Subcontractor DPA
SUBCONTRACTOR DATA PROCESSING ADDENDUM
This Subcontractor Data Processing Addendum (“DPA”), governing the use by dbt Labs, Inc. (“dbt Labs”) and clients of dbt Labs acting as controllers (dbt Labs together with its relevant clients, “Customer”) of the Services, is between dbt Labs and the entity (“SUBCONTRACTOR”) that entered into an underlying master agreement with dbt Labs that references this DPA, including any active statements of work (“SOWs”), in each case as updated from time to time (“Agreement”). This DPA supplements the Agreement, has the same effective date (“Effective Date”) as the Agreement, and governs SUBCONTRACTOR’s access to and processing, retention, and/or use of Customer Data pursuant to Applicable Law. Unless otherwise defined in this DPA or in the Agreement, all capitalised terms used in this DPA will have the meanings given to them in Section 17 of this DPA.
1. Data Processing.
1.1 Scope and Roles. This DPA applies when Customer Data is processed by SUBCONTRACTOR. In this context, SUBCONTRACTOR will act as processor to Customer, who can act either as controller or processor of Customer Data.
1.2 Details of Data Processing.
1.2.1 Subject matter. The subject matter of the data processing under this DPA is Customer Data.
1.2.2 Duration. As between SUBCONTRACTOR and Customer, the duration of the data processing under this DPA is determined by Customer.
1.2.3 Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
1.2.4 Nature of the processing. Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.
1.2.5 Type of Customer Data. Customer Data uploaded, provided, transferred or made accessible to SUBCONTRACTOR by Customer.
1.2.6 Categories of data subjects. The data subjects could include Customer’s clients, employees, contractors, agents, designees, suppliers and End Users.
1.3 Compliance with Laws. SUBCONTRACTOR will comply with all laws, rules and regulations (together with data protection and privacy laws, including without limitation the GDPR, the CCPA, other State Laws, and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of Personal Data and incorporating any amendments, revisions or modifications, “Applicable Law”) applicable and binding on it in the performance of this DPA.
1.4 Ownership and Access. SUBCONTRACTOR agrees that Customer owns all rights to Customer Data. Except to comply with the Subcontractor Security Standards, SUBCONTRACTOR will not under any circumstances impede, prevent, restrict, block or deny access of Customer to Customer Data.
2. Customer Instructions. The parties agree that this DPA, the Agreement, and Customer-provided instructions via the Services constitute Customer’s instructions regarding SUBCONTRACTOR’s processing of Customer Data (“Instructions”). SUBCONTRACTOR will process Customer Data only in accordance with Instructions. SUBCONTRACTOR acknowledges that where Customer is acting as a processor, these may be based on the instructions of its controllers. Lawful instructions from dbt Labs’ controllers will be accepted by SUBCONTRACTOR, and SUBCONTRACTOR will process Customer Data according to such instructions. SUBCONTRACTOR will not retain, use, or disclose Customer Data outside the direct business relationship between SUBCONTRACTOR and Customer, including by not combining any Customer Data with other personal information collected or received from any other source, except as permitted by the CCPA; and SUBCONTRACTOR will not sell or share Customer Data or take any action that will place Customer in violation of any Applicable Law. If SUBCONTRACTOR reasonably believes that processing pursuant to Instructions is likely to violate Applicable Law, SUBCONTRACTOR will inform Customer without undue delay, in which event Customer is entitled to withdraw or modify its Instructions. Customer is entitled to terminate this DPA and the Agreement if SUBCONTRACTOR declines to process pursuant to Customer’s lawful instructions hereunder. Processing outside the scope of this DPA will require a prior written agreement between the Customer and SUBCONTRACTOR.
3. Confidentiality of Customer Data. SUBCONTRACTOR will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to perform the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends SUBCONTRACTOR a demand for Customer Data, SUBCONTRACTOR will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, SUBCONTRACTOR may provide Customer’s basic business contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then SUBCONTRACTOR will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless SUBCONTRACTOR is legally prohibited from doing so.
4. Confidentiality Obligations of Subcontractor Personnel. During the term hereof, SUBCONTRACTOR will implement and maintain controls that restrict its personnel from processing Customer Data without authorisation by SUBCONTRACTOR pursuant to the Subcontractor Security Standards. SUBCONTRACTOR provides appropriate training annually and procures appropriate contractual obligations of its personnel that effectuate its confidentiality, data protection and data security obligations.
5. Security of Data Processing
5.1 Technical and Organisational Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SUBCONTRACTOR has implemented and will maintain or exceed appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in the Subcontractor Security Standards.
5.2 Subcontractor Employees and Personnel. SUBCONTRACTOR shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Data (as applicable).
6. Subprocessing.
6.1 Authorised Subprocessors. Customer provides general authorisation to SUBCONTRACTOR’s use of subprocessors to provide lawful processing activities on Customer Data on behalf of Customer (“Subprocessors”) in accordance with this Section 6 to the extent SUBCONTRACTOR notifies Customer within 30 days of the Effective Date of this DPA, identifies Subprocessors that SUBCONTRACTOR currently engages, and specifies the Subprocessor’s name and address, the services provided, and the region in which the Subprocessor provides its services. Customer may object to the engagement of any such initial Subprocessor for a period of 30 days after receiving such notice from SUBCONTRACTOR. Additionally, at least 60 days before SUBCONTRACTOR engages an additional or new Subprocessor, SUBCONTRACTOR will notify dbt Labs of the proposed change, and Customer may object to the engagement of any such additional or new Subprocessor during such 60-day period. Where Customer objects to a Subprocessor, (a) SUBCONTRACTOR may propose moving the relevant Customer Data to an alternate Subprocessor and (b) SUBCONTRACTOR shall, within a reasonable time following receipt of such written request, use commercially reasonable efforts to ensure that the Subprocessor does not process any of the Customer Data until the move, or, if such alternate Subprocessor is not feasible, available and/or acceptable to Customer, Customer may: (i) terminate the Agreement for breach pursuant to its terms; (ii) cease using the affected part of the Service for which SUBCONTRACTOR has engaged the Subprocessor; or (iii) change to an alternate SUBCONTRACTOR Region where SUBCONTRACTOR has not engaged the Subprocessor.
6.2 Subprocessor Obligations. Where SUBCONTRACTOR authorises a Subprocessor as described in Section 6.1:
(i) SUBCONTRACTOR will restrict the Subprocessor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and SUBCONTRACTOR will prohibit the Subprocessor from accessing Customer Data for any other purpose;
(ii) SUBCONTRACTOR will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs SUBCONTRACTOR’s data processing hereunder or under the Agreement, SUBCONTRACTOR will impose on the Subprocessor substantially similar contractual obligations that SUBCONTRACTOR has under this DPA and the Agreement; and
(iii) SUBCONTRACTOR will remain responsible for compliance with its obligations under this DPA and for any acts or omissions of the Subprocessor as if they were the acts and omissions of SUBCONTRACTOR.
7. Subcontractor Assistance with Data Subject Requests. SUBCONTRACTOR will assist Customer in fulfilling reasonable requests by Customer for assistance meeting its obligations to respond to data subjects’ requests under the Applicable Law. If a data subject makes a request to SUBCONTRACTOR, SUBCONTRACTOR will forward such request to Customer without undue delay once SUBCONTRACTOR has identified that the request is from a data subject for whom Customer is responsible.
8. CPRA Cooperation. To the extent legally required, with respect to Customer Data on its systems, SUBCONTRACTOR will cooperate with Customer in responding to verifiable consumer requests by, for example: (a) providing responsive personal information in its possession obtained during the relationship to Customer; (b) deleting Customer Data and, if applicable, notifying downstream entities about the deletion request; and (c) permitting the correction of inaccurate information.
9. Security Incident Notification.
9.1 Security Incident. SUBCONTRACTOR will (a) notify Customer of a Security Incident within twenty-four (24) hours after becoming aware of the Security Incident, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or Regulator) as required to investigate the Security Incident, (c) take steps to remedy any noncompliance by SUBCONTRACTOR with this DPA, and (d) take any other measures appropriate to address the Security Incident, including without limitation measures reasonably requested by Customer to remediate and mitigate any adverse effects resulting from the Security Incident.
9.2 Subcontractor Assistance. To enable Customer to provide notice of a Security Incident to supervisory authorities or data subjects (as applicable), SUBCONTRACTOR will cooperate with and assist Customer by including in the notification under Section 9.1 (a) such information about the Security Incident as SUBCONTRACTOR is able to disclose to Customer, taking into account the nature of the processing, the information available to SUBCONTRACTOR, and any restrictions on disclosing the information, such as confidentiality.
9.3 Unsuccessful Security Incidents. Customer agrees that an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorised access to Customer Data or to any of SUBCONTRACTOR’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.
9.4 Communication. Notification(s) of Security Incidents, if any, will be delivered via email to one or more of Customer’s contacts or administrators, with an additional copy sent to legal@dbtlabs.com.
10. Subcontractor Certifications and Audits.
10.1 Subcontractor ISO-Certification, SOC Reports and Vulnerability Testing. Upon Company’s request, and provided that the parties have an applicable NDA in place, Subcontractor will make available at a minimum the following documents and information:
(i) the certificates issued for ISO 27001 and the ISO 27701 or the international equivalent;
(ii) the System and Organization Controls (SOC) 2 Type II Report and HIPAA Report or the international equivalent;
(iii) a business continuity plan that aligns with industry standards;
(iv) evidence of periodic (but at least annually), manual and automated vulnerability testing by an accredited third party performed (including penetration testing based on recognized industry best practices) on all Subcontractor internet-facing networks, systems, software, and devices used to access Company Data, which shall include a statement of opinion from an accredited third party for vulnerability and penetration testing completed on Subcontractor internet facing systems; and Subcontractor further agrees that Subcontractor will notify Company within 72 hours if Subcontractor identifies a vulnerability that has been compromised and is a risk to Company’s implementation of any Services or Deliverables provided by Subcontractor to Company under the Agreement and will promptly provide remediation steps and patching instructions to address the vulnerability and risk; and
(v) other reports/documentation describing controls implemented by Subcontractor that update, replace or are substantially equivalent to such certificates, plans, and/or reports.
10.2 Subcontractor Annual Audits. SUBCONTRACTOR’s use of external auditors will verify the adequacy of its security measures, including the security of any physical locations from which SUBCONTRACTOR provides the Services, if applicable. Audits: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third party security professionals at SUBCONTRACTOR’s selection and expense; and (d) will result in the generation of an audit report (“Report”), which will be SUBCONTRACTOR’s Confidential Information.
10.3 Audit Reports. At Customer’s written request, and provided that the parties have written confidentiality protections in place, SUBCONTRACTOR will provide Customer with a copy of the Report so that Customer can reasonably confirm SUBCONTRACTOR’s compliance with its obligations under this DPA.
10.4 Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to SUBCONTRACTOR, SUBCONTRACTOR will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information SUBCONTRACTOR makes available under this Section 10.
11. Customer Audits. SUBCONTRACTOR will, upon reasonable prior written request from the Customer, allow for and contribute to inspections and/or audits, including providing relevant information reasonably requested as necessary to demonstrate SUBCONTRACTOR’s compliance with Applicable Law, this DPA and/or inspections, and conducted by Customer or an independent third party auditor appointed by Customer, in possession of the required professional qualifications and bound by a duty of confidentiality provided (i) such audits or inspections are not conducted more than once per year (unless required by a Regulator or in the event of a Security Incident); (ii) are conducted only during normal business hours; and (iii) are limited to determining compliance by SUBCONTRACTOR with its obligations hereunder. SUBCONTRACTOR shall reimburse Customer any reasonable fees or costs incurred by Customer in conducting (or arranging the conduct of) any audits where SUBCONTRACTOR is found by Customer or the independent auditor, acting reasonably, to be in material violation of this DPA.
12. Transfers of Personal Data.
12.1 Regions. If available and applicable as indicated in the SOW, ordering document and/or Agreement, Customer can specify a certain limited geographical location where Customer Data will be processed (“Region”), including without limitation Regions in the EEA (Germany), the U.S. (Virginia), or Australia (Sydney). In such event, SUBCONTRACTOR will not transfer Customer Data from the selected Region except to an authorised Subprocessor or as directed by Customer, as permitted in writing by Customer, or as necessary to comply with the law or binding order of a governmental body.
12.2 Application of Standard Contractual Clauses. Subject to Section 12.3 and to the extent SUBCONTRACTOR (acting as a data importer) processes Customer Data in a Third Country (“Data Transfer”), SUBCONTRACTOR shall, and shall procure that any of its affiliates, contractors, and Subprocessors shall, comply with the data importer’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA.
12.2.1 When Customer is acting as a controller, the Controller-to-Processor Clauses will apply to a Data Transfer. Customer will comply with the data exporter’s obligations in such Controller to Processor Clauses.
12.2.2 Where dbt Labs acts as a processor, the Processor-to-Processor Clauses may apply to a Data Transfer. dbt Labs acknowledges that it may not be possible for SUBCONTRACTOR to know the identity of dbt Labs’s controllers because SUBCONTRACTOR may have no direct relationship with dbt Labs’s controllers; and, therefore, in such a circumstance, dbt Labs may fulfil SUBCONTRACTOR’s obligations to dbt Labs’s controllers under SCCs between dbt Labs and its controllers, where legally required and/or applicable. In the alternative, where SUBCONTRACTOR knows the identity of dbt Labs’s controllers, SUBCONTRACTOR will fulfil its obligations to Customer.
12.2.3 With respect to any Standard Contractual Clauses required by law of the parties, the parties will negotiate in good faith to determine the appropriate template and agree upon its provisions, and the appropriate template will be deemed to be executed as of the date hereof. Further, with respect to the GDPR Controller to Processor Clauses, as applicable (and adapted as necessary or required by law):
(a) for the purposes of Annex I.A of such Controller to Processor Clauses, the Data Exporter is a data controller and the Data Importer is a data processor, and the name, address, contact person’s details and relevant activities for each of them is as set out in the Agreement;
(b) for the purposes of Appendix 1 or Annex I/I.B (as relevant) of such Controller to Processor Clauses, Section 1.2 of this DPA shall apply;
(c) for the purposes of Appendix 2 or Annex II (as relevant) of such Controller to Processor Clauses, the security measures set out in Annexes I and II of this DPA shall apply; and
(d) if applicable, for the purposes of: (i) Clause 7 (Docking Clause), this is optional and deleted; (ii) Clause 9 of such Controller to Processor Clauses, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 9.1 of this DPA shall apply; (iii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iv) Clause 13(a) (First Paragraph Option) and Annex I.C, the competent supervisory authority shall be the supervisory authority of the EU member state where the Subscriber is established or where its local representative is appointed; (v) Clause 17, Option 1 is deemed to be selected and the governing law shall be Ireland; and (vi) Clause 18, the competent courts shall be Ireland.
12.3 Alternative Transfer Mechanism. The Standard Contractual Clauses will not apply to a Data Transfer if SUBCONTRACTOR has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for lawful Data Transfers.
12.4 Subprocessor Compliance. To the extent SUBCONTRACTOR permits Subprocessors to Process Customer Data in any Third Country: (a) SUBCONTRACTOR shall execute the Processor to Processor Clauses, where applicable, with any relevant sub-processor or subcontractor it appoints on behalf of the Customer; or (b) if the Processor to Processor Clauses are not applicable, the parties agree to execute the relevant Controller to Processor Clauses, in which the processing details set out in Section 1.2 of this DPA shall apply to Appendix 1 and the technical and organizational measures set out in Annexes I and II of this DPA shall apply to Appendix 2, with any relevant Subprocessor it appoints on behalf of the Customer.
12.5 Conflicts. In the event of any conflict between any terms herein or those required in Applicable Law, this DPA and the Agreement, the terms required by Applicable Law shall be deemed incorporated herein and shall prevail over any conflicting language.
13. Termination of the DPA. This DPA will continue in force until the termination of the Agreement (“Termination Date”). Upon the Termination Date, SUBCONTRACTOR will cease Processing Customer Data on behalf of Customer except to the extent required for SUBCONTRACTOR to comply with Section 14 hereof.
14. Return or Deletion of Customer Data. Customer Data will be retained by Subcontractor only for so long as it is reasonably required to provide Services and comply with obligations under the Agreement. Upon written request by Customer or at least within 21 days following the Termination Date, subject to the terms and conditions of the Agreement, SUBCONTRACTOR will return or delete Customer Data, without undue delay, except as required for legal, fiduciary or tax purposes or by SUBCONTRACTOR’s consultants, advisors, auditors, attorneys, investors, bankers, payment processors, regulatory bodies, tax authorities, when compelled by court order, or as otherwise needed to fulfill SUBCONTRACTOR’s duties under this Agreement. Any Customer Data so retained will remain subject to the confidentiality provisions herein and in the Agreement and will be used solely by SUBCONTRACTOR for such purposes as described herein until returned or deleted, and such confidentiality obligations will survive termination or expiration hereof.
15. Duties to Inform.
15.1 Insolvency. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by SUBCONTRACTOR, SUBCONTRACTOR will inform Customer without undue delay. SUBCONTRACTOR will, without undue delay, notify such parties (for example, creditors, bankruptcy trustee) that Customer Data is Customer’s property and responsibility and that Customer Data is at Customer’s sole disposition.
15.2 Changes in Law. The parties agree to notify the other party of any changes in Applicable Law requiring modification to this DPA, and the parties agree to negotiate in good faith modifications to this DPA if changes are required for SUBCONTRACTOR to continue to process Customer Data as contemplated by this DPA in compliance with the Applicable Law or to address the legal interpretation of the Applicable Law, including without limitation (i) any guidance on the interpretation of any of their respective provisions; (ii) where the Standard Contractual Clauses or any other mechanisms or findings of adequacy are issued, invalidated or amended; or (iii) if changes to the membership status of a country in the European Union or the European Economic Area require such modification.
16. Entire Agreement; Conflict. This DPA incorporates the Standard Contractual Clauses by reference. This DPA will replace any previously applicable data processing addendum dated prior to the date hereof. Except as amended by this DPA, the Agreement will remain in full force and effect. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will control as to matters related to data protection, data privacy, and Applicable Law but not trade laws. Nothing in this document varies or modifies the Standard Contractual Clauses.
17. Definitions. Unless otherwise defined in the Agreement, all capitalised terms used in this DPA will have the meanings given to them below:
“CCPA” means the California Consumer Privacy Act of 2018 as updated by the California Privacy Rights Act of 2020 (“CPRA”), including any regulations promulgated thereunder, as amended from time to time.
The terms “controller”, “data subject”, “Personal Data”, “processor”, and “process” (and their conjugates) shall have the same meaning as set out in the GDPR whether or not European or non-European Data Protection Laws apply. The terms “business”, “Service Provider”, “share” and “sell” (and their conjugates) shall have the same meaning as set out in the CCPA/CPRA.
“Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Customer Data” means Personal Data uploaded, provided, transferred or made accessible to SUBCONTRACTOR by Customer.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). For purposes of this DPA, GDPR shall also encompass other European laws, in each case as amended and replaced from time to time and to the extent applicable, including but not limited to the Privacy and Electronic Communications Directive 2002/58/EC; the UK Data Protection Act 2018, the UK General Data Protection Regulation as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and the Privacy and Electronic Communications Regulations 2003; and the Swiss Federal Act on Data Protection. Any reference to the SCCs herein shall be interpreted to be the clauses required by the applicable country or region governing the Personal Data. Where more than one jurisdiction governs Personal Data, the laws of the jurisdiction that is most protective shall prevail as to the SCCs that apply.
“Other State Laws” means, once enforced, the applicable laws and regulations enacted by and in effect in any other U.S. states and/or the U.S. Federal government, as amended or replaced from time to time, including but not limited to Connecticut, Illinois, Virginia, Colorado, Texas, and Utah.
“Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Security Incident” means a breach of SUBCONTRACTOR’s security or systems leading to the actual or potential accidental or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Data.
“Services” are as defined in the Agreement.
“Standard Contractual Clauses” or “SCCs” means, (a) in respect of transfers of Personal Data from the EEA, (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses; (b) in respect of transfers of Personal Data from the UK, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022” to the SCCs, with Customer as data exporter and SUBCONTRACTOR as data importer, or any equivalent clauses issued by the relevant competent authority of the UK; and (c) in respect of transfers of Personal Data from Switzerland or any other country, whether or not in Europe, the clauses as required by law and agreed to between the parties; in each case as amended and replaced from time to time, and each as applicable in accordance with Sections 12.2.1 and 12.2.2.
“Subcontractor Network” means SUBCONTRACTOR’s facilities, servers, networking equipment, and software systems (for example, virtual firewalls) that are within SUBCONTRACTOR’s control and are used to provide the Services. SUBCONTRACTOR as used in this definition will include SUBCONTRACTOR’s suppliers or Subprocessors.
“Subcontractor Security Standards” means the security standards attached to and incorporated into this DPA as Annex I (Physical Security) and Annex II (Technical and Organisational Security Measures).
“Subprocessor” means any entity, agent or contractor engaged by SUBCONTRACTOR who may process Customer Data on behalf of SUBCONTRACTOR, provide principal services, or is identified in Annex III as attached to and incorporated into this DPA.
“Third Country” means a country outside the EEA not recognised by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR or another jurisdiction with similar legal or regulatory framework), and excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time to the extent Subcontractor has complied with the applicable adequacy ruling obligations.
“UK” means the United Kingdom.
Last Updated July 26, 2023
Annex I
SUBCONTRACTOR Physical Security
Capitalized terms not otherwise defined in this annex have the meanings assigned to them in the Agreement.
1. Physical Access Controls. To the degree that physical components of the Subcontractor Network are housed in facilities (the “Facilities”), physical barrier controls will be used to prevent unauthorised entrance to the Facilities. Passage through the physical barriers at the Facilities will require either electronic access control validation (for example, card access systems, etc.) and/or validation by human security personnel (for example, contract or in-house security guard service, receptionist, etc.). Employees and certain contractors will be assigned photo-ID badges to be worn while employees and contractors are at the Facilities. Visitors and any other contractors will sign in with designated personnel, show appropriate identification, be assigned a visitor ID badge that must be worn while the visitor or contractor is at any of the Facilities, and be continually escorted by authorised employees or contractors while visiting the Facilities.
2. Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. SUBCONTRACTOR also maintains electronic intrusion detection systems designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability (for example, primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
ANNEX II
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
1. SUBCONTRACTOR will implement, maintain and enforce appropriate internal security policies and procedures, and procure that its Subprocessors do likewise, which are designed to:
a. secure any Personal Data processed by SUBCONTRACTOR against accidental or unlawful loss, access or disclosure;
b. identify reasonably foreseeable and internal risks to security and unauthorised access to the Personal Data processed by SUBCONTRACTOR;
c. minimise security risks, including through risk assessment and regular testing;
d. designate one or more employees to coordinate and be accountable for the internal security policies and procedures, and, taking into account the global distribution of SUBCONTRACTOR staff, such internal security policies and procedures will manage the access allowed to the Subcontractor Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls; and
e. meet or exceed the following additional measures:
- A SOC2 Type II annually;
- Encryption At-Rest;
- Encryption In-Transit;
- Password Requirements;
- Key Management;
- Risk Assessment;
- Vendor Risk Management;
- User Provisioning/Deprovisioning;
- Subcontractor Network Security;
- Vulnerability Management;
- Incident Management;
- Change Management;
- System Logging/Monitoring;
- Data Management;
- Communication;
- Business Continuity; and
- Disaster Recovery.
2. SUBCONTRACTOR will, and will use reasonable efforts to procure that its Subprocessors, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.
3. SUBCONTRACTOR will, and will use reasonable efforts to procure that its Subprocessors, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.