Resolver Inc. GDPR Addendum
Last updated: December 1, 2018
In providing the Resolver Inc. (and/or its Affiliates) (“Resolver”, “We”, “Our” or “Us” and terms of similar meaning) integrated risk management software in a hosted environment or by way of software-as-a-service (“Resolver Software”) to You pursuant to an agreement entered into between You and Us (the “Agreement”), We may Process Personal Data on Your behalf. We will comply with the provisions in this GDPR Addendum with respect to Our Processing of any Personal Data. Capitalized terms used but not defined in this GDPR Addendum have the same meanings as set out in the Agreement.
For the purposes of this Addendum:
- “Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity;
- “Controller” means You, the entity which determines the purpose and means of the Processing of Personal Data;
- “Customer Data” means any data, information or material that You submit to Us by way of the Resolver Software;
- “Data Subject” means the individual to whom Personal Data relates;
- “EEA” means the European Economic Area, which includes European Union member states, Norway, Iceland and Liechtenstein, as well as, for the purposes of this GDPR Addendum, the United Kingdom;
- “EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament, and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament (“General Data Protection Regulation” or “GDPR”), as amended, replaced or superseded;
- “Personal Data” means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processor” means Us, the entity which Processes Personal Data on behalf of the Controller.
- “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Supervisory Authority” means an independent public authority which is established by an EU member state pursuant to EU Data Protection Legislation.
- “You” means the company, organization, legal entity or legal person that is the party to the Agreement for the Resolver Software. “Your” has the corresponding meaning to You.
Applicability of GDPR Addendum
- This GDPR Addendum shall apply only to the extent You are established within the EEA or Switzerland and/or to the extent We Process Personal Data of Data Subjects located in the EEA on Your behalf through Your use of the Resolver Software.
Details of the Processing
- The categories of Personal Data are determined by You in Your sole discretion.
- Special categories of Personal Data, if any, are determined by You in Your sole discretion and may include, but are not limited to, information revealing racial/ethnic origin, political, religious or philosophical beliefs, trade union membership or health data. The Resolver Software does not, in any of its standard configurations, Process any special categories of Personal Data and accordingly, the terms of this Addendum may not apply to such Personal Data.
- The categories of Data Subjects whose Personal Data may be Processed in connection with the Resolver Software are determined and controlled by You in Your sole discretion and may include Your employees or contractors and/or other natural persons that are of interest to You.
- We will Process Personal Data as necessary to permit You to Use the Resolver Software pursuant to the Agreement. The Processing operations performed on the Personal Data will depend on the Resolver Software that You Use and Your configuration of the Resolver Software. Such Processing operations of Personal Data as necessary for Us to provide the Resolver Software may include the following: collecting, recording, organizing, storage, use, alteration, disclosure, transmission, combining, retrieval, consultation, archiving and/or destruction.
Roles and Responsibilities
- You, as Controller, appoint Us as a Processor to process the Personal Data on Your behalf.
- We shall Process Personal Data for the purposes set forth in the Agreement, to improve or develop enhancements to the Resolver Software and/or only in accordance with Your lawful, documented instructions (as set out below), except where otherwise required by applicable law. The Agreement and this GDPR Addendum set out Your complete instructions to Us in relation to the Processing of Personal Data, and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require the prior written agreement of the parties. We shall inform You if, in Our opinion, any of Your instructions infringes applicable EU Data Protection Legislation.
- We shall ensure that Our relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the Processing, protection and confidentiality of Personal Data.
- You, as Controller, shall be responsible for ensuring that, in connection with Customer Data: (i) You have complied, and will continue to comply, with all applicable privacy and data protection laws, including EU Data Protection Legislation; and (ii) You have, and will continue to have, the right to transfer, or provide access to, the Personal Data to Us for Processing in accordance with the terms of the Agreement and this GDPR Addendum.
- We shall implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk, to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access or use (each a “Security Incident”), and shall be in accordance with Our security standards as set forth at resolver.com/trust.
- We shall ensure that any person that We authorize to Process the Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
- Upon becoming aware of a Security Incident, We shall notify You without undue delay, but within no more than seventy-two (72) hours, and shall provide such timely information as You may reasonably require to enable You to fulfil any data breach reporting obligations under EU Data Protection Legislation. We will take steps to identify and remediate the cause of such Security Incident.
- You agree that We may engage Affiliates and third party sub-processors (collectively, “Sub-processors”) to Process the Personal Data on Our behalf. The Sub-processors currently engaged by Us and authorized by You are listed at Our Sub-processor web page (the “Sub-processor List”) at resolver.com/legal. The engagement of Sub-processors shall contain data protection terms that protect the Personal Data to the same standard provided for by this GDPR Addendum, and We shall remain liable for any breach of this GDPR Addendum caused by a Sub-processor.
- We may, by giving no less than thirty (30) days’ notice to You, add or make changes to the Sub-processors. You may object to the appointment of an additional Sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case We shall have the right to cure the objection through one of the following options (to be selected at Our sole discretion): (a) We will cancel Our plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Resolver Software without such Sub-processor; or (b) We will take the corrective steps requested by You in Your objection (which remove Your objection) and proceed to use the Sub-processor with regard to Personal Data; or (c) We may cease to provide or You may agree not to use (temporarily or permanently) the particular aspect of the Resolver Software that would involve the use of such Sub-processor with regard to Personal Data. Objections to a Sub-processor shall be submitted to Us by sending an email to firstname.lastname@example.org with a copy to email@example.com. If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Our receipt of Your objection, either party may terminate the Agreement with no further liability to the other party.
- We may replace a Sub-processor if the need for the change is urgent and necessary to provide the Resolver Software and the reason for the change is beyond Our reasonable control. In such instance, We shall notify You of the replacement as soon as reasonably practicable, and You shall retain the right to object to the replacement Sub-processor pursuant to Section 6(b).
- We shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable and insofar as possible, to enable You to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under EU Data Protection Legislation, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. In the event such inquiry, communication or request is made directly to Us, We shall promptly inform You by providing the full details of the request. For the avoidance of doubt, You are responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability involving that Data Subject’s Personal Data.
- We shall notify You without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data.
- We shall, to the extent required by EU Data Protection Legislation, provide You with reasonable assistance with data protection impact assessments and/or prior consultations with Supervisory Authorities that You are required to carry out under EU Data Protection Legislation. Any extraordinary requests for assistance may be subject to You being responsible for Our reasonable costs and expenses.
Security Reports and Audits
- We shall provide a copy of Our most current security report upon Your written request and subject to the confidentiality provisions of the Agreement (or a separate confidentiality agreement). Upon reasonable notice to Us by You, We shall allow You (or Your independent third-party auditor) to conduct an on-site audit of Our facilities and of the procedures relevant to the protection of Personal Data, subject to the confidentiality provisions of the Agreement. You shall be permitted to conduct any such audit once every twelve months. You and We will discuss and agree in advance on the reasonable start date, scope and duration of, and the security and confidentiality controls applicable to, any audit; and We reserve the right to charge a fee (based on Our reasonable costs) for any such audit.
Deletion or Return of Customer Data
- Upon termination or expiration of the Agreement, We shall, in accordance with the terms of the Agreement, delete or make available to You for retrieval all relevant Personal Data (including copies) in Our possession, save to the extent that We are required by any applicable law to retain some or all of the Personal Data. In such event, We shall extend the protections of the Agreement and this GDPR Addendum to such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention, for so long as We maintain the Personal Data.
- Except as amended by this GDPR Addendum, the Agreement will remain in full force and effect.
- If there is a conflict between the Agreement and this GDPR Addendum, the terms of this GDPR Addendum will control.
- Any claims brought under this GDPR Addendum shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.