Data Processing Addendum
Version 16.0523 • Dec 27, 2023
Overview
This Data Processing Addendum (this “Addendum”) is part of the Master Terms of Service Agreement (“MSA”) between ID123 Inc, the Service Provider and Client or any other signed agreement between the Parties that incorporates this Addendum by reference and governs the Service Provider’s processing of Personal Data in its capacity as a Processor in connection with the Service Provider’s provision of the Cloud Service it provides pursuant to the MSA. This Addendum shall only apply if the Service Provider and Client have not entered into a separate data processing agreement or similar contractual arrangement with respect to the processing of Personal Data. All capitalized terms used but not defined in this Addendum have the meanings given to them in the MSA. The terms “personal data”, “data subject”, “processing”, “controller”, “processor”, “representative” and “supervisory authority” shall have the meanings given in the GDPR or UK GDPR, as applicable, in each case irrespective of whether Data Protection Law applies.
I. Appointment as Data Processor
The Controller
The Controller appoints the Service Provider as Processor to receive and process Personal Data on the Controller’s behalf only as is necessary to provide the Cloud Service and as may subsequently be agreed to by the parties in writing. The Controller’s instructions for the Processing of Personal Data under or in relation to this Addendum shall comply with Data Protection Laws, as applicable. The Controller is responsible for ensuring a valid legal basis for processing the Personal Data. The legal entity agreeing to this Addendum as Controller represents that it is authorized to agree to and enter into this Addendum for, and is agreeing to this Addendum solely on behalf of, the Controller.
The Processor
The Processor shall collect, receive, process and use Personal Data on behalf of and as instructed by the Client as the Controller, in accordance with Data Protection Legislation, as applicable, and will not use or process Customer Personal Data for any purpose other than in its capacity as Processor appointed by the Controller.
Processing. The subject matter and details of processing are described in “Section IV Appendix 1” of this Addendum.
II. International Data Transfers
International Data Transfer
Before the Controller transfers Personal Data to the Processor, or permits the Processor to access Personal Data located in a jurisdiction that requires an International Data Transfer Mechanism, the Controller shall verify whether the relevant requirements are met. If they are not met, the parties shall work together in good faith to fulfill the requirements of that International Data Transfer Mechanism. The parties shall institute and comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law.
International Data Transfer Mechanism
If the Controller is established in the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”) and transfers Personal Data to the Processor, then the Data Transfer Addendum shall: (i) apply to such transfers; (ii) take precedence over all other terms, including the terms of this Agreement, in respect of such transfers; (iii) form a legally binding contract between the data exporter and Processor as or on behalf of the data importer; and (iv) be hereby incorporated into the MSA.
With respect to Personal Data of EEA, Switzerland and UK data subjects, the Parties agree that the Processor may process Personal Data outside the EEA, Switzerland, and the UK only where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies. With respect to personal data of Brazilian data subjects, the Data Controller agrees that the Service Provider may process Customer Personal Data outside of Brazil, and represents and warrants that such transfer of Customer Personal Data is compliant with the Brazilian data protection law (LGPD).
III. Data Protection
1. Compliance
The parties will comply with their respective obligations under Data Protection Law and their respective privacy notices.
2. Confidentiality
The Processor will restrict access to Personal Data to those authorized persons who need such information to provide the Services. Such authorized persons are obligated to maintain the confidentiality of any Personal Data. The Processor will not publish, disclose, or divulge (and will ensure that its personnel do not publish, disclose, or divulge) Personal Data to a third party unless the Controller has given its prior written consent.
3. Security
The Processor will implement appropriate technical, administrative and organizational measures, as applicable, and as described in “Section V Appendix 2” of this Addendum, required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Personal Data; and (ii) prevent unauthorized or unlawful processing of Personal Data, accidental loss, disclosure or destruction of, or damage to, Personal Data provided by Controller and processed by the Processor. Such security measures will be at least as protective as the security requirements set forth in the MSA. When choosing security controls, the Processor will consider the state of the art, the cost of implementation, the nature, scope, context, and purposes of Personal Data processing, and the risk to data subjects of a security incident or Personal Data Breach affecting Personal Data.
4. Retention
Personal Data received from Client will be retained only for so long as may be reasonably required in connection with the Processor’s performance of the MSA or as otherwise required under Data Protection Law. The Processor’s obligations related to returning or deleting Personal Data will survive termination until all Personal Data has been returned or deleted in accordance with this Addendum.
5. Cooperation
The Processor will cooperate to the extent reasonably necessary in connection with the Controller’s requests related to data security, data breach notifications, data protection impact assessments and consultation with supervisory authorities and for the fulfillment of the Controller’s obligation to respond to requests for exercising a data subject’s rights under Data Protection Law. The Processor reserves the right to charge the Controller for its reasonable time for such cooperation and for the costs incurred for any special arrangements requested.
6. Third Party Requests
If the Processor receives a request from a data subject or a third party in connection with any government investigation or court proceeding that the Processor believes would require it to produce any Personal Data, the Processor will inform the Controller promptly in writing of such inquiry, request or complaint and cooperate with the Controller if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable Law. The Processor will assist the Controller, insofar as it is commercially reasonable, to fulfill Controller’s obligation to respond to requests from Data Subjects and supervisory authorities as required by Data Protection Law. The Controller shall be solely responsible for responding to any Data Subjects’ requests and if such request is made directly to the Processor, the Processor will promptly inform the Controller and will advise the Data Subjects to submit their request to the Controller.
7. Instructions from the Client
Notwithstanding anything in the MSA to the contrary, the Processor will only process Personal Data in order to provide the Services to the Controller, in accordance with the Controller’s written instructions, as permitted by the last sentence of Section 8 below, or as required by applicable Law. The Processor will promptly inform the Controller if following an instruction would result in a violation of Data Protection Law or where the Processor must disclose Personal Data in response to a legal obligation (unless the legal obligation prohibits the Processor from making such disclosure).
8. Scope of Processing
The Processor is prohibited from: (a) Selling (as such term is defined in the CCPA) Personal Data, (b) retaining, using, or disclosing Personal Data for any purpose other than for the specific business purpose of performing the Controller’s documented instructions for the business purposes defined in this Addendum, including retaining, using, or disclosing the Personal Data for a commercial purpose other than performing Controller’s instructions, or (c) retaining, using, or disclosing the Personal Data outside of the direct business relationship between the parties as defined in this Agreement. The Processor certifies that it understands these restrictions. Notwithstanding the foregoing, the Processor may process Personal Data to retain or employ another person as a sub-Processor (as defined in Section 10 below) in accordance with this Addendum, for internal use by the Processor to improve the quality of its services (provided that the Processor does not use the Personal Data to perform services on behalf of another person), or to detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.
9. Sensitive Information
The Controller will inform the Processor if Personal Data is Sensitive Data, and the Controller shall obtain explicit consent from Data Subjects for the transfer of Sensitive Data for processing to the extent such consent is required under Data Protection Law.
10. Sub-processors
The Controller grants the Processor general authorization, as a processor, to engage other processors (“Sub-processors”) to assist in providing the Services consistent with the Agreement. The Processor will ensure each Sub-processor only accesses and uses Personal Data to the extent required to perform the obligations subcontracted to it and in accordance with this Addendum. In accordance with Data Protection Laws, the Processor will make a list of such Sub-processors accessible to the Controller in Appendix 3 prior to transferring any Personal Data to such Sub-processors. The Controller may opt in to be notified by email in writing by the Processor of any changes to the list of Sub-processors; the Processor will update such list from time to time in order to give the Controller an opportunity to object to such changes within 30 days after being notified. If the Controller and the Processor are unable to resolve such objection, either Party may terminate the Agreement by providing written notice to the other party. The Controller shall have the right to review all Sub-processors’ activities in accordance with the Data Protection Legislation, including the right to obtain information from the Processor, upon written request, on the implementation of the data protection obligations under each Sub-Processing contract.
11. Sub-processor Liability
Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, substantially similar data protection obligations as set out in this Addendum will be imposed on that Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law. The Processor will be liable for the acts or omissions of its Sub-processors to the same extent as the Processor would be liable if performing the services of the Sub-processor directly.
12. Record keeping
Upon a request issued by a supervisory authority for records regarding Personal Data, the Processor will cooperate to provide the supervisory authority with records related to processing activities performed on the Controller’s behalf, including information on the categories of Personal Data processed and the purposes of the processing, the use of service providers with respect to such processing, any data disclosures or transfers to third parties and a general description of technical and organizational measures to protect the security of such data.
13. Transfer of Personal Data; Appointment
The Controller authorizes the Processor to transfer, store or process Personal Data in the United States or any other country in which the Processor or its Sub-processors maintain facilities. The Controller appoints the Processor to perform any such transfer of Personal Data to any such country and to store and process Personal Data in order to provide the Services. The Processor will conduct all such activity in compliance with the MSA, this Addendum, Data Protection Law, any applicable International Data Transfer Mechanism and Controller instructions.
14. Deletion or Return
Upon completion of the Processor’s obligations in relation to processing of Personal Data under this Agreement or when instructed by the Controller, the Processor will delete any Personal Data or return it to the Controller in a secure manner and delete all remaining copies of Personal Data after such return, except where otherwise required under applicable Law. The Processor will render any Personal Data that cannot be deleted or returned anonymous in such a manner that the data no longer constitutes Personal Data. The Processor will relay the Controller’s instructions to all Sub-processors. The Controller may, before termination or expiration and by way of issuing an Instruction, stipulate the reasonable secure method and format for the return of any Personal Data before it is deleted. The Controller will be responsible for any additional cost arising in connection with the secure method instructed for the return of Personal Data.
15. Breach Notification
In accordance with Section 7.8.1 of the MSA, after becoming aware of a Personal Data Breach, the Processor will notify the Controller without undue delay of: (a) the nature of the Personal Data Breach; (b) the number and categories of data subjects and data records affected; and (c) the name and contact details for the relevant contact person at the Processor. The Processor shall immediately investigate the Personal Data Breach to identify, prevent, and mitigate the effects of any such Personal Data Breach, and carry out any recovery or other action necessary to remedy the Personal Data Breach. At the Controller’s request, the Processor will promptly provide all reasonable assistance necessary to enable the notification of competent authorities and/or affected Data Subjects of the relevant Security Incident, if the Controller is required to do so under Data Protection Legislation.
16. Audits
Upon request and at the Controller’s expense, the Processor will make available to the Controller all information necessary, and allow for and contribute to audits, including reasonable inspections, conducted by the Controller or another auditor mandated by the Controller, to demonstrate compliance with Data Protection Law. For clarity, such audits or inspections are limited to the Processor’s processing of Personal Data for Client only, not any other aspect of the Processor’s business or information systems. If the Controller requires the Processor to contribute to audits or inspections that are necessary to demonstrate compliance, the Controller will provide the Processor with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it, will be considered Confidential Information and, notwithstanding anything to the contrary in the MSA, will remain Confidential Information in perpetuity or the longest time allowable by applicable Law after termination of the MSA. Such materials and derivative work product produced in response to the Controller’s request will not be disclosed to anyone without the prior written permission of the Service Provider unless such disclosure is required by applicable Law. If disclosure is required by applicable Law, the Controller will give the Processor prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable Law or order of a court or governmental agency. The Controller will make every effort to cooperate with the Processor to schedule audits or inspections at times that are convenient to the Processor. 
The Processor may charge a reasonable fee for such requests except where such investigation arises from a breach of its obligations herein, to the extent permitted by applicable law. If, after reviewing the Processor’s response to Client’s audit or inspection request, the Controller requires additional audits or inspections, the Controller acknowledges and agrees that it will be solely responsible for reasonable fees and all costs incurred in relation to such additional audits or inspections.
17. Conflicts
If there is a conflict or inconsistency between this Data Processing Addendum, the Data Transfer Addendum, the MSA and the Product Addendum, the order of priority will be: the Data Transfer Addendum (but only to the extent it applies under section 6.a above), this Data Processing Addendum, the MSA, and the Product Addendum. Where individual provisions of this Addendum are invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum shall not be affected.
18. Changes
The Service Provider may update any part or all of the terms of the Addendum as needed to comply with Data Protection Legislation, and such updates will become effective and binding upon the renewal date of the Client’s next Product Subscription or upon the Service Provider’s written agreement, whichever is sooner. If this Addendum is incorporated by reference as a web page URL, the updated version of the Addendum will be posted at the same URL and will be shared with the Controller for approval in writing. If this Addendum is incorporated as part of a commercial agreement executed by the Parties, the updated version of the Addendum will be shared with the Controller for approval in writing. If the Controller does not agree with a modification in writing, the Controller shall notify the Processor in writing and the Parties will work together in good faith to form a new mutually acceptable Data Processing Addendum.
IV. Appendix 1: Details of Data Processing
A. List of Parties
Data Exporter(s)
The data exporter is the Disclosing Party and shall be a Controller, as defined in this Agreement, with the name, address, and contact details as provided to the Service Provider through the provision or support of the Services. The activities relevant to the data transferred under these Standard Contractual Clauses include the use of the relevant Services in accordance with the MSA and applicable Product Addendum. The data exporter shall be in the Controller role.
Data Importer(s)
The data importer is the Receiving Party and shall be the Service Provider, as defined in this MSA, with the name, address and contact details as follows:
ID123 Inc., with its address at 397 Moody St. Suite 202 Waltham MA 02453
The data importer shall be in the Processor role when the activities relevant to the data transferred under these Standard Contractual Clauses include the provision of the relevant Services to Client in accordance with the MSA and applicable Product Addendum.
The data importer shall be in the Controller role where both the exporter and importer are each an independent data controller of Personal Data and independently determine the purpose and means of processing Personal Data under Data Protection Law, when the activities relevant to the data transferred under these Standard Contractual Clauses include the support of the relevant Services to Client in accordance with the MSA and applicable Product Addendum.
B. Description of Transfer
The data processing activities carried out by Receiving Party under this Addendum are as follows:
Subject Matter
The Service Provider’s provision and support of the Services under the MSA and applicable Product Addendum.
Duration of the Processing and Retention
For the term of this Agreement plus the period from expiry until the anonymization, return, or deletion of data in accordance with this Agreement.
Nature and Purpose
Receiving Party will process Personal Data for the purposes of providing the Services in accordance with and as described in the MSA and applicable Product Addendum.
Data Categories
Personal Data relating to individuals provided to Receiving Party as Processor in the performance and provision of the Services to Client, by (or at the direction of) the Disclosing Party, which may include:
- Contact Information is processed in order to authenticate and communicate with Data Subjects. Contact Information includes email address, telephone number and mailing address.
- Personal Information is processed in order to enable the Controller and its end users to use the Service. Personal Information is processed in order to enable the Data Subject to display, transfer, prove or share all or part of their Personal Information with the Controller or a third party when using their ID Card. Personal Information includes name, gender, age, date of birth, payment information, location, education information, membership information, employment information, family relationships, pets, certifications, licenses, credentials, entitlements, identity documents, identity proofs, face photos, and signatures.
- Usage Information is processed in order to support Data Subjects’ and Controllers’ use of the Service. Usage Information includes device information, network information, actions and events taken with the app or website such as app opens, message opens, purchases, searches, barcode scans, check-in/check-out events, verifications, payments, installs, uninstalls, shares, and registration methods, website and app usage information, email data, system usage data, application integration data, and other electronic data or communications submitted, stored, sent to, or received by end users.
Personal Data relating to individuals provided to Receiving Party as a Controller in a Controller to Controller transfer for the purpose of sale of Services to Client or support of the Services for Client, by (or at the direction of) the Disclosing Party, which may include:
- Contact Information of Client representatives, agents, referrals or partners which is processed in order to authenticate and communicate with Data Subjects in order to sell the Service to Client or support the Service for Client. Contact Information includes email address, telephone number.
- Personal Information of Client representatives, agents, referrals or partners is processed in order to enable the Controller to sell the Service to Client or support the Service for Client. Personal Information includes these representatives’ names, employment information, certifications, licenses, credentials, entitlements, identity documents, identity proofs, and face photos.
Sensitive Data that may be transferred to the Service Provider as Processor via the Services, by or at the direction of the Data Controller, may include the following categories:
- Racial or ethnic origin, for the purpose of issuing membership cards on behalf of organizations advocating for the rights of members or non-members of particular racial or ethnic origins.
- Political opinions, for the purpose of issuing political membership cards for different political organizations or membership organizations advocating certain policies.
- Religious or philosophical beliefs, for the purpose of issuing religious membership cards on behalf of organized religious groups.
- Trade union membership, for the purpose of issuing trade union membership cards on behalf of trade unions.
- Biometric data, with the explicit consent of data subjects, or to carry out the obligations of employment or for the substantial public interest to prevent identity fraud.
- Gender identity or sexual orientation, for the purpose of issuing membership cards on behalf of membership organizations advocating for gender or sexual identity rights, or at the explicit consent of the data subject in order to enable them to share their identity or pronouns with other users or institutions.
- Health data, for the purpose of preventative or occupational medicine as a health patient, professional or service ID card for use to identify a disability, patient, or caregiver. Health data may also be processed for reasons of public interest in the area of public health where health credentials may be required in the course of employment or for international travel.
- If data pseudonymization cannot be applied, the Processor will only process Sensitive Data subject to the Controller receiving explicit consent from the Data Subject and the processing is subject to derogation of the law.
- Sensitive Data relating to individuals provided to Service Provider as Controller in a Controller-to-Controller transfer for the purpose of selling the Service to the Client or support of the Service for the Client, by or at the direction of the Controller, shall not be processed.
Frequency of the Transfer
Continuous
Data Subjects
Data subjects include EEA, Switzerland, UK, and Brazilian individuals about whom personal data is provided to Processor via the Services by (or at the direction of) the Controller. Data Subjects may be any individual with a business, personal, affiliation or institutional relationship with the Controller or customer of Controller including their customers, end users, members, suppliers, collaborators, volunteers, licensees, vendors, prospects, employees, subcontractors, guests, relatives, guardians, patients, instructors, constituents, friends, representatives.
C. Competent Supervisory Authority
The competent supervisory authority will be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).
V. Appendix 2: Security Measures
- The Processor shall implement and comply with a written information security program consistent with established industry standards and appropriate to the nature of the Personal Data. This program shall include administrative, technical, and physical safeguards designed to protect such information from unauthorized access, destruction, use, modification, or disclosure, as well as any anticipated threats or hazards to the security or integrity of such information. The program shall also include safeguards against unauthorized access or use that could result in substantial harm or inconvenience to the Controller, the Controller’s customers, or the Controller’s employees.
- The Processor shall adopt and implement reasonable policies and standards related to security.
- The Processor shall assign responsibility for information security management.
- The Processor shall devote adequate personnel resources to information security.
- The Processor shall carry out verification checks on permanent staff who will have access to the Personal Data.
- The Processor shall conduct appropriate background checks and require employees, vendors, and others with access to the Personal Data to enter into written confidentiality agreements.
- The Processor shall conduct training to make employees and others with access to the Personal Data aware of information security risks and to enhance compliance with Processor’s policies and standards related to data protection.
- The Processor shall prevent unauthorized access to the Personal Data through the use, as appropriate, of physical and logical entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with Processor’s policies and standards related to data protection on an ongoing basis. In particular, Processor shall implement and comply with:
  • Physical access control measures to prevent unauthorized access to data processing systems
  • Denial-of-use control measures to prevent unauthorized use of data protection systems
  • Authorization scheme and access rights to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Personal Data cannot be read, copied, modified, or removed without authorization
  • Data transmission control measures to ensure that the Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records
  • Encryption in storage of any data sets in Processor’s possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards
  • Ensuring that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Processor’s IT system or transmitted over a public network is encrypted using the newest supported version of the TLS 1.2 protocol to protect the security of the transmission
  • Data entry control measures to ensure Processor can check and establish whether and by whom the Customer Personal Data has been input into data processing systems, modified, or removed
  • Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration testing, use of system scanning tools, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans
  • Sub-processor supervision measures to ensure that, if Processor is permitted to use sub-processors, the Personal Data is processed strictly in accordance with the Data Controller’s instructions
- The Processor shall take such other steps as may be appropriate under the circumstances.
VI. Appendix 3: Sub-Processors
To enable the Service Provider to deliver the Subscription, Sub-Processors are engaged to assist with certain necessary data processing activities. A list of the Sub-Processors used and the purpose for engaging them is located on the Sub-Processors Page available at https://www.id123.io/terms/dpa/subprocessors/, which is incorporated into this Addendum and may be updated from time to time subject to the terms herein.