Legal Terms & Conditions

Resolver Inc. GDPR Addendum

Version: 3.0
Last updated: December 23, 2022

In providing the Resolver Inc. (and/or its Affiliates) (“Resolver“, “We“, “Our” or “Us” and terms of similar meaning) integrated risk management software in a hosted environment or by way of software-as-a-service (“Resolver Software“) to You pursuant to an agreement entered into between You and Us (the “Agreement“), We may Process Personal Data on Your behalf. We will comply with the provisions in this GDPR Addendum with respect to Our Processing of any Personal Data. Capitalized terms used but not defined in this GDPR Addendum have the same meanings as set out in the Agreement.

  1. Definitions

    For the purposes of this Addendum:

    1. Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity;
    2. Controller” means You, the entity which determines the purpose and means of the Processing of Personal Data;
    3. Customer Data” means any data, information or material that You submit to Us by way of the Resolver Software;
    4. Data Subject” means the individual to whom Personal Data relates;
    5. EEA” means the European Economic Area, which includes European Union member states, Norway, Iceland and Liechtenstein, as well as, for the purposes of this GDPR Addendum, the United Kingdom;
    6. EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament, (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament (“General Data Protection Regulation” or “GDPR“), as amended, replaced or superseded. To the extent applicable to Data Subjects from the United Kingdom or to the extent You are established in the United Kingdom “EU Data Protection Legislation” shall mean the UK GDPR and the UK Data Protection Act 2018 (collectively the “UK Data Protection Laws and Regulations“). To the extent applicable to Data Subjects from Switzerland or to the extent You are established in Switzerland “EU Data Protection Legislation” means the Swiss Federal Act on Data Protection of June 19, 1992 and as it may be revised from time to time (the “FADP“)
    7. Personal Data” means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    8. Processor” means Us, the entity which Processes Personal Data on behalf of the Controller.
    9. Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use,. disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction erasure or destruction.
    10. Supervisory Authority” means an independent public authority which is established by an EU member state pursuant to EU Data Protection Legislation.
    11. You” means the company, organization, legal entity or legal person that is the party to the Agreement for the Resolver Software. “Your” has the corresponding meaning to You.
    12. You” means the company, organization, legal entity or legal person that is the party to the Agreement for the Resolver Software. “Your” has the corresponding meaning to You.
  2. Applicability of GDPR Addendum

    1. This GDPR Addendum shall apply only to the extent You are established within the EEA, the United Kingdom or Switzerland and/or to the extent We Process Personal Data of Data Subjects located in the EEA, the United Kingdom, or Switzerland on Your behalf through Your use of the Resolver Software.
  3. Details of the Processing

    1. The categories of Personal Data are determined by You in Your sole discretion.
    2. Special categories of Personal Data, if any, are determined by You in Your sole discretion and may include, but are not limited to information revealing racial/ethnic origin, political, religious or philosophical beliefs, trade union membership or health data. The Resolver Software does not, in any of its standard configurations, Process any special categories of Personal Data and accordingly, the terms of this Addendum may not apply to such Personal Data.
    3. The categories of Data Subjects whose Personal Data may be Processed in connection with the Resolver Software are determined and controlled by You in Your sole discretion and may include Your employees or contractors and/or other natural persons that are of interest to You.
    4. We will Process Personal Data as necessary to permit you to Use the Resolver Software pursuant to the Agreement. The Processing operations performed on the Personal Data will depend on the Resolver Software that You Use and Your configuration of the Resolver Software. Such Processing operations of Personal Data as necessary for Us to provide the Resolver Software may include the following: collecting, recording, organizing, storage, use, alteration, disclosure, transmission, combining, retrieval, consultation, archiving and/or destruction.
  4. Roles and Responsibilities

    1. You, as Controller, appoint Us as a Processor to process the Personal Data on Your behalf.
    2. We shall Process Personal Data for the purposes set forth in the Agreement, to improve or develop enhancements to the Resolver Software and/or only in accordance with Your lawful, documented instructions (as set out below), except where otherwise required by applicable law. The Agreement and this GDPR Addendum set out Your complete instructions to Us in relation to the Processing of Personal Data and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties. We shall inform You if, in our opinion, any of Your instructions infringes applicable EU Data Protection Legislation.
    3. We shall ensure that Our relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the Processing, protection and confidentiality of Personal Data.
    4. You, as Controller, shall be responsible for ensuring that, in connection with Customer Data: (i) You have complied, and will continue to comply, with all applicable privacy and data protection laws, including EU Data Protection Legislation; and (ii) You have, and will continue to have, the right to transfer, or provide access to, the Personal Data to Us for Processing in accordance with the terms of the Agreement and this GDPR Addendum.
  5. Security

    1. We shall implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access or use (each a “Security incident“) and in accordance with Our security standards as set forth at resolver.com/trust.
    2. We shall ensure that any person that We authorize to Process the Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
    3. Upon becoming aware of a Security Incident, We shall notify You without undue delay, but within no more than seventy-two (72) hours, and shall provide such timely information as You may reasonably require to enable You to fulfil any data breach reporting obligations under EU Data Protection Legislation. We will take steps to identify and remediate the cause of such Security Incident.
  6. Sub-processing

    1. You agree that We may engage Affiliates and third party sub-processors (collectively, “Sub-processors“) to Process the Personal Data on Our behalf The Sub-processors currently engaged by Us and authorized by You are listed at Our Sub-processor web page (the “Sub-processor List“) at resolver.com/legal. The engagement of Sub-processors shall contain data protection terms that protect the Personal Data to the same standard provided for by this GDPR Addendum and We shall remain liable for any breach of the GDPR Addendum caused by a Sub-processor.
    2. We may, by giving no less than thirty (30) days’ notice to You, add or make changes to the Sub-processors. You may object to the appointment of an additional Sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case We shall have the right to cure the objection through one of the following options (to be selected at Our sole discretion): (a) We will cancel Our plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Resolver Software without such Sub-processor; or (b) We will take the corrective steps requested by You in Your objection (which remove Your objection) and proceed to use the Sub-processor with regard to Personal Data; or (c) We may cease to provide or You may agree not to use (temporarily or permanently) the particular aspect of the Resolver Software that would involve the use of such Sub-processor with regard to Personal Data. Objections to a Sub-processor shall be submitted to Us by sending an email to support@resolver.com with a copy to legal@resolver.com. If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Our receipt of Your objection, either party may terminate the Agreement with no further liability to the other party.
    3. We may replace a Sub-processor if the need for the change is urgent and necessary to provide the Resolver Software and the reason for the change is beyond Our reasonable control. In such instance, We shall notify You of the replacement as soon as reasonably practicable, and You shall retain the right to object to the replacement Sub-processor pursuant to Section 6(b)
  7. Cooperation

    1. We shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable and insofar as possible, to enable You to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under EU Data Protection Legislation, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. In the event such inquiry, communication or request is made directly to Us, We shall promptly inform You by providing the full details of the request. For the avoidance of doubt, You are responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability involving that Data Subject’s Personal Data.
    2. We shall notify You without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data.
    3. We shall, to the extent required by EU Data Protection Legislation, provide You with reasonable assistance with data protection impact assessments and/or prior consultations with Supervisory Authorities that You are required to carry out under EU Data Protection Legislation. Any extraordinary requests for assistance may be subject to You being responsible for Our reasonable costs and expenses.
  8. Security Reports and Audits

    1. We shall provide a copy of our most current security report upon Your written request and subject to the confidentiality provisions of the Agreement (or separate confidentiality agreement). Upon reasonable notice to Us by You, We shall allow You (or Your independent third-party auditor) to conduct an on-site audit our facilities of the procedures relevant to the protection of Personal Data, subject to the confidentiality provisions of the Agreement. You shall be permitted to conduct any such audit once every twelve months. You and We will discuss and agree in advance on the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit; and We reserve the right to charge a fee (based on Our reasonable costs) for any such audit.
  9. Deletion or Return of Customer Data

    1. Upon termination or expiration of the Agreement, We shall, in accordance with the terms of the Agreement delete or make available to Customer for retrieval all relevant Personal Data (including copies) in Our possession, save to the extent that are required by any applicable law to retain some or all of the Personal Data. In such event, We shall extend the protections of the Agreement and this GDPR Addendum to such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention, for so long as We maintain the Personal Data.
  10. International Data Transfer

    1. For transfers of data from the EU, the Controller to Processor form of the EU Standard Contractual Clauses (Decision 2021/914/EU 4 June 2021), as currently set out https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, specifically sections I, II, III and IV to the extent they reference Module Two (Controller-to-Processor) (“EU C to P SCC‘s”) shall be deemed to be incorporated by reference in this Addendum. For the purposes of EU C to P SCC’s, You will be regarded as the data exporter and We will be regarded as the data importer, the Parties have completed Annexes 1 and 2 attached hereto, and the following operative provisions and additional terms apply:
      1. In Clause 7, the optional docking clause will not apply
      2. In Clause 9 (sub-processors), Option 2 will apply. We have the Your general authorisation for the engagement of sub-processor(s) from an agreed list, as set out in the Sub-processor List. We shall notify You of any changes as set out in Section 6 (b) of this GDPR Addendum;.
      3. In Clause 11(redress), the optional language will not apply;
      4. For the purposes of Clause 17 (Governing law), the Parties agree that the SCC’s shall be governed by the law that is designated in the Agreement as the law governing the Agreement.
      5. However, if such Agreement is not governed by EU Member State law, the SCC’s shall be governed by the law of the EU Member State in which the data exporter is established, which shall be.
      6. Notwithstanding the above, if the Agreement is governed by the laws of the United Kingdom, the SCC’s shall be governed by the laws of the United Kingdom.
      7. For the purposes of Clause 18 (Forum and Jurisdiction), courts under clause 18(b) shall be those designated as the court with jurisdiction in the Agreement. If the Agreement does not designate an EU Member State or UK courts as having jurisdiction, the Parties agree that it shall be the courts of the jurisdiction specified in Clause 17.
    2. For transfers of data from the UK, in addition to Section 10 (a) above, the UK Data Transfer Addendum (“UK DTA”) in a form adopted by the UK ICO, currently available at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf, as amended, superseded or replaced from time to time, will apply to such transfers, and the following information required under the UK DTA shall apply:
      1. Table 1 shall consist of the content in Section A of Annex I attached hereto;
      2. for Table 2, the Approved EU Standard Contractual Clauses set out in Section 10 (a) above are selected with the following modules, clauses, or optional provisions applied: (a) Module Two (controller to processor);(b) in Clause 7, the optional docking clause is not included; (c) in Clause 9, option 2 for general written authorization with a time period of thirty days; and (d) in Clause 11, the optional text is not included;
      3. Table 3 shall consist of the content in Annex I (Sections A-B) and Annex II of this Addendum; and
      4. for purposes of Table 4, neither Party may end the Addendum except by mutual agreement.
    3. For transfers subject to the FADP the EU C to P SCC’s, as set out in Section 10 (a) above, shall apply with the amendments set out in the following subclauses. Insofar as the transfer is subject to the FADP and the GDPR or the UK GDPR, the amendments below shall only apply with respect to the FADP and shall not affect the application of the EU C to P SCC’s for the purposes of the GDPR or the UK GDPR:
      1. References to “Regulation (EU) 2016/679” or “that Regulation” are to be interpreted as references to the FADP to the extent applicable;
      2. References to “Regulation (EU) 2018/1725” are removed;
      3. References to “Union”, “EU”, and “EU Member State” shall be interpreted to mean Switzerland;
      4. Clause 13 (a) and Part C of Annex I are not used; the competent supervisory authority is the Federal Data Protection and Information Commissioner insofar as the transfers are governed by the FADP;
      5. Clause 17 is replaced to state that “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by the FADP”;
      6. Clause 18’s reference to an EU Member state shall not preclude (i) disputes arising from the EU C to P SCC’s and relating to the FADP from being resolved by the courts of Switzerland; or (ii) data subjects in Switzerland bringing legal proceedings against the data exporter and/or data importer in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
      7. As long as the FADP of 19 June 1992 is in force, or until otherwise amended to the contrary, the EU C to P SCC’s shall also protect Personal Data of legal entities and legal entities shall receive the same protection under the EU C to P SCC’s as natural persons.

         

  11. Miscellaneous

        1. Except as amended by this GDPR Addendum, the Agreement will remain in full force and effect.
        2. If there is a conflict between the Agreement and this GDPR Addendum, the terms of this GDPR Addendum will control.
        3. Any claims brought under this GDPR Addendum shall be subject to the terms and conditions, including but not limited to. the exclusions and limitations set forth in the Agreement.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: The entity identified as “Customer” in the Agreement

Address: The address for Customer associated with its Resolver account or as otherwise specified in the Addendum or the Agreement

Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the Addendum or the Agreement

Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement or related Order Form, Statement of Work, or similar

Role (controller/processor): Controller

Data importer(s):

Name: Resolver Inc. or its affiliates as specified in the Agreement (“Resolver”)

Address: 111 Peter St Suite 804, Toronto, ON M5V 2H1 Canada

Contact person’s name, position and contact details: Jennifer Lo, Director, Legal, legal@resolver.com

Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement or related Order Form, Statement of Work, or similar

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred are listed below; with some categories non applicable depending on the software product or service provided pursuant to the Agreement:

  • Individuals authorized by the Customer to access the Software and Services provided by the data importer
  • Customer’s employees (including but not limited to contractors, temporary employees, trainees)
  • Customer’s directors, officers, ultimate beneficial owners who are natural persons
  • Customer’s customers (including potential customers, prospects, and others receiving Customer’s products and/or services) who are natural persons
  • Individuals with business relationships with the Customer
  • Visitors to the Customer’s premises

Categories of personal data transferred; with some categories non applicable depending on the Software product or Service provided pursuant to the Agreement

  • First and last name
  • Contact details (address, telephone number, email address, IP address)
  • Professional details (title, position, employer, employment history)
  • Any personal information that can be inferred from or incidental to descriptions of appearance

Sensitive data transferred (if applicable)

  • Not applicable in most uses of the Software and Services
  • With certain Software and Services racial and ethnic origin and incidental health related data

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Natured of the processing

The nature of the Processing is the performance of the Software and Services pursuant to the Agreement.

Purpose(s) of the data transfer and further processing

Data importer will Process Personal Data as necessary to provide the Software and perform the Services pursuant to the Agreement (or applicable Order Form or Statement of Work), as and as further instructed by Customer in its use of the Software and Services.

The period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period

For the duration of the Agreement, and for a period of time after the termination of the Agreement as necessary for data importer to comply with applicable laws and in accordance with Resolver’s Document Retention Schedule

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-processor will Process Personal Data as necessary to provide the Software and perform the Services pursuant to the Agreement and for the duration of the Agreement, unless otherwise agreed in writing.

C. COMPETENT SUPERVISORY AUTHORITY

For the purposes of Clause 13 the supervisory authority shall be identified as set out below:

  1. If Customer/data exporter is established in an EU Member State the supervisory authority shall be the supervisory authority of the Member State with responsibility for ensuring compliance by the data exporter with GDPR;
  2. If Customer/ data exporter is NOT established in an EU Member State but falls within GDPR territorial scope and has appointed an EU representative the supervisory authority shall be the Supervisory Authority of the Member State of Customer’s EU Representative;
  3. If Customer/ data exporter is NOT established in an EU Member State but falls within GDPR territorial scope without being required to appoint an EU representative the supervisory authority shall be the supervisory authority of one of the EU Member States in which the data subjects whose data are being transferred pursuant to these Clauses are located; provided that Ireland is selected if it is a possible choice; or
  4. If Customer/data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner’s Office shall act as the competent supervisory authority

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL
MEASURES TO ENSURE THE SECURITY OF THE DATA

  • AWS Advanced Shield,
  • Perimeter firewall (AWS ACL)
  • AWS VPC Security Groups (SC),
  • Web Application Firewall (WAF)
  • Two-Tier Web architecture,
  • Strong Authentication mechanism on Web Front tier,
  • Database Tier isolated from-end Web
  • Each Resolver (Core) Platform is fully Dockerized solution. Platform’s production environments run as an Elastic Container Service (Amazon ECS) cluster, contains at least two ECS Instances, deployed in separate availability-zones (AZ) and runs Docker containers for every Core service (web, data, object, etc). Resolver Core platform can naturally handle multiple components failures.
  • Each ECS cluster member is created using a most updated Amazon AMI. It is the latest version of Amazon ECS Optimized AMI (based on Amazon Linux AMI). Each Docker container running within the clustered instances is an image based on latest version of Alpine Linux.
  • The Docker containers are immutable.
  • The containers do not allow interactive login functionality.
  • Please refer to: https://app.cloudcraft.co/view/a64d12b0-a705-4e09-8c9f-babfa368aff0?key=3f20d9d7-d9fa-43fe-b831-f01a24203cbb
  • All communications across public networks, to and from Resolver Core, utilizes HTTPS over TLS v1.3 and TLS v1.2 secure communication channel with a strong cipher suite set.
  • All Customer’s data are stored in encrypted EBS folders (data is encrypted at rest), all database backups/snapshots are stored in encrypted S3 buckets utilizing unique encryption key material, managed by AWS KMS service, to encrypt/decrypt content of the volume/folder, AES 256 encryption algorithm is used
  • Resolver adopted real-time continuous monitoring utilizing
    • AWS Config (https://aws.amazon.com/config/) for monitoring environmental configuration changes
    • AWS CloudTrail (https://aws.amazon.com/cloudtrail/) for continuously monitoring account activities related to actions across our AWS infrastructure; all these logs, together with AWS VPC Flow Logs (which record VPC network activities), are analyzed using AWS GuardDuty, this tool also provides us ability to analyzing the configuration effectiveness and compare with AWS security best practices, and logs/events from OS and App level are store in immutable Amazon CloudWatch (https://aws.amazon.com/cloudwatch/) monitoring services.
    • All these logs are forwarded to SIEM System for further analysis and correlation with other events within the infrastructure and alerts to anomalous activity detection.
  • Automated static security code analysis (SCA) using Snyk Code (https://snyk.io/product/snyk-code) in conjunction with mandatory Code Peer Review before any code merge into the master branch as part of Jira tracking system ticket lifecycle.  
  • Snyk (https://snyk.io/) open-source libraries, components and dependencies vulnerability scanner integrated into CI/CD pipeline.
  • On a monthly basis, we perform automated vulnerability scans on various aspects of the Resolver Core environments, utilizing a cloud-based vulnerability management platform comprised of
    • Agent based hosts vulnerability scan
    • Advanced Network Scan
    • Web application scan
  • In addition, at least annually, or for product releases which introduce major architecture changes, external, 3rd party penetration testing is performed before public release.
  • All findings are reviewed and addressed by Resolver’s Security, Dev, DevOps and management teams, before production release or, as defined per internal risk assessment, with Resolver’s required mitigation time frame.
  • Penetration test executive summaries and Resolver responses to findings are made available to customers under NDA, upon written request.
  • Monthly maintenance cycle for updates/upgrades, OS and application-level patching is implemented in place
  • Resolver’s termination and role change processes is initiated automatically from our HR system and completes on the day of the termination.
  • Resolver has established a formal quarterly review process to review critical system access rights. Our employee termination and role change processes are initiated automatically from our HR system ensure access is removed when an employee leaves or changes roles.
  • A company-wide annual active users access review process is implemented as well.