Data Processing Addendum
This data processing addendum (“Addendum”) is entered into between Data Science Consulting Group Ltd., a company incorporated in Israel under company number 51-5469104 (“DSG” or “Processor”), and you or the entity you represent (“Customer” or “Controller”). This Addendum supplements DSG’s assessAI Terms and Conditions available at https://dsg.ai/terms-conditions, as updated from time to time, between Customer and DSG, or any other agreement between Customer and DSG governing Customer’s use of DSG’s Service (the “Agreement”).
This Addendum shall apply only to the extent DSG Processes Personal Data subject to Data Protection Legislation.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.
- Definitions
1.1 In this Addendum, the following terms shall have the meanings set out below, and cognate terms shall be construed accordingly:
1.1.1 “Applicable Laws” means (a) European Union law or the law of any member state of the European Union to which DSG or Customer is subject; and (b) any Israeli or other applicable law to which DSG or Customer is subject;
1.1.2 “Customer Personal Data” means any Personal Data which may be processed by Processor or a Sub-processor on behalf of Customer, pursuant to or in connection with the Agreement;
1.1.3 “Data Protection Legislation” means all applicable law(s) protecting Personal Data and individuals’ right to privacy with respect to the Processing of Personal Data, including but not limited to the GDPR, UK GDPR, CCPA and Israeli Data Protection and Privacy Regulation;
1.1.4 “EU” means the European Union;
1.1.5 “EEA” means the European Economic Area, comprising all EU member states together with Iceland, Liechtenstein and Norway, in all of which the GDPR applies;
1.1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.7 “UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019; and “UK Addendum” means the UK addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under section 119A(1) of the Data Protection Act 2018, including any amendment or replacement formally adopted by the Information Commissioner’s Office or any other relevant Regulator.
1.1.8 “CCPA” means the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and any regulations issued pursuant thereto;
1.1.9 “Israeli Data Protection and Privacy Regulation” means the Privacy Protection Law, 5741-1981, the Protection of Privacy Regulations (Data Security) 5777-2017 and the Protection of Privacy Regulations (Transfer of Data to Databases Outside of Israel), 2001;
1.1.10 “SCC” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and, where applicable, the UK Addendum, available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
1.1.11 “Services” means DSG’s platform (“Platform”) and assessment services designed to enable Customer to analyse data and generate valuable business insights with regard to Customer’s compliance with artificial intelligence regulations, as further defined in the Agreement;
1.1.12 “Sub-processor” means any person (excluding an employee of DSG) appointed by or on behalf of DSG to Process Personal Data on behalf of Customer in connection with the Agreement;
1.1.13 “Supervisory Authority” means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation;
1.1.14 “Term” means the term of the Agreement, as defined therein.
1.1.15 The terms “Controller“, “Processor“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, and “Processing” shall have the same meaning as in the GDPR or any equivalent term under the Data Protection Legislation, and their cognate terms shall be construed accordingly.
- Processing of Customer Personal Data
2.1 The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the Data Protection Legislation, and that DSG acts in the capacity of a Processor. In some circumstances Customer may additionally or alternatively be a Processor, in which case Customer appoints DSG as an authorised Sub-processor; this does not change the obligations of the parties under this Addendum, as DSG remains a Processor in any such event.
2.2 DSG shall Process Customer Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which DSG is subject, in which case DSG shall notify Customer of that requirement unless that law prohibits such notification. DSG shall also notify Customer if, in its opinion, any instruction infringes the Data Protection Legislation or other Applicable Law. Such notification does not constitute a general obligation on the part of DSG to monitor or interpret the laws applicable to Customer, and does not constitute legal advice to Customer.
2.3 Customer warrants that it has all the rights necessary to provide the Personal Data to DSG for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the Data Protection Legislation support the lawfulness of the Processing. To the extent required by the Data Protection Legislation, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects and, unless another legal basis set forth in the Data Protection Legislation supports the lawfulness of the Processing, that any necessary Data Subject consents to the Processing are obtained and that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the revocation to DSG, and DSG will act pursuant to Customer’s instructions as appropriate.
2.4 The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides to DSG in connection with the Services. Annex 1 to this Addendum sets out certain information clarifying the manner in which Personal Data may be Processed by DSG, and DSG warrants that Annex 1 accurately reflects the Processing activities under this Addendum and the Agreement. Annex 1 sets out the information required by certain provisions of the Data Protection Legislation, such as Article 28(3) of the GDPR.
2.5 If Customer determines that the CCPA applies to DSG in relation to the Services provided under the Agreement and wishes to impose on DSG requirements beyond those set forth in this Addendum, Customer shall notify DSG of such requirements.
2.6 Where Customer is subject to the CCPA, DSG certifies that it understands the rules, requirements and definitions of the CCPA and agrees not to sell (as that term is defined in the CCPA) any Customer Personal Data Processed hereunder, and not to take any action that would cause any disclosure of Customer Personal Data to or from DSG under the Agreement or this Addendum to qualify as “selling” such Customer Personal Data under the CCPA. DSG will reasonably cooperate with and assist Customer in meeting Customer’s compliance obligations under the CCPA and in responding to CCPA-related inquiries, including verifiable consumer requests, taking into account the nature of DSG’s Processing and the information available to DSG.
- Confidentiality
3.1 Without prejudice to any existing contractual arrangements between the parties, DSG shall ensure that any person it authorises to Process the Personal Data on its behalf is subject to a duty of confidentiality.
- Security
4.1 Taking into account the measures required by Article 32 of the GDPR or any other applicable Data Protection Legislation, the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DSG shall implement appropriate technical and organisational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk, which shall be at least as rigorous as those detailed in Annex 2. DSG may update such measures from time to time, provided that such updates do not materially decrease the protection of Personal Data for Data Subjects.
4.2 Customer acknowledges that security requirements change constantly and that effective security requires frequent evaluation and regular improvement of outdated security measures. Customer will therefore evaluate the measures implemented in accordance with this section 4 on an ongoing basis in order to maintain compliance with the requirements set forth in this section. The parties will negotiate in good faith the cost, if any, of implementing changes required by specific updated security requirements set forth in the Data Protection Legislation or by data protection authorities of competent jurisdiction.
- Sub-processing
5.1 Customer authorises DSG to appoint (and to permit each Sub-processor to appoint) Sub-processors in accordance with this Addendum and any restrictions in the Agreement.
5.2 DSG shall inform Customer via the Platform, as soon as reasonably practicable, of any intended change concerning the addition or replacement of an authorised Sub-processor that will Process Customer Personal Data (“New Sub-processor”). DSG’s current list of Sub-processors is available on DSG’s website at: https://dsg.ai/list-of-sub-processors/ . If, within 14 calendar days of receipt of that notice, Customer notifies DSG in writing of any objection, on reasonable grounds, to the proposed appointment of a New Sub-processor, the parties will endeavour to agree (acting reasonably) and without undue delay the commercially reasonable steps to be taken to ensure that the New Sub-processor complies with the Data Protection Legislation and with Article 28(4) of the GDPR.
5.3 In the absence of a resolution, DSG will make commercially reasonable efforts to provide Customer with the same level of Service described in the Agreement without using the objected-to Sub-processor to Process Customer Personal Data.
5.4 Where Customer reasonably maintains that the risks involved in the sub-processing activities remain unacceptable in the context of Article 28(4) of the GDPR, having regard to the steps taken and the time frame referred to above, the parties shall promptly seek to resolve the issue. Where the parties are unable to resolve the issue within that time frame, Customer’s sole remedy shall be to terminate the Agreement.
5.5 With respect to each Sub-processor, DSG shall ensure that the Sub-processor is bound by data protection obligations compatible with those of DSG under this Addendum.
- Data Subject Rights
6.1 Customer shall comply with requests received from Data Subjects to exercise their rights pursuant to Chapter III of the GDPR or other Data Protection Legislation.
6.2 Where Customer requires DSG’s assistance in order to comply with section 6.1, DSG shall, taking into account the nature of the Processing, assist Customer upon Customer’s request and at Customer’s cost, by appropriate technical and organisational measures and insofar as this is possible, in responding to requests to exercise data protection rights under the Data Protection Legislation.
- Personal Data Breach
7.1 When DSG becomes aware of an incident that has a material impact on the Processing of Personal Data that is the subject of the Agreement, it shall notify Customer of the incident. DSG shall cooperate with Customer and follow Customer’s instructions with regard to such incidents, so as to enable Customer to investigate the incident, formulate an appropriate response and take suitable further steps in respect of the incident.
7.2 Where the incident is reasonably likely to require a data breach notification by Customer under the Data Protection Legislation, DSG will assist Customer, at the Customer’s cost with the notification process.
7.3 On the basis of such notification, Customer shall, where applicable, notify the Personal Data Breach to the competent Supervisory Authority in accordance with Article 33 of the GDPR or other Data Protection Legislation and, to the extent required, communicate the required information regarding the Personal Data Breach to the Data Subjects in accordance with Article 34 of the GDPR.
7.4 DSG shall, at Customer’s cost, cooperate with Customer and take such commercially reasonable steps as Customer may reasonably instruct to assist in the investigation and mitigation of each Personal Data Breach.
- Deletion or Return of Customer Personal Data
8.1 Upon termination of this Addendum, Customer may, in its discretion and by written notice to DSG within 30 calendar days of the cessation date, require DSG to (a) return a complete copy of all Customer Personal Data to Customer; and (b) delete all other copies of Customer Personal Data Processed by Processor. DSG shall comply with any such written request within 60 calendar days of the cessation date.
8.2 Processor may retain Customer Personal Data to the extent and for such period as required by Applicable Laws.
- Audit Rights
9.1 Subject to sections 9.2 and 9.3, DSG shall make available to Customer, upon reasonable request, the information reasonably necessary to demonstrate compliance with the Data Protection Legislation, including Article 28(3) of the GDPR.
9.2 Where applicable, if Customer is not otherwise satisfied by its audit rights under the Agreement, DSG shall, at Customer’s cost, allow for audits, including inspections, by an auditor mandated by Customer (subject to section 9.3, and provided that the auditor is bound by written confidentiality obligations in relation to the information obtained) in relation to the Processing of Customer Personal Data by the Processor, provided that:
9.2.1 Customer shall give DSG a reasonable notice of any audit or inspection to be conducted; and
9.2.2 Customer shall take reasonable steps (and shall procure that each of its mandated auditors takes reasonable steps) to minimise disruption to the Processor’s business in the course of such audit or inspection, and such audits or inspections shall be conducted during normal working hours.
9.3 DSG may object to an auditor mandated by Customer if the auditor is, in DSG’s opinion, not suitably qualified or independent, a competitor of DSG, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.
- International Transfers
10.1 Transfers out of the EEA or the UK. Customer Personal Data may be transferred, in order to facilitate the Services, to third-party companies and individuals located in a country outside the EEA, the UK or Israel. To the extent that DSG or its Sub-processors Process Customer Personal Data in countries outside the EEA, the UK and Israel that do not provide an adequate level of data protection, as determined by the European Commission or another competent authority, the applicable module of the SCC and, to the extent applicable, the UK Addendum shall apply and are incorporated herein upon execution of this Addendum by the parties, or DSG shall otherwise ensure that continuity of protection of Personal Data is maintained for any onward transfers. With respect to each such transfer, DSG shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
10.2 Transfers out of countries with data export requirements. If the Data Protection Legislation requires that further steps be taken in relation to any applicable data export restrictions to permit the transfer of Personal Data under this Addendum to DSG (including its Sub-processors), DSG will comply with such requirements, including by executing any applicable data transfer agreements (e.g. the SCC) or implementing an alternative solution that ensures appropriate safeguards are in place for such transfer.
10.3 To the extent that DSG or Customer relies on a specific statutory mechanism to lawfully support international data transfers and that mechanism is subsequently modified, revoked, or held by a court of competent jurisdiction to be invalid, DSG and Customer agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.
- General Terms
Liability and Indemnity
11.1 Customer shall indemnify DSG and will hold DSG harmless against all claims, losses, damages and expenses incurred by DSG arising out of a breach of this Addendum and/or the Data Protection Legislation by Customer.
Order of Precedence
11.2 With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
Changes in Data Protection Legislation
11.3 If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.
Governing Law and Jurisdiction
11.4 This Addendum is governed by the laws of Israel. Any disputes arising from or in connection with this Addendum, shall be brought exclusively before the competent court of Tel Aviv – Jaffa, Israel.
11.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject Matter and Duration of the Processing of Customer’s Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Customer’s Personal Data
DSG provides Services, which include the use of a platform and assessment services, as applicable, in order to analyse Customer data and generate valuable business insights with regard to Customer’s compliance with artificial intelligence regulations. In the course of providing the Services, DSG may Process the Personal Data received from Customer.
Special Categories of Personal Data to be Processed
No Special Categories of Personal Data are Processed.
The Categories of Data Subject to whom the Customer’s Personal Data Relates
The categories of Data Subjects are chosen by Customer.
The Obligations and Rights of Customer and Customer Affiliates
The obligations and rights of Customer are set out in the Agreement and this Addendum.
ANNEX 2 – SECURITY MEASURES
- DSG shall establish a procedure for allowing access to Personal Data and restriction of such access. DSG shall ensure that access to Personal Data is strictly limited to those individuals who “need to know” or need to access the Personal Data and as strictly necessary for the purpose of providing the Service and shall keep record of the persons authorized to access the Personal Data subject of the Agreement.
- DSG shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and written security protocols.
- DSG shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.
- DSG shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to DSG’s systems infrastructure, data processing systems, communication means, terminals, system architecture, hardware and software, in order to prevent penetration of, and unauthorised access to, Customer’s Personal Data, Customer’s systems or the communication lines between Customer and DSG.
- DSG shall list all components (infrastructure and software) used to Process the Personal Data subject to this Agreement, including computer systems, communication equipment, and software. DSG shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.
- DSG shall act in accordance with an appropriate written information security policy and working procedures that comply with the security requirements under this Annex and Data Protection Legislation, including with respect to backup and recovery procedures. DSG shall review its security policies and operating procedures periodically, and when material changes to the systems or Processing are made, all in order to amend them, if required.
- DSG shall take measures to record the access to the Personal Data, including monitoring the entry into the facilities where the Personal Data is Processed, as well as any equipment brought in or taken out of such facilities.
- DSG shall implement an automatic control mechanism for verifying access to systems containing Personal Data, which shall record, inter alia, the user identity, the date and time of the access attempt, the system component to which access was attempted, the type and scope of access, and whether access was granted or denied. DSG shall periodically review the information recorded by the control mechanism and shall list issues and irregularities together with the measures taken to handle them. Control records shall be retained for a minimum of 24 months.
- DSG will perform security risk surveys to systems containing Personal Data, at least once every 18 months.
- DSG will not disclose Personal Data through a public communications network or via the internet, without using industry-standard encryption methods.