DATA PROCESSING ADDENDUM
EU STANDARD CONTRACTUAL CLAUSES
BY EXECUTING AN ORDER FORM AND/OR STATEMENT OF WORK THAT REFERENCES THIS DATA PROCESSING ADDENDUM (“DPA”, TOGETHER WITH THE TERMS AND CONDITIONS, THIS “AGREEMENT”), YOU AGREE YOU HAVE READ AND ARE BOUND BY THE TERMS OF THIS DPA, WHICH IS INCORPORATED IN AND FORMS A PART OF THE AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THIS AGREEMENT, IN WHICH CASE THE TERM “CUSTOMER” WILL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS AGREEMENT, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE TWIC PLATFORM. IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THE AGREEMENT AND THIS DPA, THE TERMS OF THE DPA WILL APPLY.
This DPA is made as of the Effective Date of the Agreement between Twic, Inc., a Delaware corporation, DBA Forma, with a place of business at 47000 Warm Springs Blvd, Suite 1-170, Fremont, CA 94539 (“Forma”), and the Customer identified in the applicable Order Form (“Customer”).
HOW THIS DPA APPLIES
Forma provides services to Customer under the Agreement. Pursuant to the Agreement, Forma may from time to time process Personal Data (as defined below) for which Customer may be a “Data Controller” as defined by Applicable Data Protection Law (defined below), including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). When processing such Personal Data, Forma may be a “Data Processor” as defined by Applicable Data Protection Law.
Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, and because such processing may, from time to time, involve the transfer of Personal Data from the European Union to the United States, Customer and Forma have agreed to execute this DPA in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.
1. Definitions. All capitalized words not defined below will have the meaning set forth in the Agreement.
1.1 “Applicable Data Protection Law” means privacy and data protection laws, regulations, and decisions by a supervisory authority or other applicable governmental entity applicable to Customer or Forma, respectively.
1.2 “DPA Effective Date” means the Effective Date of the Agreement.
1.3 “Personal Data” means all data which is defined as ‘personal data’ or ‘sensitive data’ in the GDPR, and which is provided by the Customer to Forma and is accessed, stored, or otherwise Processed by Forma pursuant to the Agreement.
1.4 “Processing”, “Data Controller,” “Data Subject,” “Supervisory Authority,” and “Data Processor” have the same meaning set forth in the GDPR.
1.5 “Standard Contractual Clauses” means the standard data protection clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
1.6 “Security Practices Summary” means summary documentation of Forma’s security practices (including without limitation third-party security attestations and certifications, as applicable) that Forma makes generally available to its customers, as may be updated by Forma from time to time. A copy of the Security Practices Summary, current as of the DPA Effective Date, is incorporated into Appendix 2 of Schedule 1 of this DPA.
1.7 “Subprocessor” means third party sub-contractors Forma may retain from time to time that provide services to Forma necessary for Forma to perform its obligations under the Agreement.
2. Applicability. This DPA applies (i) when Personal Data of data subjects located in the European Economic Area (“EEA”) or Switzerland is processed by Forma on behalf of Customer or (ii) where Customer is established in the EEA or Switzerland. Customer will at all times act as the “Data Controller” as defined by Applicable Data Protection Law, and Forma will at all times act as the “Data Processor” as defined by Applicable Data Protection Law.
3. Processing of Personal Data. With respect to the processing of Personal Data, Forma will:
3.1 process Personal Data only in accordance with Applicable Data Protection Law;
3.2 act only upon instructions from Customer, including as set forth in the Agreement and this DPA, including Customer's instructions to correct, amend, delete or to stop processing Personal Data;
3.3 take all measures required to implement and maintain appropriate technical and organizational measures to ensure a level of security for Personal Data consistent with Applicable Data Protection Law, such measures to be described in the Security Practices Summary, as may be updated from time to time; provided, however, that Forma will not materially degrade the level of security in effect as of the DPA Effective Date;
3.4 disclose Personal Data only pursuant to Customer’s instructions for the purpose of providing the services under the Agreement and to those of Forma’s personnel who have a “need-to-know” in order to fulfill Forma’s obligations under the Agreement and who are subject to written confidentiality agreements that obligate them to use and protect such Personal Data as required under the Agreement and this DPA, and for no other purpose;
3.5 promptly notify Customer upon Forma’s or its Subprocessors’ receipt of any request, dispute or claim directly from a Data Subject (including, without limitation, requests related to the exercise of that Data Subject’s rights under Applicable Data Protection Law with respect to Personal Data), and refrain from responding to such request, dispute or claim unless and until Customer provides written consent to such response to Forma;
3.6 notify Customer without undue delay (and in no case later than the statutory maximum for notification under Applicable Data Protection Law) if Forma or its Subprocessors reasonably suspect or have reason to know of any accidental or unlawful destruction or accidental loss, alteration, or unauthorized disclosure of or access to Personal Data that presents a material risk to the rights of Data Subjects (a “Data Breach”), or of any processing of Personal Data in a manner inconsistent with the terms of the Agreement and this DPA, and provide reasonable assistance to Customer with respect to any Data Breach (including without limitation cooperating with Customer with respect to notification of Supervisory Authorities and communicating to Data Subjects regarding a Data Breach);
3.7 provide reasonable assistance to Customer where processing performed by Forma is relevant to a data protection impact assessment being conducted by Customer;
3.8 promptly notify Customer upon Forma’s or its Subprocessors’ receipt of any request for disclosure of Personal Data from a Supervisory Authority, government entity or court of law of a competent jurisdiction, or pursuant to a subpoena (unless otherwise prohibited by law);
3.9 promptly notify Customer upon Forma’s or its Subprocessors’ determination that it can no longer meet its obligation to provide the level of protection to Personal Data required under the Agreement and this DPA;
3.10 upon notice by Customer, where Customer has determined Forma is no longer processing data in accordance with the Agreement and this DPA, take reasonable and appropriate steps to stop and remediate such unauthorized processing.
4. Standard Contractual Clauses.
4.1 The Parties acknowledge that Personal Data will be processed by Forma in the United States of America (“US”). To the extent that the processing of Personal Data under this Agreement involves transfers of Personal Data out of the EEA from Customer to Forma, Forma and Customer enter into and agree to be bound by the provisions of Module 2 of the Standard Contractual Clauses, incorporated herein by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Forma; the optional docking clause in Clause 7 is not implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as twenty (20) days; the optional redress clause in Clause 11(a) is struck; Clause 13(a) paragraph 1 is implemented; Clause 17 option 2 is implemented and the governing law is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; Annexes 1 and 2 to Module 2 of the Standard Contractual Clauses are Appendices 1 and 2 to this Addendum respectively.
4.2 To the extent an adequate transfer safeguard is required by UK data protection laws, as confirmed by the relevant competent authorities, for the transfer of Personal Data from the United Kingdom from Customer to Forma in the United States, Customer and Forma enter into and agree to be bound by the provisions of Module 2 of the Standard Contractual Clauses, as incorporated herein by reference and completed as set out in Section 4.1 (the “UK Standard Contractual Clauses”) in relation to such transfers of personal data. For the purposes of the UK Standard Contractual Clauses, any references to EU legislation, EU authorities and the EU Member States in the UK Standard Contractual Clauses are amended to reflect the corresponding UK legislation and UK competent authorities as appropriate, including the following amendments:
4.21 The following definitions are included in the UK Standard Contractual Clauses prior to Section I of the UK Standard Contractual Clauses: (i) “UK”: The United Kingdom of Great Britain and Northern Ireland; and (ii) “UK Data Protection Laws”: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the United Kingdom General Data Protection Regulation (as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018) and the UK Data Protection Act 2018;
4.22 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws”, and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
4.23 References to Regulation (EU) 2018/1725 are removed;
4.24 References to the “Union”, “EU” and “EU Member State” are all replaced with “UK”;
4.25 The Supervisory Authority selected for the purposes of Clause 13 (Supervision) of the UK Standard Contractual Clauses is the UK Information Commissioner’s Office (ICO);
4.26 Clause 17 (Governing law) of the UK Standard Contractual Clauses shall refer to the law of the UK as the governing law of the UK Standard Contractual Clauses and Clause 18 (Choice of forum and jurisdiction) shall refer to the UK courts as the proper forum and jurisdiction for disputes and legal proceedings arising under the UK Standard Contractual Clauses.
4.3 As of the DPA Effective Date, and with respect to all Personal Data Processed by Forma pursuant to the Agreement that is subject to the GDPR, Forma will comply with the obligations of the “data importer” in the Standard Contractual Clauses and Customer will comply with the obligations of the “data exporter” in the Standard Contractual Clauses.
4.4 Pursuant to Clause 9 (a) of the (UK) Standard Contractual Clauses:
4.41 Customer acknowledges and agrees that Forma may retain Subprocessors for the purposes of providing services under the Agreement, and hereby provides general authorization to the use of Subprocessors as described herein. In addition, Customer hereby provides general authorization to the use of those Subprocessors engaged by Forma as of the DPA Effective Date.
4.42 Upon written request from Customer (not more than once annually, unless required by a Supervisory Authority), Forma will provide to Customer a list of its then-current Subprocessors (the “Subprocessor List”). Forma shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) days in advance. Customer will have ten (10) days after receipt of the Subprocessor List to provide written notice to Forma of any objections Customer has with respect to one or more Subprocessors. Forma will have a commercially reasonable time after the receipt of any such objection to either (i) provide clarification to Customer regarding the Subprocessor’s processing activities, security profile, and compliance with Applicable Data Protection Law, and thereafter receive Customer’s authorization to use such Subprocessor (such authorization not to be unreasonably withheld) or (ii) make reasonable changes to Forma’s processing in order to accommodate the objection, and gain Customer’s approval of such changes. If Forma is unable to comply with (i) or (ii), Customer may terminate any services provided by Forma to Customer that involve processing by objected-to Subprocessors.
4.43 Forma agrees to be liable for the acts and omissions of its Subprocessors to the same extent as Forma would be if performing the services of its Subprocessors under the terms of the Agreement.
5. Pursuant to Clause 9 (c) of the (UK) Standard Contractual Clauses:
5.1 Customer agrees that the copies of the Subprocessor agreements may be provided only upon reasonable request, and only once annually (unless requested by a Supervisory Authority).
5.2 Customer agrees that such copies may be provided in summary form or, upon reasonable request from Customer, in a form with all commercial information and clauses unrelated to data privacy and security redacted by Forma.
6. Pursuant to Clause 8.9 of the (UK) Standard Contractual Clauses, an “audit” as described therein will be carried out as follows:
6.1 Upon written request by Customer, and subject to the confidentiality obligations of the Agreement, Forma will make available to Customer the security information Forma generally makes available to its customers.
6.2 In the event an on-site review is required by a Supervisory Authority or is otherwise reasonably requested by Customer, Customer and Forma will mutually agree upon the scope, timing, and duration of such on-site review. On-site audits will be carried out at Customer’s expense.
7.1 This DPA shall remain in full force and effect until the earlier of:
7.11 the expiration or termination of the Agreement;
7.12 the mutual agreement of the parties to terminate.
7.2 In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will apply.
A. LIST OF PARTIES
Data exporter(s): The legal entity that has executed the Standard Contractual Clauses as the data exporter, which is identified as the Customer in the Order Form. The Order Form is incorporated by reference herein, including without limitation the following Customer Information, as listed in the Order Form:
Name: Customer Name, as set forth in the Order Form
Address: Customer Address, as set forth in the Order Form
Contact person’s name, position and contact details: As set forth in the Order Form
Activities relevant to the data transferred under these Clauses: Data exporter may submit, for processing by Data importer, Personal Data of its employees, agents, contractors and/or advisors who wish to use Forma’s platform and services for administering and participating in employee benefits programs.
Signature and date: As set forth in the Order Form
Role (controller/processor): Controller
Data importer(s): The legal entity that has executed the Standard Contractual Clauses as the data importer (also referred to herein as Forma).
(1) Name: Twic, Inc.
Address: 47000 Warm Springs Blvd, Suite 1-170, Fremont, CA 94539
Contact person’s name, position and contact details: Max Hsieh, CTO, email@example.com
Activities relevant to the data transferred under these Clauses: Twic, Inc. is a provider of software and related services, and from time to time processes Personal Data upon the instruction of the data exporter in accordance with the terms of the Agreement.
Signature and date: As set forth in the Order Form
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Data to the data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Data exporter’s assigned users of the Forma software and services
- Data exporter’s employees, agents, contractors or advisors (who are natural persons)
Categories of personal data transferred
The personal data transferred concern the following categories of data (please specify):
From data subjects at customers that participate in post-tax benefits programs, the data importer collects names, email addresses, work location, department, and other work related information such as title and employment status. In addition, from data subjects at customers that participate in pre-tax benefits programs, the data importer will also collect date of birth, mailing address, benefits election data, including information related to data subjects’ participation in post-tax benefits programs as controlled and selected by the data exporter such as gym memberships and home office equipment reimbursements.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis.
Nature of the processing
The performance of the services by Forma as set forth in the Agreement.
Purpose(s) of the data transfer and further processing
The objective of Processing Personal Data by the data importer is the performance of the services by Forma as set forth in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The personal data will be retained for as long as necessary for the purpose of the processing and taking into account applicable laws.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
A list and details of sub-processors can be provided on written request by Customer.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The supervisory authority will be designated in accordance with Clause 13.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer has implemented and will maintain appropriate technical and organisational measures to protect the personal data against misuse and accidental loss or destruction, as set forth in Forma’s Security Practices Summary, a version of which is provided below that is current as of the DPA Effective Date.
Forma may update its Security Practices Summary from time to time at its sole discretion, as described in this DPA. Forma will provide an updated version of its Security Practices Summary upon request.