RASi Data Processing Addendum

This Data Processing Addendum, including any applicable Schedule (the "DPA") is incorporated into and forms an integral part of the Agreement in which it is referenced, and shall be effective on the Execution Date. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data (each, as defined below).

To the extent that Service Provider processes any Covered Data on behalf of Client in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.

1. Definitions. Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

(a) "Covered Data" means Personal Data that is: (i) provided by or on behalf of Client to Service Provider in connection with the Services; or (ii) obtained, developed, produced or otherwise Processed by Service Provider, or its agents or subcontractors, for purposes of providing the Services to Client.

(b) "Data Subject" means a natural person whose Personal Data is Processed.

(c) "Deidentified Data" means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.

(d) "Personal Data" means any data or information that: (i) is linked or reasonably linkable to an identified or identifiable natural person; or (ii) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under US Data Protection Laws.

(e) "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. "Process", "Processes" and "Processed" will be interpreted accordingly.

(f) "Security Incident" means an actual breach of security leading to actual theft, unplanned or unlawful data loss or destruction, or unplanned alteration of Covered Data.

(g) "Sub-processor" means an entity appointed by Service Provider to Process Covered Data on its behalf.

(h) "US Data Protection Laws" means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.

2. Interaction with the Agreement. Any Processing operation as described in Section 4 of this DPA and Schedule 1 to this DPA will be subject to this DPA.

3. Role of the Parties. The Parties acknowledge and agree that for the purposes of the US Data Protection Laws, Service Provider will act as a "service provider" or "processor" (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.

4. Details of Data Processing.

4.1 The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.

4.2 Covered Data will only be Processed on behalf of and under the instructions of Client and in accordance with US Data Protection Laws. The Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Client may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Service Provider is prohibited from:

(a) selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;

(b) sharing Covered Data with any third party for cross-context behavioral advertising;

(c) retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by US Data Protection Laws;

(d) retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and

(e) except as otherwise permitted by US Data Protection Laws, combining Covered Data with Personal Data that Service Provider receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

4.3 Service Provider will limit access to Covered Data to personnel who have a business need to have access to such Covered Data and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement.

4.4 Service Provider may Process Covered Data anywhere that Service Provider or its Sub-processors maintain facilities, subject to Section 5 of this DPA.

4.5 Service Provider will provide Client with information to enable Client to conduct and document any data protection assessments required under US Data Protection Laws. In addition, Service Provider will notify Client promptly if Service Provider determines that it can no longer meet its obligations under US Data Protection Laws.

4.6 Client will have the right to take reasonable and appropriate steps to ensure that Service Provider uses Covered Data in a manner consistent with Client's obligations under US Data Protection Laws.

5. Sub-Processors.

5.1 Client grants Service Provider the general authorization to engage Sub-processors, subject to Section 5.2 of this DPA.

5.2 Service Provider will (a) enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Service Provider's obligations under this DPA; and (b) remain liable for each Sub-processor's compliance with the obligations under this DPA.

6. Data Subject Rights Requests.

6.1 As between the Parties, Client will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under US Data Protection Laws (each, a "Data Subject Request").

6.2 Service Provider will promptly forward to Client without undue delay any Data Subject Request received by Service Provider or any Sub-processor and may advise the individual to submit their request directly to Client.

6.3 Service Provider will provide Client with reasonable assistance as necessary for Client to fulfill its obligation under US Data Protection Laws to respond to Data Subject Requests, including if applicable, Client's obligation to respond to requests for exercising the rights set out in US Data Protection Laws.

7. Security and Audits.

7.1 Service Provider will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.

7.2 Service Provider will implement and maintain as a minimum standard the measures set out in Schedule 2.

7.3 Client will have the right to audit Service Provider's compliance with this DPA as it relates to Services delivered under the Agreement. The Parties agree that all such audits will be conducted:

(i) upon reasonable written notice to Service Provider;

(ii) only once per year, or more frequently if any audit indicates that Service Provider is in non-compliance with this DPA; and

(iii) only during Service Provider's normal business hours.

7.4 To conduct such audits, Client may engage a third-party auditor at its sole expense and subject to such auditor complying with the requirements under Section 7.3 of this DPA and provided that such auditor is suitably qualified and independent.

7.5 Client will promptly notify Service Provider of any non-compliance discovered during an audit.

7.6 Upon request, Service Provider will provide to Client documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Service Provider may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within 12 months of Client's audit request and Service Provider confirms there are no known material changes in the controls audited, Client agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

8. Security Incidents. Service Provider will notify Client in writing without undue delay after becoming aware of any Security Incident. Service Provider will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will, without undue delay, send Client timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain it, the status of the investigation, and any obligation of Client under US Data Protection Laws to make any notifications to individuals, governmental or other regulatory authorities, or the public in respect of such Security Incident. Service Provider's notification of or response to a Security Incident under this Section 8 will not be construed as an acknowledgement by Service Provider of any fault or liability with respect to the Security Incident.

9. Deletion and Return. Service Provider shall (a) if requested to do so by Client by the date of termination or expiry of the Agreement, coordinate the return of a copy of all Covered Data or provide self-service functionality allowing Client to do the same; and (b) within 90 days of the termination or expiry of the Agreement, coordinate the deletion, and use all reasonable efforts to coordinate and procure the deletion, of all other copies of Covered Data processed by Service Provider or any Sub-processors. Notwithstanding the foregoing, Client understands and agrees that Service Provider may retain Covered Data past the expiration of the Agreement if required by applicable law or a legal obligation.

10. Contract Period. This DPA will commence on the Execution Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Service Provider's deletion of all Covered Data as described in this DPA.

11. Deidentified Data. If Service Provider receives Deidentified Data from or on behalf of Client, then Service Provider will:

(i) take reasonable measures to ensure the information cannot be associated with a Data Subject;

(ii) publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and

(iii) contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and US Data Protection Laws.

12. General.

12.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.

12.2 The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in US Data Protection Laws.

12.3 If any court or competent authority decides that any term of this DPA is held to be invalid, unlawful, or unenforceable to any extent, such term will, to that extent only, be severed from the remaining terms, which will continue to be valid to the fullest extent permitted by law.

12.4 Client's failure to enforce any provision of this DPA will not constitute a waiver of that or any other provision and will not relieve Service Provider from the obligation to comply with such provision.

12.5 This DPA and the Agreement set forth the entire understanding and agreement between the Parties with respect to the subject matter hereof.

Schedule 1 to Addendum 2

Details of Processing

1. Categories of Data Subjects

The categories of Data Subjects whose Personal Data are Processed: Service Provider's Client and its owners and employees.

2. Categories of Personal Data

The Processed categories of Personal Data are: The Client's employee and owner information such as name, email address, employer, address, and phone number.

3. Special categories of Personal Data (if applicable)

The Processed Personal Data includes the following special categories of data: No sensitive data is processed other than individual driver's license and social security number with Client's authorization and consent.

The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: See Schedule 2.

4. Frequency of the Processing

The Processing is performed: from time to time as Client requests Service Provider's Services.

5. Subject matter and nature of the Processing

The subject matter of the Processing is: to provide the Services as described in the Agreement, such as registered agent and corporate services.

6. Purpose(s) of the Processing

The purpose of the Processing is: to provide the Services as described in the Agreement, such as registered agent and corporate services.

7. Duration

The period during which the Personal Data will be Processed, or, if that is not possible, the criteria used to determine that period: if Personal Data is not deleted upon request by Service Provider during the term of the Agreement, the duration of Processing will be as long as this DPA remains in effect or as may be required by law.

8. Sub-processor (if applicable)

For Processing by sub-processors, specify subject matter, nature, and duration of the Processing: Same as defined in Sections 5, 6, and 7 of this Schedule 1.

Schedule 2 to Addendum 2

Technical & Organizational Measures

Service Provider has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Service Provider's information security program.

2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Service Provider's organization, monitoring and maintaining compliance with Service Provider's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3. Utilization of commercially available and industry standard encryption technologies for Covered Data that is:

a) being transmitted by Service Provider over public networks (i.e., the Internet) or when transmitted wirelessly; or

b) at rest or stored on portable or removable media (e.g., laptop computers, CD/DVD, USB drives, back-up tapes).

4. Data security controls which include at a minimum, but may not be limited to, logical segregation of data and logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).

5. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that Service Provider's passwords that are assigned to its employees: (i) are at least eight (8) characters in length; (ii) are not stored in readable format on Service Provider's computer systems; (iii) have defined complexity; (iv) are subject to a history threshold that prevents reuse of recent passwords; and (v) when newly issued, are changed after first use.
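The five password controls in item 5 map directly onto a small piece of account-management logic. The following is an added example, not part of the DPA or of Service Provider's systems, showing how a defender would enforce them: minimum length, a complexity rule, non-readable storage via a salted slow hash, a reuse history, and a forced change after first use. Everything the text leaves open is an assumption and is marked as such in the code: "defined complexity" is taken to mean at least three of four character classes, the history threshold is five previous passwords, and storage uses PBKDF2-HMAC-SHA256 with a per-password random salt.

```python
"""Password controls modelled on Schedule 2, item 5 (added example, not the DPA's own code).

Assumptions (the DPA does not specify them): complexity = at least three of four
character classes; history threshold = five previous passwords; storage uses
PBKDF2-HMAC-SHA256 with a random 16-byte salt per password.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8               # item 5(i): at least eight characters
HISTORY_THRESHOLD = 5        # item 5(iv): previous passwords refused (count assumed)
PBKDF2_ITERATIONS = 100_000  # item 5(ii): slow hash work factor (assumed value)


def complexity_ok(password: str) -> bool:
    """Item 5(iii): require at least three of four character classes (assumed rule)."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Item 5(ii): store only a salted, slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user: str
    salt: bytes = b""
    digest: bytes = b""
    must_change: bool = True                     # item 5(v): forced change after first use
    history: list = field(default_factory=list)  # previous (salt, digest) pairs, item 5(iv)

    def issue_initial_password(self, password: str) -> None:
        """An administrator assigns a password; the user must change it at first use."""
        self._store(password)
        self.must_change = True

    def change_password(self, new_password: str) -> str:
        """Apply items 5(i), (iii) and (iv); return 'ok' or the reason for rejection."""
        if len(new_password) < MIN_LENGTH:
            return "too_short"
        if not complexity_ok(new_password):
            return "insufficient_complexity"
        if self._in_history(new_password):
            return "reused_recent_password"
        self._store(new_password)
        self.must_change = False
        return "ok"

    def verify(self, password: str) -> bool:
        """Constant-time comparison of the candidate's hash against the stored digest."""
        return hmac.compare_digest(hash_password(password, self.salt), self.digest)

    def _store(self, password: str) -> None:
        # Push the current credential into the bounded history before replacing it.
        if self.digest:
            self.history.append((self.salt, self.digest))
            self.history = self.history[-HISTORY_THRESHOLD:]
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)

    def _in_history(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed once per entry.
        candidates = [(self.salt, self.digest)] + self.history
        return any(hmac.compare_digest(hash_password(password, s), d) for s, d in candidates)


if __name__ == "__main__":
    acct = Account("alice")
    acct.issue_initial_password("Temp-Pass-123")   # constructed sample credential
    print("must change at first use:", acct.must_change)
    print("reuse attempt:", acct.change_password("Temp-Pass-123"))
    print("valid change:", acct.change_password("Correct-Horse-9"))
```

Two details matter for the "not stored in readable format" control: the comparison runs on hashes, never on the plaintext, and it uses `hmac.compare_digest` so that a verification failure does not leak timing information about how many leading bytes matched. The history check has to re-hash the candidate under each stored salt, which is also why the history is bounded; an unbounded history would make every password change linearly slower.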

6. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

7. Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Service Provider facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.

8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Service Provider's possession.

9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Service Provider's technology and information assets.

10. Incident/problem management procedures designed to allow Service Provider to investigate, respond to, mitigate, and notify of events related to Service Provider's technology and information assets.

11. Network security controls that provide for the use of firewall systems, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

12. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.

13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters.