Data Processing Addendum
The Data Processing Addendum shall be subject to the terms of the MSA.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person (or, to the extent that Applicable Data Privacy Laws apply to information about legal persons, an identified or identifiable legal person), or as otherwise defined in Applicable Data Privacy Laws, which is included in End User Files.
“Applicable Data Privacy Laws” means any privacy and data protection laws applicable to the Client’s Personal Data, and related implementing regulations, including but not limited to Regulation (EU) 2016/679 of 27 April 2016, General Data Protection Regulation (the “GDPR”).
“Standard Contractual Clauses” means the Standard Contractual Clauses module II Data Controller to Processor.
2. Obligations
2.1 Compliance. Each Party shall comply with all laws and regulations of the relevant jurisdictions that apply to its respective performance of obligations and exercise of rights under this Agreement or in connection with its collection, processing, and provision of Personal Data to the other Party, including all Applicable Data Privacy Laws.
2.2 Cooperation. Each Party shall cooperate and provide information to the other Party as reasonably requested in writing or required to enable the other Party to comply with Applicable Data Privacy Laws.
2.3 Client Warranty. Client warrants that it shall not process any Personal Data using the Services, or permit Intralinks to process any Personal Data, in breach or contravention of any order issued to, or limitation of processing imposed on, Client by any regulatory authority.
2.4 Intralinks’ Warranty. Intralinks warrants to Client that Intralinks does not sell Personal Data obtained under the Agreement.
2.5 Standard Contractual Clauses. At Client’s request, Intralinks shall enter into the Standard Contractual Clauses (processors) governing the processing of Client data by Intralinks’ Affiliates and will provide a copy of those Standard Contractual Clauses to Client.
2.6 TOMs. Both Intralinks and Client shall implement appropriate Technical and Organizational Measures ("TOMs") to protect Personal Data against (i) accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing; and (ii) the risks presented by the processing of Personal Data in connection with the Services. Intralinks shall provide Client with any other information reasonably requested by Client in writing regarding Intralinks' current security practices and policies, subject to appropriate confidentiality obligations as determined in Intralinks’ sole discretion.
3. Data Processing
3.1 Data Processing Authorization. Client authorizes Intralinks to process, and Intralinks shall process, Personal Data solely as reasonably necessary for the purposes set forth in, and in the manner required by, the Agreement or as otherwise required by law (including any requirement to comply with a court warrant or order or subpoena). It is agreed that Intralinks in performing the Services and its other obligations under the Agreement shall be deemed to be acting in accordance with Client’s instructions.
3.2 Nature and Purpose of Processing. The subject-matter of the processing under the Agreement is limited to Personal Data. The duration of the processing shall be for the term of the Agreement, as determined under Section 5.1 of the Master Services Agreement. The nature and purpose of the processing shall be to provide Services pursuant to the Agreement. The types of Personal Data processed by the Services include those expressly identified in Article 4(1) and “special categories of personal data” in Article 9(1) of the GDPR, to the extent such data forms part of the Personal Data. The categories of data subjects are individuals whose personal data is contained in End User Files.
3.3 Sub-Processors. It is acknowledged and agreed by Client that Intralinks may subcontract: (i) data center and related management services; (ii) End User customer support services; (iii) administration and back-office services; and (iv) such other functions and services necessary for the performance of the Services. Client hereby consents to Intralinks transferring Personal Data to Intralinks’ Affiliates and to Intralinks’ subcontractors (each, a "Sub-processor" and collectively, "Sub-processors") in the relevant jurisdiction(s) strictly to the extent necessary for the Intralinks’ Affiliates and Intralinks’ Sub-processors to perform the relevant services. An up-to-date list of Intralinks’ Sub-processors and their locations is available at www.intralinks.com/sub-processors. Intralinks shall ensure that any such Intralinks’ Sub-processor is bound by a written agreement containing data protection obligations not less protective than those in this Agreement (including the conclusion of Standard Contractual Clauses with Sub-processors) with respect to the protection of Personal Data to the extent applicable to the nature of the services provided by such Sub-processor. Where an Intralinks’ Sub-processor fails to fulfil its data processing obligations under this Agreement, Intralinks shall remain fully liable to Client for the performance of that Sub-processor's obligations. It is understood and agreed by both Parties that this Section 3.3 and the proposed notification process in Section 3.4 below shall fulfil Intralinks' obligations in relation to complying with Articles 28(2) and 28(3)(d) of the GDPR.
3.4 Sub-Processor Changes. Intralinks hereby agrees to provide a mechanism to notify Client of any change or addition to the Sub-processors which is available in the URL identified above as of the Contract Date. In the event of a change of any such Sub-processor, or an appointment of a new Sub-processor, which will or is likely to process Personal Data, Intralinks has provided Client with a mechanism to obtain reasonable advance notice of such change or appointment ("Change of Sub-processor Notice"). Client is required to use the mechanism in order to receive such Change of Sub-processor Notice. Unless Client objects to the change or new appointment of such Sub-processor within ten (10) business days from the date of the Change of Sub-processor Notice, such change or appointment shall be deemed approved. Client shall be entitled to terminate this Agreement and/or any Work Order upon written notice to Intralinks where Client does not approve of the new Sub-processor. Any such notice to terminate shall not be valid if received by Intralinks after the expiry of thirty (30) calendar days from the date of the Change of Sub-processor Notice.
3.5 Security Measures and Audits. Intralinks utilizes security systems and infrastructure customary in the industry, including but not limited to redundant data centers with a full range of back-up and business recovery services and anti-virus and intrusion detection software and systems. Client acknowledges that Intralinks shall provide Client with access to the latest SOC 2 Security and Availability Report for the Services and the Standard Information Gathering ("SIG") questionnaire, which relates to controls of Intralinks. Intralinks shall provide Client a summary of the results of the audits of all of its subcontractors. Should Client request further information with reference to such audits, Intralinks shall reasonably assist with such requests. All reasonable costs and expenses incurred shall be paid for by Client. Intralinks shall provide Client with a proposal, cost estimate, and payment schedule for Client's acceptance prior to providing such information or assistance. Client acknowledges that this Section 3.5 shall satisfy the requirements of Article 28(3)(f) of the GDPR.
4. Notifications
4.1 Requests by Authorities or Client Data Subject Requests. Intralinks, to the extent permitted by Applicable Data Privacy Laws, shall notify the Client upon receiving a request from any regulatory authority for access to, or to otherwise exercise their rights in respect of, Personal Data. Upon reasonable written request by either Party and at the requesting Party’s sole expense, the other Party shall provide the requesting Party with reasonable cooperation and assistance in (i) responding to any legal or regulatory proceeding that involves Personal Data or (ii) (if Client is the requesting Party) to the extent that Client, in its use and administration of the Services, does not already have the ability to correct, amend or delete Personal Data, fulfilling Client's obligations under Applicable Data Privacy Laws to respond to requests for exercising data subject rights.
4.2 Security Breach Notification. Each Party shall notify the other Party without undue delay upon becoming aware of any unauthorized access to or acquisition, use, loss, destruction, compromise or disclosure of (i) Personal Data or (ii) End User credentials that enable access to or use of the Services (“Security Breach”). The Parties shall cooperate in providing any notifications or communications required by Applicable Data Privacy Laws.
4.3 Security Breach Communication. Except as required by Applicable Data Privacy Laws, neither Party shall name the other Party or otherwise reference the other Party in any communication to a regulatory authority or data subject relating to a Security Breach without the other Party's prior written approval of the content of that communication, which approval shall not be unreasonably withheld, conditioned or delayed.