Data Processing Agreement
This Data Processing Agreement (“DPA”) is hereby entered into by and between Wochit, Inc., its Affiliated companies and subsidiaries (“Wochit” or “Company”) and you, Wochit’s customer (as defined in the applicable master services agreement, “MSA” or “Agreement”, signed between the parties), on behalf of itself and its Affiliates (collectively “Customer”), each a “party” and collectively, the “parties”.
This DPA forms an integral part of the binding Agreement, and sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data, during the course of the Agreement.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
1.1. “Adequate Country” means a country that is the subject of an adequacy decision from the European Commission.
1.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
1.3. “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Personal Information”, “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the meaning ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA. “Personal Data” shall also mean “Personal Information” for the purpose of this DPA.
1.4. “Customer Data” means Personal Information or Personal Data which is processed by Wochit solely on behalf of Customer, as detailed in ANNEX I.
1.5. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, EU Data Protection Law and the CCPA, and, where applicable, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017, and other related privacy regulations (“Israeli Law”), all as may be amended or superseded from time to time.
1.6. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (v) any legislation replacing or updating any of the foregoing.
1.7. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident.
1.8. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
1.9. “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
1.10. “UK SCC” means, where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or the UK.
2. RELATIONSHIP OF THE PARTIES
2.1. The parties acknowledge that the Customer is the Controller of the Customer Data and that Wochit, in providing the Service, is acting as a Processor on behalf of Customer. For the purpose of the CCPA (and to the extent applicable), the Customer is the Business and Wochit is the Service Provider.
2.2. The purpose, subject matter, and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects are described in ANNEX I attached hereto.
3.2. Wochit represents and warrants that (i) it shall Process the Personal Data on behalf of Customer solely for the purpose of providing the Services and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s written instructions, including as set forth in the Agreement and this DPA; and (ii) in the event Wochit is required under applicable laws to Process Customer Data other than as instructed by Customer, Wochit shall make its best efforts to inform Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
3.3. Wochit shall take reasonable steps to ensure (i) the reliability of its staff and any other person acting under its supervision who may come into contact with or otherwise have access to and Process the Customer Data; (ii) that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws.
4. DATA SUBJECT RIGHTS
4.1. When Wochit receives a request from a Data Subject (“DSR”) or a request from an authority, with respect to Customer Data, Wochit will, unless otherwise required under applicable laws, direct the Data Subject or the authority to the Customer in order to enable the Customer to respond directly. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a DSR.
4.2. Where applicable, Wochit shall assist the Customer to ensure that Customer Data Processed is accurate and up to date by informing the Customer without delay if Wochit becomes aware that the Customer Data it is processing is inaccurate or has become outdated.
5. DO NOT SELL PERSONAL INFORMATION
5.1. It is hereby agreed that any Processing and sharing of Personal Data between the parties is done solely in order to fulfill a Business Purpose and shall not be considered a “sale” under the CCPA.
6.1. Customer acknowledges that Wochit may transfer Personal Data to and otherwise interact with third-party data Processors (each a “Sub-Processor”). The Customer hereby authorizes Wochit to engage and appoint such Sub-Processors to Process Personal Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. Wochit may continue to use those Sub-Processors already engaged by Wochit, as listed in ANNEX III, and Wochit may engage an additional Sub-Processor or replace an existing Sub-Processor to Process Personal Data subject to providing 30 days’ prior notice to the Customer. If the Customer has not objected to the addition or replacement of a Sub-Processor within that period, such Sub-Processor shall be considered approved by the Customer. In the event the Customer objects, in good faith, its sole remedy is to terminate the Agreement.
6.2. Wochit shall, where it engages any Sub-Processor, impose, through a legally binding contract between Wochit and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. Wochit shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Law.
6.3. Wochit shall remain fully responsible for the performance of the Sub-Processor’s obligations, and shall notify the Customer of any failure by the Sub-Processor to fulfill its contractual obligations.
7. TECHNICAL AND ORGANIZATION MEASURES
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Wochit shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Security Incident. The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. Technical and organizational measures implemented by Wochit to ensure an appropriate level of security.
7.2. The security measures are further detailed in ANNEX II.
8. SECURITY INCIDENT
8.1. Wochit will notify Customer upon becoming aware of any confirmed Security Incident involving Customer Data, as determined by Wochit in its sole discretion. Wochit will, in connection with any Security Incident affecting Customer Data: (i) take the needed steps to contain, remediate, minimize any effects of and investigate the Security Incident and to identify its cause; (ii) cooperate with the Customer and provide Customer with such assistance and information as it may reasonably require in connection with the Security Incident; (iii) notify Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Customer and assist Customer, at the Customer’s expense, with the Customer’s obligation to notify affected individuals, if required.
8.2. Wochit’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Wochit of any fault or liability with respect to the Security Incident.
9. AUDIT RIGHTS
9.1. Wochit shall respond to inquiries from the Customer regarding the Processing of Personal Data in accordance with this DPA and, further, shall make available to the Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Laws.
9.2. Wochit shall make available, solely upon prior written notice and no more than once per year (except in the event of a Security Incident), to a reputable auditor nominated by Customer, the information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Wochit may object to an auditor appointed by Customer in the event Wochit reasonably believes the auditor is not suitably qualified or independent, is a competitor of Wochit, or is otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Wochit. The Customer shall bear all expenses related to the Audit and shall (and shall ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury or disruption to Wochit’s premises, equipment, personnel and business. Any and all conclusions of such an Audit shall be confidential and reported back to Wochit immediately.
9.3. Any information obtained under this Section 9 shall be deemed Confidential Information and is subject to the confidentiality obligations set forth in the Agreement.
10. DATA TRANSFER
10.1. The Customer acknowledges and agrees that in order to provide the Services Wochit might transfer (or access) Customer Data from countries outside the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) as detailed herein.
10.2. The parties acknowledge that EU Data Protection Law does not require Standard Contractual Clauses or an alternative transfer solution in order for Customer Data to be processed in or transferred to an Adequate Country (“Permitted Transfers”).
10.3. In the event the Processing includes transfers of Personal Data from the EEA, Switzerland or the UK to other countries, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Wochit for the lawful transfer or Processing of Personal Data outside the EEA, Switzerland or the UK, as applicable, and are not exempt under Article 49 of the GDPR (collectively, a “Restricted Transfer”), the following shall apply:
10.3.1. In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of Module II of the Standard Contractual Clauses, in which Wochit shall be deemed the Data Importer and the Customer shall be deemed the Data Exporter.
10.3.2. The purpose and description of the transfer shall be detailed in ANNEX I.
10.3.3. The UK SCC shall incorporate ANNEXES I, II and III herein.
10.4. The Customer further agrees that where Wochit engages a Sub-Processor and those Processing activities include a Restricted Transfer, Wochit and the Sub-Processor shall be bound by the Standard Contractual Clauses, in which Wochit shall be deemed the Data Exporter and the Sub-Processor shall be deemed the Data Importer. For the purposes of such engagement, Wochit and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.
10.5. Subject to Clause 13 of the Standard Contractual Clauses, Wochit agrees to submit itself to the jurisdiction of, and cooperate with, the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses. Notwithstanding the above, the UK SCCs shall be governed by the laws of England and Wales.
10.6. Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) are further detailed in ANNEX II.
11.1. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
12. TERM & TERMINATION
12.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Customer shall be entitled to suspend the Processing of Customer Data in the event Wochit is in breach of Data Protection Laws, this DPA or a binding decision of a competent court or the competent supervisory authority.
12.2. Wochit shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event the Processing of Personal Data under the Customer’s instructions or this DPA infringes applicable legal requirements. Such termination shall be subject to Wochit having informed the Customer and the Customer insisting on compliance with the instructions.
12.3. Following termination of this DPA, Wochit shall, at the choice of the Customer, either delete the Customer Data processed on behalf of the Customer and certify to the Customer that it has done so, or return all the Customer Data to the Customer and delete existing copies, unless applicable law or regulation requires the storage of the Customer Data. Until the data is deleted or returned, Wochit shall continue to ensure compliance with this DPA.
DETAILS OF PROCESSING AND TRANSFERRING OF CUSTOMER PERSONAL DATA
This ANNEX I includes certain details of the Processing of Customer Data as required by Article 28(3) GDPR and details of transferring Personal Data subject to the Standard Contractual Clauses and the UK SCC.
Categories of data subjects whose personal data is processed or transferred:
Customer’s Employees, Customer’s content.
Categories of personal data processed and transferred:
The following categories may be applicable:
- Employee contact information; and
- Content uploaded to the Wochit Platform by Customer.
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature and purpose(s) of the processing and transferring on behalf of the controller:
Hosting and providing the Services as set forth in the Agreement.
Duration of the processing:
For the duration of the Services according to the Agreement and the period from the end of the Term until deletion of all Customer Data.
For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing.
The sub-processors are hosting services and storage providers; all of the above applies to the sub-processors.
TECHNICAL AND ORGANISATIONAL MEASURES
(I) GENERAL BACKGROUND:
This Technical and Organizational Measures Annex sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission.
The following policies are maintained by the Company in order to ensure the measures set forth above. The policies are updated on an ongoing basis and reviewed annually for gaps:
- Information Security
- Security Incident Response
- Vulnerability Management
- Policy Management and Maintenance
- Data Request
- System Access
- Business continuance and disaster recovery
SYSTEM ACCESS CONTROL
Company’s database is accessible only by a minimal number of Company employees and personnel, all accessible only from within the Company office. The personal data processed and stored by Company is based on cloud services, with access granted through personal user authentication. Access to systems is restricted and is based on procedures to ensure that appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards. The systems are also protected so that solely authorized employees may access them by using a designated password. In addition to password login, two-factor authentication (“2FA”) provides an added layer of security to the Wochit database.
PHYSICAL ACCESS CONTROL
The measures for ensuring physical security of locations at which Personal Data are processed include security measures implemented in Company’s office (alarm system, security cards, CCTV, etc.) and the physical security measures taken by Company’s hosting providers. The Company secures access to its offices and ensures that solely authorized persons, such as employees, have access. All visitors to the Company facilities are accompanied by Wochit employees at all times. Company works with the Amazon Web Services datacenter as its main storage and hosting processor; Amazon’s security policy is available here. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, with encryption by default, at rest and in transit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
DATA ACCESS CONTROL
All access to a database, system or storage is granted solely through an authorization hierarchy and password protection with two-factor authentication. Further, access to the Personal Data is restricted to solely the employees that “need to know” and is protected by usernames and passwords. Access to the Personal Data is secured and is tightly managed by access control policies. The Company uses high-level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database, and any unauthorized access is immediately reported and handled. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, Company performs an ongoing review of which employees have authorizations, to assess whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.
ORGANIZATIONAL AND OPERATIONAL SECURITY
The Company educates its employees, service providers, consultants and contractors and raises awareness of the risks, and of risk assessment, with regard to any processing of Personal Data. Internal security testing is done on a regular basis. Further measures for internal IT and IT security governance and management have been taken, and the Company’s IT team ensures the security of all hardware and software by installing all updates needed, installing anti-malware software on computers to protect against malicious use and malicious software, as well as virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, system and application vulnerability scanning, use of secured email transfer, etc. It is the responsibility of the individuals across the Company to comply with these practices and standards.
Wochit conducted a transfer impact assessment (“TIA”) identifying all transfers of Personal Data and is able to share the TIA upon Customer’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. Further, any and all transfers of the data (whether between the servers, from client side to server side, or between Company’s designated partners) are secured (HTTPS) and encrypted. Default encryption is implemented in transit and at rest.
Measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident were implemented by the Company and include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodic checks are performed to determine that the backups have occurred. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster Wochit will be able to continue to provide the services.
Personal Data and raw data are all deleted as soon as possible or as legally applicable. Usually the data is provided by the Customer for the purpose of providing the services by Wochit and is deleted upon termination of the contractual obligations. However, certain data, such as financial data, is required to be retained for a longer period of time.
Employees, customers, vendors and applicable processors have all signed binding agreements, all of which include applicable data provisions and data security obligations. As part of the employment process, employees undergo screening and are provided with access to the database solely upon training to ensure they are well educated and responsible enough to handle the Personal Data. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures, and breaking or not complying with such shall result in disciplinary action. To ensure that employees stay educated and up to date with applicable policies and legislation, the Company holds annual compliance training which includes data security education.
DATA SUBJECT REQUEST
The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”) and, further, has implemented internal policies to handle DSRs subject to applicable data protection laws and contractual obligations.
Company has ensured that all documents, including without limitation agreements, privacy policies, online terms, etc., are compliant with the Data Protection Regulations, including by implementing a Data Processing Agreement and, where needed, Standard Contractual Clauses (either those adopted pursuant to the GDPR by European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, or the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or the UK).
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). These measures include the following:
- Encryption both in transit and at rest;
- As of the date of this DPA, Sentry has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision;
- No court has found Wochit to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition;
- Wochit shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance);
- Wochit shall use all available legal mechanisms to challenge any demands for data access through national security process that Sentry receives, as well as any non-disclosure provisions attached thereto;
- Wochit will notify Customer if Wochit can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
| Sub-Processor | Address | Country | Service |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA | US | Cloud infrastructure services and Storage |
| Okta, Inc. | 100 First Street, Floor 6, San Francisco, CA 94105 | | |