Data Processing Addendum
This Data Processing Addendum (the “DPA”) is an addendum to the Order Form between Benevity, Inc. (“Benevity”) and Client (as defined in the Order Form) and is dated as of the Effective Date of the Order Form (together with the Terms of Service, the “Agreement”). Capitalized terms used but not defined herein shall have the meanings set forth in the Agreement.
(A) Benevity and Client entered into the Agreement that requires Benevity to process Personal Data on behalf of Client;
(B) This DPA sets out the additional terms, requirements, and conditions on which Benevity will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
1. Definitions: In this DPA, the following terms shall have the following meanings:
1.2. In the case of conflict or ambiguity between:
(b) the terms of the Agreement and any provision contained in the Appendices of this DPA, the provision contained in the Appendices will prevail;
(c) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail; and
(d) any of the provisions of this DPA and any executed SCC, the provisions of the executed SCC will prevail.
Where applicable, with respect to US Privacy Laws, Client is a “business” or “Controller” and is engaging Benevity as a “service provider” or “Processor” to Process Covered Personal Data in the performance of the Services on behalf of Client.
Should Benevity reasonably believe that a specific Processing activity is beyond the scope of the Client’s instructions but is required to comply with a legal obligation to which Benevity as Processor is subject, Benevity shall inform the Client of that legal obligation before undertaking such Processing.
3. Purpose limitation: Benevity shall Process the Personal Data as a Processor as necessary to perform its obligations under the Agreement, including performing the Services specified therein and strictly in accordance with the documented instructions of Client, provided this does not infringe Applicable Data Protection Law, and in such a case, Benevity shall notify Client of that legal requirement before Processing, unless the applicable law prohibits such notification (the “Permitted Purpose”).
Without prejudice to the terms of this Clause 3, Benevity is granted a “General Written Authorisation” under Clause 9 of the Standard Contractual Clauses to transfer Personal Data to any Subprocessors named in this DPA.
In no event shall Benevity Process the Personal Data for its own purposes or those of any third party.
For Personal Data protected under applicable US Privacy Laws, any Processing of Covered Personal Data is not for monetary or other valuable consideration, but instead to support the Services pursuant to the Agreement, and therefore does not constitute a sale of Covered Personal Data to Benevity. The Processor is expressly prohibited from selling or sharing the Covered Personal Data, retaining, using or disclosing the Covered Personal Data for any purpose other than the specific purpose of performing the Services, including retaining, using, or disclosing the Covered Personal Data for a commercial purpose other than providing the Services; and retaining, using, or disclosing the information outside of the direct business relationship.
4. International transfers: Benevity shall not Transfer the Personal Data (nor permit the Personal Data to be Transferred) across country borders unless: (a) it has first obtained Client's prior written consent; (b) it takes such measures as are necessary and legally required, such as entering into applicable Standard Contractual Clauses, to ensure the Transfer is in compliance with Applicable Data Protection Law; and (c) it has implemented all necessary additional measures and safeguards as required by Applicable Data Protection Laws. Client hereby consents to the Transfer of Personal Data between Canada and the United States and across country borders as may be required to facilitate the Services. Further, and for the avoidance of doubt, the Client hereby consents to the appointment by Benevity of Subprocessors located outside the UK and the EEA, and the Client authorizes Benevity to enter into the SCCs contained in this DPA with such of its Subprocessors as is appropriate.
5. Confidentiality of processing: Benevity shall ensure that any person that it authorizes to Process the Personal Data (including Benevity's staff, agents and subcontractors) (an "Authorized Person(s)") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. Benevity shall ensure that all Authorized Persons process the Personal Data only as necessary for the Permitted Purpose.
6. Security: Benevity shall implement appropriate technical and organizational measures to protect the Personal Data from Data Breaches. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures shall include the measures identified in Exhibit A of the Software and Service Information and as described in Appendix B of this DPA.
Additionally, Benevity will ensure that, as appropriate, its employees:
(a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Applicable Data Protection Law relating to handling Personal Data and how it applies to their particular duties; and
(c) are aware of their duties and obligations to support the Security measures set out at Appendix C to this DPA.
7. Subprocessing: Except as set out in this Section 7, Benevity shall not subcontract any Processing of the Personal Data to a third party Subprocessor without the prior written consent of Client. Client hereby consents to Benevity engaging third party Subprocessors to Process the Personal Data provided that: (a) Benevity provides the Client the opportunity to object to the use of a Subprocessor by providing at least thirty (30) days' prior notice of the addition of any new Subprocessor (including details of the scope of Processing it performs or will perform and the location and identity of the Subprocessor), which may be given by emailing details of such addition to Client; (b) Benevity carries out adequate due diligence on the Subprocessor to ensure it is capable of providing the level of protection of Personal Data required by this DPA; (c) Benevity imposes data protection terms on any new Subprocessor that protect the Personal Data to the same standard provided for by this DPA; and (d) Benevity remains fully liable for any breach of this DPA that is caused by an act, error or omission of its Subprocessor. A list of approved Subprocessors as at the date of this DPA is attached at Appendix A. If Client refuses Benevity’s appointment of a third-party Subprocessor on reasonable grounds relating to the protection of the Personal Data, then either Benevity will not appoint the Subprocessor or Client may elect to suspend or terminate the Agreement without penalty.
If Client terminates the Agreement pursuant to this Section 7, it does so without penalty or liability (other than for fees due and owing to Benevity for services performed prior to such termination).
8. Cooperation and Data Subjects’ Rights: Taking into account the nature of the Processing, Benevity shall provide assistance (including by appropriate technical and organizational measures) to Client to enable Client to respond to: (a) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data (together, a “Request”). In the event that any such Request is made directly to Benevity, Benevity shall promptly inform Client, providing full details of the same.
9. Data Protection Impact Assessment: Taking into account the nature, scope, context and purposes of the Processing, if the Client directs, or if Benevity believes or becomes aware that its Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Client and provide Client with all such reasonable and timely assistance as Client may require in order to conduct a Transfer Impact Assessment.
10. Data Breaches: Upon becoming aware of a Data Breach affecting Client’s Personal Data, Benevity shall inform Client without undue delay, and in any event within 24 hours. Benevity shall provide all such timely information and cooperation as Client may require in order for Client to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Such notification shall include, at a minimum: (a) a description of the nature of the breach (including, where possible, categories and approximate number of Data Subjects and Personal Data records concerned); (b) details of a contact point where more information can be obtained; (c) a description of the likely consequences of the Data Breach; and (d) a description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects. Benevity shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Personal Data Breach and shall keep Client up-to-date about all developments in connection with the Personal Data Breach.
11. Deletion or Return of Personal Data: Upon termination or expiry of the Agreement, Benevity shall (at Client’s election) destroy or return to Client all Personal Data (including all copies of the Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for Processing). Notwithstanding the foregoing, and only to the extent necessary for the prevention of fraud and to adhere to taxation record retention requirements, Benevity retains Personal Data pertaining to donation transactions in accordance with requirements under applicable laws, but in general for seven (7) years from the date of termination of the Agreement. The requirement to destroy or return herein shall also not apply to the extent that Benevity is required by any other applicable law to retain some or all of the Personal Data. In the event of any of the foregoing exceptions, Benevity shall isolate and protect the Personal Data from any further Processing except to the extent required for fraud prevention or by such law. In all cases, for so long as Personal Data is retained in accordance with this Section 11: (i) the obligations of confidentiality and security set out in the Agreement and this DPA shall apply in relation to that Personal Data; (ii) the Personal Data will not be used for any commercial purpose; and (iii) the Personal Data will be deleted or otherwise destroyed in a timely manner in accordance with Benevity’s document management/destruction policies.
12. Security Package, Audit and Inspection:
(a) Benevity Security Package. Upon request by Client, Benevity will provide initially and annually to Client, without charge, Benevity’s standard security package which includes copies of: (i) Benevity’s audit report performed by an independent third-party auditor; (ii) Benevity’s hosting provider’s audit report; (iii) PCI DSS attestations of compliance from payment processors used; and (iv) a completed industry-standard information security questionnaire (together the “Benevity Security Package”). Benevity will assist Client with reasonable inquiries that may not be covered by the Benevity Security Package. Where requests to complete Client’s security questionnaire are duplicative of material available in the Benevity Security Package, Benevity will charge a reasonable agreed-upon fee to Client for such additional assistance.
(b) Audit and Inspection. Benevity shall permit Client (or its third-party auditors) to inspect or audit for Benevity’s compliance with this DPA to the extent required by Applicable Data Protection Law with mutual agreement on scope, timing and duration, provided that Client gives at least thirty (30) days’ prior notice of its intention to inspect or audit, conducts its inspection or audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Benevity’s operations. Client shall ensure that its personnel (or its third-party auditors) adhere to Benevity’s reasonable internal security measures and are bound to confidentiality obligations no less stringent than those in the Agreement. Except for an audit or inspection as a result of Section 12(c)(i) and (ii) below, Benevity will charge a reasonable agreed-upon fee to Client for such additional assistance.
Any audits with respect to Benevity’s Subprocessor Amazon Web Services (AWS) shall be conducted in accordance with the AWS audit policy located at: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf.
(c) Annual Request. Client will not exercise its audit and inspection rights more than once in any twelve (12) calendar month period, except: (i) if and when required by instruction of a competent data protection authority; or (ii) Client reasonably believes a further audit is necessary due to a Data Breach suffered by Benevity.
13. Standard Contractual Clauses: The parties agree that when the Transfer of Personal Data from Client (as “data exporter”) to Benevity (as “data importer”) is a Restricted Transfer and Applicable Data Protection Law requires that appropriate safeguards are put in place, the Parties will be subject to the relevant Standard Contractual Clause(s). The relevant Standard Contractual Clause(s) will be deemed incorporated into and form a part of this DPA as follows:
(a) In relation to Transfers of Personal Data protected by the GDPR, the EU SCCs will be completed as follows:
(ii) Part 1: Table 2 to such UK Addendum shall be interpreted as referencing the EU SCC (module Controller to Processor) as completed in the EU SCC Exhibit;
(iii) Part 1: Table 3 – Annex 1A and 1B to such UK Addendum shall be deemed to be the same as Appendix B;
(iv) Part 1: Table 3 – Annex II to such UK Addendum shall be deemed to be the same as Appendix C;
(v) Part 1: Table 3 – Annex III to such UK Addendum shall be deemed to be the same as Appendix A; and
(vi) Parties agree to not complete Part 1: Table 4.
(i) in Clause 13, the Swiss FDPIC shall be the competent supervisory authority insofar as the data transfer is governed by the FADP with parallel supervision together with the EU competent supervisory authority;
(ii) in Clause 17, the law of the EU country specified shall be the governing law; and
(iii) in Clause 18, the courts of the EU country as specified shall be the choice of forum, but this shall not exclude individuals in Switzerland from the possibility of bringing a claim in their place of habitual residence in Switzerland, in accordance with Clause 18(c).
(e) Subject to terms required by Applicable Data Protection Law, the term of this DPA shall be for the period in which the Agreement remains in force (“DPA Term”) and shall not be terminated prior to the end of the DPA Term unless there is a material breach of this DPA or the parties agree in writing.