Resolver Inc. GDPR Addendum

Version: 3.0
Last updated: December 23, 2022

In providing the Resolver Inc. (and/or its Affiliates) (“Resolver”, “We”, “Our” or “Us” and terms of similar meaning) integrated risk management software in a hosted environment or by way of software-as-a-service (“Resolver Software”) to You pursuant to an agreement entered into between You and Us (the “Agreement”), We may Process Personal Data on Your behalf. We will comply with the provisions in this GDPR Addendum with respect to Our Processing of any Personal Data. Capitalized terms used but not defined in this GDPR Addendum have the same meanings as set out in the Agreement.

  1. Definitions

    For the purposes of this Addendum:

    1. “Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity;
    2. “Controller” means You, the entity which determines the purpose and means of the Processing of Personal Data;
    3. “Customer Data” means any data, information or material that You submit to Us by way of the Resolver Software;
    4. “Data Subject” means the individual to whom Personal Data relates;
    5. “EEA” means the European Economic Area, which includes European Union member states, Norway, Iceland and Liechtenstein, as well as, for the purposes of this GDPR Addendum, the United Kingdom;
    6. “EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament, (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament (“General Data Protection Regulation” or “GDPR”), as amended, replaced or superseded. To the extent applicable to Data Subjects from the United Kingdom or to the extent You are established in the United Kingdom, “EU Data Protection Legislation” shall mean the UK GDPR and the UK Data Protection Act 2018 (collectively the “UK Data Protection Laws and Regulations”). To the extent applicable to Data Subjects from Switzerland or to the extent You are established in Switzerland, “EU Data Protection Legislation” means the Swiss Federal Act on Data Protection of June 19, 1992 and as it may be revised from time to time (the “FADP”).
    7. “Personal Data” means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    8. “Processor” means Us, the entity which Processes Personal Data on behalf of the Controller.
    9. “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    10. “Supervisory Authority” means an independent public authority which is established by an EU member state pursuant to EU Data Protection Legislation.
    11. “You” means the company, organization, legal entity or legal person that is the party to the Agreement for the Resolver Software. “Your” has the corresponding meaning to You.
  2. Applicability of GDPR Addendum

    1. This GDPR Addendum shall apply only to the extent You are established within the EEA, the United Kingdom or Switzerland and/or to the extent We Process Personal Data of Data Subjects located in the EEA, the United Kingdom, or Switzerland on Your behalf through Your use of the Resolver Software.
  3. Details of the Processing

    1. The categories of Personal Data are determined by You in Your sole discretion.
    2. Special categories of Personal Data, if any, are determined by You in Your sole discretion and may include, but are not limited to, information revealing racial/ethnic origin, political, religious or philosophical beliefs, trade union membership or health data. The Resolver Software does not, in any of its standard configurations, Process any special categories of Personal Data and accordingly, the terms of this Addendum may not apply to such Personal Data.
    3. The categories of Data Subjects whose Personal Data may be Processed in connection with the Resolver Software are determined and controlled by You in Your sole discretion and may include Your employees or contractors and/or other natural persons that are of interest to You.
    4. We will Process Personal Data as necessary to permit You to Use the Resolver Software pursuant to the Agreement. The Processing operations performed on the Personal Data will depend on the Resolver Software that You Use and Your configuration of the Resolver Software. Such Processing operations of Personal Data as necessary for Us to provide the Resolver Software may include the following: collecting, recording, organizing, storage, use, alteration, disclosure, transmission, combining, retrieval, consultation, archiving and/or destruction.
  4. Roles and Responsibilities

    1. You, as Controller, appoint Us as a Processor to process the Personal Data on Your behalf.
    2. We shall Process Personal Data for the purposes set forth in the Agreement, to improve or develop enhancements to the Resolver Software and/or only in accordance with Your lawful, documented instructions (as set out below), except where otherwise required by applicable law. The Agreement and this GDPR Addendum set out Your complete instructions to Us in relation to the Processing of Personal Data and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties. We shall inform You if, in Our opinion, any of Your instructions infringes applicable EU Data Protection Legislation.
    3. We shall ensure that Our relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the Processing, protection and confidentiality of Personal Data.
    4. You, as Controller, shall be responsible for ensuring that, in connection with Customer Data: (i) You have complied, and will continue to comply, with all applicable privacy and data protection laws, including EU Data Protection Legislation; and (ii) You have, and will continue to have, the right to transfer, or provide access to, the Personal Data to Us for Processing in accordance with the terms of the Agreement and this GDPR Addendum.
  5. Security

    1. We shall implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access or use (each a “Security Incident”) and in accordance with Our security standards as set forth at www.resolver.com/trust.
    2. We shall ensure that any person that We authorize to Process the Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
    3. Upon becoming aware of a Security Incident, We shall notify You without undue delay, but within no more than seventy-two (72) hours, and shall provide such timely information as You may reasonably require to enable You to fulfil any data breach reporting obligations under EU Data Protection Legislation. We will take steps to identify and remediate the cause of such Security Incident.
  6. Sub-processing

    1. You agree that We may engage Affiliates and third party sub-processors (collectively, “Sub-processors”) to Process the Personal Data on Our behalf. The Sub-processors currently engaged by Us and authorized by You are listed at Our Sub-processor web page (the “Sub-processor List”) at www.resolver.com/legal. The engagement of Sub-processors shall contain data protection terms that protect the Personal Data to the same standard provided for by this GDPR Addendum and We shall remain liable for any breach of the GDPR Addendum caused by a Sub-processor.
    2. We may, by givin