This Data Processing Addendum (“DPA”) supplements the Cognition360 Terms and Conditions available at cognition360.com/terms-and-conditions/ as updated from time to time between Client and Cognition360, or other agreement between Client and Cognition360 governing Client’s use of the Offerings (the “Agreement”) when the GDPR applies to your use of the Offerings to process Client Data. This DPA is an agreement between you and the entity you represent (“Client”, “you” or “your”) and the applicable Cognition360 contracting entity under the Agreement (“Cognition360”). This DPA shall be effective as of the date accepted. The terms of this DPA replace any previously applicable data processing terms as of the date of execution.
1. Cognition360 and Client have entered into an Agreement together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the "Agreement").
2. Pursuant to the Agreement, Cognition360 has agreed to provide certain SaaS-based managed offerings as described in the Terms and Services (the "Offerings").
3. The Parties wish to define their respective data protection obligations relating to Cognition360's provision of Offerings to Client in this DPA.
IN CONSIDERATION OF THE MUTUAL PROMISES BELOW AND OTHER GOOD AND VALUABLE CONSIDERATION THE SUFFICIENCY OF WHICH ARE HEREBY ACKNOWLEDGED, IT IS AGREED:
1. Definitions
In this DPA, the following terms shall have the following meanings:
"controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in European Data Protection Law.
"Controller Model Clauses" means the European Commission's model clauses for the transfer of Personal Data from EU Controllers to non-EU or EEA Controllers, the approved version of which in force at present is that set out in the European Commission's Decision 2004/915/EC of 27 December 2004, available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and as may be amended or replaced by the European Commission from time to time.
"European Data Protection Law" shall mean the applicable European data protection legislation, including, but not limited to: (a) EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (also known as the General Data Protection Regulation) (the “GDPR”), and (b) any and all applicable national data legislation made under or pursuant to the GDPR; in each case, as may be amended from time to time.
"End-Clients" means business end-clients and/or end-customers to whom the Client provides managed services using the support of the Offerings, where applicable.
"Processor Model Clauses" means the European Commission's model clauses for the transfer of Personal Data from EU Controllers to non-EU or EEA Processors, the approved version of which in force at present is that set out in the European Commission's Decision 2010/87/EU of 5 February 2010, which are available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outsideeu/model-contracts-transfer-
"Security Incident" means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Personal Data.
2. Relationship of the parties
- Client (as a controller, and where applicable, a processor acting on behalf of its End-Clients) appoints Cognition360 as its processor to process the personal data that is the subject of the Agreement and as more particularly described in Annex A (the "Client Data") for the purposes of and in connection with delivering to Client the Offerings described in the Agreement (the "Permitted Purpose"). Except where otherwise required by applicable law, Cognition360 shall process the Client Data (i) in accordance with Client's documented instructions (which instructions are set out in the Agreement, this DPA and Client), and (ii) for the purposes of providing the Offering as further described in Annex A.
- Each Party agrees to comply with the obligations that apply to it under European Data Protection Law with regards to its processing of the Client Data and the CRM Data.
3. International transfers
Client acknowledges and agrees that Cognition360 may transfer and process Client Data anywhere in the world where Cognition360, its affiliates or its sub-processors maintain data processing operations. Where European Data Protection Law applies to Client Data ("European Data"), Cognition360 shall not process or transfer European Data outside of the European Economic Area ("EEA"), the United Kingdom ("UK") or Switzerland unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law. Where Cognition360 transfers to a recipient in a country that the European Commission or any applicable UK authority has not decided provides adequate protection for European Data, such measures may include (without limitation) transferring European Data out of the EEA, UK or Switzerland on the basis of (i) appropriate Model Clauses; (ii) Cognition360 having implemented Binding Corporate Rules approved by competent EU or UK data protection authorities; and/or (iii) any mechanism approved by the European Commission or other relevant data protection authority.
Where required under European Data Protection Law to transfer Client Data to Cognition360, Client and Cognition360 will be deemed to have entered into the Processor Model Clauses with Client as the "data exporter" and Cognition360 as the "data importer"; Appendix 1 and Appendix 2 to the Processor Model Clauses shall be deemed completed with Annex A and Annex B of this DPA, and with the Additional Terms in the Model Clauses set out in Annex C of this DPA. The date of the Processor Model Clauses shall be the date of the DPA. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set out in the Processor Model Clauses. Accordingly, if and to the extent the Processor Model Clauses conflict with any provision of this DPA, the Processor Model Clauses shall prevail to the extent of such conflict.
Where Cognition360 is onward transferring Client Data outside the EEA or UK under Model Clauses, Client authorizes Cognition360 to enter into the Controller Model Clauses for the benefit of Client or its End-Clients.
Where Client is transferring European CRM Data to Cognition360 outside of the EEA, UK or Switzerland and to a country that the European Commission or any applicable UK authority has not decided provides adequate protection for European CRM Data, Client and Cognition360 will be deemed to have entered into the Controller Model Clauses as follows: the Client is the "data exporter", Cognition360 is the "data importer", in Clause II of the Controller Model Clauses option h(iii) (the data processing principles set forth in Annex A) will be deemed to have been selected, the provisions in Section 2(b) of this DPA will be deemed to be set out in Annex B, the optional illustrative commercial clauses will be deemed to have been deleted, and if there is any conflict between this DPA and the Controller Model Clauses, the Controller Model Clauses will prevail.
4. Confidentiality of processing
Cognition360 shall ensure that any person it authorizes to process the Client Data (an "Authorized Person") shall protect the Client Data in accordance with Cognition360's confidentiality obligations under the Agreement.
5. Security
Cognition360 shall implement technical and organizational measures as set out in Annex B to protect the Client Data from Security Incidents.
6. Subprocessing
Client consents to Cognition360 engaging third party subprocessors to process the Client Data for the Permitted Purpose provided that: (i) Cognition360 maintains an up-to-date list of its subprocessors which can be found at https://support.cognition360.com/support/solutions/articles/69000818047-list-of-sub-processors which it shall update with details of any change in subprocessors and notify Client of the same at least 10 days prior to any such change; (ii) Cognition360 imposes data protection terms on any subprocessor it appoints that require it to protect the Client Data to the standard required by European Data Protection Law; and (iii) Cognition360 remains liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. Client may object to Cognition360's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is reasonable and founded on demonstrable grounds relating to the subprocessor's inability to comply with European Data Protection Law.
7. Cooperation and data subjects' rights
Cognition360 shall provide reasonable and timely assistance to Client (at Client's expense) to enable Client and/or an End-Client to respond to: (i) any request from a data subject to exercise any of its rights under European Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Client Data. In the event that any such valid request, correspondence, enquiry or complaint is made directly to Cognition360, Cognition360 shall inform Client, providing full details of the same in a timely fashion.
8. Data protection impact assessment
If Cognition360 believes or becomes aware that its processing of the Client Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Client and provide reasonable cooperation to Client (at Client's expense) in connection with any data protection impact assessment that may be required under European Data Protection Law.
9. Security incidents
If it becomes aware of a confirmed Security Incident, Cognition360 shall inform Client without undue delay and shall provide reasonable information and cooperation to Client so that Client (and/or End-Client) can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) European Data Protection Law. Cognition360 shall further take such reasonable and necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Client (and/or End-Client) up to date on all material developments in connection with the Security Incident.
10. Deletion or return of Client Data
Upon termination or expiry of the Agreement, Cognition360 shall (at Client's election) destroy or return to Client all Client Data in its possession or control provided that Client agrees to pay any reasonable costs associated with retrieval where retrieval by Client is otherwise possible. This requirement shall not apply to the extent that Cognition360 is required by applicable law to retain some or all of the Client Data, or to Client Data it has archived on back-up systems, which Cognition360 shall securely isolate and protect from any further processing until deletion is possible except to the extent required by such law.
- Headings in this DPA are for convenience of reference only and will not constitute a part of or otherwise affect the meaning or interpretation of this DPA.
- Annexes to this DPA will be deemed to be an integral part of this DPA to the same extent as if they had been set forth verbatim herein.
- To the extent there is any conflict or inconsistency between this DPA and any other terms of the Agreement, or contracts between the parties relating to its subject matter, the terms of this DPA shall prevail.
- The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such phrase, clause or provision, and the rest of this DPA will remain in full force and effect.
- The provisions of this DPA will endure to the benefit of and will be binding upon the Parties and their respective successors and assigns.
- This DPA shall be governed by and construed in all respects in accordance with the governing law and jurisdiction as prescribed in the Agreement.
Annex A
This Annex A forms part of the DPA and describes the Client Data that Cognition360 will process on behalf of Client and/or End-Client.
The data exporter is (please specify briefly your activities relevant to the transfer):
Data Exporter is (i) the legal entity that has executed the DPA and, (ii) all Affiliates (as defined in the Agreement) of Client or the End-Client established within the European Economic Area (EEA), United Kingdom (UK) and Switzerland that have purchased the Cognition360 Offering.
The data importer is (please specify briefly activities relevant to the transfer):
Cognition360 provides a SaaS-based managed services platform that managed services providers use to view insights on their businesses and their interactions with their customers.
Type(s) of Personal Data processed:
Depending on the Offering chosen by the Client, Cognition360 will process on behalf of Client the following personal data:
- First Name
- Last Name
- Mailing Address
- Business Phone
- Mobile Phone
- Computer Name
- Computer IP address
- Computer MAC address
- Computer access password
- ID data
- Professional life data
- Connection data
- Localization data
In addition, Cognition360 may process, under the terms of the Agreement, personal data which the End-Client elects to host with or upload to the Client in connection with the Client's provision of services to its End-Client.
Special Categories of Personal Data (if applicable):
Client and/or End-Client may submit special categories of data to the Cognition360 Offering, the extent of which is determined and controlled by the data exporter in its sole discretion, and which, for the sake of clarity, is Client Data containing information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Categories of Data Subjects:
Cognition360 will process on behalf of Client and/or End-Client personal data of the following categories of data subjects:
- consultants, contractors, agents and/or employees of Client;
- consultants, contractors, agents and/or employees of End-Client(s); and/or
- third parties with which the End-Client conducts business.
Purposes of Processing:
As a processor, Cognition360 shall process the above Client Data only for the purpose of providing the applicable Offerings in accordance with the Agreement, and the parties acknowledge that this DPA and the terms of the Agreement shall constitute the Client's complete and final documented instructions to Cognition360 for these purposes.
Annex B
This Data Security Guide describes the measures Cognition360 takes to protect Client Data. This Data Security Guide forms a part of any legal agreement into which this Data Security Guide is explicitly incorporated by reference (the "DPA") and is subject to the terms of the DPA. Capitalized terms not otherwise defined in this Data Security Guide will have the meaning given to them in other parts of the DPA.
TECHNICAL AND ADMINISTRATIVE SECURITY MEASURES
TECHNICAL SECURITY MEASURES
- Access Administration. Access to the Offering by Cognition360 employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and subproduction instances. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationships. Production infrastructure includes appropriate user account and password controls (e.g. the required use of VPN connections, complex passwords with expiration dates) and is accessible for administration.
- Service Access Control. The Offering provides user and role-based access controls. Client is responsible for configuring such access controls within its instance.
- Logging and Monitoring. Production infrastructure activity logs are centrally collected, are secured in an effort to prevent tampering, and are monitored for anomalies by a trained Security team.
- Firewall Systems. Industry-standard firewalls are installed and managed to protect Cognition360 systems by residing on the network to inspect all ingress connections routed to the Cognition360 environment.
- Vulnerability Management. Cognition360 conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Cognition360 will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Cognition360's current vulnerability management and security patch management standard operating procedures, and only after such patch is tested and determined to be safe for installation in all production systems.
- Antivirus. Cognition360 updates antivirus, anti-malware and anti-spyware software at regular intervals and centrally logs events to assess the effectiveness of such software.
- Change Control. Cognition360 ensures that changes to platform, applications and production infrastructure are evaluated to minimize risk and are implemented following Cognition360's standard operating procedure.
- Data Separation. Client Data shall be maintained within a logical single-tenant architecture on multi-tenant cloud infrastructure that is logically and physically separate from Cognition360's corporate infrastructure.
ADMINISTRATIVE SECURITY MEASURES
- Security Awareness and Training. Cognition360 maintains a security awareness program that includes appropriate training of Cognition360 personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at Cognition360.
- Vendor Risk Management. Cognition360 maintains a vendor risk management program that assesses all vendors that access, store, process or transmit Client Data for appropriate security controls and business