Effective July 21, 2020
This Data Processing Addendum (“DPA”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”) between you and Code42. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
1. Purpose and scope
In the course of providing the Offerings to you under the Agreement, Code42 will Process Customer Data on your behalf. Customer Data may include Personal Data. This DPA reflects the parties’ agreement relating to the Processing of Customer Data in accordance with the requirements of Data Protection Laws and Regulations. This DPA will control in the event of any conflict with the Agreement.
2.1 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. as amended from time to time.
2.2 “Data Controller” means the entity that determines the purposes and means of Processing of Personal Data.
2.3 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, including as applicable any "service provider" as that term is defined in the CCPA.
2.4 “Data Protection Laws and Regulations” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, and the United States and its states.
2.5 “Data Subject” means the individual to whom Personal Data relates.
2.6 “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to an identified or identifiable individual.
2.7 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
2.8 “Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as approved by the European Commission decision 2010/87/EC, dated 5 February 2010.
2.9 “Sub-processor” means Code42’s Affiliates or other third-party service providers that Process Customer Data for Code42.
3. Processing of customer data
3.1 Data Processing Roles. As between you and Code42, you are the Data Controller of Customer Data and Code42 is the Data Processor. You control the categories of Data Subjects and Personal Data Processed under the Agreement and provide such Personal Data to Code42 for business purposes only. Code42 has no knowledge of, or control over, the Personal Data that you provide for Processing. You are solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which you acquired the Customer Data.
3.2 Data Processing Instructions. This DPA and the Agreement are your complete and final instructions to Code42 for the Processing of Customer Data. You and Code42 must agree on any additional or alternate instructions. Code42 will inform you if, in Code42's opinion, your instructions violate Data Protection Laws and Regulations. Code42 will process Customer Data in accordance with the Agreement (including all documents incorporated in the Agreement), and to comply with other reasonable instructions you provide to Code42 (including by email) where your instructions are consistent with the Agreement. Code42 will not sell Customer Data. Code 42 will not collect, retain, use, or disclose Customer Data (A) for any purpose other than the specific purpose set forth in the Agreement, or (B) outside the direct business relationship between you and Code42. Code42 will disclose Customer Data if required to do so by applicable law, in which case Code42 will inform you in advance unless Code42 is prohibited from doing so. Code42 certifies that it understands and will comply with the restrictions in this section 3 (Processing of Customer Data).
4. Rights of data subjects
4.1 Correction, Blocking and Deletion. If you do not have the ability to amend, block, or delete Customer Data as required by Data Protections Laws and Regulations, you can provide written instructions to Code42 to act on your behalf. Code42 will follow your instructions to the extent they are technically feasible and legally permissible. You will pay Code42’s costs of providing this assistance if the assistance exceeds the services provided under the Agreement.
4.2 Data Subject Requests. If permitted, Code42 will promptly notify you of any request from a Data Subject for access to, correction, amendment, or deletion of that Data Subject’s Personal Data. Code42 will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.
4.3 Cooperation and Assistance. Code42 will assist you to address any request, complaint, notice, or communication you receive relating to Code42’s Processing of Customer Data received from (A) a Data Subject whose Personal Data is contained within the Customer Data, or (B) any applicable data protection authority. Code42 will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay Code42’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.
5. Code42 personnel
5.1 Confidentiality. Code42 informs its personnel engaged in the Processing of Customer Data about the confidential nature of such Customer Data. These personnel receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with Code42.
5.2 Limitation of Access. Code42 ensures that access to Customer Data is limited to those personnel who require access to Process Customer Data under the Agreement.
6.1 Authorization. You expressly authorize Code42 to use Sub-processors to perform specific services on Code42’s behalf to enable Code42 to perform its obligations under the Agreement. Code42 has written agreements with its Sub-processors that contain obligations substantially similar to Code42’s obligations under this DPA. Code42 is liable for any breach of this DPA caused by an act or omission of its Sub-processors.
6.2 Notice and Objection. Code42’s current Sub-processors are listed at: https://support.code42.com/Terms_and_conditions/Compliance_resources/Code42_authorized_subprocessors. Code42 will publish changes to its Sub-processors to this website. You can subscribe to receive notice of any changes to Code42’s Sub-processors by emailing email@example.com with the subject “Subscribe” from the email address to which you want notification sent. If you subscribe, Code42 will notify you by email of new Sub-Processors before authorizing such Sub-processor(s) to process Customer Data. You have a right to reasonably object to Code42’s use of a new Sub-processor by notifying Code42 in writing within 10 business days after Code42 publishes notice of a new Sub-processor. If you do so, Code42 will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Customer Data by the new Sub-processor. If Code42 is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that Code42 cannot provide without using the new Sub-processor. You must provide written notice of termination to Code42 in accordance with the Agreement. Code42 will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.
7. Security and audit
7.1 Controls for the Protection of Customer Data. Code42 maintains appropriate administrative, technical and organizational safeguards to protect Customer Data from unauthorized or unlawful Processing, from accidental loss, destruction, or damage. Code42’s obligations are described in the Information Security Addendum available at https://support.code42.com/Terms_and_conditions/Legal_terms_and_conditions/Information_security_addendum.
7.2 Third-Party Certifications. Code42’s third party certifications and independent audit reports are described in the Information Security Addendum. Code42 will provide you with a copy of the SOC2 independent auditor report upon request.
7.3 Incident Management and Breach Notification. Code42 will notify you within 24 hours of becoming aware of a breach of your Customer Data. To the extent known, the notice will include (A) a description of the nature of the Personal Data breach, including the categories and approximate number of your Data Subjects concerned and the categories and approximate number of your records concerned; (B) the name and contact details of a Code42 contact point for more information; (C) the measures Code42 is taking to address the breach, including measures to mitigate its possible adverse effects. You can find more information about Code42's incident response procedures in the Information Security Addendum.
7.4 Audit Rights. If the information provided in section 7.2 (Third-Party Certifications) is insufficient to reasonably demonstrate Code42’s compliance with its obligations under this DPA, Code42 will provide you with additional information - and will allow and contribute to audits, including inspections - reasonably necessary to demonstrate compliance. You will not exercise this right more than once per year. You will reimburse Code42 for any time taken for an audit or inspection at Code42’s then-current professional service rates. Code42 will provide those rates to you on request. You and Code42 will agree in advance on the timing, scope, duration and reimbursement rates for any audit or inspection
8. Return and deletion of customer data
Upon termination or expiration of your Subscription Term, or at any time upon your request, Code42 will return or destroy all Customer Data in accordance with the Agreement and the Documentation. The Software and Cloud Services allow you to retrieve Customer Data at any time prior to the end of a Subscription Term. Providing this functionality through the Software and Cloud Services during the Subscription Term satisfies Code42’s obligation to return Customer Data under this section.
9. Data transfers
9.1 Transfer Mechanisms. To the extent Code42’s processing of Customer Data requires the transfer of Customer Data from the European Economic Area (“EEA”), Switzerland or the United Kingdom to any country not recognized by the European Commission as providing an adequate level of protection, this Section 9 applies. In the event that the transfer is covered by more than one transfer mechanism, the transfer of Customer Data will be subject to a single transfer mechanism in the following order of precedence: (a) Code42’s EU-U.S. and Swiss-U.S. Privacy Shield Framework self-certification as set forth in Section 9.2; and (b) subject to Exhibit A, the Standard Contractual Clauses attached hereto as Exhibit B.
9.2 Privacy Shield. Code42 self-certifies and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for Personal Data transferred from the EEA, the United Kingdom and Switzerland to the United States. Code42 certifies that it adheres to the privacy shield principles and agrees to comply with the frameworks (or any legally binding successor) or maintain another valid mechanism to legally transfer data as prescribed by the European Commission. If Code42 determines it can no longer meet these obligations, Code42 will promptly notify you and will cease Processing your Personal Data or take reasonable and appropriate steps to remediate.
Exhibit A – Additional terms for data transfers
This DPA and the Agreement are your complete and final instructions to Code42 for the Processing of Personal Data. You and Code42 must agree on any additional or alternate instructions. For the purposes of Clause 5(a) of the Standard Contractual Clauses, you instruct Code42 to Process Personal Data: (1) in accordance with the Agreement (including all documents incorporated in the Agreement), and (2) to comply with other reasonable instructions you provide to Code42 (including by email) where your instructions are consistent with the Agreement. In the event of any conflict or inconsistency with this DPA, the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will control.
2.1 Appointment of Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Code42 may use Sub-processors to Process the Customer Data as described in Section 6 of the DPA.
2.2 Notification of Sub-processors. Pursuant to Clause 11(4) of the Standard Contractual Clauses, Code42 will provide you a list of its Sub-processors and notify you of changes to its Sub-processors as described in Section 6 of the DPA.
2.3 Sub-processor Agreements. Upon request, Code42 will provide you with copies of its Sub-processor agreements pursuant to Clause 5(j) of the Standard Contractual Clauses. Code42 will remove all commercial and other terms unrelated to the protection of Personal Data from those agreements.
2.4 Sub-Processor Objection Right. You have a right to reasonably object to Code42’s use of a new Sub-processor as described in Section 6 of the DPA.
2.5 Audits Rights.
(A) You will conduct any audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses in accordance with this section 3.5 (Audit Rights). You may perform an on-site audit of Code42’s compliance with this Supplement if (1) you reasonably believe that Code42 is not complying with its obligations under this Supplement, or (2) such audit is legally required by Data Protection Laws and Regulations.
(B) You will provide written notice to Code42 to request an on-site audit of the procedures relevant to Code42’s Processing of Customer Data. Your notice will provide a detailed audit plan, including the scope, duration and timing. If there has been an external audit within the past year covering the scope of your audit plan, and if Code42 confirms that it has not materially changed any controls since that audit, then you will accept that audit report in place of your own audit.
(C) If you conduct your own audit, you and Code42 will mutually agree upon the scope, duration, and timing of the audit. If a third party is to conduct the audit on your behalf, that third party must be mutually agreed upon and under a written confidentiality agreement containing provisions substantially similar to those set forth in the Agreement. You will promptly notify Code42 regarding any non-compliance discovered during the audit and provide a full copy of the audit findings.
(D) You may only conduct an audit during normal business hours at Code42’s principal place of business. Your audit cannot unreasonably interfere with Code42’s day-to-day operations. You will conduct your audit at your expense. You will reimburse Code42 for any time spent on your on-site audit at Code42’s then-current professional services rates. Code42 will provide those rates to you on request.
3. Certification of Deletion. Code42 will provide you with the certification of deletion of Personal Data described in Clause 12(1) of the Standard Contractual Clauses only upon your request.
Exhibit B – Standard Contractual Clauses
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organization: the legal entity that is a party to the Agreement with Code42 Software, Inc.
(the data exporter)
Name of the data importing organization: Code42 Software, Inc.
Address: 100 Washington Avenue S, Suite 2000, Minneapolis, MN 55401, USA, Attn: General Counsel
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
The data exporter is the legal entity that is party to the Agreement with Code42 Software, Inc.
The data importer is Code42 Software, Inc., a global provider of data security and endpoint data storage.
The categories of data subjects whose personal data may be processed include: data exporter’s employees, consultants, contractors, agents, prospects, customers, vendors, business partners and users authorized to use the Services; employees or contacts of third parties data exporter conducts business with.
Categories of data
The personal data transferred may include the following categories of data: first and last name, employer, professional title, contact information (email, phone number, physical address), username, identification data (IP address, device ID) and any other personal data provided through the services; depending on the data exporter’s endpoint environment and naming conventions, data transferred may include personal data, such as that possibly found in a computer name, user name or file name.
Special categories of data (if appropriate)
The personal data transferred may include sensitive personal data, the extent of which is determined and controlled solely by the data exporter, and which may include: racial or ethnic origin; political opinions, religious or philosophical beliefs; trade-union membership; genetic or biometric data; health data; and data concerning sex-life or sexual orientation.
The personal data transferred may be subject to the following basic processing activities: cloud based storage, retrieval, erasure or destruction, disclosure by transmission, analysis and any other processing necessary to provide and improve the services pursuant to the Agreement; to provide technical support; and otherwise in accordance with the data exporter’s instructions or to comply with law.
Appendix 2 to the Standard Contractual Clauses
The description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Any capitalized term not otherwise defined herein shall have the meaning given in the Agreement.
Data importer will maintain administrative, technical and organizational safeguards for protection of the security, availability and integrity of Personal Data uploaded to the Software and Cloud Services, as described in the Information Security Addendum available at https://support.code42.com/Terms_and_conditions/Legal_terms_and_conditions/Information_security_addendum or otherwise made reasonably available by data importer.