Data in accordance with this DPA to (a) provide such Client Personal Data to 360 Privacy and permit such processing by 360 Privacy on behalf of the Client Affiliate, and to act on behalf of the Client Affiliate in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Client Affiliate.
2.4 Client shall be the only point of contact for all communication between the Client Affiliates and 360 Privacy.
3. ROLE OF THE PARTIES
3.1 The Parties acknowledge and agree that:
(a) for the purposes of US Data Protection Laws, 360 Privacy will act as a “service provider” or “processor” in its performance of its obligations pursuant to the Agreement.
(i) In general, Client acts as a controller, whereas 360 Privacy acts as a processor.
(ii) In certain cases, Client acts as a processor on behalf of Client’s customers where Client and Client’s customer have concluded a data processing agreement in relation to the processing of Client Personal Data of Authorized Users.
3.2 Client represents and warrants that:
(a) Client shall comply with its obligations under Applicable Data Protection Laws;
(b) Client has provided all notices, and obtained all consents and rights necessary under law for 360 Privacy to process Client Personal Data and provide Services contemplated under the Agreement;
(c) Client ensures and shall ensure at all times that there is a sufficient legal basis for 360 Privacy’s processing as permitted under this DPA;
(d) Client will in all cases limit its provision of Client Personal Data to 360 Privacy to the amount and kinds of data adequate, relevant, and necessary for performing the Services; and
(e) Client shall immediately notify 360 Privacy and cease use of the Services in the event that, and to the extent required, any authorization or legal basis for processing Client Personal Data of Authorized Users has been revoked or terminated.
4. DETAILS OF DATA PROCESSING
4.1 The details of data processing (such as subject matter, nature and purpose of the processing, categories of Client Personal Data and data subjects) are described in the Agreement and in Schedule 1.
4.2 Client acknowledges and agrees that, as part of providing the Services, 360 Privacy may use and process Client Personal Data for its internal business purposes, such as: to enhance, analyze, develop or troubleshoot 360 Privacy’s products and services; to comply with applicable laws (including law enforcement requests or compulsory disclosures); to help ensure the internal security of 360 Privacy’s products and services and prevent fraud or mitigate risk; and/or for any other purposes contemplated or permitted by the Agreement, this DPA, or by applicable law (each of the foregoing, along with the provision of Services, the “Permitted Service Purposes”).
4.3 Client Personal Data will only be processed on behalf of and under the instructions of Client and in accordance with the Permitted Service Purposes and Applicable Data Protection Laws. The Agreement and this DPA shall generally constitute Client’s instructions for the processing of Client Personal Data. Client may issue additional instructions as needed. Client is solely responsible for determining the lawfulness of the documented instructions it provides to 360 Privacy.
4.4 As required by Applicable Data Protection Laws and as otherwise permitted by law, 360 Privacy shall notify Client if 360 Privacy determines that it can no longer meet its obligations under Applicable Data Protection Laws or this DPA.
4.5 Subject to Applicable Data Protection Laws, Client acknowledges that 360 Privacy may transfer and process Client Personal Data to and in the United States. To the extent that 360 Privacy is a recipient of Client Personal Data protected by Applicable Data Protection Laws regulating the cross-border transfer of Personal Data, in a country that is not recognized as providing an adequate level of protection for Personal Data, the Parties agree to implement an appropriate transfer mechanism, including but not limited to Standard Contractual Clauses. Schedules 1-3 are incorporated herein to supplement the requirements of any such data transfer mechanism, shall supplement the documented instructions to 360 Privacy, and provide additional details as Applicable Data Protection Laws may require.
5. SUB-PROCESSORS
5.1 Client grants 360 Privacy general authorization to engage Sub-processors, subject to clause 5.2, and consents to the engagement of 360 Privacy’s current Sub-processors which are listed in Schedule 1 of this DPA as of the Effective Date.
5.2 360 Privacy shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations designed to support 360 Privacy’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
5.3 360 Privacy shall provide Client with at least thirty (30) days’ notice of any proposed changes to the Sub-processors it uses to process Client Personal Data (including any addition or replacement of any Sub-processors). Client may object to 360 Privacy’s use of a new Sub-processor by providing 360 Privacy with written notice of the objection within fifteen (15) days after 360 Privacy has provided notice to Client of such proposed change (an “Objection”). In the event Client objects to 360 Privacy’s use of a new Sub-processor, Client and 360 Privacy will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Client shall be entitled, as its sole and exclusive remedy, to limit its further provision of Client Personal Data to 360 Privacy. During any such Objection period, 360 Privacy may suspend the affected portion of the Services.
6. DATA SUBJECT RIGHTS REQUESTS
6.1 As between the Parties, Client shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Client Personal Data (“Data Subject Request”).
6.2 360 Privacy will (taking into account the nature of the processing of Client Personal Data) provide Client with support through the Services or other reasonable assistance as necessary for Client to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.
7. SECURITY AND AUDITS
7.1 360 Privacy will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Client Personal Data, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Client Personal Data) and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account shall be taken in particular of the nature, scope, context and purpose of the processing as well as the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
7.2 360 Privacy will implement and maintain as a minimum standard the measures set out in Schedule 3. 360 Privacy may update or modify the security measures set out in Schedule 3 from time to time, including (where applicable) following any review by 360 Privacy, provided that such updates and/or modifications do not reduce the level of protection afforded to the Client Personal Data by 360 Privacy under this DPA.
7.3 360 Privacy shall make available to Client all information necessary to demonstrate compliance with this DPA and 360 Privacy's obligations under Applicable Data Protection Laws with respect to its use of Client Personal Data, and shall allow for and contribute to audits and inspections by Client, or a mutually agreed-upon qualified independent third-party assessor, in relation to the processing of Personal Data by Client, by providing once annually upon Client's written request a copy of relevant audits and certifications relating to Client Personal Data handling provided by 360 Privacy. In the event that a supervisory authority conducting an investigation, audit or review of Client requires additional information regarding 360 Privacy's operations, 360 Privacy will reasonably cooperate with the same as mutually agreed upon by the Parties in writing.
8. SECURITY INCIDENTS
360 Privacy will promptly notify Client in writing in the event of any breach of this DPA, Applicable Data Protection Laws or any instruction by Client in connection with the processing of Client Personal Data under this DPA. Without limiting the generality of the foregoing, 360 Privacy shall notify Client in writing without undue delay and in any event, no later than within seventy-two (72) hours after confirmation of any Security Incident, and reasonably cooperate in the investigation of any such Security Incident and any obligation of Client under Applicable Data Protection Laws to make any notifications to individuals, supervisory authorities, governmental or other regulatory authority, or the public in respect of such Security Incident. 360 Privacy shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Client timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. 360 Privacy’s obligation to report or respond to a Security Incident under this section is not and will not be construed as an acknowledgment by 360 Privacy of any fault or liability of 360 Privacy with respect to such Security Incident.
9. DELETION AND RETURN
360 Privacy shall, at Client’s discretion, within ninety (90) days of the date of termination or expiry of the Agreement, delete and use all reasonable efforts to procure the deletion of all other copies of Client Personal Data processed by 360 Privacy or any Sub-processors. If no determination has been made by Client, 360 Privacy shall assume that Client wishes to have the data deleted.
10. CUSTOMER PERSONAL DATA SUBJECT TO US DATA PROTECTION LAWS
To the extent that the processing of Client Personal Data is subject to US Data Protection Laws, the CCPA Addendum set out in Schedule 4 shall apply.
11. GENERAL
11.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
11.2 This DPA and the Agreement set forth the entire agreement between the Parties with respect to the subject matter of this DPA.
Schedule 1
DETAILS OF PROCESSING
A. List of Parties
1. Data Exporter
Name: The Client, as defined in Agreement
Address: The Client’s Address, as defined in the Agreement
Contact person’s name: As defined in the Agreement
Activities relevant to the data transferred: Processing of Personal Data in connection with Client’s use of 360 Privacy Subscription Services under the Agreement
2. Data Importer
Name: 360 Privacy, LLC
Address: 750 Old Hickory Blvd. Bldg 1, Ste. 254, Brentwood, TN 37027
Contact person’s name: Gavin Quinn, Chief Product Officer, 360 Privacy, LLC, gquinn@360privacy.io
Activities relevant to the data transferred: Processing of Personal Data in connection with Client’s use of 360 Privacy Subscription Services under the Agreement
B. Description of Transfer
3. Categories of data subjects
- Client employees
- Client’s customers
4. Categories of personal data
- Name
- Location Data
- Contact information
5. Special categories of personal data (if applicable)
- none.
6. Frequency of the transfer
- One-time transfer
7. Subject matter and nature of the processing
360 Privacy collects personal information for the purpose of identifying third-party entities, including data brokers, sellers, aggregators, and, where applicable, information on the dark web. This enables 360 Privacy to initiate requests for takedowns and removal actions on Client’s behalf.
8. Purpose(s) of the data transfer and further processing
Identifying third-party entities, including data brokers, sellers, aggregators, and, where applicable, information on the dark web. This enables 360 Privacy to initiate requests for takedowns and removal actions on Client’s behalf.
9. Duration
Subject to the “Deletion and Return” section of this DPA, 360 Privacy will process Client Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Schedule 2
SUB-PROCESSORS
The following provides information about the Sub-processors that 360 Privacy has engaged in accordance with the 360 Privacy Data Processing Agreement to perform processing activities on Client Personal Data (as defined in the DPA) on behalf of customers.
1. Sub-processor
For transfers to sub-processors, specify subject matter, nature, and duration of the processing:
- Amazon Web Services, Inc.: Hosting and infrastructure for on-demand cloud computing platforms and APIs
- Google, LLC: Data hosting provider
- Microsoft: Office productivity services
The Sub-processors may have access to the Personal Data for the term of this DPA or until the service contract with the respective Sub-processor is terminated or the access by the Sub-processor has been excluded as agreed between 360 Privacy and Client.
Schedule 3
SECURITY CONTROLS
360 Privacy has implemented the following technical and organizational controls (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of 360 Privacy’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to 360 Privacy’s organization, monitoring and maintaining compliance with 360 Privacy’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management (including to executives and Board of Directors). Such measures include, at a minimum, annual internal and external audits of the program through penetration testing.
3. Utilization of commercially available and industry standard encryption technologies for Personal Data that is:
a. Being transmitted by 360 Privacy over public networks (i.e., the internet) or when transmitted wirelessly; or
b. At rest or stored on portable or removable media (e.g., laptop computers, CD/DVD, USB drives, back-up tapes).
4. Data security controls which include at a minimum, but may not be limited to, logical segregation of data and logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
5. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that 360 Privacy’s passwords that are assigned to its employees: (i) be at least twelve (12) characters in length; (ii) not be stored in readable format on 360 Privacy’s computer systems; (iii) meet defined complexity requirements; (iv) be subject to a history threshold that prevents reuse of recent passwords; and (v) if newly issued, be changed after first use.
6. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
7. Physical and environmental security of areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of 360 Privacy facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from 360 Privacy’s possession.
9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to 360 Privacy’s technology and information assets.
10. Network security controls that provide for the use of firewall systems, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
11. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
12. Business resiliency/continuity and disaster recovery procedures in an effort to maintain service and/or recover from foreseeable emergency situations or disasters.
Schedule 4
CCPA ADDENDUM
As stipulated in clause 10 of the DPA, this CCPA Addendum shall apply to any processing by 360 Privacy of Client Personal Data subject to the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq., as amended, including by the California Privacy Rights Act of 2020, and as amended or supplemented in the future, together with any implementing regulations thereto (“CCPA”).
1. To the extent required by the CCPA, 360 Privacy is prohibited from:
a. selling Client Personal Data or otherwise making Client Personal Data available to any third party for monetary or other valuable consideration;
b. sharing Client Personal Data with any third party for cross-context behavioral advertising;
c. retaining, using or disclosing Client Personal Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by the CCPA;
d. retaining, using or disclosing Client Personal Data outside of the direct business relationship between the Parties; and
e. combining the Client Personal Data which 360 Privacy receives from or on behalf of the Client with Personal Data which it receives from or on behalf of another client.
2. For the avoidance of doubt, 360 Privacy shall comply with all obligations for “service providers” and/or “processors” under Applicable Data Protection Laws, including, without limitation, those obligations for service providers contained in § 7051 of the CCPA regulations (as such section may be revised, updated, and amended from time to time).
360 PRIVACY // DATA PROCESSING AGREEMENT
© 2024 by 360 Privacy