Data Protection Agreement

  1. SCOPE, ORDER OF PRECEDENCE, AND TERM
    1. This Data Processing Agreement (“DPA”) is part of any and all agreements, purchase orders, statements of work and other contractual documents (each, an “Agreement”) between Company, on the one hand, and Intertrust Technologies Corporation, Intertrust Cloud Services Corporation, or an affiliate thereof (“Intertrust”) on the other. Each of Company and Intertrust is individually a “party”, and they are, collectively, the “parties.” By entering into the Agreement, the parties enter into this DPA.
    2. The effective date of this DPA is the date of the Agreement, or the date that Company first begins using the Services, whichever is earlier.
    3. This DPA applies only to the extent that Intertrust receives, stores, or processes personal data in connection with the Services.
    4. In the event of a conflict between this DPA and the Agreement, the DPA will control to the extent necessary to resolve the conflict. In the event the parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will control.
    5. The term of this DPA is coterminous with the Agreement, except for obligations that survive past termination as specified below.
    6. Intertrust may update the terms of this DPA from time to time, provided, however, that Intertrust will provide at least thirty (30) days prior written notice to Company of any update. Notice of such updates shall be provided by posting updated versions of this DPA at https://www/intertrust.com/DPA. Updates may be because of (a) changes in Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.
    7. The parties acknowledge that this DPA includes additional or distinct confidentiality, information security, and use obligations with respect to certain categories of information. In the event of any conflict between the obligations and restrictions set forth in this DPA and those set forth in the Agreement, the terms of this DPA shall apply.
  2. DEFINITIONS
    1. Capitalized terms not defined in this DPA will have the meanings set forth in the Agreement, to the extent that meanings for such capitalized terms are set forth in the Agreement.
    2. Capitalized terms for which meanings are not set forth below in this section and which are defined in the European Union General Data Protection Regulation (GDPR) shall have the meanings set forth in said GDPR.
    3. Certain common terms are defined, but not capitalized, for ease of reading.
    4. “Aggregated Data” means information that relates to a group or category of data subjects, from which individual data subject identities have been removed, that is not linked and cannot reasonably be linked to any individual data subject.
    5. “Business,” “Sale,” “Service Provider,” and “Third Party” have the definitions given to them in the California Consumer Privacy Act (CCPA).
    6. “consent” means a data subject’s freely given, specific, informed, and unambiguous indication of the data subject’s wishes by a statement or by a clear affirmative action signifying agreement to the processing of personal data relating to him or her.
    7. “Controller” means the entity that determines the purposes and means of the processing of personal data. “Controller” includes analogous terms in other Data Protection Law, such as the CCPA-defined term “Business” or “Third Party,” as context requires.
    8. “Data Exporter” means the party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism and (2) transfers personal data, or makes personal data available to, the Data Importer. This term also describes a party that receives personal data from a third party and further discloses that personal data to the Data Importer (an “onward transfer”). For example, if Company obtains personal data from a third party, located in the EEA, and then further discloses that personal data to Intertrust in the United States, then the disclosure from Company to Intertrust is a transfer of personal data from a Data Exporter (Company) to a Data Importer (Intertrust).
    9. “Data Importer” means the party that is (1) located in a jurisdiction that is not the same as the Data Exporter’s jurisdiction and (2) receives personal data from the Data Exporter or is able to access personal data made available by the Data Exporter. This term includes a party that receives personal data from the Data Exporter in an onward transfer.
    10. “Data Protection Law” means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including Regulation 2016/679 (General Data Protection Regulation) (“GDPR”), UK Data Protection Act 2018 (c. 12) (UK GDPR), and Cal. Civ. Code 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”).
    11. “data subject” means an identified or identifiable natural person.
    12. “De-identified Data” means a data set that does not contain any personal data. Aggregated data is De-identified Data. To “De-identify” means to create De-identified Data from personal data.
    13. “EEA” means the European Economic Area.
    14. “Inquiry” means any type of request (including a request to obtain a copy of personal data) or inquiry related to the Services from a governmental, legislative, judicial, law enforcement, or regulatory authority (e.g. the Federal Trade Commission, the Attorney General of a U.S. state, a European data protection authority, a law enforcement authority, or an agency that is part of a government’s surveillance or intelligence apparatus).
    15. “International Data Transfer Mechanism” means the special protections that some jurisdictions require two or more parties that transfer information across international borders to adopt to make the transfer lawful, e.g., Standard Contractual Clauses, Binding Corporate Rules, or statutory obligations that require the parties to adopt certain technical, organizational, or contractual measures. “Transfer,” in the context of an International Data Transfer Mechanism, means to disclose or move personal data from a storage location in one jurisdiction to another, or to permit a party in one jurisdiction to access personal data that the other party stores in another jurisdiction that requires an International Data Transfer Mechanism.
    16. “personal data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a data subject. This definition of “personal data” includes the subject matter within the definitions of analogous terms in any Data Protection Law, including the CCPA-defined term “Personal Information,” as context requires.
    17. “personnel” means a party’s employees, agents, temporary workers, and contractors.
    18. “process” or “processing” means any operation or set of operations that a party performs on data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
    19. “Processor” means an entity that processes personal data on behalf of another entity. “Processor” includes the subject matter within the definitions of analogous terms in any Data Protection Law, including the CCPA-defined term “Service Provider,” as context requires.
    20. “Pseudonymized Data” means information that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and subject to appropriate technical and organizational measures to ensure that it is not attributed to the individual.
    21. “Security Incident” means an event that is related to the information systems or personal data that Intertrust or its Sub-processors process in connection with the Agreement, that could cause or has caused an accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure of, or provision of access to personal data, that qualifies as a reportable personal data breach under applicable Data Protection Law.
    22. “Sensitive Data” means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health, including protected health information governed by the Health Insurance Portability and Accountability Act; data concerning a natural person's sex life or sexual orientation; government identification numbers (e.g., SSNs, driver’s licenses, etc.); payment card information; nonpublic personal information governed by the Gramm-Leach-Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a data subject’s account; and precise geolocation.
    23. “Services” refers to and includes all elements of Intertrust’s performance that are either pursuant to, or in relation to, the Agreement.
    24. “Sub-processor” means a Processor engaged by a party who is acting as a Processor.
  3. DESCRIPTION OF THE PARTIES’ PERSONAL DATA PROCESSING ACTIVITIES AND STATUSES OF THE PARTIES
    1. Schedule 1 describes the purposes of the parties’ processing, the types or categories of personal data involved in the processing, and the categories of data subjects affected by the processing.
    2. Schedule 1 lists the parties’ statuses under relevant Data Protection Law for each processing activity relevant to the Services.
  4. INTERNATIONAL DATA TRANSFER
    1. Before Company transfers personal data to Intertrust, or permits Intertrust to access personal data located in a jurisdiction that requires an International Data Transfer Mechanism, Company will notify Intertrust of the relevant requirement and the parties will work together in good faith to fulfill the requirements of that International Data Transfer Mechanism.
    2. The parties will comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law. The parties agree to abide by the transfer mechanisms in Schedule 1, which describe the International Data Transfer Mechanisms that the parties anticipate using at the outset of the Agreement.
    3. If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties will work together in good faith to find an alternative. If the parties are unable to find an alternative within 60 days, or another period as agreed in writing, either of them may terminate the Agreement.
  5. DATA PROTECTION GENERALLY
    1. Compliance. The parties will comply with their respective obligations under Data Protection Law.
    2. Intertrust’s Lawful Basis of Processing of Personal Data. Company represents and warrants that it has the consent or other lawful basis necessary to collect and transfer to Intertrust all personal data used or transferred in connection with the Services. Company represents and warrants that it will not send (or cause to be sent) Sensitive Data to Intertrust. If a data subject revokes consent to Intertrust’s processing of their personal data, or otherwise exercises a right to opt out or object, then, consistent with its obligations under Data Protection Law, Company will be responsible for ceasing disclosure of that data subject’s personal data to Intertrust (if that would be the result of compliance with the data subject’s request).
    3. Cooperation.
      1. Data Subject Requests. The parties will provide each other with reasonable assistance to enable each to comply with their obligations to respond to data subjects’ requests to exercise the rights to which those data subjects may be entitled under Data Protection Law.
      2. Governmental and Regulatory Requests. If either party receives or becomes aware of an Inquiry, the receiving party will notify the other party without undue delay, unless such notification is prohibited by applicable law, and if the Inquiry is a request for a copy of personal data, seek to limit its response to only the personal data necessary to comply with applicable law. If notification is prohibited by applicable law, the receiving party will use reasonable efforts to obtain a waiver of the prohibition. In any event, the receiving party will document the Inquiry (including any reasons why it is unable to provide relevant information to the other party), be prepared to make such documentation available to a relevant governmental authority and retain such documentation at least for the duration of the Agreement, unless doing so is prohibited by applicable law or regulation. If requested by the receiving party, the other party will provide the receiving party with information relevant to the Inquiry to enable the receiving party to respond to the Inquiry.
      3. Other Requirements of Data Protection Law. Upon request, the parties will provide relevant information to each other to fulfill their respective obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.
    4. Confidentiality. The parties will ensure that their employees, independent contractors, and agents are subject to an obligation to keep personal data confidential and have received training on data privacy and security that is commensurate with their responsibilities and the nature of the personal data.
    5. De-identified, Anonymized, or Aggregated Data. The parties may create Anonymized Data, Aggregated Data, or De-identified Data from personal data and process the Anonymized Data, Aggregated Data, or De-identified Data for any purpose.
    6. Retention. Subject to Section 7.6 of this DPA or an express provision of the Agreement to the contrary, a party may retain personal data obtained pursuant to the Agreement for as long as it has a business purpose or for the longest time allowable by applicable law.
  6. DATA SECURITY
    1. Security Controls. Each party will maintain a written information security policy that defines security controls that are based on the party’s assessment of risk to personal data that the party processes and the party’s information systems. When a party chooses security controls, it will consider the state of the art; cost of implementation; the nature, scope, context, and purposes of personal data processing; and the risk to data subjects of a Security Incident or Personal Data Breach affecting personal data. Intertrust’s security controls are described in Schedule 2.
  7. INTERTRUST'S OBLIGATIONS AS A PROCESSOR OR SERVICE PROVIDER
    1. Intertrust will have the obligations set forth in this Section 7 if it processes the personal data of data subjects in its capacity as Company’s Processor or Service Provider; for clarity, these obligations do not apply to Intertrust in its capacity as a Controller, Business, or Third Party, to the extent, if any, to which it acts in such role.
    2. Scope of Processing.
      1. Intertrust will process personal data obtained pursuant to the Agreement solely to provide Services to Company and carry out Intertrust’s obligations under the Agreement and Company’s instructions, which are contained in the Agreement and this DPA. Intertrust will not process such personal data for any other purpose, unless required by applicable law. Intertrust will notify Company if it believes that it cannot follow Company’s instructions or fulfill its obligations under the Agreement because of a legal obligation to which it is subject, unless Intertrust is prohibited by law from making such notification.
      2. Intertrust is prohibited from: (a) Selling (as defined in the CCPA) personal data obtained pursuant to the Agreement from Data Subjects subject to the CCPA; (b) retaining, using, or disclosing personal data obtained pursuant to the Agreement for any purpose other than for the specific business purpose of performing Company’s documented instructions for the business purposes defined in the Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than performing Company’s instructions; or (c) retaining, using, or disclosing the personal data obtained pursuant to the Agreement outside of the direct business relationship between the parties as defined in the Agreement. Intertrust certifies that it understands these restrictions.
      3. Regardless of the foregoing prohibitions, the parties agree that Intertrust may, and Company instructs Intertrust to, process personal data for the following activities that are necessary to support the Services: detect Security Incidents; protect against fraudulent or illegal activity; effectuate repairs; and maintain or improve the quality of the Services.
      4. Processing any Company personal data outside the scope of the Agreement will require prior written agreement between Intertrust and Company.
      5. With regard to processing subject to the CCPA, Intertrust will not combine the personal data received by Intertrust pursuant to the Agreement with personal data received outside of the scope of the Agreement.
    3. Data Subjects’ Requests to Exercise Rights. Intertrust will promptly inform Company if Intertrust receives a request from a data subject to exercise their rights with respect to their personal data under applicable Data Protection Law. Company will be responsible for responding to such requests. Intertrust will not respond to such data subjects except to acknowledge their requests. Intertrust will provide Company with commercially reasonable assistance, upon request, to help Company to respond to a data subject’s request.
    4. Intertrust’s Sub-processors.
      1. Existing Sub-processors. Company agrees that Intertrust may use the Sub-processors listed at https://www.Intertrust.com/subprocessors.
      2. Use of Sub-processors. Company grants Intertrust general authorization to engage additional Sub-processors if Intertrust and those Sub-processors enter into agreements that include at least the following elements: the Sub-processors are prohibited from (1) processing personal data for any purpose other than carrying out Intertrust’s obligations under the Agreement; (2) Selling (as defined in the CCPA) personal data; (3) retaining, using, or disclosing personal data for any purpose other than for the specific business purpose of performing Company’s documented instructions for the business purposes defined in the Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than performing Company’s instructions; or (4) retaining, using, or disclosing the personal data outside of the direct business relationship between the parties as defined in the Agreement.
      3. Notification of Additions or Changes to Sub-processors. Notice of additional Sub-processors will be provided by posting updated lists of Sub-processors at https://www.Intertrust.com/subprocessors. Company may object to Intertrust’s use of a new Sub-processor by notifying Intertrust promptly in writing within thirty (30) days of the addition of such new Sub-processor to the linked webpage. If Company reasonably objects to the addition or replacement of Sub-processor, Intertrust will immediately cease using that Sub-processor to provide Services to Company, or, if it is not commercially reasonable to do so, the parties will enter into good faith negotiations to resolve the matter. If the parties are unable to resolve the matter within 15 days of Company’s reasonable objection (which deadline the parties may extend by written agreement), Intertrust will stop providing the Services to Company, and Company may terminate the Agreement. The parties agree that Intertrust has sole discretion to determine whether Company’s objection is reasonable; however, the parties agree that Company’s objection is presumptively reasonable if (1) the Sub-processor is a competitor of Company and Company has a reason to believe that Sub-processor could obtain a competitive advantage from the personal data Intertrust discloses to it, or (2) Company anticipates that Intertrust’s use of the Sub-processor would be contrary to law applicable to Company.
      4. Liability for Sub-processors. Intertrust will be liable for the acts or omissions of its Sub-processors to the same extent as Intertrust would be liable if performing the services of the Sub-processors directly under the DPA.
    5. Security Incident.
      1. Intertrust will notify Company without undue delay but no later than twenty-four (24) hours of a Security Incident affecting any personal data Intertrust processes in connection with the Agreement. Notifications will be delivered to Company contact information provided in the Agreement.
      2. Intertrust will provide Company with the following information about the Security Incident as soon as practicable and on an ongoing basis until the Security Incident has been contained: (a) the nature of the Security Incident; (b) the number and categories of data subjects and data records affected; (c) the name and contact details for the relevant contact person at Intertrust; and (d) information necessary for Company to fulfill any obligations it has to investigate or notify authorities, except that Intertrust reserves the right to redact information that is confidential or competitively sensitive.
      3. Immediately following Intertrust’s notification, the parties will coordinate with each other to investigate the Security Incident. Intertrust agrees to reasonably cooperate with Company in the conduct of its investigation, including making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Company.
      4. Intertrust will take reasonable steps to identify the root cause of any Security Incident and take reasonable steps to prevent any further Security Incident, at Intertrust’s expense, in accordance with applicable laws, regulations, and standards.
    6. Deletion and Return of Personal Data. At the expiration or termination of the Agreement and upon written request by Company to Intertrust (delivered to Intertrust pursuant to the notice provisions of the Agreement), Intertrust will, without undue delay, (i) return all Company personal data (including copies thereof) to Company and/or (ii) destroy all Company personal data (including copies thereof), unless applicable law requires otherwise or the parties otherwise expressly agree in writing. For any Company personal data that Intertrust retains after expiration or termination of this Agreement (for example, because Intertrust is legally required to retain the information), Intertrust will continue to comply with the data security and privacy provisions of this DPA and Intertrust will De-identify such personal data to the extent feasible and consistent with the requirements or agreements referenced in this paragraph.
    7. Audits.
      1. Scope. The terms of this Section 7.7 apply notwithstanding anything to the contrary. Company agrees that Intertrust’s obligations under this Section 7.7 are limited to the personal data Intertrust processes in connection with the Services pursuant to the Agreement.
      2. Request. Within a reasonable time after receipt of a reasonable, written request that includes a statement of reasons for the request, Intertrust will make available to Company applicable documentation that is responsive to such request, including third-party audit reports or certifications to the extent they are available. To the extent that such documentation does not satisfy Company’s request, Intertrust will provide Company or Company’s designated third party (which Company agrees may not be a competitor to Intertrust) with the information and reasonable and commensurate access to facilities necessary to demonstrate compliance with Data Protection Law.
      3. Access to Facilities. If Company is entitled to access Intertrust’s facilities pursuant to the provisions of this Section 7.7 (the “Inspection”), Company will provide Intertrust with written notice at least 60 days in advance. Such written notice will specify the things, people, places, or documents to be made available, and justify the need for such availability. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered confidential information and will remain confidential information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product produced in response to the Inspection will not be disclosed to anyone without the prior written permission of Intertrust unless such disclosure is required by applicable law. If disclosure is required by applicable law, Company will give Intertrust prompt written notice of that requirement and, if feasible, an opportunity to seek a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Company agrees to negotiate in good faith with Intertrust before seeking to exercise the right to conduct an audit or Inspection more frequently than once per twelve (12) month period. Company will make every effort to cooperate with Intertrust to schedule the Inspection at a time that is convenient to Intertrust. Company agrees that if it uses a third party to conduct the Inspection, the third party will sign a non-disclosure agreement with Intertrust. 
Company agrees that the Inspection will only examine Intertrust’s architecture, systems, policies, records of processing, data protection impact assessments, and procedures relevant to its obligations as set forth in the Agreement and the processing of personal data carried out by Intertrust to provide the Services to Company. Company agrees that Intertrust shall be allowed to protect or redact the names and identifying or proprietary information of other Intertrust customers during the Inspection.
    8. Limitation of Liability. Intertrust’s and its affiliates’ liability arising out of or related to this DPA, and all DPAs between Company and Intertrust, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability provisions of the Agreement, and any reference in such provisions to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and all DPAs together.

Schedule 1: Description of the Processing; Sub-processors; Jurisdiction-Specific Clauses

  1. DESCRIPTION OF THE PROCESSING
    1. See Exhibit 1 (Description of the Processing) at the end of this document.
  2. JURISDICTION-SPECIFIC OBLIGATIONS AND INFORMATION FOR INTERNATIONAL TRANSFERS
    1. Generally. The parties agree that, for any jurisdiction not listed below that requires an International Data Transfer Mechanism, they hereby enter into and agree to be bound by the EEA Standard Contractual Clauses for transfers of personal data from that jurisdiction unless (1) the parties otherwise agree in writing or (2) a jurisdiction promulgates its own International Data Transfer Mechanism, in which case the parties hereby agree to negotiate an update to this DPA to incorporate such International Data Transfer Mechanism.
    2. European Economic Area.
      1. “EEA Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
      2. For transfers from the EEA that are not subject to an adequacy decision or exception, the parties hereby incorporate the EEA Standard Contractual Clauses by reference and, by signing this DPA, also enter into and agree to be bound by the EEA Standard Contractual Clauses. The parties agree to select the following options made available by the EEA Standard Contractual Clauses.
        • Clause 7: The parties opt to include Optional Clause 7.
        • Clause 9, Module 2(a): The parties select Option 2. The time period is five days.
        • Clause 9, Module 3(a): The parties select Option 2. The time period is five days.
        • Clause 11(a): The parties do not select the independent dispute resolution option.
        • Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.
        • Clause 18: The parties agree that the forum is Ireland.
        • Annex I(A): The data exporter is the Data Exporter (defined above) and the data importer is the Data Importer (defined above). The statuses of the parties as Controllers or Processors are described in Exhibit 1.
        • Annex I(B): The parties agree that Exhibit 1 describes the transfer.
        • Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.
        • Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer.
        • Annex III: The parties agree that Exhibit 1 describes the relevant Sub-processors and their roles in processing personal data.
    3. Switzerland. The parties agree to the following modifications to the EEA Standard Contractual Clauses to make them applicable to transfers of personal data from Switzerland.
        • The parties adopt the GDPR standard for all data transfers from Switzerland.
        • Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
        • Clause 17: The parties agree that the governing jurisdiction is Ireland.
        • Clause 18: The parties agree that the forum is Ireland. The parties agree to interpret the EEA Standard Contractual Clauses so that data subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c).
        • The parties agree to interpret the EEA Standard Contractual Clauses so that “data subjects” includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.
    4. United Kingdom.
      1. “IDTA” means the International Data Transfer Agreement issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as modified by the UK Information Commissioner’s Office from time to time.
      2. For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the parties hereby incorporate the IDTA by reference and, by signing this DPA, also enter into and agree to be bound by the Mandatory Clauses of the IDTA.
      3. Pursuant to Sections 5.2 and 5.3 of the IDTA, the parties agree that the following information is relevant to Tables 1 – 4 of the IDTA and that by changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the IDTA).
          • Table 1: The parties’ details, key contacts, data subject contacts, and signatures are as set forth in the Agreement.
          • Table 2:
              • The UK country’s law that governs the IDTA is: England and Wales.
              • The primary place for legal claims to be made by the parties is: England and Wales.
              • The statuses of the Data Exporter and Data Importer are described in Exhibit 1.
              • The Data Importer represents and warrants that the UK GDPR does apply to its processing of personal data under the Agreement.
              • The relationship among the agreements setting forth data protection terms among the parties, including this Section, the DPA, and the Agreement, is described in Section 1 of the DPA.
              • The duration that the parties may process personal data is set forth in the DPA.
              • The IDTA is coterminous with the DPA. Neither party may terminate the IDTA before the DPA ends unless one of the parties breaches the IDTA or the parties agree in writing.
              • The Data Importer may transfer personal data to another organization or person (who is a different legal entity) if such transfer complies with the IDTA’s applicable Mandatory Clauses.
              • The parties will review the Security Requirements listed in Table 4, and the supplementary measures described in Schedule 3, to this DPA each time there is a change to the Transferred Data, Purposes, Importer Information, transfer impact assessment, transfer risk assessment, or risk assessment.
          • Table 3:
              • The categories of personal data, Sensitive Data, data subjects, and purposes of processing are described in Exhibit 1. Such description may only be updated by written agreement of the parties.
          • Table 4:
              • The security measures adopted by the parties are described in Schedule 2 of this DPA. Such security measures may only be updated by written agreement of the parties.
      4. The parties agree to adopt the additional technical, organizational, and/or contractual protections that may be required by their transfer impact assessment described in Schedule 3 of this DPA.

Schedule 2: Technical and Organizational Security Measures

    Description of the technical and organisational security measures implemented by the Data Importer in accordance with Section 6 of this DPA:
  1. Purpose: This Schedule 2 sets forth the information security program and infrastructure policies that Intertrust will meet and maintain in order to protect Company personal data from unauthorized use, access or disclosure, during the term of the Agreement.
  2. Information Security Management Program (the “ISMP”): Intertrust represents that it will maintain throughout the term of the Agreement a written information security management program designed to protect and secure Company personal data from unauthorized access or use. The ISMP will be documented and updated based on changes in applicable legal and regulatory requirements related to privacy and data security practices and industry standards.
  3. Standards: Intertrust incorporates commercially reasonable and appropriate methods and safeguards to protect the security, confidentiality, and availability of Company personal data.
  4. Information Security Policies: Intertrust will implement, maintain, and adhere to its internal information security and privacy policies that address the roles and responsibilities of Intertrust’s personnel who have access to Company personal data in connection with providing the Services. All Intertrust personnel with access to Company personal data will receive regular (at least annual) training on the ISMP.
  5. Information Security Infrastructure:
      • Access Controls: Intertrust will ensure appropriate access controls are in place to protect Company personal data. Intertrust agrees that it shall maintain, throughout the term of the Agreement and at all times while Intertrust has access to or possession of Company personal data, appropriate access controls (physical, technical, and administrative) and shall maintain such access controls in accordance with Intertrust’s policies and procedures.
      • Authorized Persons: Intertrust will limit access to Company personal data solely to Intertrust personnel who have a need to access the Company personal data in connection with the Services or as otherwise required by applicable law.
      • Access Justification/Authorization Process: Intertrust has a process in place that is designed to ensure that only authorized persons (technical and non-technical) are granted access to Company personal data.
      • Encryption: Intertrust will encrypt Company personal data which is at rest, should it reside outside of the production security zone. Intertrust will use at a minimum an AES algorithm for encryption of such Company personal data at rest with a default value of 256 bit strength. For Company personal data in transit, Intertrust agrees to use encryption unless Company uses a method of transmission which does not support encryption (such as unencrypted FTP, email, etc.).
      • Network and Host Security: Intertrust has commercially reasonable network intrusion detection and firewalls in place. Intertrust uses reasonable efforts to ensure that the systems it uses to provide the Services are patched or secured to mitigate the impact of security vulnerabilities within a reasonable time after Intertrust has actual or constructive knowledge of any critical or high-risk security vulnerabilities.
      • Data Management: Intertrust will have adequate information security infrastructure controls in place for Company personal data obtained, transported, and retained by Intertrust. Intertrust will destroy, delete, or otherwise make irrecoverable Company personal data upon the disposal or repurposing of storage media containing such Company personal data. Company personal data is logically separated from the content of other Intertrust customers.
      • Physical Security: Physical security safeguards include physical safety and security safeguards at any facilities operated by Intertrust or used in the course of providing the Services.
  6. Disaster Recovery: Intertrust implements and maintains disaster recovery capabilities designed to minimize disruption to the Services in accordance with the Agreement.
  7. Furthermore, Intertrust uses a secure, third-party solution to facilitate transfers of personal and confidential data to and from its clients.

Schedule 3: Supplementary Measures

  1. ADOPTION AND MAINTENANCE OF SUPPLEMENTARY MEASURES
    1. The parties agree to adopt the supplementary measures identified in this Schedule 3 (if any).
    2. If the provisions in this Schedule 3 conflict with an International Data Transfer Mechanism, the terms that are more protective of data subjects will apply.
    3. Data Importer represents and warrants that, prior to transferring personal data:
      1. It will notify Data Exporter of changes to relevant laws or facts and circumstances applicable to Data Importer that could cause Data Exporter to no longer comply with an applicable International Data Transfer Mechanism; and
      2. It will keep a record of its processing of personal data in connection with the processing activities described in Exhibit 1 and provide that record to Data Exporter upon request.
    4. Data Exporter represents and warrants that, prior to transferring personal data:
      1. It conducted any “transfer impact assessment,” “transfer risk assessment,” or other assessment required by applicable Data Protection Law to determine whether it can lawfully transfer personal data to Data Importer (collectively “TIA”);
      2. It will cooperate with a relevant data protection authority, at that authority’s request, in connection with the parties’ personal data processing activities under their chosen International Data Transfer Mechanism, including by providing the authority with its TIA and any relevant supporting information;
      3. It will assist Data Importer with Data Importer’s reasonable requests for assistance with passing on notices or other information to and from relevant data subjects; and
      4. It will notify Data Importer of changes to relevant facts and circumstances that could affect the lawfulness of the personal data transfers described in Schedule 1.
    5. Data Exporter agrees that it is solely responsible for carrying out a TIA. Unless Data Importer violates a representation or warranty in Section 1.3 of this Schedule 3, Data Importer will not be liable to Data Exporter for third-party claims (including claims by regulatory authorities) against Data Exporter in connection with Data Exporter’s TIA.
  2. SUPPLEMENTARY MEASURES
    1. The Data Importer represents and warrants that it has adopted the following supplementary measures to ensure that the personal data it processes is protected in a manner that is equivalent to the protections available to data subjects in the country from which the personal data originated.
      • Intertrust applies encryption to personal data at rest and in transit (unless Company uses a method of transmission which does not support encryption, such as unencrypted FTP, email, etc.).

Exhibit 1: Description of the Processing

For all processing, the frequency of transfer is continuous.
For all processing, no categories of sensitive data are processed.
• Processing Activity (nature and purpose of the processing; categories of data subjects): Intertrust processes personal data to provide the Services, or in connection with the Services receives personal data from Company, or collects personal data on Company’s behalf, from the end-users of Company’s digital content distribution service.
    • Status of the Parties as Controllers or Processors: Company is a Controller. Intertrust is a Processor.
    • Status of the Parties as Data Exporters or Importers: Company is the Data Exporter. Intertrust is the Data Importer.
    • Categories of Personal Data Processed: Any personal data Company discloses to Intertrust or that Intertrust collects on Company’s behalf, including usage data, device identifiers, end-user identifiers.
    • Intertrust’s Sub-processors that support the processing activity: https://www.intertrust.com/subprocessors
    • Applicable Module of EEA Standard Contractual Clauses: Module 2. Module 3, if Company acts as a Processor to another Processor.
• Processing Activity (nature and purpose of the processing; categories of data subjects): Intertrust receives from Company personal data of Company’s employees, personnel, contractors, or agents to provide professional services in support of the Services.
    • Status of the Parties as Controllers or Processors: Company is a Controller. Intertrust is a Processor.
    • Status of the Parties as Data Exporters or Importers: Company is the Data Exporter. Intertrust is the Data Importer.
    • Categories of Personal Data Processed: Name, email address, other contact information, and end-user unique ID. For clarity, Intertrust is a Processor with respect to any personal data that Company provides about its customers or end-users.
    • Intertrust’s Sub-processors that support the processing activity: https://www.intertrust.com/subprocessors
    • Applicable Module of EEA Standard Contractual Clauses: Module 2. Module 3, if Company acts as a Processor to another Processor.
• Processing Activity (nature and purpose of the processing; categories of data subjects): Intertrust processes account data in support of its obligations under the Agreement.
    • Status of the Parties as Controllers or Processors: Company is a Controller. Intertrust is a Processor.
    • Status of the Parties as Data Exporters or Importers: Company is the Data Exporter. Intertrust is the Data Importer.
    • Categories of Personal Data Processed: Data that relates to the accounts that Company’s personnel may create in connection with using the Services, including the names or contact information of individuals authorized by Company to access Company’s account and billing information of individuals that Company has associated with its account. Analytical and usage information and logs that Intertrust generates when Company’s personnel use the Services. Data that Intertrust may need to collect for the purpose of identity verification.
    • Intertrust’s Sub-processors that support the processing activity: https://www.intertrust.com/subprocessors
    • Applicable Module of EEA Standard Contractual Clauses: Module 2