This Data Processing Agreement (“DPA”) supplements the Order Form and Platform Access and Services Agreement (“Terms”) (the DPA, along with the Terms, is collectively referred to as the “Agreement”) entered into between Paramify, Inc. (“Paramify”) and the Customer (collectively with its affiliates and subsidiaries worldwide, “Customer”) the terms of this DPA are incorporated by reference therein. This DPA shall apply to all Processing of Customer Personal Data by Paramify to provide the Product as agreed to in the Order Form.
If there is any conflict between this DPA and the Terms, this DPA shall prevail solely to the extent of such conflict.
In this DPA, the following terms shall have the meanings set out below and their cognate terms shall be construed accordingly:
1.1 Customer Data has the meaning given to it in the Terms.
1.2 Customer Personal Data means any Customer Data that is Personal Data. Customer Data does not include Unnecessary Data.
1.3 Data Breach means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to Customer Data or Confidential Information, or any other unauthorized Processing of Personal Data that may adversely affect the privacy or security of individuals or the Customer. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Data or Confidential Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.
1.4 Data Protection Laws means all applicable laws relating to privacy, security, or protection of Personal Data, as may be defined in such laws, including, the EEA Law, the California Consumer Protection Act (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
1.5 EEA means the European Economic Area and the European Union, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).
1.6 EEA Law means EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) and any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), and any other law relating to the data protection, security, or privacy of individuals that applies in the EEA.
1.7 Personal Data means any information processed by Paramify in connection with the performance of the Product, including that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or with a particular individual’s or household’s device; or any inferences drawn therefrom. Personal Data includes, but is not limited to, name, alias, postal address, identification number, phone number, physical address, email address, details of orders and fulfilments, location data, online identifiers such as internet protocol addresses, cookie or other unique identifiers or as otherwise defined (including under similar terms such as “personal information,” “personal health information,” “personally identifiable information,” and “sensitive personal information”) under Data Protection Laws.
1.8 Process, processed, or processing means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.
1.9 Services means services provided by Paramify as agreed to in the Order Form.
1.10 Standard Contractual Clauses means the standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of EEA Personal Data to Third Countries as adopted by the European Commission, the UK Information Commissioner (as they may apply for UK to Third Country transfers) or Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries or any successor clauses thereto.
1.11 Third Country means countries that have not received an adequacy decision relating to data transfers from the European Commission, UK ICO, or Swiss FDPIC relating to data transfers.
1.12 The terms Controller, Data Processor, Subprocessor, Data Subjects, Sell, and Service Provider shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.
2.1 Role of Parties. The parties acknowledge and agree that with respect to processing of Customer Personal Data, Paramify is a Data Processor, and a Service Provider and Customer is a Controller, except that if Customer is a Data Processor in which case Paramify is a Subprocessor. If Customer is a Processor of Customer Personal Data, Customer represents and warrants that Customer’s instructions and Processing of Customer Personal Data, including its appointment of Paramify as a Subprocessor, have been authorized by the respective Controller. Notwithstanding the foregoing, Paramify will be an independent Controller with respect to any Personal Data of Customer employees and other personnel using the Services or acting as administrative or business representatives with respect to the Services.
2.2 Compliance with Data Protection Laws. Each party will comply with obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data.
2.3 Purpose of Processing. The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement. Exhibit 1 (Details of Processing of Customer Personal Data) describes the subject matter and details of the Processing of Customer Personal Data.
2.4 Customer Instructions and Restrictions on Processing.
2.4.1. Paramify shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of the Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. Paramify shall not Sell Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with the Customer or for any other purpose except as required by law. Paramify will inform Customer if, Paramify determines that it is no longer able to meet its obligations under Data Protection Laws or where in Paramify’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws. Customer reserves the right to take reasonable appropriate steps to discontinue and remediate unauthorized use of Customer Personal Data.
2.4.2. Paramify shall have rights to use Customer Personal Data solely (i) to the extent necessary to (a) perform its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Service including as part of its business operations; (c) to disclose aggregate statistics about the Service in a manner that prevents individual identification or reidentification of the Customer, Customer Data, any individual device, or individual person; and/or (d) protect the Service from a threat to the Service or Customer Personal Data; or (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to the Customer; (iii) as otherwise expressly authorized by the Customer.
2.4.3. Paramify will not combine the Customer Personal Data, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individual, provided that Paramify may combine Personal Data to perform any business purpose permitted or required under the Agreement to perform the Services.
2.4.4. Paramify certifies that it understands these restrictions and will comply with them.
3.1 Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data that Customer provides or causes to provide to the Service, including without limitation the means by which Customer collected or obtained the Personal Data. Customer will not provide or cause to provide any data or information that is not necessary for Paramify to provide Customer the Services identified in the Order Form ("Unnecessary Data"). Unnecessary Data must be removed promptly by Customer upon notice from Paramify. Customer acknowledges that Paramify is not responsible for the security of Unnecessary Data. Customer is solely responsible for the security and integrity of any Customer’s systems from where Customer Data is provided to Paramify.
3.2 Customer shall, in its use of the Services, Process Personal Data in compliance with the requirements of Data Protection Laws, including any applicable industry standards and self-regulatory programs that are binding on Customer. Customer shall be responsible for complying with any notice and consent obligations under such Data Protection Laws.
3.3 Customer understands and agrees that Customer is solely responsible for its own actions and activity in connection with the Customer Account and that Customer will keep its account login information confidential.
4.1 Each party agrees, both during and after termination of this Agreement, to hold the Confidential Information in the strictest confidence and comply with the applicable confidentiality obligations in the Terms.
5.1 Data Protection Compliance Assistance.
5.1.1 Where Paramify is acting as a Processor, Paramify will reasonably assist Customer in complying with its obligations under the applicable Data Protection Laws, including without limitation, conducting data protection impact assessments, and any consultations with the supervisory or regulatory authority.
5.1.2 Paramify shall not perform its obligations under this Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Laws.
5.2 Data Subject Rights.
5.2.1 Where Paramify is acting as a Processor or Subprocessor, Paramify will promptly notify Customer in writing, and in any case without undue delay, if Paramify receives (i) any requests from a Data Subject, with respect to Customer Personal Data, including individual opt-out requests, requests for access and/or deletion and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Customer Personal Data, including allegations that the Processing infringes on any individual's or third party's rights. Paramify will not respond to any such request or complaint unless expressly authorized to do so by Customer or required to respond under applicable Data Protection Laws.
5.2.2 To the extent Customer, in its use of the Services, does not have the ability to respond to a request under this Section 5, Paramify shall upon Customer’s written request provide reasonable assistance to the Customer in responding to such request.
5.2.3 Paramify shall comply with any instructions given by the Customer regarding responding to requests under this Section 5.
5.3 Subprocessors.
5.3.1 The Customer hereby consents to the use of the Subprocessors by Paramify for the purposes of providing the Services pursuant to the Agreement. The Subprocessors that are currently authorized to Process Customer Personal Data will be provided to Customer upon request.
5.3.2 Paramify must ensure that it has a written agreement in place with all Subprocessors which contains obligations on the Subprocessors which are no less onerous on the relevant Subprocessor than the obligations on Paramify under this DPA.
5.4 Staff Confidentiality. Paramify shall ensure that all employees, agents, officers, consultants, Subprocessors and any third party authorized to Process the Customer Personal Data or Confidential Information are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality.
5.5 Security.
5.5.1 Paramify will implement and maintain commercially reasonable administrative, technical and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Personal Data and Confidential Information and the nature of its activities under the Agreement, to protect the security, confidentiality and integrity of such information Processed by Paramify or in its possession and control including such safeguards (a) designed to ensure the security of systems upon which such information is Processed; and (b) designed to prevent a Data Breach. The description of technical and organization measures designed to ensure the security of Personal Data is described more fully in Exhibit 2 (Paramify Security Measures) to the DPA.
5.6 Data Breach.
5.6.1. In the event Paramify discovers or learns of a Data Breach affecting Customer Data, Paramify shall take appropriate and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach and prevent further Data Breaches, (b) notify Customer of such Data Breach without unreasonable delay; (c) furnish to Customer necessary and relevant details of the Data Breach as may be available; (d) assist Customer, as needed, in its investigation, mitigation, and remedying of the Data Breach; (e) provide information and reasonably assist Customer, as needed, in meeting Customer’s legal obligations, including any applicable obligations to notify individuals affected by the Data Breach; and (f) cooperate with Customer in any other reasonable action, step, or proceeding as may be deemed necessary by Customer in connection with the Data Breach and any dispute, inquiry or claim concerning the Data Breach.
5.6.2. Unless prohibited by an applicable statute or court order, Paramify shall notify Customer of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
5.6.3. Paramify will comply with any reasonable instructions given by the Customer regarding any requests in connection with a Data Breach.
5.6.4. Paramify’s cooperation or obligation to report or respond to Data Breaches under this DPA is not and will not be interpreted as an acknowledgment by Paramify of any fault or liability of Paramify with respect to a Data Breach.
5.7 Audits.
5.7.1. Upon written request from the Customer, Paramify shall make available to the Customer once a year such information as is reasonably required by the Customer to demonstrate Paramify’s compliance with its obligations under this DPA.
5.7.2. If the Customer in its reasonable opinion determines that the information provided under Section 5.7.1 is not sufficient, Paramify will assist with Customer’s request for additional information through completing a reasonable questionnaire or request for information provided by Customer (“Questionnaire”), or a third party acting on Customer’s behalf, regarding Paramify’s compliance with this Addendum.
5.7.3. If the Customer in its reasonable opinion determines that the information provided under Section 5.7.2 is not sufficient, Paramify will allow the Customer or a third party acting on behalf of the Customer to conduct audits solely as necessary to fulfill Customer's obligations under Data Protection Laws no more than once annually.
5.7.4. Any such audit under this Section 5.7 will occur only after Customer has provided Paramify with at least 60 days’ prior written notice and during a mutually agreed upon date, time, and location. Audits must not unreasonably interfere with Paramify’s business or operations and the scope of such audit will be subject to Paramify’s reasonable pre-approval. Individuals responsible for conducting such audit shall be subject to a contract of confidentiality with Paramify. The work required by Paramify to participate in any audit may result in additional fees (at a mutually agreed upon hourly rate) to be paid by the Customer, unless otherwise agreed in writing prior to the commencement of such audit. If the audit reveals any vulnerability or inadequacy, Paramify shall correct any such vulnerability or inadequacy at its sole cost and expense and shall certify the same in writing to Customer.
5.7.5. To ensure that Paramify complies with applicable Data Protection Laws and its contractual obligations regarding data privacy and security, the Customer agrees that Paramify is not required to provide the Customer with access to the Paramify’s systems or information in a manner that may compromise the security, privacy, or confidentiality of Paramify’s other Customers’ confidential or proprietary information. Any information disclosed pursuant to this Section 5.7 will be deemed Paramify’s Confidential Information.
6.1. As of the date this DPA was last updated, all Customer Personal Data is Processed in the United States by Paramify's wholly owned subsidiary. In its role as a Processor, Paramify will not Process any Customer Personal Data subject to EEA Law outside of the United States or country recognized as “adequate” by the E.U. Commission without Customer’s written authorization.
6.2. Paramify may Process Customer Personal Data in various jurisdictions in which it operates provided Paramify reasonably cooperates with the Customer to comply with applicable data transfer restrictions and obligations required by this DPA and applicable Data Protection Laws.
6.3. To the extent Customer Personal Data that is subject to EEA Law is processed, the parties will execute appropriate data processing terms (including any transfer terms) in connection with such processing and transfer.
6.4. To the extent Data Protection Laws require any further steps to be taken in order to permit the transfer of Customer Personal Data to Paramify (including in relation to data export restrictions under applicable Data Protection Laws outside the EEA), Paramify will work with Customer in good faith (including, where reasonably necessary, by entering into contractual clauses with Customer) to ensure that the transfer of Customer Personal Data meets the requirements of Data Protection Laws. To the extent Customer Personal Data is subject to EEA Laws, the parties will execute appropriate data processing and transfer terms for such processing and transfer.
7.1. Either upon request or direction by Customer or termination or expiration of this Agreement, Paramify will (a) provide a copy of all Customer Personal Data in Paramify’s possession to the Customer and upon written verification from Customer of Customer’s receipt of such Customer Personal Data, destroy such information in accordance with this Section 7; (b) subject to Section 7.1 (a), promptly and securely destroy all such Customer Personal Data in accordance with applicable Data Protection Laws; and (c) certify in writing that it has complied with this Section 7, except to the extent that Paramify is required by applicable law to keep a copy of the Customer Personal Data and notifies Customer of the same.
7.2. Paramify agrees to comply with the terms of this DPA to the extent any Customer Personal Data is remains in its possession or control in accordance with this Section 7.1.
This Exhibit 1 includes details of the Processing of Customer Personal Data by Paramify.
Company Name - As mentioned in the applicable Order Form
Address - As mentioned in the applicable Order Form
Contact name, position, and contact information - As mentioned in the applicable Order Form
Role - Controller
Company Name - Paramify, Inc.
Address - 2250 N University Pkwy, Provo, UT 84604
Contact name, position, and contact information - As mentioned in the applicable Order Form
Role - Processor
The activities relevant to the data transferred at the Services more fully described in the Agreement and applicable ordering documents.
Categories of data subjects whose personal data is processed –
Customer may submit or give access to Customer Data to Paramify, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Customer Data relating to the following categories of data subjects:
• Customer’s authorized users, employees, agents, or representatives
• Customer’s customers
Categories of personal data processed –
Customer may submit Customer Data to Paramify which may include the following categories of Customer Data:
As to Customer’s authorized users, employees, agents, or representatives, contact details of the individual which may include first and last name, email address and IP address.
To the extent Customer provides or causes to provide the following data to Paramify, the following categories of personal data may be processed:
• Phone numbers and postal address
Sensitive personal data processed – None
Frequency of the processing – Continuous
Nature of the processing and purpose of the data processing and further processing - The objective of Processing of Customer Data by Paramify is the performance of the Agreement and this DPA.
Period for which the personal data will be retained or criteria used to determine that period - Subject to Section 7 (Return or Deletion of Customer Personal Data) of this DPA, Paramify will process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Subprocessor (subject matter, nature, and duration of processing) - In addition to the following, the subject matter, nature, and duration of the Processing more fully described in the Agreement, DPA, and accompanying order forms.
Paramify will implement and maintain a written security program with commercially reasonable administrative, technical, and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Data and the nature of its activities under the Agreement, to protect the security, confidentiality, availability, and integrity of Customer Data Processed by Paramify or in its possession and control including such safeguards (a) to protect the security of systems upon which such data is Processed; and (b) designed to prevent a Data Breach.
Paramify’s personnel will not Process Customer Data without authorization. Paramify’s Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.
Without limiting the foregoing, Paramify will:
1. Develop and use reasonable steps to select and retain agents and subcontractors that assist Paramify in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessors to agree by written contract to comply with terms substantially similar to those contained in this DPA;
2. Conduct routine risk assessments to identify, document, and remediate material internal and external risks to the security, confidentiality, availability, and integrity of Customer Data that could result in a Data Breach, and assess the sufficiency of any security measures in place to control these risks;
3. At a minimum, the risk assessments required by subpart (2) should include assessment of risks in each area of relevant operation, including, but not limited to:
i. employee training and management;
ii. secure system design and testing;
iii. quarterly (at a minimum) security and vulnerability scans; and
iv. review, assessment, and response to internal and third-party security vulnerability reports;
4. Design and implement reasonable safeguards to control the risks identified through the risk assessments, including through reasonable and appropriate security policies and guidelines and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
5. Establish and enforce written procedures that follow role based access control principles to control access to systems, networks, services, and facilities that may Process or store Customer Data and make such procedures available to Customer upon request.
6. Monitor access by Paramify personnel to Customer Data and limit any such access to those with a need to know in order to perform its obligations under the Agreement;
7. Implement multi-factor authentication for any system Processing Customer Data;
8. Implement and conduct routine security training for Paramify personnel with access to Customer Data;
9. Implement anti-malware software on any systems that Process Customer Data;
10. Commensurate with the nature and sensitivity of the Customer Data, encrypt Customer Data in transit across public networks or outside of Paramify’s physical or logical controls and at rest when stored on any device or storage media (such as servers, databases, backups, etc.) using industry standard encryption tools.
11. Provide reasonable assistance to Customer in Customer’s assessment and implementation of appropriate administrative, technical, and physical safeguards to provide an appropriate level of security of Customer Data, including (upon Customer’s reasonable request) completion of periodic assessments;
12. Automatically collect system, application, and user level logs on an ongoing basis for any network or system Processing Customer Data and retain such logs for security response for at least one year;
13. Implement, maintain, and monitor physical security controls for any processing facilities that are used for Processing Customer Data, including without limitation appropriate perimeter security that provide protection against unauthorized access, damage, or interference; and
14. Evaluate and adjust its security program in light of the results of the testing and monitoring required by subpart (2), any material changes to Paramify’s operations or business arrangements, or any other circumstances that Paramify knows or has reason to know may have a material impact on the effectiveness of its security program.
During the term of the Agreement or so long as Paramify Processes Customer Data, whichever is longer, Paramify shall implement and maintain a disaster recovery plan that ensures that all Customer Data Processed by Paramify is capable of being recovered, and that the integrity of all such recovered Customer Data is retained, in the event that Paramify's network, systems or other facilities experience a Data Breach or any significant interruption or impairment of operation or any loss, deletion, corruption, or alteration of Personal Information (“Disaster Recovery Plan”).