Exhibit C: SCLogic Data Processing Agreement (“DPA”) U.S. Clients
Definitions
Controller: The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Subscriber: The individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Data Protection Laws: The data protection or privacy laws of any country or state regarding the Processing of Personal Data.
Data Subject: An identified or identifiable natural person.
Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’).
Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This can include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
Processor: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.
Sub Processor: Any processor engaged by the main processor for carrying out specific processing activities on behalf of the controller.
Supervisory Authority: An independent, competent public authority established or recognized under Data Protection Laws.
Introduction
Purpose of the DPA
This Data Processing Addendum (“DPA”) is an integral part of the agreement between SCLogic, LLC (“SCLogic”) and Subscriber that governs the Subscriber’s usage and access to SCLogic’s Services (“Agreement”). Any capitalized terms not explicitly defined in this DPA shall have the meaning given in the Agreement.
Roles of parties involved
Subscriber and SCLogic agree that Subscriber is a Controller and SCLogic is a Processor. Each party is solely responsible for its compliance with applicable Data Protection Laws and fulfilling any related obligations to third parties, Data Subjects, and Supervisory Authorities.
Subscriber as the Controller
- Subscriber is exclusively responsible for the accuracy of Personal Data and the legality of the methods they use to obtain, disclose, and process Personal Data.
- Subscriber’s instructions for processing Personal Data will adhere to Data Protection Laws and will be appropriately authorized, ensuring all necessary rights, permissions, and consents have been obtained.
SCLogic as the Processor
- SCLogic will process Personal Data only as instructed by Subscriber in writing or as initiated by authorized users via an SCLogic online service.
- SCLogic will process Personal Data only as necessary to provide the Services and prevent or address technical problems with an SCLogic online service.
- SCLogic will process Personal Data as required by applicable law. SCLogic agrees to immediately inform Subscriber if SCLogic believes that any instruction to process Personal Data violates or would violate Data Protection Laws.
- SCLogic will implement and maintain appropriate technical and organizational security measures, such as encryption, access controls, and regular testing of security systems to protect Personal Data from unauthorized access, destruction, or alteration.
- SCLogic will assist the Subscriber with Data Protection Impact Assessments (DPIAs) where required by applicable laws, considering the nature of processing and the information available to SCLogic.
- SCLogic will ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality.
Scope and Purpose of Processing
Description of the data being processed
The data processed on behalf of the Subscriber is internal directory-type data to enable routing and delivery of items and services to the correct recipient(s). At minimum, the processed data elements may include name, department, delivery address, telephone number, and email address (for email notifications). The types of Personal Data and categories of Data Subject about whom the Personal Data relates are determined and controlled solely by the Subscriber. The processing of sensitive data elements is not necessary for the successful operation of SCLogic services.
The purpose and duration of the data processing
Processing of Personal Data by SCLogic is reasonably required to facilitate or support the provision of Services as described under the Agreement and this DPA. This Data Processing is integral to the provision of SCLogic’s services and will continue as long as the Agreement between Subscriber and SCLogic is in effect. SCLogic undertakes not to use Personal Data for any purposes other than those specified in the Agreement.
Data retention and deletion procedures
Upon the termination of the Agreement, SCLogic commits to either securely delete or return the Subscriber’s data, as per the Subscriber’s specified choice. SCLogic will delete existing copies of Personal Data unless applicable law requires storage. The Subscriber’s data will be preserved for a duration not exceeding 90 days following the cessation of the Agreement.
Obligations of the Processor
Compliance with all applicable laws
The Processor shall comply with all applicable data protection laws, regulations, and guidelines that govern the processing of Personal Data. This includes, but is not limited to, the General Data Protection Regulation (GDPR) in the European Union and any relevant national or regional data protection laws.
Procedures for reporting data breaches
In the event of a Data Breach, the Processor shall promptly notify the Controller without undue delay. The notification shall include all relevant details of the breach, including the nature of the incident, the types of personal data involved, the likely consequences, and any measures taken or proposed to address the breach. The Processor shall cooperate with the Controller and assist in fulfilling any obligations to notify the relevant supervisory authority or affected individuals, as required by applicable laws.
Assistance to the Controller in fulfilling individual rights requests
The Processor shall provide reasonable assistance to the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws. This may include, but is not limited to, assisting the Controller in fulfilling requests for access, rectification, erasure, restriction of processing, data portability, or objections to processing.
SCLogic shall respond to such requests within 30 days or a mutually agreed-upon timeframe, based on the nature and complexity of the request.
SCLogic will inform the Subscriber without undue delay if it receives a request directly from a Data Subject regarding Personal Data controlled by the Subscriber.
Data security incident response procedures
SCLogic shall maintain documented incident response procedures to respond to data security incidents effectively and promptly. These procedures will include the identification and assessment of incidents, containment and mitigation measures, notification to the relevant parties, investigation and remediation of the incident, and any necessary actions to prevent similar incidents in the future. SCLogic shall regularly test and review these procedures to ensure their effectiveness and make any necessary improvements.
Sub Processors
SCLogic may engage Sub Processors to process personal data on the Controller’s behalf. Sub Processors may be engaged to assist with hosting, infrastructure, service, or support.
Conditions for engaging Sub Processors
SCLogic will carry out appropriate due diligence on each Sub Processor. A written agreement shall be established with each Sub Processor which includes provisions for processing personal data that are at least as protective as those set forth in this DPA.
Where required by law, SCLogic will obtain the Subscriber’s prior general written authorization to engage Sub Processors. SCLogic will notify Subscriber of any intended changes concerning the addition or replacement of Sub Processors, giving the Subscriber the opportunity to object to such changes within 10 business days.
SCLogic’s Sub Processors
SCLogic maintains a current list of Sub Processors in the SCLogic Trust Center: https://trust.sclogic.com/. This Sub Processor list may be updated from time to time in accordance with this DPA. The Controller authorizes SCLogic to use any identified Sub Processors subject to the terms and conditions of this DPA.
Technical and Organizational Security Measures
Implementation of appropriate security measures
The Processor shall implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall be designed to ensure a level of security appropriate to the risks presented by the processing and the nature of the Personal Data.
SCLogic maintains a current list of technical and organizational security measures in the SCLogic Trust Center: https://trust.sclogic.com/
Audit Rights
Audit and Reporting
SCLogic shall conduct annual audits to verify the adequacy of its security measures and controls (“Audit”). The Audit shall be carried out by independent third-party security professionals selected by SCLogic and at SCLogic’s expense.
SCLogic’s annual audits shall include testing the security measures and controls of the online Services, in accordance with AICPA SOC 2 standards or other equivalent standards. The results of the Audit shall generate at least a SOC 2 report or its substantive equivalent. Additionally, penetration testing of the online Services shall be conducted, resulting in the generation of a penetration test report executive summary.
The reports generated from the Audit shall be provided to the Subscriber upon written request, subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement. Each report will specifically discuss the online Services that were commercially available at the time the report was issued. Any subsequently released Services that are covered by this report will be included in the next annual iteration of that report.
Subscriber Audit
Upon the Subscriber’s written request, SCLogic shall provide reasonable assistance to the Subscriber with respect to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of SCLogic’s Processing activities and the information available to SCLogic. If the Subscriber requires additional information for compliance with Data Protection Laws beyond the aforementioned reports, and is unable to access such information independently, the Subscriber may request an Audit, subject to the following conditions:
- Subscriber shall be responsible for any expenses incurred by or related to the Subscriber-requested Audit.
- The Subscriber shall provide SCLogic with reasonable advance notice, including the identity of the auditor and the anticipated date and scope of the Audit.
- SCLogic shall approve the auditor by providing notice to the Subscriber. Such approval shall not be unreasonably withheld.
- The Subscriber and the auditor shall take measures to prevent any damage, injury, or disruption to SCLogic’s premises, equipment, or business during the course of the Audit.
- The Subscriber shall initiate only one Audit in any calendar year, unless otherwise required by a Supervisory Authority or applicable law.
- SCLogic shall not unreasonably withhold or delay its consent to an audit or inspection.
Data Transfers
SCLogic will not transfer Subscriber Personal Data outside of the U.S., unless such transfer(s) is explicitly requested by Subscriber.
U.S.-based Subscribers who request that international data transfers be included in the scope of their engagement with SCLogic acknowledge and agree that the Processing of Subscriber Personal Data by SCLogic may involve an international transfer of Subscriber Personal Data to SCLogic.
SCLogic is committed to providing the necessary safeguards for these transfers in compliance with Data Protection Laws. This includes adhering to EU Standard Contractual Clauses approved by relevant authorities and implementing robust technical and organizational security measures. These measures are designed to safeguard Subscriber Personal Data against unauthorized access or breaches, ensuring ongoing confidentiality, integrity, and availability of the data.
Further details regarding these security measures can be accessed from the SCLogic Trust Center: https://trust.sclogic.com/
This data transfer provision, including all implemented measures, will be periodically reviewed to ensure continued compliance with evolving Data Protection Laws.
Data Subjects’ Rights
Procedure to handle data subjects’ requests
SCLogic will provide Subscriber access to Subscriber Personal Data via the online Services to allow Subscriber to respond to Data Subject requests. Subscriber-validated Data Subject requests should be sent to [email protected] for prompt resolution.
Cooperation between controller and processor in fulfilling these rights
SCLogic will notify the Subscriber without undue delay, and in any event within 10 business days, following receipt and verification of any request received directly from a Data Subject relating to Personal Data controlled by the Subscriber. SCLogic may only respond directly to a Data Subject:
- To verify that such request relates to Subscriber
- With written consent of Subscriber
- As required by applicable law
Except as provided herein, SCLogic has no intention of responding to or fulfilling any Data Subject requests directly.
At Subscriber’s written request and to the extent Subscriber is unable to access Subscriber Personal Data on its own, SCLogic will provide reasonable assistance to Subscriber to facilitate the handling of Data Subject requests. To the extent legally permitted, Subscriber will be responsible for any expenses attributable to SCLogic’s assistance efforts outside the normal course of business.
Breach Notification
SCLogic will notify the Controller in writing without undue delay and within 72 hours of becoming aware of a Data Breach.
SCLogic will investigate and, as necessary, mitigate or remediate a Data Breach in accordance with SCLogic’s security incident response policies, procedures, and plans.
Subject to SCLogic’s legal obligations, SCLogic will provide the Controller with relevant Data Breach information that is in SCLogic’s possession resulting from its response measures. This information may encompass details regarding the incident’s nature, any known specific information disclosed, and pertinent mitigation or remediation efforts. The purpose of providing this Breach Information is to assist the Controller in fulfilling its obligations under Data Protection Laws following a Data Breach.
GDPR & the UK GDPR
Where any client (here referred to as “controller”) data processed by SCLogic is the personal information of one or more EU residents or one or more UK residents, and is accordingly subject to the GDPR or the UK GDPR respectively, the following shall apply:
- SCLogic uses the Standard Contractual Clauses (SCCs) as a basis for transfer of data for its services.
- SCLogic will only act on the controller’s documented instructions unless required by relevant law to act without such instructions.
- SCLogic will ensure that people processing the data are subject to a duty of confidentiality.
- SCLogic will take appropriate measures to ensure the security of processing.
- SCLogic will only engage a sub-processor with the controller’s prior authorization and under a written contract.
- SCLogic will take appropriate measures to help the controller respond to requests for individuals to exercise their rights.
- Taking into account the nature of the processing and the information available, SCLogic will assist the controller in meeting its GDPR or UK GDPR obligations, as relevant, in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments.
- SCLogic will delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and SCLogic will also delete existing personal information/data unless the law requires its storage; and
- SCLogic will submit to audits and inspections as legally required. SCLogic will also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.