Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Brighton Science Master Service Agreement (the “Agreement”) and is entered by the parties to reflect their agreement with regard to Processing of Personal Data.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Service pursuant to the Agreement, Brighton Science may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting in good faith.
a) “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
b) “Data Protection Law” means the laws and regulations applicable to the Processing of Personal Data under the Agreement.
c) “Data Subject” means an identified or identifiable natural person as defined by Data Protection Law.
d) “GDPR” means the General Data Protection Regulation 2016/679.
e) “New SCC Relevant Transfer” means a transfer (or an onward transfer) to a Third Country of Personal Data that is either subject to GDPR or to applicable Data Protection Law and where any required adequacy means under GDPR or applicable Data Protection Law can be met by entering into the New Standard Contractual Clauses.
f) “New Standard Contractual Clauses” means the standard contractual clauses, published by the European Commission, reference 2021/914 or any subsequent final version thereof which shall automatically apply. To avoid doubt Modules 2 and 3 shall apply as set out in Section 8.
g) “Personal Data” has the meaning given to that term in Data Protection Law. Personal Data is a sub-set of Customer Data (as defined under the Agreement).
h) “Personal Data Breach” means a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized third-party access to Personal Data; or similar incident involving Personal Data, in each case for which a Controller is required under Data Protection Law to provide notice to competent data protection authorities or Data Subjects.
i) “Process” and its correlate, “Processing”, means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as, but not limited to, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination.
j) “Processor” means the entity which Processes Personal Data on behalf of the Controller.
k) “Subprocessor” means Brighton Science Affiliates and third parties engaged by Brighton Science or its Affiliates in connection with the Service and which Process Personal Data in accordance with this DPA.
l) “Technical and Organizational Measures” means the technical and organizational measures for the Service set out in Schedule 2.
m) “Third Country” means any country, organization or territory not acknowledged by the European Union under Article 45 of GDPR as a safe country with an adequate level of data protection.
a) Purpose and Application. This DPA is incorporated into the Agreement and forms part of a written contract between Brighton Science and Customer. This DPA applies to Personal Data which is Processed by Brighton Science and its Subprocessors in connection with its provision of the Service.
b) Structure. Schedules 1 through 3 are incorporated into and form part of this DPA. They set out the agreed subject-matter, the nature and purpose of the Processing, the type of Personal Data, categories of data subjects (Schedule 1), the applicable Technical and Organizational Measures (Schedule 2), and Brighton Science’s current Subprocessors (Schedule 3).
c) Governance. Brighton Science acts as a Processor and Customer and its Authorized Users act as Controllers under the DPA. Customer acts as a single point of contact and shall obtain any relevant authorizations, consents and permissions for the Processing of Personal Data in accordance with this DPA, including, where applicable approval by Controllers to use Brighton Science as a Processor.
a) Applicability of the Technical and Organizational Measures. Brighton Science has implemented and will apply the Technical and Organizational Measures. Customer has reviewed such measures and agrees that the measures are appropriate with respect to the Service taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the Processing of Personal Data.
b) Changes. Customer acknowledges that Brighton Science applies the Technical and Organizational Measures to Brighton Science’s entire customer base hosted out of the same data center or receiving the same Service. Brighton Science may change the Technical and Organizational Measures at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.
4) BRIGHTON SCIENCE OBLIGATIONS
a) Instructions from Customer. Brighton Science will Process Personal Data only in accordance with documented instructions from Customer. The Agreement (including this DPA) constitutes such documented initial instructions and each use of the Service then constitutes further instructions. Brighton Science will use reasonable efforts to follow any other Customer instructions, as long as they are required by Data Protection Law, technically feasible and do not require changes to the Service. If any of the foregoing exceptions apply, or Brighton Science otherwise cannot comply with an instruction or is of the opinion that an instruction infringes Data Protection Law, Brighton Science will promptly notify Customer.
b) Processing Required by Law. Brighton Science may also Process Personal Data where required to do so by applicable law. In such a case, Brighton Science will inform Customer of that legal requirement before Processing unless that law prohibits such information on grounds of public interest.
c) Personnel. To Process Personal Data, Brighton Science and its Subprocessors will only grant access to authorized personnel who have committed themselves to confidentiality. Brighton Science and its Subprocessors will regularly train personnel having access to Personal Data in applicable data security and data privacy measures.
d) Cooperation. At Customer’s request, Brighton Science will reasonably cooperate with Customer in dealing with requests from Data Subjects or regulatory authorities regarding Brighton Science’s Processing of Personal Data or any Personal Data Breach. If Brighton Science receives a request from a Data Subject in relation to the Personal Data Processing hereunder, Brighton Science will promptly notify Customer (where the Data Subject has provided information to identify the Customer) via email and will not respond to such request itself but instead ask the Data Subject to redirect its request to Customer. In the event of a dispute with a Data Subject as it relates to Brighton Science’s Processing of Personal Data under this DPA, the parties will keep each other informed and, where appropriate, reasonably cooperate with the aim of resolving the dispute amicably with the Data Subject.
e) Personal Data Breach Notification. Brighton Science will notify Customer without undue delay after becoming aware of any Personal Data Breach and provide reasonable information in its possession to assist Customer to meet Customer’s obligations to report a Personal Data Breach as required under Data Protection Law. Brighton Science may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by Brighton Science.
f) Data Protection Impact Assessment. If, pursuant to Data Protection Law, Customer (or any of its own Controllers) is required to perform a data protection impact assessment or prior consultation with a regulator, at Customer’s request, Brighton Science will provide such documents as are generally available in connection with the Service (for example, this DPA, the Agreement, audit reports and certifications). Any additional assistance shall be mutually agreed between the parties.
5) DATA EXPORT AND DELETION
a) Export and Retrieval by Customer. During the Term and subject to the Agreement, Customer can access its Personal Data at any time. Customer may export and retrieve its Personal Data in a standard format. Export and retrieval may be subject to technical limitations, in which case Brighton Science and Customer will find a reasonable method to allow Customer access to Personal Data.
b) Deletion. Brighton Science will return to Customer promptly upon request and, to the extent allowed by applicable law, delete all Personal Data as further set forth in the Agreement. Brighton Science will ensure that any Subprocessors adhere to the same obligation.
a) Customer Audit. Subject to Section 6(b), Brighton Science will make available to Customer on request all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by Customer or a third-party auditor chosen by Customer in relation to the Processing of Personal Data by Brighton Science or its Subprocessors. Information and audit rights only arise to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
b) Scope and Cost of Audit. Customer will provide at least 60 days’ advance notice of any audit unless mandatory Data Protection Law or a competent data protection authority requires shorter notice. The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith. Customer audits shall be limited in time to a maximum of 3 business days. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. Customer shall provide the results of any audit to Brighton Science. Customer shall bear the costs of any audit unless such audit reveals a material breach by Brighton Science of this DPA, in which case Brighton Science shall bear its own expenses for such audit. If an audit determines that Brighton Science has breached its obligations under the DPA, Brighton Science will promptly remedy the breach at its own cost.
a) Permitted Use. Brighton Science is granted a general authorization to subcontract the Processing of Personal Data to Subprocessors, provided that: (i) Brighton Science or Brighton Science Affiliates acting on its behalf will engage Subprocessors under a written contract consistent with the terms of this DPA in relation to the Subprocessor’s Processing of Personal Data; (ii) Brighton Science will be liable for any breaches by the Subprocessor in accordance with the terms of the Agreement; and (iii) Brighton Science will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection to establish that it is capable of providing the level of protection of Personal Data required by this DPA. Brighton Science’s list of Subprocessors in place on the effective date of the Agreement is set out in Schedule 3.
b) Objection to New Subprocessors. Customer may object to use by Brighton Science of a new Subprocessor by notifying Brighton Science in writing within 10 business days after receipt of information of any intended changes concerning the addition of a new Subprocessor. In the event Customer objects to a new Subprocessor, as permitted in the preceding sentence, Brighton Science will use reasonable efforts to make available a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Brighton Science is unable to make available such change within a reasonable period of time, which shall not exceed 60 days, Customer may terminate the Agreement with respect only to the Service which cannot be provided without the use of the objected-to new Subprocessor by providing written notice in accordance with the Agreement. Brighton Science will refund any prepaid fees covering the remainder of the Term of the Agreement following the effective date of termination with respect to such terminated Service, without imposing a penalty for such termination on Customer.
c) Emergency Replacement. Brighton Science may replace a Subprocessor without notice where the reason for the change is outside of Brighton Science’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Brighton Science will inform Customer of the replacement Subprocessor as soon as possible following its appointment.
8) INTERNATIONAL PROCESSING
a) Conditions. Brighton Science shall be entitled to Process Personal Data, including by using Subprocessors, in accordance with this DPA outside the country in which the Customer is located as permitted under Data Protection Law.
b) Applicability of New Standard Contractual Clauses. The following will apply with effect from 27 September 2021 and will solely apply in respect of New SCC Relevant Transfers:
i) Where Brighton Science is not located in a Third Country and acts as a data exporter, Brighton Science has entered into the New Standard Contractual Clauses with each Subprocessor as the data importer. Module 3 (Processor to Processor) of the New Standard Contractual Clauses shall apply to such New SCC Relevant Transfers.
ii) Where Brighton Science is located in a Third Country, Brighton Science and Customer hereby enter into the New Standard Contractual Clauses with Customer as the data exporter and Brighton Science as the data importer which shall apply as follows:
(1) Module 2 (Controller to Processor) shall apply where Customer is a Controller; and
(2) Module 3 (Processor to Processor) shall apply where Customer is a Processor. Where Customer acts as Processor under Module 3 (Processor to Processor) of the New Standard Contractual Clauses, Brighton Science acknowledges that Customer acts as Processor under the instructions of its Controller(s).
iii) Other Controllers or Processors whose use of the Service has been authorized by Customer under the Agreement may also enter into the New Standard Contractual Clauses with Brighton Science in the same manner as Customer in accordance with Section 8(b) above. In such case, Customer enters into the New Standard Contractual Clauses on behalf of the other Controllers or Processors. With respect to a New SCC Relevant Transfer, on request from a Data Subject to the Customer, Customer may make a copy of Module 2 or 3 of the New Standard Contractual Clauses entered into between Customer and Brighton Science (including the relevant Schedules), available to Data Subjects.
c) Relation of the Standard Contractual Clauses to the Agreement. Nothing in the Agreement shall be construed to prevail over any conflicting clause of the New Standard Contractual Clauses. For the avoidance of doubt, where this DPA further specifies audit and Subprocessor rules, such specifications also apply in relation to the New Standard Contractual Clauses.
d) Third Party Beneficiary Right Under the New Standard Contractual Clauses. Where Customer is located in a Third Country and acting as a data importer under Module 2 or Module 3 of the New Standard Contractual Clauses and Brighton Science is acting as Customer’s subprocessor under the applicable Module, the respective data exporter shall have the following third party beneficiary right: in the event that Customer has factually disappeared, ceased to exist in law or has become insolvent (in all cases without a successor entity that has assumed the legal obligations of the Customer by contract or by operation of law), the respective data exporter shall have the right to terminate the affected Service solely to the extent that the data exporter’s Personal Data is Processed. In such event, the respective data exporter also instructs Brighton Science to erase or return the Personal Data.
e) Governing Law. The governing law of the New Standard Contractual Clauses shall be the law of the country where Customer is domiciled.
9) DOCUMENTATION; RECORDS OF PROCESSING
a) Responsibilities of the Parties. Each party is responsible for its own compliance with its documentation requirements, in particular maintaining records of Processing where required under Data Protection Law. Each party shall reasonably assist the other party in its documentation requirements, including providing the information the other party needs from it in a manner reasonably requested by the other party (such as using an electronic system), in order to enable the other party to comply with any obligations relating to maintaining records of Processing.
a) Governing Law. Without prejudice to Section 8(e) of this DPA, or to any clauses of the New Standard Contractual Clauses stipulating governing law or dispute resolution procedures, the parties to this DPA hereby submit to the choice of jurisdiction and governing law stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA.
b) Severability. Should any provision of this DPA be deemed to be invalid or unenforceable, then the remainder of this DPA will remain valid and in force and the invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the intention of the parties as closely as possible, or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
c) Liability. The parties’ liability under this DPA shall be subject to the same limitation of liability as agreed between the parties in the Agreement. For the avoidance of doubt, nothing in this DPA or the Agreement relieves either party of its own direct responsibilities and liabilities under Data Protection Law.
This Schedule 1 applies to describe the Processing of Personal Data for the purposes of the New Standard Contractual Clauses and applicable Data Protection Law.
1) List of the Parties
a) Module 2: Transfer Controller to Processor. Where Brighton Science is located in a Third Country, Customer is the Controller and Brighton Science is the Processor, then Customer is the data exporter and Brighton Science is the data importer.
b) Module 3: Transfer Processor to Processor. Where Brighton Science is located in a Third Country, Customer is a Processor and Brighton Science is a Processor, then Customer is the data exporter and Brighton Science is the data importer.
2) Description of the Transfer
a) Data Subjects. Unless provided otherwise by the data exporter, transferred Personal Data relates to the following categories of Data Subjects: employees, contractors, business partners or other individuals having Personal Data stored in the Service, transmitted to, made available to, accessed or otherwise Processed by the data importer.
b) Data Categories. Customer determines the categories of data per Service subscribed. Customer can configure the data fields during implementation of the Service or as otherwise provided by the Service. The transferred Personal Data typically relates to the following categories of data: name, phone numbers, e-mail address, system access / usage / authorization data, company name, plus any application-specific data that Authorized Users enter into the Service.
c) Purposes of the Data Transfer and Further Processing; Nature of the Processing. The transferred Personal Data is subject to the following basic processing activities:
i) The purpose of the transfer is to provide and support the Service.
ii) Enable custom, personalized experiences.
3) Competent Supervisory Authority
a) In respect of the New Standard Contractual Clauses:
i) Module 2: Transfer Controller to Processor
ii) Module 3: Transfer Processor to Processor
b) Where Customer is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13 of the New Standard Contractual Clauses.
This Schedule 2 applies to describe the applicable technical and organizational measures for the purposes of the New Standard Contractual Clauses and applicable Data Protection Law.
Brighton Science will apply and maintain the Technical and Organizational Measures.
To the extent that the provisioning of the Service comprises New SCC Relevant Transfers, the Technical and Organizational Measures set out in Schedule 2 describe the measures and safeguards which have been taken to fully take into consideration the nature of the Personal Data and the risks involved. If local laws may affect the compliance with the clauses, this may trigger the application of additional safeguards applied during transmission and to the processing of the personal data in the country of destination (if applicable: encryption of data in transit, encryption of data at rest, anonymization, pseudonymization).
The technical and organizational security measures that Brighton Science has in place for any system that processes Personal Data in order to prevent improper destruction, alteration, disclosure, access, and other improper forms of Processing of information exported by the data exporter to the data importer, include the following areas:
- Non-Disclosure Agreements
- Customer Sensitive Information Protection
- Anti-Bribery and Anti-Corruption
- Handling Customer Property
- Building Access
- Secrecy and Security Awareness
- Incident Response Plan
- System Security Plan for Controlled Unclassified Information
- Customer Communication and Satisfaction
- Contingency Plans
The list of Subprocessors can be found here.