Data Processing Agreement

This Data Processing Agreement (DPA) and its applicable DPA Exhibits apply to the Processing of Personal Data by RANDORI on behalf of Client (Client Personal Data) subject to the General Data Protection Regulation 2016/679 (GDPR) or any other data protection laws identified at https://www.randori.com/dpa-dpl (together ‘Data Protection Laws’) in order to provide services (Services) pursuant to the Agreement between Client and RANDORI. DPA Exhibits for each Service will be provided in the applicable Transaction Document (TD). This DPA is incorporated into the Agreement. Capitalized terms used and not defined herein have the meanings given them in the applicable Data Protection Laws. In the event of conflict, the DPA Exhibit prevails over the DPA which prevails over the rest of the Agreement.

1. Processing

1.1 Client is: (a) a Controller of Client Personal Data; or (b) acting as Processor on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Client Personal Data by RANDORI as Client’s subprocessor as set out in this DPA. Client appoints RANDORI as Processor to Process Client Personal Data. If there are other Controllers, Client will identify and inform RANDORI of any such other Controllers prior to providing their Personal Data, in accordance with the DPA Exhibit.

1.2 A list of categories of Data Subjects, types of Client Personal Data, Special Categories of Personal Data and the processing activities is set out in the applicable DPA Exhibit for a Service. The duration of the Processing corresponds to the duration of the Service, unless otherwise stated in the DPA Exhibit. The purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.

1.3 RANDORI will Process Client Personal Data according to Client’s documented instructions. The scope of Client’s instructions for the Processing of Client Personal Data is defined by the Agreement, and, if applicable, Client’s and its authorized users’ use and configuration of the features of the Service. Client may provide further legally required instructions regarding the Processing of Client Personal Data (Additional Instructions) as described in Section 10.2. If RANDORI notifies Client that an Additional Instruction is not feasible, the parties shall work together to find an alternative. If RANDORI notifies the Client that neither the Additional Instruction nor an alternative is feasible, Client may terminate the affected Service, in accordance with any applicable terms of the Agreement. If RANDORI believes an instruction violates the Data Protection Laws, RANDORI will immediately inform Client, and may suspend the performance of such instruction until Client has modified or confirmed its lawfulness in documented form. 

1.4 Client shall serve as a single point of contact for RANDORI. As other Controllers may have certain direct rights against RANDORI, Client undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. RANDORI shall be discharged of its obligation to inform or notify another Controller when RANDORI has provided such information or notice to Client. Similarly, RANDORI will serve as a single point of contact for Client with respect to its obligations as a Processor under this DPA.

1.5 RANDORI will comply with all Data Protection Laws in respect of the Services applicable to RANDORI as Processor. RANDORI is not responsible for determining the requirements of laws or regulations applicable to Client’s business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Client is responsible for the lawfulness of the Processing of the Client Personal Data. Client will not use the Services in a manner that would violate applicable Data Protection Laws.

2. Technical and organizational measures

2.1 Client and RANDORI agree that RANDORI will implement and maintain the technical and organizational measures set forth in the applicable DPA Exhibit (TOMs) which ensure a level of security appropriate to the risk for RANDORI’s scope of responsibility. TOMs are subject to technical progress and further development. Accordingly, RANDORI reserves the right to modify the TOMs provided that the functionality and security of the Services are not degraded.

3. Data Subject Rights and Requests

3.1 RANDORI will inform Client of requests from Data Subjects exercising their Data Subject rights (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to RANDORI regarding Client Personal Data. Client shall be responsible to handle such requests of Data Subjects. RANDORI will reasonably assist Client in handling such Data Subject requests in accordance with Section 10.2.

3.2 If a Data Subject brings a claim directly against RANDORI for a violation of their Data Subject rights, Client will reimburse RANDORI for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that RANDORI has notified Client about the claim and given Client the opportunity to cooperate with RANDORI in the defense and settlement of the claim. Subject to the terms of the Agreement, Client may claim from RANDORI damages resulting from Data Subject claims for a violation of their Data Subject rights caused by RANDORI’s breach of its obligations under this DPA and the respective DPA Exhibit.

4. Third Party Requests and Confidentiality

4.1 RANDORI will not disclose Client Personal Data to any third party, unless authorized by the Client or required by law. If a government or Supervisory Authority demands access to Client Personal Data, RANDORI will notify Client prior to disclosure, unless such notification is prohibited by law.

4.2 RANDORI requires all of its personnel authorized to Process Client Personal Data to commit themselves to confidentiality and not Process such Client Personal Data for any other purposes, except on instructions from Client or unless required by applicable law.

5. Audit

5.1 RANDORI shall allow for, and contribute to, audits, including inspections, conducted by the Client or another auditor mandated by the Client in accordance with the following procedures:

a. Upon Client’s written request, RANDORI will provide Client or its mandated auditor with the most recent certifications and/or summary audit report(s), which RANDORI has procured to regularly test, assess and evaluate the effectiveness of the TOMs, to the extent set out in the DPA Exhibit.

b. RANDORI will reasonably cooperate with Client by providing available additional information concerning the TOMs, to help Client better understand such TOMs.

c. If further information is needed by Client to comply with its own or other Controllers' audit obligations or a competent Supervisory Authority's request, Client will inform RANDORI in writing to enable RANDORI to provide such information or to grant access to it.

d. To the extent it is not possible to otherwise satisfy an audit right mandated by applicable law or expressly agreed by the Parties, only legally mandated entities (such as a governmental regulatory agency having oversight of Client’s operations), the Client or its mandated auditor may conduct an onsite visit of the RANDORI facilities used to provide the Service, during normal business hours and only in a manner that causes minimal disruption to RANDORI’s business, subject to coordinating the timing of such visit and in accordance with any audit procedures described in the DPA Exhibit in order to reduce any risk to RANDORI’s other customers. 

Any other auditor mandated by the Client shall not be a direct competitor of RANDORI with regard to the Services and shall be bound to an obligation of confidentiality. 

5.2 Each party will bear its own costs in respect of paragraphs a. and b. of Section 5.1, otherwise Section 10.2 applies accordingly.

6. Return or Deletion of Client Personal Data

6.1 Upon termination or expiration of the Agreement RANDORI will either delete or return Client Personal Data in its possession as set out in the respective DPA Exhibit, unless otherwise required by applicable law.

7. Subprocessors

7.1 Client authorizes the engagement of other Processors to Process Client Personal Data (Subprocessors). A list of the current Subprocessors is set out in the respective DPA Exhibit. RANDORI will notify Client in advance of any addition or replacement of the Subprocessors as set out in the respective DPA Exhibit. Within 30 days after RANDORI's notification of the intended change, Client can object to the addition of a Subprocessor on the basis that such addition would cause Client to violate applicable legal requirements. Client's objection shall be in writing and include Client's specific reasons for its objection and options to mitigate, if any. If Client does not object within such period, the respective Subprocessor may be commissioned to Process Client Personal Data. RANDORI shall impose substantially similar but no less protective data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor initiating any Processing of Client Personal Data.

7.2 If Client legitimately objects to the addition of a Subprocessor and RANDORI cannot reasonably accommodate Client's objection, RANDORI will notify Client. Client may terminate the affected Services as set out in the Agreement, otherwise the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.

8. Transborder Data Processing

8.1 In the case of a transfer of Client Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (Non-Adequate Country), the parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in the following Sections or in the Data Protection Laws identified at http://www.Randori.com/dpa/dpl. If Client believes the measures are not sufficient to satisfy the legal requirements, Client shall notify RANDORI and the parties shall work together to find an alternative.

8.2 By entering into the Agreement, Client and RANDORI are entering into EU Standard Contractual Clauses as set out in the applicable DPA Exhibit (EU SCC) if Client, RANDORI, or both are located in a Non-Adequate Country. If the EU SCC are not required because both parties are located in a country considered adequate by the Data Protection Laws, but during the Service the country where RANDORI or Client is located becomes a Non-Adequate Country, the EU SCC will apply. The parties acknowledge that the applicable module of the EU SCC will be determined by their role as Controller and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfil the appropriate obligations under the applicable module.

8.3 Client agrees that the EU SCC, including any claims arising from them, are subject to the terms set forth in the Agreement, including the limitations of liability. In case of conflict, the EU SCC shall prevail.

8.4 RANDORI will enter into the EU SCC with each Subprocessor located in a Non-Adequate Country as listed in the respective DPA Exhibit. 

9. Personal Data Breach

9.1 RANDORI will notify Client without undue delay after becoming aware of a Personal Data Breach with respect to the Services. RANDORI will promptly investigate the Personal Data Breach if it occurred on RANDORI infrastructure or in another area RANDORI is responsible for and will assist Client as set out in Section 10.

10. Assistance

10.1 RANDORI will assist Client by technical and organizational measures for the fulfillment of Client's obligation to comply with the rights of Data Subjects and in ensuring compliance with Client's obligations relating to the security of Processing, the notification and communication of a Personal Data Breach and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the processing and the information available to RANDORI.

10.2 Client will make a written request for any assistance referred to in this DPA. RANDORI may charge Client no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement. If Client does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process.


Data Processing and Protection Data Sheet

This document specifies RANDORI’s Data Processing and Protection details for the specific Cloud Service(s) listed above.

This Data Sheet is also considered as the DPA Exhibit and specifies the DPA at https://www.randori.com/data-processing-agreement/ for the identified Cloud Service, if the DPA is applicable to the respective Cloud Service. The DPA and applicable DPA Exhibit(s) apply to personal data contained in Content, if and to the extent: i) the European General Data Protection Regulation (EU/2016/679); or ii) other data protection laws identified at https://www.randori.com/dpa-dpl apply. Content consists of all data, software, and information that Client or its authorized users provides, authorizes access to, or inputs to RANDORI Cloud Services.

1. Categories of Data Subjects

The Categories of Data Subjects (individuals) whose Personal Data generally are or can be processed within the Cloud Service are:

Client's and its affiliates' employees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants), Client's business partners, suppliers and subcontractors and their employees, Client's (potential) customers and their employees, Client's visitors, agents, consultants and other professional experts (contractors).

Given the nature of the Cloud Services, RANDORI is not able to verify the above list of categories of Data Subjects. In order to maintain an accurate record as required by applicable data protection laws, Client will notify RANDORI in accordance with the ‘RANDORI Contact and Notification’ Section below if the Personal Data of any of the listed categories of Data Subjects are not Processed in this Cloud Service.

2. Content

The types of data that generally are or can be Processed as Content within this Cloud Service are described in this Section. Client is responsible for not including any data in the Content that the Cloud Service is not designed to Process. Client should not include Personal Data in text fields that are not intended for or do not request Personal Data. Client is responsible to assess if the Cloud Service, including its security features, functions and certifications, is appropriate for Personal Data and other regulated Content.

This Cloud Service is designed to Process the following data types within the Content:
– Personal Data as specified below in Section 2.1

2.1 Types of Personal Data and Special Categories of Personal Data

Given the nature of the Cloud Service, RANDORI is not able to verify the types of Personal Data and Special Categories of Personal Data Processed. In order to maintain an accurate record as required by applicable data protection laws, Client will notify RANDORI in accordance with the 'RANDORI Contact and Notification' Section below if any of the Types of Personal Data or Special Categories of Personal Data listed below are not Processed in this Cloud Service.

2.1.1 Types of Personal Data

The following types of Personal Data generally are or can be Processed as Content within this Cloud Service:

  • Basic Personal Information about the identity of an individual (such as name, address, phone number, email). This includes BCI that is being processed or stored within the content
  • Technically Identifiable Personal Information (such as device IDs, asset identifier, usage-based identifiers, static IP address, online access and authentication credentials, online connection and network connectivity data – when linkable to an individual)
  • Location Information (such as geolocation data, appointments, schedules, calendar entries)

2.1.2 Special Categories of Personal Data

The following Special Categories of Personal Data generally are or can be Processed as Content within this Cloud Service:

  • This Cloud Service is not designed to process any Special Categories of Personal Data.

3. Data Actions

RANDORI’s data actions based on Client’s instructions are:

  • Collection
    – Direct data collection from individuals by manual or automated means
    – Data collected (acquired or received) from third parties other than the individual
  • Creation
    – Creation of new data via aggregation, combination or matching
    – Creation of new data by analytics, inference or analysis
  • Transformation
    – Manipulation (parsing, formatting or transformation) of data
    – Updating, for example, to keep data current
  • Use
    – Reading data only
    – Presenting, accessing, using or copying data
  • Sharing with third parties
  • Storage of data including backups
  • Deletion of data

4. Duration of Processing

  • The duration of Processing Content within this Cloud Service is 30 days after termination or expiration of the Cloud Service.

5. Technical and Organizational Measures

The technical and organizational measures (TOMs) described in this Section 5 apply to all Content, including Client Personal Data, Processed at each processing location by RANDORI, RANDORI Subprocessors, and third-party Subprocessors:

5.1 Base Technical and Organizational Measures

RANDORI's foundational TOMs for data security and protection within its Cloud Services are as described in RANDORI's Data Security and Privacy Principles (https://www.randori.com/security/). Modifications to the foundational TOMs for this Cloud Service are described below or within the Randori Platform Terms of Service (https://www.randori.com/platform-terms-of-service/).

5.2 Modifications to foundational TOMs

The foundational TOMs as described in the RANDORI Data Security and Privacy Principles are modified for this Cloud Service as follows:

  • This section is intentionally left blank.

5.3 Additional TOMs

The following additional TOMs are applicable to this Cloud Service:

5.3.1 Data Security

  • Content is encrypted when transmitted on any public networks.
  • Content is encrypted when transmitted within the Cloud Service’s private datacenter network.
  • Content is encrypted at rest within the Cloud Datacenter.

5.3.2 Business Continuity

  • The Cloud Service has Business Continuity plans in place to provide for the recovery of both the Cloud Service, and the associated Client Content, within hours in the event of a corresponding disaster.

5.4 Certifications

This Cloud Service maintains the following industry recognized compliance, certifications, attestations, or reports as one measure of this Cloud Service’s implementation of the TOMs:

  • ISO 27001
  • SOC2 Type 2

6. Deletion and Return of Content

  • If requested prior to termination or expiration of the Cloud Service, RANDORI will return a copy of Content that is accessible to RANDORI within a reasonable period and in a reasonable format. RANDORI will delete the Content at the end of the period specified in the ‘Duration of Processing’ Section above.
  • Client will be able to delete and/or make a copy of Client Personal Data until the expiration or termination of the Service. IBM hereby certifies that all Client Personal Data are deleted at the end of the period specified in the ‘Duration of Processing’ Section above, except where the Section states that the Client Personal Data will be retained indefinitely.

7. RANDORI Processing Locations

Content is Processed at the following locations. Depending on the Cloud Service, RANDORI may be able to limit Processing of Content to a subset of these locations, upon request. See the Randori Platform Terms of Service (https://www.randori.com/platform-terms-of-service/) for details.

Location / Processing Activities:

  • Canada
    – Development – Design, development, build, or test
  • Japan
    – Development – Design, development, build, or test
  • Peru
    – Customer Support – Help desk or other technical support
    – Development – Design, development, build, or test
    – Operations – Provision, maintenance, or management (including security management) of applications, networks, systems, or infrastructure
    – Monitoring – Applications, networks, systems, or infrastructure logging or monitoring
  • United States
    – Customer Support – Help desk or other technical support
    – Development – Design, development, build, or test
    – Monitoring – Applications, networks, systems, or infrastructure logging or monitoring
    – Operations – Provision, maintenance, or management (including security management) of applications, networks, systems, or infrastructure

8. Third-Party Subprocessors

Content is Processed by the following third-party Subprocessors used in this Cloud Service: 

Subprocessor (Corporate Headquarters) / Processing Activities:

  • AWS – Australia (Australia)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS – Brazil (Brazil)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS – India (India)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS – Japan (Japan)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS – Singapore (Singapore)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS – South Korea (Korea, Republic of)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS – United Kingdom (United Kingdom)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS (Canada)
    – Security – Identity & access management services
    – Hosting – Storage, backup, or other computing resources
  • AWS (Germany)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • AWS (Ireland)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Amazon Web Services (AWS) (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Clearbit (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Crunchbase (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Crunchy Data (United States)
    – Hosting – Storage, backup, or other computing resources
  • Google Cloud Platform (Germany)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Google Cloud Platform (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • IPInfo (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Pendo.io (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Sendgrid (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Sentry.io (United States)
    – Hosting – Storage, backup, or other computing resources
  • Splunk Inc. (United States)
    – Hosting – Storage, backup, or other computing resources
  • SpyCloud (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
  • WhoisXML API (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Workato (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • ZETAlytics (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources
  • Zendesk, Inc. (United States)
    – Services – Business or data processing on behalf of RANDORI or a RANDORI customer
    – Hosting – Storage, backup, or other computing resources

  • This Data Sheet will be updated for any intended additional or replacement third-party Subprocessors. Clients can use the self-service portal referred to in the 'RANDORI Contact and Notification' Section below to subscribe to automatic notification of such updates. Additional details for each third-party Subprocessor are available upon request.

9. Transborder Data Processing

9.1 EU Standard Contractual Clauses

By entering into the Agreement, RANDORI and Client are entering into the EU Standard Contractual Clauses (EU SCC) available at http://www.ibm.com/terms?id=Z126-8005, unless both RANDORI and Client are located in a country considered to have an adequate level of protection under the Data Protection Laws, in which case the EU SCC are not required between RANDORI and Client.

Where the EU SCC are required between RANDORI and Client, the parties acknowledge that the applicable module of the EU SCC will be determined by their role as Controller and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfill the appropriate obligations under the applicable module.

9.2 UK Standard Contractual Clauses

By entering into the Agreement, in addition to the EU SCC referenced above, RANDORI and Client are entering into the United Kingdom’s International Data Transfer Addendum to the EU SCC (together, the UK SCC) available at http://www.ibm.com/terms?id=Z126-8005, unless both RANDORI and Client are located in a country providing an adequate level of protection under the UK data protection law. With reference to the list of Sub-processors above, where applicable, RANDORI will enter into the UK SCC with each Sub-processor located in a Non-Adequate Country.  Where the UK SCC are required between RANDORI and Client, the parties acknowledge that the applicable module of the UK SCC will be determined by their role as Controller and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfill the appropriate obligations under the relevant module.

9.4 Transparency Report

RANDORI publishes information about government requests for client data in the RANDORI Cloud Law Enforcement Access Request Transparency Report available at: http://ibm.biz/IBMTransparencyReport

10. RANDORI Contact and Notifications

  • For data privacy related questions, the RANDORI privacy team can be contacted at chiefprivacyoffice@ca.ibm.com.

11. Data Protection Officer and Other Controllers

In order for RANDORI to maintain a record required by applicable data protection laws, Client will, when the DPA applies, submit and keep up-to-date the contact details for Client's Data Protection Officer and, if applicable, its EU Representative, and for each other Controller's Data Protection Officer and, if applicable, their EU Representatives, through the self-service portal or by sending an email to chiefprivacyoffice@ca.ibm.com with the contract number and Client name.