This Data Protection Addendum (“DPA”) is entered into as of the Effective Date (defined below) between Unanet, Inc. (“Unanet” or “Processor”) and Customer (“Customer”). Unanet and Customer may each be referred to as a “Party” or collectively referred to as the “Parties”. To the extent applicable pursuant to the Unanet Cloud Terms & Conditions, this DPA shall be effective on the date Customer signs an Order Form with Unanet. Unless otherwise indicated, all capitalized terms used but not defined in this DPA have the meanings given to them in Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), or the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”). The parties agree that for the purposes of this DPA, Customer is a Data Controller or Business and Unanet is a Data Processor or Service Provider.
1. Definitions. In this DPA:
“Applicable Law” means, as applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). For the avoidance of doubt, if Unanet processes Personal Data that is not governed by or its processing activities are not governed by Applicable Law, such law is not applicable for purposes of this DPA. Each party is responsible only for the Applicable Law applicable to it.
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
“Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by Applicable Law.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Standard Contractual Clauses” means the annex found in EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of September 13, 2019 at data.europa.eu/eli/dec/2010/87/oj), completed as described in the “Data Transfers” section below.
“Subprocessor” means any Processor affiliate or subcontractor engaged by Unanet for the Processing of Personal Data.
2. Instructions from the Customer. Unanet will retain, use, disclose, and otherwise Process the Personal Data only as described in the Unanet Cloud Terms & Conditions, unless obligated to do otherwise by applicable law. In such case, Unanet will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Customer will not instruct Unanet to Process Personal Data in violation of any applicable law. Unanet has no obligation to monitor the compliance of Customer’s use of the Services with Applicable Law, though Unanet will promptly inform Customer if, in Unanet’s opinion, an instruction from Customer infringes applicable law. The Unanet Cloud Terms & Conditions, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to Unanet regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses. Without limiting the foregoing:
a.) Unanet will not Process the Personal Data in a manner inconsistent with Unanet’s role as Customer’s “Service Provider,” as such term is defined in the CCPA.
b.) Unanet will not “sell” the Personal Data, as such term is defined in the CCPA.
c.) Unanet hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
3. Confidentiality. Unanet will restrict access to Personal Data to those authorized persons who need such information to provide the Services. Unanet will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.
4. Security. Unanet will implement appropriate technical and organizational measures to ensure a level of security appropriate to the Personal Data provided by Customer and Processed by Unanet.
5. Subprocessors. Customer agrees that Unanet may engage other Processors (“Subprocessors”) to assist in providing the Services consistent with the Unanet Cloud Terms & Conditions. Unanet will maintain a list of such Subprocessors and make it available to Customer upon request. Customer will have 10 calendar days from the date of such notification to object to Unanet’s use of new Subprocessors, after which time Customer will have been deemed to accept Unanet’s list of Subprocessors. Customer’s objection will be effective only if it articulates objective, justifiable reasons why it believes new Subprocessors are not able to adequately protect Personal Data in accordance with the Unanet Cloud Terms & Conditions, this DPA, or applicable data protection law. Where Unanet engages a Subprocessor for carrying out specific Processing activities on behalf of Customer, Unanet will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on Unanet under this DPA. Where that Subprocessor fails to fulfill its data protection obligations, Unanet will remain liable to Customer for the performance of that Subprocessor’s obligations.
6. Data Subject Requests. To the extent legally permitted, Unanet shall promptly notify Customer if Unanet receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding Personal Data. Unanet has implemented and will maintain appropriate technical and organizational measures needed to enable Customer to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by Unanet.
7. Recordkeeping. Upon a request issued by a supervisory authority for records regarding Personal Data, Unanet will cooperate to provide the supervisory authority with records related to Processing activities performed on Customer’s behalf. To the extent legally permissible, Unanet will inform Customer in writing of such a request and partner with Customer working in good faith to verify the legal basis of the request.
8. Cooperation. Unanet will cooperate to the extent reasonably necessary in connection with Customer’s requests related to any legally required data protection impact assessments and consultation with supervisory authorities.
9. Third Party Requests. If Unanet receives a request from a third party in connection with any government investigation or court proceeding that Unanet believes would require it to produce any Personal Data processed pursuant to the Unanet Cloud Terms & Conditions, Unanet will inform Customer in writing of such request and cooperate with Customer if Customer wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law.
10. Transfer of Personal Data; Appointment. Customer authorizes Unanet to transfer, store or Process Personal Data in the United States or any other country in which Unanet or its Subprocessors maintain facilities. Customer appoints Unanet to perform any such transfer of Personal Data to any such country and to store and Process Personal Data in order to provide the Services. Unanet will conduct all such activity in compliance with the Unanet Cloud Terms & Conditions, this DPA, applicable law and Customer’s instructions.
11. Data Transfers Outside of the EU. To the extent that the Services involve a transfer of Personal Data originating from either party’s systems in the United Kingdom, EEA or Switzerland to either party’s systems located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to applicable data transfer mechanisms.
(a) If Customer is located in the United Kingdom, EEA or Switzerland and transfers Personal Data to Unanet in the United States, for such transfer the Parties agree to be bound by the standard contractual clauses for the transfer of Personal Data to Processors established in third countries (Commission Decision 2010/87/EU) (“Standard Contractual Clauses”), available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en. If there is a conflict between the Standard Contractual Clauses and the Unanet Cloud Terms & Conditions, the Standard Contractual Clauses will prevail. For purposes of the Standard Contractual Clauses:
i. The clauses shall be governed by the laws of the jurisdiction from which the data is exported.
ii. Customer is the “Data Exporter” and Unanet is the “Data Importer”.
iii. The data subjects include Customer’s employees, students or other end users.
iv. The purpose of the transfer is to allow Unanet to provide the Services outlined in the Unanet Cloud Terms & Conditions.
v. The categories of Personal Data include names, email addresses, IP addresses, contact details, and social security numbers.
vi. The recipients of the Personal Data include Unanet employees with a need to Process the Personal Data.
vii. Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the SCC Services, as described in the Unanet Cloud Terms & Conditions.
12. Deletion or Return. At the choice of Customer, Unanet will delete or return all the Personal Data Processed in connection with the Services to Customer at any time or after the end of the provision of such Services and delete existing copies unless applicable law requires storage of the Personal Data. Unanet will relay Customer’s instructions to all Subprocessors. Notwithstanding the foregoing, this provision will not require Unanet to delete Personal Data from archival and back-up files except as provided by Unanet’s internal data deletion practices and as required by applicable law.
13. Breach Notification. Unanet will comply with the Personal Data Breach-related obligations directly applicable to it under applicable law. After becoming aware of a Personal Data Breach related to the Personal Data processed under the Unanet Cloud Terms & Conditions, Unanet will notify Customer without undue delay, to the extent known, of: (a) the nature of the data breach; (b) the number and categories of data subjects and data records affected; and (c) the name and contact details for the relevant contact person at Unanet. Unanet will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for notification applicable to Customer and fulfilling any third-party notification obligations related to any Customer Personal Data Breach. Nothing shall be construed to require Unanet to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
14. Audit. No more than once annually (unless otherwise required by applicable law), Unanet shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, to demonstrate Unanet’s compliance with this DPA or Article 28 of the GDPR. For clarity, such audits or inspections are limited to Unanet’s Processing of Personal Data subject to the GDPR on behalf of Customer only, not any other aspect of Unanet’s business or information systems or other customers. If Customer requires Unanet to contribute to audits or inspections that are necessary to demonstrate compliance, Customer will provide Unanet with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information and, notwithstanding anything to the contrary in the Unanet Cloud Terms & Conditions, will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the Unanet Cloud Terms & Conditions. Such materials and derivative work product produced in response to Customer’s request will not be disclosed to anyone without the prior written permission of Unanet unless such disclosure is required by applicable law. If disclosure is required by applicable law, Customer will give Unanet prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Customer will make every effort to cooperate with Unanet to schedule audits or inspections at times that are convenient to Unanet.
To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in the Unanet Cloud Terms & Conditions. If, after reviewing Unanet’s response to Customer’s audit or inspection request, Customer requires additional audits or inspections, Customer acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional audits or inspections.