DATA PROCESSING ADDENDUM
EU STANDARD CONTRACTUAL CLAUSES
BY EXECUTING AN ORDER FORM AND/OR STATEMENT OF WORK THAT REFERENCES THIS DATA PROCESSING ADDENDUM (“DPA” OR “ADDENDUM”, TOGETHER WITH FORMA’S MASTER TERMS AND CONDITIONS, THIS “AGREEMENT”), YOU AGREE YOU HAVE READ AND ARE BOUND BY THE TERMS OF THIS DPA, WHICH IS INCORPORATED IN AND FORMS A PART OF THE AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THIS AGREEMENT, IN WHICH CASE THE TERM “CUSTOMER” WILL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS AGREEMENT, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE FORMA PLATFORM. IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THE AGREEMENT AND THIS DPA, THE TERMS OF THE DPA WILL APPLY.
This DPA is made as of the Effective Date of the Agreement between Forma, Inc. DBA Forma, a Delaware corporation with a place of business at 47000 Warm Springs Blvd, Suite 1-170, Fremont, CA 94539 (“Forma”), and the Customer identified in the applicable Order Form (“Customer”).
HOW THIS DPA APPLIES
Forma provides services to Customer under the Agreement. Pursuant to the Agreement, Forma may from time to time process Personal Data (as defined below) for which Customer may be a “Controller” as defined by Applicable Data Protection Law (defined below), including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the retained version of the GDPR as it forms part of the law of England by virtue of the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”). When processing such Personal Data, Forma may be a “Processor” as defined by Applicable Data Protection Law.
Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, and because such processing may, from time to time, involve the transfer of Personal Data from the European Economic Area (EEA) and/or United Kingdom (UK) to the United States, Customer and Forma have agreed to execute this DPA in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.
1. Definitions. All capitalized words not defined below will have the meaning set forth in the Agreement.
- “Applicable Data Protection Law” means privacy and data protection laws, regulations, and binding decisions by a Supervisory Authority or other applicable governmental entity applicable to Customer or Forma, respectively.
- “DPA Effective Date” means the Effective Date of the Agreement.
- “Personal Data” means all data which is defined as ‘personal data’ or ‘sensitive data’ as described under Applicable Data Protection Law, and which is provided by the Customer to Forma and is accessed, stored, or otherwise Processed by Forma pursuant to the Agreement.
- “Processing”, “Controller,” “Data Subject,” “Supervisory Authority,” and “Processor” have the same meaning set forth in the GDPR.
- “Standard Contractual Clauses” means the standard data protection clauses annexed to EU Commission Implementing Decision 2021/914 of June 4, 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “Security Practices Summary” means summary documentation of Forma’s security practices (including without limitation third-party security attestations and certifications, as applicable) that Forma makes generally available to its customers, as may be updated by Forma from time to time. A copy of the Security Practices Summary, current as of the DPA Effective Date, is incorporated into Appendix 2 to this DPA.
- “Subprocessor” means a third-party subcontractor that Forma may retain from time to time and that Processes Personal Data to provide services to Forma necessary for Forma to perform its obligations under the Agreement.
2. Applicability. Except as otherwise expressly set forth herein, this DPA applies (i) when Personal Data of data subjects located in the EEA, the UK or Switzerland is processed by Forma on behalf of Customer or (ii) where Customer is established in the EEA, UK or Switzerland. Customer will at all times act as the “Controller” as defined by Applicable Data Protection Law, and Forma will at all times act as the “Processor” as defined by Applicable Data Protection Law.
3. Processing of Personal Data. With respect to the processing of Personal Data, Forma will:
- process Personal Data only in accordance with Applicable Data Protection Law and upon documented instructions from Customer, including as set forth in the Agreement and this DPA, unless otherwise required by applicable law to which Forma is subject; in such a case, Forma will inform Customer of the relevant legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- implement and maintain appropriate technical and organizational measures to ensure a level of security for Personal Data consistent with Applicable Data Protection Law, such measures to be described in the Security Practices Summary, as may be updated from time to time; provided, however, that Forma will not materially degrade the level of security in effect as of the DPA Effective Date;
- ensure that those of Forma’s personnel who process Personal Data have a “need-to-know” such Personal Data in order to fulfill Forma’s obligations under the Agreement and are subject to confidentiality obligations to use and protect such Personal Data as required under the Agreement and this DPA;
- promptly notify Customer upon Forma’s or its Subprocessors’ receipt of any request, dispute or claim directly from a Data Subject (including, without limitation, requests related to the exercise of that Data Subject’s rights under Applicable Data Protection Law with respect to Personal Data), and not respond to such request, dispute or claim unless and until Customer provides written consent to such response to Forma;
- notify Customer without undue delay (and in no case later than is required under Applicable Data Protection Law) if Forma or its Subprocessors reasonably suspect or know of any accidental or unlawful destruction, accidental loss, alteration, or unauthorized disclosure of or access to Personal Data (a “Data Breach”), and, taking into account the nature of Forma’s processing and the information available to Forma, provide reasonable assistance to Customer with respect to any Data Breach (including without limitation cooperating with Customer with respect to notification of Supervisory Authorities and communication to Data Subjects regarding a Data Breach);
- provide reasonable assistance to Customer where processing performed by Forma is relevant to a data protection impact assessment or prior consultation with a Supervisory Authority;
- to the extent Forma engages any Subprocessors, abide by the terms set forth in subsection 4.3 below;
- promptly notify Customer upon Forma’s or its Subprocessors’ receipt of any request for disclosure of Personal Data from a Supervisory Authority, government entity or court of law of a competent jurisdiction, or pursuant to a subpoena (unless otherwise prohibited by law);
- promptly notify Customer upon Forma’s or its Subprocessors’ determination that it can no longer meet its obligation to provide the level of protection to Personal Data required under the Agreement and this DPA;
- upon notice by Customer, where Customer has reasonably determined Forma is no longer processing data in accordance with the Agreement and this DPA, take reasonable and appropriate steps to stop and remediate such unauthorized processing;
- at the choice of Customer, delete or return all Personal Data to Customer after the end of Forma’s provision of services and delete existing copies unless applicable law requires storage of the Personal Data; and
- with respect to a request for audit or inspection relating to Forma’s compliance with the terms of this DPA, abide by the terms set forth in subsection 4.5 below.
4. Standard Contractual Clauses.
4.1 To the extent that the processing of Personal Data under this Agreement involves transfers of Personal Data out of the EEA from Customer to Forma in the United States, Forma and Customer enter into and agree to be bound by the provisions of Module Two of the Standard Contractual Clauses, incorporated herein by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Forma; the optional docking clause in Clause 7 is not implemented; Clause 9(a) Option 2 is implemented and the time period therein is specified as twenty (20) days; the optional redress clause in Clause 11(a) is struck; Clause 13(a) paragraph 1 is implemented; Clause 17 Option 2 is implemented and the governing law is the law of the Republic of Ireland; the courts in Clause 18(b) are the courts of the Republic of Ireland; and Annexes I and II to Module Two of the Standard Contractual Clauses are Appendix 1 and Appendix 2 to this Addendum, respectively.
4.2 To the extent an adequate transfer safeguard is required under the UK GDPR for the transfer of Personal Data by Customer from the United Kingdom to Forma in the United States, Customer and Forma enter into and agree to be bound by the provisions of Module Two of the Standard Contractual Clauses, as incorporated herein by reference and completed as set out in Section 4.1, with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0 (“UK Addendum”), also incorporated herein by reference and completed as follows: the start date in Table 1 is the Effective Date of the Agreement; the Parties’ details in Table 1 are as set forth above in this DPA; the key contacts of each Party in Table 1 are as set forth in Section A of Appendix 1 herein; in Table 2, the first box (stating “the version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information”) is selected and the Effective Date of the Agreement is inserted; in Table 3, the list of Parties, description of transfer, and technical and organizational measures are as set forth in Appendix 1 and Appendix 2 hereto; and in Table 4, the “Importer” and “Exporter” boxes are selected. In the event the UK Addendum applies, the Parties agree that their execution of the Agreement shall also constitute their execution of the UK Addendum.
4.3 Pursuant to Clause 9(a) of the Standard Contractual Clauses:
- Customer acknowledges and agrees that Forma may retain Subprocessors for the purposes of providing services under the Agreement, and hereby provides general authorization to the use of Subprocessors as described herein. In addition, Customer hereby provides general authorization to the use of those Subprocessors engaged by Forma as of the DPA Effective Date.
- Upon written request from Customer (not more than once annually, unless required by a Supervisory Authority), Forma will provide to Customer a list of its then-current Subprocessors (the “Subprocessor List”). Forma shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) days in advance. Customer will have ten (10) days after receipt of the Subprocessor List to provide written notice to Forma of any objections Customer has with respect to one or more Subprocessors. Forma will have a commercially reasonable time after the receipt of any such objection to either (i) provide clarification to Customer regarding the Subprocessor’s processing activities, security profile, and compliance with Applicable Data Protection Law, and thereafter receive Customer’s authorization to use such Subprocessor (such authorization not to be unreasonably withheld) or (ii) make reasonable changes to Forma’s processing in order to accommodate the objection, and gain Customer’s approval of such changes. If Forma is unable to comply with (i) or (ii), Customer may terminate any services provided by Forma to Customer that involve processing by objected-to Subprocessors.
- Forma agrees to be liable for the acts and omissions of its Subprocessors to the same extent as Forma would be if performing the services of its Subprocessors under the terms of the Agreement.
4.4 Pursuant to Clause 9(c) of the Standard Contractual Clauses:
- Customer agrees that the copies of the Subprocessor agreements may be provided only upon reasonable request, and only once annually (unless requested by a Supervisory Authority).
- Customer agrees that such copies may be provided in summary form or, upon reasonable request from Customer, in a form with all commercial information and clauses unrelated to data privacy and security redacted by Forma.
4.5 Pursuant to Clause 8.9 of the Standard Contractual Clauses, an “audit” as described therein will be carried out as follows:
- Upon written request by Customer, and subject to the confidentiality obligations of the Agreement, Forma will make available to Customer the security information Forma generally makes available to its customers.
- In the event an on-site review is required by a Supervisory Authority or is otherwise reasonably requested by Customer, Customer and Forma will mutually agree upon the scope, timing, and duration of such on-site review. On-site audits will be carried out at Customer’s expense.
5. Processing of Personal Information Pursuant to CCPA. To the extent Forma acts in the role of a “Service Provider”, as defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively, “CCPA”), in connection with processing “Personal Information” (as defined under CCPA) on Customer’s behalf, the terms set forth in this Section 5 shall apply. Capitalized terms used but not defined in this Section 5 shall have the meanings assigned to such terms in the CCPA. With respect to Forma’s role as a Service Provider, the Parties agree as follows:
- Forma shall not Sell or Share Personal Information it collects pursuant to the Agreement;
- Customer is disclosing Personal Information to Forma only for specified Business Purposes set forth in the Agreement, which include provision of Forma’s platform, software and services relating to administration of benefits to those individuals that Customer assigns to use Forma’s platform, software and services.
- Forma shall not retain, use, or disclose the Personal Information that it collected pursuant to the Agreement for any purposes other than: (a) the Business Purposes specified in the Agreement, which include provision of Forma’s platform, software and services relating to administration of benefits to those individuals that Customer assigns to use Forma’s platform, software and services; or (b) as otherwise permitted by the CCPA.
- Forma shall not retain, use, or disclose the Personal Information that it collected pursuant to the Agreement for any Commercial Purpose other than the Business Purposes specified in the Agreement, unless expressly permitted by the CCPA.
- Forma shall not retain, use, or disclose the Personal Information that it collected pursuant to the Agreement outside the direct business relationship between Forma and Customer, unless expressly permitted by the CCPA.
- Forma shall comply with all applicable sections of the CCPA, including, with respect to the Personal Information that it collected pursuant to the Agreement, providing the same level of privacy protection as required of Businesses by the CCPA. As part of the foregoing obligation, Forma will implement reasonable security procedures and practices appropriate to the nature of the Personal Information received from, or on behalf of, Customer to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure.
- Subject to conditions set forth below, Forma will grant Customer the right to take reasonable and appropriate steps to ensure that Forma uses the Personal Information that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA. Specifically, Customer may request to review Forma records directly relating to its use of Personal Information that it collected pursuant to the Agreement, provided that: (a) Customer must provide reasonable advance notice (of no less than 30 days) to Forma of any such requested review; (b) Customer may make such request no more than once annually; (c) in advance of Customer’s review, the Parties shall mutually agree upon the scope, timing, and duration of the review; (d) to the extent Customer will access any of Forma’s confidential and/or proprietary information in the review, Customer shall be bound by confidentiality obligations set forth in the Agreement or other terms reasonably specified by Forma to protect the confidentiality of such information; and (e) the review shall be conducted at Customer’s expense.
- Forma shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.
- Forma shall grant Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by Forma.
- Forma shall provide reasonable assistance to Customer, upon Customer’s request, to enable Customer to comply with Consumer requests made pursuant to the CCPA.
6. This DPA shall remain in full force and effect until the earlier of:
- the expiration or termination of the Agreement;
- the mutual agreement of the parties to terminate.
7. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will apply.
APPENDIX 1
A. LIST OF PARTIES
Data exporter(s): The legal entity that has executed the Standard Contractual Clauses as the data exporter, which is identified as the Customer in the Order Form. The Order Form is incorporated by reference herein, including without limitation the following Customer Information, as listed in the Order Form:
(1) Name: Customer Name, as set forth in the Order Form
Address: Customer Address, as set forth in the Order Form
Contact person’s name, position and contact details: As set forth in the Order Form
Activities relevant to the data transferred under these Clauses: Data exporter may submit, for processing by Data importer, Personal Data of its employees, agents, contractors and/or advisors who wish to use Forma’s platform and services for administering and participating in employee benefits programs.
Signature and date: As set forth in the Order Form
Role (controller/processor): Controller
Data importer(s): The legal entity that has executed the Standard Contractual Clauses as the data importer (also referred to herein as Forma).
(1) Name: Forma, Inc. DBA Forma
Address: 47000 Warm Springs Blvd, Suite 1-170, Fremont, CA 94539
Contact person’s name, position and contact details: Max Hsieh, CTO, max@Forma.ai
Activities relevant to the data transferred under these Clauses: Forma, Inc. is a provider of software and related services which from time to time processes Personal Data upon the instruction of the data exporter in accordance with the terms of the Agreement.
Signature and date: As set forth in the Order Form
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to the data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Data exporter’s assigned users of the Forma software and services
- Data exporter’s employees, agents, contractors or advisors (who are natural persons)
Categories of personal data transferred
The personal data transferred concern the following categories of data (please specify):
From data subjects at customers that participate in post-tax benefits programs, the data importer collects names, email addresses, work location, department, and other work related information such as title and employment status. In addition, from data subjects at customers that participate in pre-tax benefits programs, the data importer will also collect date of birth, mailing address, benefits election data, including information related to data subjects’ participation in post-tax benefits programs as controlled and selected by the data exporter such as gym memberships and home office equipment reimbursements.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis.
Nature of the processing
The performance of the services by Forma as set forth in the Agreement.
Purpose(s) of the data transfer and further processing
The objective of Processing Personal Data by the data importer is the performance of the services by Forma as set forth in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The personal data will be retained for as long as necessary for the purpose of the processing and taking into account applicable laws.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
A list and details of sub-processors can be provided upon written request by Customer.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The supervisory authority will be designated in accordance with Clause 13.
APPENDIX 2
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The Data Importer has implemented and will maintain appropriate technical and organisational measures to protect the personal data against misuse and accidental loss or destruction as set forth in Forma’s Security Practices Summary, a version of which is current as of the DPA Effective Date and accessible through the following link: https://www.joinforma.com/legal/security-addendum.
Forma may update its Security Practices Summary from time to time at its sole discretion, as described in this DPA. Forma will provide an updated version of its Security Practices Summary upon request.