Last Updated: May 2021
Canalyst Financial Modeling Corporation Data Processing Addendum to the Service Agreement (the “Addendum”)
1. Definitions.
For purposes of this Addendum:
a. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”) and the Australian Privacy Act No. 119 of 1988 (“Australian Privacy Act”). For the avoidance of doubt, if Canalyst’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
b. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
c. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in relation to the current version of the agreement between the Parties governing the services (“Service Agreement”).
d. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
e. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purposes of Processing.
a. Canalyst will Process Personal Data solely: (1) to fulfill its obligations to Client under the Service Agreement, including this Addendum; (2) on Client’s behalf; and (3) in compliance with Data Privacy Laws. Canalyst will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
b. Canalyst will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Client.
3. Personal Data Processing Requirements.
Canalyst will:
a. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Upon written request of Client, assist Client in the fulfilment of Client’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data), at Client’s reasonable expense.
c. Promptly notify Client of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Canalyst’s Processing of Personal Data on Client’s behalf, unless prohibited by Data Privacy Laws. Canalyst will provide Client with reasonable cooperation and assistance in relation to any such request. If Canalyst is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Client, Canalyst shall inform Client that it can no longer comply with Client’s instructions under this Addendum without providing more details and await Client’s further instructions.
d. Provide reasonable assistance to and cooperation with Client for Client’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Privacy Laws, and at Client’s reasonable expense.
e. Provide reasonable assistance to and cooperation with Client for Client’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Canalyst under Data Privacy Laws to consult with a regulatory authority in relation to Canalyst’s Processing or proposed Processing of Personal Data.
4. Data Security.
Canalyst will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit A to this Addendum.
5. Security Breach.
Canalyst will notify Client promptly of any known Security Breach and will assist Client in Client’s compliance with its Security Breach-related obligations, including without limitation, by:
a. Taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
b. Providing Client with the following information, to the extent known:
i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
ii. The likely consequences of the Security Breach; and
iii. Measures taken or proposed to be taken by Canalyst to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Subprocessors.
a. Client acknowledges and agrees that Canalyst may use Canalyst affiliates and other subprocessors to Process Personal Data in accordance with the provisions within this Addendum and Data Privacy Laws. Where Canalyst sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Canalyst will take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Privacy Laws.
b. If Canalyst processes Personal Data of residents in the European Economic Area (“EEA”), Switzerland, or the United Kingdom on Client’s behalf, Canalyst will provide a current list of Canalyst’s subprocessors upon Client’s request, and Client hereby consents to Canalyst’s use of such subprocessors. Canalyst will maintain an up-to-date list of its subprocessors, and upon Client’s request, it will provide Client with notice of any new subprocessor added to the list. In the event Client objects to a new subprocessor, Canalyst will use reasonable efforts to make available to Client a change in the services or recommend a commercially reasonable change to, Client’s use of the services to avoid Processing of Personal Data by the objected-to subprocessor without unreasonably burdening the Client.
7. Data Transfers.
To the extent that Canalyst Processes Personal Data of Data Subjects located in or subject to the applicable Data Protection Laws of the EEA, Switzerland, and the United Kingdom, by signing this Addendum, Canalyst agrees to be bound by the standard contractual clauses for the transfer of personal data from these jurisdictions to processors established in third countries that the European Commission has decided do not provide adequate protection for Personal Data (Commission Decision 2010/87/EC) (“Model Clauses”) located here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087. In case of conflict between the Model Clauses and this Addendum, the Model Clauses will prevail.
a. For purposes of Appendix 1 of the Model Clauses:
i. The data exporter is Client.
ii. The data importer is Canalyst.
iii. The applicable data subjects are any data subjects residing in the EEA, the United Kingdom, and Switzerland.
iv. The categories of Personal Data include any Personal Data as defined herein of applicable Data Subjects that are transferred from Client to Canalyst in the course of Canalyst’s performance of services for Client.
v. Canalyst’s Processing activities shall be limited to those discussed in the underlying Service Agreement and in this Addendum.
b. For purposes of Appendix 2 of the Model Clauses, Exhibit A to this Addendum shall apply.
8. Audits.
Canalyst will make available to Client all reasonable information necessary to demonstrate compliance with this Addendum as it relates to Client and will allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, provided that, such audit shall occur nor more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent Canalyst’s personnel are required to cooperate thereupon, during Canalyst’s normal business hours.
9. Return or Destruction of Personal Data.
Except to the extent required otherwise by Data Privacy Laws, Canalyst will, at the choice of Client, return to Client and/or securely destroy all Personal Data upon (a) written request of Client or (b) termination of the Service Except to the extent prohibited by Data Privacy Laws, Canalyst will inform Client if it is not able to return or delete the Personal Data.
10. Survival.
The provisions of this Addendum survive the termination or expiration of the Service Agreement for so long as Canalyst or its subprocessors Process the Personal Data.
Exhibit A
CANALYST’S DATA SECURITY MEASURES
Canalyst will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
Canalyst’s Information Security Program includes specific security requirements for its personnel and all subprocessors or agents who have access to Personal Data (“Data Personnel”). Canalyst’s security requirements covers the following areas:
a. Information Security Policies and Standards. Canalyst will maintain information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
b. Physical Security. Canalyst will maintain commercially reasonable security systems at all Canalyst sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
c. Organizational Security. Canalyst will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
d. Network Security. Canalyst maintains commercially reasonable information security policies and procedures addressing network security.
e. Access Control. Canalyst agrees that: (1) only authorized Canalyst staff can grant, modify or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
f. Virus and Malware Controls. Canalyst protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
g. Canalyst has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.