Data Processing Addendum
This Data Processing Addendum ("DPA") is entered into by and between InQuery, Inc. ("InQuery") and the Customer identified in the Enterprise Services Agreement ("Agreement"). This DPA amends and forms part of the Agreement. This DPA applies where InQuery Processes Customer Personal Data as a Processor on behalf of Customer, the Controller (or as a subprocessor, where Customer is a Processor on behalf of a third-party Controller), in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA.
1. Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below. Any capitalized term not defined in this DPA shall have the meaning given to it in the Agreement.
"CCPA" means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.
"Controller" means "controller" and "business" (and analogous variations of such terms) under Data Protection Law.
"Customer Personal Data" means Personal Data that InQuery Processes on behalf of Customer in connection with providing the Services as described in Attachment 1 (including, for the avoidance of doubt, any such Personal Data comprised within Customer Content). Customer Personal Data does not include (i) such information pertaining to Customer's personnel or representatives who are business contacts of Customer, or (ii) Service Data.
"Data Protection Law" means the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to InQuery's Processing of Customer Personal Data.
"Data Subject" means an identified or identifiable natural person.
"Deidentified Data" means information that cannot reasonably be linked to or associated with Customer or any Data Subject.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" means "personal data" and "personal information" (and analogous variations of such terms) under Data Protection Law.
"Process" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.
"Processor" means "processor" and "service provider" (and analogous variations of such terms) under Data Protection Law.
"SCCs" means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, as may be replaced or superseded by the European Commission.
"Security Incident" means a breach of InQuery's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in InQuery's possession, custody, or control. For clarity, Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
"Service Data" means any data relating to the use, support, and/or operation of the Services, which is collected directly by InQuery from and/or about users of the Services and/or Customer's use of the Services for use for InQuery's own purposes.
"Services" means the services provided by InQuery pursuant to the Agreement.
"UK GDPR" means the GDPR as incorporated into United Kingdom ("UK") law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
"UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.
2. Data Processing and Protection
2.1 Limitations on Use
InQuery will Process Customer Personal Data only: (a) in a manner consistent with Customer's documented instructions as specified under Section 2.2 (Instructions); and (b) as required by applicable laws. Without limiting the instructions under Section 2.2, InQuery will not: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the Parties except as permitted by Data Protection Law or (ii) for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than providing the Services, or as otherwise permitted by Data Protection Law; (y) "sell" or "share" (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data InQuery receives from individuals or other Customers, except as permitted by Data Protection Law.
2.2 Instructions
Customer instructs InQuery to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 1 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by InQuery constitute Customer's documented instructions regarding InQuery's Processing of Customer Personal Data. Additional instructions provided by Customer (if any) require prior written agreement by Customer and InQuery, including agreement on any additional fees to carry out such instructions. Customer will not instruct InQuery to perform any Processing of Customer Personal Data that violates any Data Protection Law. InQuery may suspend Processing based upon any Customer instructions that InQuery reasonably suspects violate Data Protection Law, provided InQuery will promptly inform Customer if, in InQuery's opinion, an instruction infringes Data Protection Law.
2.3 Compliance
Each Party will comply with its obligations under Data Protection Law. InQuery shall notify Customer if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that InQuery has Processed Customer Personal Data without authorization, Customer may take reasonable and appropriate steps to stop and remediate such Processing.
2.4 Confidentiality
InQuery will ensure that persons authorized by InQuery to Process any Customer Personal Data are subject to appropriate confidentiality obligations.
2.5 Security
InQuery will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law ("Security Measures"). Notwithstanding, InQuery may, from time to time, update its Security Measures, provided the new measures do not materially reduce the level of security. Customer agrees that the Services, the Security Measures, and InQuery's commitments under this DPA are adequate to meet Customer's needs, including with respect to any security obligations of Customer under Data Protection Law, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
2.6 Disposal
At Customer's request, InQuery will delete or return all Customer Personal Data upon the end of the provision of Services: (a) unless applicable law requires the storage of such Customer Personal Data by InQuery; and (b) except for Customer Personal Data that is archived on back-up systems, which InQuery will securely isolate and protect from any further Processing, except to the extent required or permitted by law. Customer may make its request within 14 days of the cessation date of the Services by emailing the request to privacy@inquery.com. InQuery shall comply with such Customer instruction as soon as reasonably practicable.
2.7 Deidentified Data
InQuery may create and derive Deidentified Data to improve InQuery's products and services and for other business purposes. With respect to Deidentified Data, InQuery will: (a) take reasonable technical and organizational measures designed to ensure that such data cannot be associated with a Data Subject or Customer; (b) Process such data only in a de-identified fashion and not attempt to re-identify such data except as permitted by Data Protection Laws; and (c) comply with data protection laws applicable to InQuery's Processing of such data.
2.8 Service Data
Notwithstanding anything to the contrary in the Agreement and this DPA, Customer agrees that InQuery shall have the right to generate, collect, store, use, disclose, and/or otherwise Process data resulting from the use or provision of the Services for its legitimate business purposes, such as: billing, account management, sales, and marketing; performing data analytics; monitoring, improving, and supporting the Services; designing, developing, and offering InQuery products and services; and for any other lawful purposes. To the extent that any such data is considered Personal Data under Data Protection Law, InQuery is the Controller of such data and shall Process such data in accordance with InQuery's Privacy Policy and Data Protection Law.
3. Data Processing Assistance
3.1 Data Subject Rights Assistance
Customer shall be responsible for responding to requests from Data Subjects to exercise rights under Data Protection Law relating to Customer Personal Data (each a "Data Subject Request"). Customer will inform InQuery of any Data Subject Request to which InQuery must comply as a Processor under Data Protection Law and provide the information necessary for InQuery to comply with the request. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, InQuery will, on Customer's request, provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law. In the event any Data Subject Request is made directly to InQuery, InQuery will, to the extent permitted by Data Protection Law, notify Customer without undue delay. InQuery will not respond to the request directly, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Data Protection Law.
3.2 Security Assistance
Taking into account the nature of Processing and the information available to InQuery, InQuery will provide commercially reasonable efforts to assist Customer in Customer's efforts to comply with Customer's obligations to secure Customer Personal Data by providing the information and assistance described in Section 5 (Audits).
3.3 Data Protection Impact Assessment and Prior Consultation Assistance
Taking into account the nature of Processing and the information available to InQuery, InQuery will provide commercially reasonable efforts to assist Customer in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities to the extent required by Data Protection Law.
4. Security Incident
4.1 Notice and Assistance
InQuery will notify Customer without undue delay after becoming aware of a Security Incident. InQuery will provide Customer with information (insofar as such information is within InQuery's possession and knowledge and does not otherwise compromise the security or confidentiality of any other data in InQuery's possession or control) designed to allow Customer to meet its obligations under Data Protection Law to report the Security Incident if and to the extent required by Data Protection Law. InQuery will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident and will reasonably cooperate with Customer and take commercially reasonable steps as may be requested by Customer to assist in the investigation of any such Security Incident. InQuery's notification of or response to a Security Incident shall not be construed as InQuery's acknowledgement of any fault or liability with respect to the Security Incident.
4.2 Notification to InQuery
If Customer determines to notify any governmental entity, Data Subject(s), the public, or others of a Security Incident, to the extent such notice directly or indirectly refers to or identifies InQuery, where permitted by applicable laws, Customer will notify InQuery in writing in advance of such notice and will, in good faith, consult with InQuery and consider any clarifications or corrections InQuery may reasonably recommend or request to any such notification that relates to InQuery's involvement in or relevance to such Security Incident and is consistent with applicable laws.
5. Audits
5.1 InQuery shall make available to Customer all information as InQuery (acting reasonably) considers appropriate to demonstrate its compliance with this DPA and with its obligations under Applicable Data Protection Law.
5.2 InQuery may procure audits by third parties to assess InQuery's adherence to SOC 2 Type II and/or certifications or other documentation evidencing compliance with alternative standards that are substantially equivalent to the foregoing (collectively, "Audit Reports"). Subject to the confidentiality obligations set forth in the Agreement, InQuery will provide Customer with summaries of InQuery's then-current Audit Reports on Customer's reasonable request. If the Agreement does not include a provision protecting InQuery's confidential information, then the Audit Reports will be made available to Customer subject to a mutually agreed-upon non-disclosure agreement covering the Audit Reports.
5.3 Customer will exercise its audit rights by first requesting the Audit Reports as described in Section 5.2. To the extent that the information provided in such Audit Reports is insufficient to demonstrate InQuery's compliance with this DPA and/or Data Protection Law, Customer may, not more than once every twelve (12) months, conduct (or another auditor mandated by Customer that is reasonably acceptable to InQuery may conduct) a documentary audit of InQuery's policies and procedures regarding the Processing of Customer Personal Data.
5.4 Any such audit must be tailored to what is reasonably necessary to verify InQuery's compliance with this DPA and must occur during InQuery's normal business hours. In connection with any such audit, the auditor will: (a) observe restrictions reasonably imposed by InQuery; and (b) not unreasonably interfere with or cause destruction, damage, or injury to InQuery's personnel and business activities. Customer will provide written communication of any audit findings to InQuery, and the results of the audit will be the confidential information of InQuery. Unless otherwise required by a data protection authority (which such audits will be conducted with reasonable prior notice to meet regulatory mandates), Customer will provide no less than thirty (30) days' advance notice of its request for any such audit and will cooperate in good faith with InQuery to schedule any such audit on a mutually agreed-upon date and time (such agreement not to be unreasonably withheld by either Party).
5.5 Prior to conducting any audit, Customer must submit a detailed proposed audit plan. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. InQuery will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise InQuery security, privacy, employment, or other relevant policies). The Parties shall cooperate to agree on a final audit plan, including the confidentiality of any information or reports relating to the audit.
6. Subprocessors
6.1 Appointment of Subprocessors
Customer authorizes InQuery to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a "Subprocessor"). Customer specifically consents to InQuery's appointment of the Subprocessors identified in InQuery's Subprocessor List.
6.2 Objection Right for New Subprocessors
InQuery will notify Customer of its intent to update the Subprocessor List at least 14 days prior to engaging a new Subprocessor by sending an email to Customer's point of contact. Customer may object to InQuery's use of a new Subprocessor on reasonable grounds relating to data protection within 14 days of such notice by sending an email to privacy@inquery.com clearly indicating its desire to object to any such change. If Customer objects to the change in Subprocessors, InQuery and Customer will cooperate in good faith to resolve Customer's objection. If the Parties are unable to resolve Customer's objection within a reasonable time frame, then Customer may, as its sole and exclusive remedy, cancel the Services that InQuery indicates cannot be provided without the objected-to Subprocessor by providing written notice to InQuery and receive a refund of any prepaid but unused fees under the Agreement related to the canceled Services. If Customer does not object to InQuery's appointment of a Subprocessor during the objection period, Customer shall be deemed to have approved the engagement and ongoing use of that Subprocessor.
6.3 Liability
InQuery will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. InQuery will remain liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.
7. Data Transfers
7.1 Overview
The parties will conduct any transfers of Customer Personal Data relating to residents of the European Economic Area, the UK, and Switzerland to a country not subject to an adequacy decision (a "Data Transfer") pursuant to the SCCs, which are incorporated into this DPA and deemed executed by this reference. The parties agree to comply with the general clauses and with Module 2 where Customer is a Controller or Module 3 where Customer is a Processor on behalf of a third-party Controller. Under the SCCs, Customer is the "data exporter" and InQuery is the "data importer."
7.2 Transfers Subject to the GDPR
To the extent Customer Personal Data subject to the GDPR is subject to a Data Transfer, the SCCs will be modified as follows: in Clause 7, the optional docking language is deleted; in Clause 8.9, the audits shall be conducted according to the audit provisions of this DPA; in Clause 9, Option 2 applies and changes to Subprocessors will be notified in accordance with the Subprocessors section of this DPA; in Clause 11, the optional language is deleted; in Clauses 17 and 18, InQuery and Customer agree that the governing law and forum for disputes will be the laws and courts of Ireland (without reference to conflicts of law principles); the Annexes of the SCCs will be deemed completed with the information set forth in this DPA; and the supervisory authority that will act as competent supervisory authority will be determined in accordance with the GDPR.
7.3 Transfers Subject to the UK GDPR
To the extent Customer Personal Data subject to the UK GDPR is subject to a Data Transfer, the parties will conduct such transfers pursuant to the SCCs in tandem with the UK IDTA, which is incorporated by this reference. The information needed to complete the Tables to the UK IDTA is provided in this DPA.
7.4 Transfers Subject to Swiss Data Protection Law
To the extent Customer Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the "FADP") is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the Data Transfer is governed by the FADP; references to a "Member State" and "EU Member State" will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to "GDPR" in the SCCs will be understood as references to the FADP.
7.5 Alternative Transfer Mechanism
In the event that InQuery is required to adopt an alternative transfer mechanism under Data Protection Law, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with Data Protection Laws), and Customer agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
8. Liability
The total aggregate liability of either Party toward the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed to by the Parties in the Agreement.
9. Miscellaneous
To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or UK IDTA, on the other hand, the SCCs or UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law clause and forum selection clause of the Agreement will apply to any disputes arising out of this DPA. InQuery may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Data Protection Law from time to time.
Contact Us
Questions about this Data Processing Addendum?
Contact us at privacy@inquery.com