Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements and is incorporated into the Agreement entered into between Verifract, LLC or Redzone Production Systems, Ltd., as applicable, dba Redzone (“Redzone”) and the customer entering into the Agreement (“Customer”).
This DPA applies only if and to the extent Redzone processes Personal Data of Customer or its Users in connection with the Software Services provided by Redzone to Customer under the Agreement. This DPA does not apply to any processing of Customer Data by any third parties outside the Software Services.
1. Definitions
- “Account” means Customer’s account within the Software Services in connection with which Customer stores and processes Customer Data in the Software Services.
- “Affiliate” means an entity that, directly or indirectly, controls, is controlled by, or is under common control with another party to this DPA, where such control is represented by a voting or similar interest representing fifty percent (50%) or more of the total then-outstanding interest of the entity in question.
- “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.
- “Customer Data” means as defined in the Agreement.
- “Data Protection Laws” means all data protection and privacy laws applicable to a party in its respective role in the controlling or processing of Personal Data under the Agreement, including, where applicable, (i) the CCPA, (ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (iii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- “Software Services” means as defined in the Agreement.
- “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, a copy of which is found at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf
- “Sub-processor” means any other processor engaged by Redzone to process personal data.
- “Users” means as defined in the Agreement.
- Terms Defined by Law: The terms “personal data,” “controller,” “data subject,” “processor,” “processing,” “sensitive data,” and “special categories of personal data” (or equivalent terms used in applicable Data Protection Laws) will have the meaning given to them under applicable Data Protection Laws or, if not defined thereunder, the GDPR and CCPA, respectively, and “process”, “processes” and “processed”, with respect to any Customer data, will be interpreted accordingly.
- Capitalized Terms: Capitalized terms not defined in this DPA will have the same meaning as in the Agreement.
2. Application and Details of Processing
2.1. Relationship of the Parties. As between Redzone and Customer, the parties acknowledge and agree that, with respect to personal data, Customer is the controller of personal data and Redzone is a processor of personal data acting on behalf of Customer.
2.2. Details of Processing. Details of the processing of personal data under this DPA are described in Schedule 1 to this DPA.
3. Roles and Responsibilities
3.1. Compliance with Laws. Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of its obligations and exercise of its rights under this DPA, including Data Protection Laws.
3.2. Customer Instructions. Redzone will process personal data only: (i) for the purpose of providing the Software Services as described in the Agreement, including processing initiated by Users in their use of the Software Services; (ii) in accordance with Customer’s documented, reasonable, and lawful instructions; or (iii) as otherwise agreed upon by the parties or required by applicable law. The parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Redzone in relation to the processing of personal data, and that processing outside the scope of the Agreement (if any) requires prior written agreement between the parties.
3.3. Customer Compliance. Customer represents and warrants that: (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, with respect to any instructions related to the processing of personal data issued by Customer to Redzone and with respect to Customer’s own processing of any personal data; (ii) Customer has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Redzone to process personal data in accordance with the Agreement; and (iii) Customer’s instructions to Redzone related to the processing of personal data will not violate any applicable law, rule, or regulation, including but not limited to, Data Protection Laws.
3.4. Prohibited data. Customer will not provide (or cause to be provided) any sensitive data or special categories of personal data to Redzone for processing under the Agreement, and Redzone will have no liability whatsoever for those types of data, whether in connection with a Security Incident or otherwise. The parties agree that any biometric data provided for the purposes of logging into the Redzone Software Services is processed by the third-party device or login-services provider and not by Redzone.
4. Security of Processing
4.1. Technical and Organizational Measures. Redzone will at least implement the technical and organizational measures specified in Schedule 2 (the “Technical and Organizational Measures”) to ensure the security of the personal data. This includes protecting the personal data against Security Incidents. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. Redzone may update its technical and organizational measures from time to time, provided that any updates do not materially diminish the overall protection afforded to personal data.
4.2. Confidentiality of Processing. Redzone will grant access to the personal data undergoing processing to members of its personnel only to the extent necessary for implementing, managing, and/or monitoring of the Agreement. Redzone will ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Updates. Customer acknowledges that the Technical and Organizational Measures are subject to technical progress and development and that Redzone may update or modify its Technical and Organizational Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
5. Audits
5.1. Audit Rights. Redzone will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit by itself or through an independent auditor (subject to reasonable confidentiality obligations). At Customer’s request, Redzone will also permit and contribute to audits of the processing activities covered by this DPA at reasonable intervals or if there are reasonable indications of Redzone’s non-compliance with this DPA.
5.2. Audit Terms. Customer may request an audit, including an inspection of Redzone’s premises or physical facilities, upon at least 30 days’ prior written notice to Redzone. The Parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls. Audits will be conducted at Customer’s sole expense and during normal business hours. Any audits conducted in accordance with the SCCs will be subject to the audit terms of this DPA.
6. Sub-processors
6.1. Authorized Sub-processors. Redzone has Customer’s general authorization to engage Sub-processors to process personal data on Customer’s behalf. The list of Sub-processors currently engaged by Redzone is available at: https://rzsoftware.com/redzone-sub-processors
6.2. Sub-processor Changes. Redzone will notify Customer if it adds new or replaces Sub-processors at least 10 days prior to any such changes if Customer opts in to receive such notifications by subscribing to Sub-processor updates here. Customer may object to the appointment or replacement of a Sub-processor prior to the appointment or replacement, provided that the objection is in writing and is upon reasonable grounds related to data protection. If Customer so objects, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of Redzone’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Software Services by providing written notice to Redzone. Such discontinuation will be without prejudice to any fees owed to Redzone for services performed prior to the discontinuation of the affected Software Services. If no objection has been raised prior to Redzone appointing a new or replacing a Sub-processor, Customer will be deemed to have authorized the new Sub-processor.
6.3. Sub-processor Obligations. Redzone will: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of personal data as are Redzone’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA; and (iii) upon Customer’s written request and subject to any confidentiality restrictions reasonably required by Redzone, provide Customer a copy of Redzone’s agreements with Sub-processors.
7. International Transfers
7.1. Data Locations. Customer acknowledges that Redzone may transfer and process Customer personal data to and in the United States and anywhere else in the world where Redzone, its Affiliates, or its Sub-processors maintain data processing operations. Redzone will at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
7.2. Transfer Mechanism; SCCs. The parties agree that the SCCs will apply to any personal data that is transferred via the Software Services from the European Economic Area or Switzerland, either directly or by onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data.
7.3. Schedules. The Schedules to this DPA set forth certain details of Redzone’s processing of personal data in accordance with this DPA and the SCCs.
8. Data Subject Request; Assistance to Customer.
Redzone will promptly notify the Customer of any request it has received from the data subject. Redzone will not respond to the request itself except as reasonably appropriate (for example, to direct the data subject to contact Customer), as legally required, or as authorized to do so by Customer. If made available within the Software Services, Customer may use any self-services features of the Software Services to respond to data subject requests as required by Data Protection Laws. Additionally, Redzone will reasonably assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing, and, in doing so, will comply with the Customer’s lawful instructions.
For clarity, nothing in the DPA will restrict or prevent Redzone from responding to a data subject or data protection authority requests in relation to personal data for which Redzone is a controller (as opposed to the processor).
9. Security Incidents.
9.1. Security Incident Notification. If Redzone becomes aware of a Security Incident, Redzone will notify Customer without undue delay and, in any case, where feasible, within seventy-two (72) hours after becoming aware of the Security Incident. Redzone may send notification of a Security Incident by any reasonable means, including by email to the Customer email address provided in the Agreement or designated as an administrator address within the Software Services, or by any notification means set forth in the Agreement. Redzone’s notification of a Security Incident will contain a description of: (i) the nature of the Security Incident; (ii) the Redzone point of contact for further information about the Security Incident; and (iii) the likely consequences and measures taken or proposed to be taken to address and mitigate possible adverse effects of the Security Incident.
9.2. Reporting Assistance. Redzone will provide reasonable assistance to Customer in the event Customer is required under applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
9.3. Mitigation. Redzone will take reasonable steps to investigate and, as necessary, address and mitigate an actual or threatened Security Incident. Redzone’s notification or addressing of or response to a Security Incident will not be construed as an acknowledgment by Redzone of any fault or liability with respect to the Security Incident.
10. Return or Deletion of Personal Data.
Following termination of the Agreement, Redzone will, at the choice of Customer, delete or return to Customer all personal data, except to the extent applicable law requires the retention of some or all personal data. Until the data is deleted or returned, Redzone will continue to ensure compliance with this DPA.
11. Relationship to Agreement.
11.1. Governing Law. This DPA will be governed by and construed in accordance with the governing law of the Agreement, and any dispute between the Parties will be subject to the exclusive jurisdiction of the forum set forth in the Agreement, unless required otherwise by applicable Data Protection Laws.
11.2. Term. This DPA will remain in effect for as long as Redzone processes personal data on behalf of Customer or until the Agreement has been terminated or expired and all Customer Data has been returned or deleted in accordance with Section 10 above.
11.3. Precedence of DPA. This DPA replaces and supersedes any existing data processing addendum, attachment, exhibit, or standard contractual clauses that Redzone and Customer may have previously entered into in connection with the Software Services.
11.4. Order of Precedence. In the event of any conflict or inconsistency between this DPA and any other part of the Agreement, the provisions of first the SCCs and then this DPA will prevail over any provisions of any documents of the Agreement to the contrary.
11.5. Agreement Unchanged. Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
11.6. No Third-Party Beneficiaries. No one other than a party to this DPA and a party’s successors and permitted assignees will have any right to enforce any terms of this DPA.
11.7. Updates to DPA. Redzone may update this DPA to comply with changes in applicable law, provided, however, that no such update shall materially diminish the privacy or security of personal data. Redzone will provide written notice to Customer of any changes to comply with applicable law, with those changes being effective immediately.
Schedule 1 – Details of Processing
1. Categories of Data Subjects. The categories of data subjects whose personal data is processed are: (i) Users or any other person who uses the Software Services by or through Customer; and (ii) other natural persons whose personal data is input or uploaded to, or stored, processed, or generated by, Customer or Users as a result of their use of the Software Services.
2. Categories of Personal Data Processed. In providing the Software Services, Redzone may process the following categories of Personal Data:
a. Identifiers: Information including first and last name, username, email address, Redzone password, country, IP address, and browser and operating system configuration.
b. Employment-Related Information: Business contact information, which may include employee names, titles, functions, employer information (such as business unit or group), work telephone number and email address, work mailing address, and supervisor name.
c. Results: Data related to overall equipment effectiveness and/or statistical process controls as may relate to a data subject.
d. Technical Usage/Activity Information: Technical information automatically collected from a User’s device related to use of the Software Services or any website owned or operated by Redzone, such as cookie data and device information (including identifier, name, and type of operating system). This also includes standard web information like browser type, browser data, usage data, and the pages accessed and actions taken in connection with use of the Software Services.
e. Provided Information: Any other information Customer or Users provides to Redzone when signing up for, using, or requesting support for the Software Services.
3. Sensitive Data. Redzone does not intentionally collect or process, and the parties do not anticipate that Redzone will collect or process, any special categories of personal data (as defined by Data Protection Laws) in connection with the provision of the Software Services.
4. Nature of Processing. The nature of the data processing under this DPA is Redzone’s processing of personal data as set forth in the Agreement.
5. Duration of Processing. As between the parties, the duration of the data processing under this DPA is until such data is deleted or returned to Customer in accordance with the Agreement.
Schedule 2 – Technical and Organizational Measures
Redzone’s Technical and Organizational Measures are listed here: https://rzsoftware.com/technical-and-organizational-measures
DETAILS OF STANDARD CONTRACTUAL CLAUSES
1. Modules. For transfers of personal data from the European Economic Area or Switzerland that are subject to the SCCs, the SCCs will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
a. Customer is the “data exporter”; Redzone is the “data importer.”
b. Module Two (Controller to Processor) of the SCCs will apply as set forth throughout the SCCs where Customer is a controller of personal data and Redzone is the processor of personal data.
c. Module Three (Processor to Processor) of the SCCs will apply as set forth throughout the SCCs where Customer is a processor of personal data and Redzone is the processor of personal data.
2. Optional Clauses. With respect to the optional clauses of the SCCs, the following options apply to this DPA:
a. In Clause 7 of the SCCs, the Docking Clause will not apply.
b. In Clause 9 of the SCCs, Option 2 (general written authorization) will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 6.2 (Sub-processor Changes) of this DPA.
c. In Clause 11 of the SCCs, the optional language will not apply.
d. In Clause 17 of the SCCs, the SCCs, and only the SCCs, will be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
e. In Clause 18(b) of the SCCs, any dispute arising from the SCCs, and only a dispute arising from the SCCs, will be resolved by the courts of an EU Member State. The Parties agree that those shall be the courts of Ireland.
3. Appendix to SCCs.
With respect to the Appendix to the SCCs, the following terms apply to this DPA:
a. Annex I (A) – List of the Parties:
Data Exporter: Customer
- Contact Information: The email address(es) designated by Customer in Customer’s Order Form or account within the Software Services.
- Data Exporter Role: As set forth in Section 2 (Relationship of the Parties) of this Addendum.
- Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Exporter is deemed to have signed the SCCs incorporated herein, including their Annexes.
Data Importer: Verifract, LLC d/b/a Redzone
- Contact Information: Redzone at firstname.lastname@example.org
- Data Importer Role: As set forth in Section 2 (Relationship of the Parties) of this DPA.
- Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Importer is deemed to have signed the SCCs incorporated herein, including their Annexes.
b. Annex I (B) – Description of Transfer. The transfer of personal data is as described in Schedule 1 of this DPA. Transfers will be on a continuous basis.
c. Annex I (C) – Supervisory Authority.
(i) As applicable to the SCCs, the supervisory authority will be: (A) if Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer’s compliance with the GDPR; or (B) if Customer is not established in an EU Member State but is within the extra-territorial scope of the GDPR, then (C) if Customer has appointed a representative, the supervisory authority of the EU Member State in which Customer’s representative is established, or (D) if Customer has not appointed a representative, the supervisory authority of the EU Member State in which the data subjects are predominantly located.
(ii) With respect to personal data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority will be the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
Where Redzone’s processing of personal data is subject to the CCPA, the following terms will apply to supplement the DPA and will control over any conflicting provisions of the DPA:
1. Except as described otherwise, where the CCPA applies to this DPA, references to: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as the latter is defined under the CCPA.
2. Any data subject rights and Redzone’s obligations with respect to those data subject rights, as described in this DPA, also apply to Consumer rights under the CCPA.
3. Redzone will process, retain, use, and disclose personal information only as necessary to provide the Software Services under the Agreement, which constitutes a “business purpose” under the CCPA.
4. Redzone agrees not to: (a) sell (as defined by the CCPA) Customer’s personal data or Users’ personal data; (b) retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Software Services; or (c) retain, use, or disclose Customer’s personal data outside of the scope of the Agreement.
5. Redzone will take steps to ensure that such Sub-processors are Service Providers under the CCPA with whom Redzone has entered into a written contract containing terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale.” Redzone conducts appropriate due diligence of its Sub-processors.
Where Redzone’s processing of personal data is subject to corresponding Data Protection Laws of the United Kingdom (including the UK GDPR and Data Protection Act of 2018), the following terms will apply to supplement the DPA and will control over any conflicting provisions of the DPA:
1. References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
2. When Redzone engages a Sub-processor, it will require the Sub-processor to protect Customer personal data consistent with the standard required by applicable Data Protection Laws, including the same data protection obligations referred to in Article 28(3) of the GDPR, including providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and will require any appointed Sub-processor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection, or to only process data on terms equivalent to the SCCs.