Last Modified: April 22, 2021
This Infront X Data Processing Addendum (“DPA”), that includes the Standard Contractual Clauses adopted by the European Commission, and a US Data Processing Addendum, as applicable, forms part of and is attached to the Master Services Agreement, Corebine PaaS Agreement, iX Engage Terms of Service, or any other respective master services agreement or statement of work applicable (individually and collectively, the “Agreement”) between Infront X, LLC, a Delaware limited liability company (“Infront X”), and you, the person or entity, who engages Infront X for the Services pursuant to an Agreement (“Client”).
This DPA, in addition to the terms contained herein, consists of:
(i) Standard Contractual Clauses, attached hereto as EXHIBIT 1.
(a) Appendix 1 to the Standard Contractual Clauses, which includes specifics on the Personal Data transferred by the data exporter to the data importer.
(b) Appendix 2 to the Standard Contractual Clauses, which includes a description of the technical and organizational security measures implemented by the data importer as referenced.
(ii) List of Sub-Processors, attached hereto as EXHIBIT 2.
(iii) US DATA PROCESSING ADDENDUM, attached hereto as Exhibit 3 (if applicable).
1. Scope and Effective Date
a. Application of these Terms. These terms will only apply to the extent that the Data Protection Law applies to the processing of Personal Data by Infront X on behalf of Client, including if:
(i) the processing is in the context of the activities of an establishment of Client in the EEA; and/or
(ii) Personal Data relates to Data Subjects who are in the EEA and the processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA.
b. Scope: This DPA reflects the parties’ agreement with respect to the Personal Data that is processed by Infront X on behalf of Client in the course of Infront X providing custom and product digital platform design, development, managed services and related professional services, including digital strategy consulting, as defined in the Agreement between Client and Infront X (collectively, the “Services”).
c. Binding Agreement. The individual or legal entity accepting these terms on behalf of Client, represents and warrants that: (i) it has full legal authority to bind Client to these terms; (ii) it has read and understand these terms; and (iii) agrees, on behalf of Client, to these terms.
d. Effective Date. This DPA is an amendment to the Agreement, incorporated by reference, and is effective the later of (i) May 25, 2018 and (ii) the effective date of the Agreement (“Effective Date”) and will continue until the deletion of Personal Data by Infront X as described in these terms.
e. Priority and Interpretation. The DPA will supersede any existing data privacy and protection provisions to the contrary in the Agreement. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses in Exhibit 1, the Standard Contractual Clauses shall prevail. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
f. Client Acknowledgement. By agreeing to this DPA, Client is not acknowledging or agreeing that Client and/or any Client Data is subject to the Data Protection Law or the California Consumer Privacy Act (“CCPA”). Infront X’s CCPA Data Processing Addendum can be found here.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Addendum, unless otherwise expressly indicated in the respective Agreement, Client shall be the Controller.
“Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.
“Data Subject” means the individual to whom Personal Data relates.
“EEA” means the European Economic Area, being the European Union member states, Iceland, Liechtenstein and Norway.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” means any information relating to an identified or identifiable Data Subject; an identifiable Data Subject is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the clauses attached hereto as Exhibit 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-Processor” means third parties authorized under these terms to have logical access to and process Personal Data in order to provide parts of the Services and any related technical support.
3. Details of the Processing
a. Roles and Authorization. The parties acknowledge and agree that:
i. Infront X is a Processor of Personal Data under the Data Protection Law;
ii. Client is a Controller or processor, as applicable, of Personal Data under the Data Protection Law; and
iii. each party will comply with the obligations applicable to it under the Data Protection Law with respect to the processing of Personal Data.
b. Categories of Data Subjects. Personal Data will concern the following categories of Data Subjects:
i. Data Subjects about whom Infront X collects Personal Data in its provision of the Services; and/or
ii. Data Subjects about whom personal data is transferred to Infront X in connection with the Services by, at the direction of, on or on behalf of Client.
Depending on the nature of the Services, these Data Subjects may include individuals: (i) to whom online advertising has been, or will be, directed; (ii) who have visited websites or applications in respect of which Infront X provides the Services; and/or (iii) who are end-users of Client’s products or services.
c. Categories of Personal Data. Personal Data may include the following categories, to the extent applicable to the Services and related administration incidental to the Services (e.g. invoicing): an identifier such as a name or identification number, location data, online behavior, online identifiers such as cookies, pseudonymous data (personal data made into a pseudonym but identifies an individual utilizing a key).
d. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Data by Processor is the provision of the Services to the Controller that involves the Processing of Personal Data. Infront X will Process Personal Data as instructed by Controller and as specified in the Agreement in accordance with these terms.
e Purpose of the Processing. Personal Data will be Processed for purposes of providing the Services set out and otherwise agreed to in the Agreement.
f. Duration of the Processing. Personal Data will be Processed for the duration of the Agreement, subject to Section 5 of this DPA.
4. Controller Responsibility
a. Instructions Compliance with Data Protection Law. Within the scope of the Agreement and in its use of the Services, the Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Processor and the Processing of Personal Data. For the avoidance of doubt, Controller’s instructions for the Processing of Personal Data shall comply with the Data Protection Law. This DPA is Client’s complete and final instruction to Infront X in relation to Personal Data and that additional instructions outside the scope of DPA would require prior written agreement between the parties. Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified or replaced by Controller in separate written instructions (as individual instructions). Controller shall inform Processor without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data.
b. Security Responsibilities. Client agrees that, without prejudice to Infront X’s obligations under Section 5(c) (Security Measures) and 5(d) (Personal Data Breaches), it is solely responsible for use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Personal Data and securing account authentication credentials, systems and devices Client uses to access the Services. Client further agrees that Infront X has no obligation to protect Personal Data that Client elects to store or transfer outside of Infront X’s and its Sub-Processors’ systems.
5. Obligations of Processor
a. Client is a Processor. If Client is a processor, Client warrants to Infront X that Client’s instructions and actions with respect to the Personal Data, including its appointment of Infront X as another processor or sub-processor, have been authorized by and disclosed to the relevant Controller, including any and all applicable Infront X sub-processors.
b. Compliance with Instructions. The parties acknowledge and agree that if Client is the Controller of Personal Data, then Infront X is the Processor of that Personal Data. Processor shall collect, process and use Personal Data only within the scope of Controller’s instructions. If the Processor believes that an instruction of the Controller infringes the Data Protection Law, it shall immediately inform the Controller without delay. If Processor cannot process Personal Data in accordance with the Instructions due to a legal requirement under any applicable European Union or Member State law, Processor will (i) promptly notify the Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Controller issues new instructions with which Processor is able to comply. If this provision is invoked, Processor will not be liable to the Controller under the Agreement for any failure to perform the applicable Services until such time as the Controller issues new instructions in regard to the Processing.
c. Security Measures. Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Appendix 2 to the Standard Contractual Clauses (as updated or modified from time-to-time). Such measures include, but are not be limited to:
i. the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),
ii. the prevention of Personal Data Processing systems from being used without authorization (logical access control),
iii. ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
iv. ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
v. ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),
vi. ensuring that Personal Data is Processed solely in accordance with the Instructions (control of instructions),
vii. ensuring that Personal Data is protected against accidental destruction or loss (availability control).
Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing, as well as the risks to individuals) the security measures implemented and maintained by Infront X as set out in Appendix 2 provide a level of security appropriate to the risk in respect of Personal Data.
d. Infront X’s Impact Assessment Assistance. Infront X agrees to assist (taking into account the nature of the Processing of Personal Data and the information available to Infront X) Controller’s compliance with Controller’s obligations in respect of data protection impact assessments and prior consultation, including to the extent applicable, Client’s obligations pursuant to Articles 35 and 36 of the GDPR, by (i) providing security documentation, (ii) providing the information contained in these terms, and (iii) providing or otherwise making available, in accordance with standard company practices, other materials concerning the nature of the Processing Personal Data.
e. Infront X’s Security Assistance. Infront X agrees to assist (taking into account the nature of the Processing of Personal Data and the information available to Infront X) Controller’s compliance with the Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by (i) implementing and maintaining the security measures described under Appendix 2, (ii) complying with the terms of Section 5(d) (Personal Data Breaches); and (iii) providing the Controller with information in relation to the Processing in accordance with Section 6 (Audits). Except for negligible costs, Client will reimburse Infront X with costs and expenses incurred by Infront X in connection with the provision of assistance to Client under this paragraph.
f. Confidentiality. Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities.
g. Personal Data Breaches. Processor will notify the Controller as soon as practicable after it becomes aware of any of any Personal Data Breach affecting any Personal Data. At the Controller’s request, Processor will promptly provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects if Controller is required to do so under the Data Protection Law. Client is solely responsible for complying with incident notification laws applicable to Client and fulfilling any third-party notification obligations related to a Personal Data Breach. Infront X’s notification of or response to a Personal Data Breach will not be construed as an acknowledgement by Infront X of any fault or liability with respect to the Personal Data Breach.
h. Data Subject Requests. Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such a request is made directly to the Processor, the Processor will promptly inform the Controller and will advise Data Subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any Data Subjects’ requests. Controller shall reimburse the Processor for the costs arising from this assistance.
a. Consent. Processor shall be entitled to engage Sub-Processors to fulfil Processor’s obligations defined in the Agreement only with Controller’s written consent. For these purposes, Controller consents to the engagement as Sub-Processors of Processor’s affiliated companies and the third parties listed in Exhibit 2. For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the sub-Processing by Processor for purposes of Clause 11 of the Standard Contractual Clauses.
b. Objection to New Sub-Processor. If the Processor intends to instruct Sub-Processors other than the companies listed in Exhibit 2, the Processor will notify the Controller thereof in writing (email to the email address(es) on record in Processor’s account information for Controller is sufficient) and will give the Controller the opportunity to object to the engagement of the new Sub-Processors within 30 days after being notified.
c. Written Agreement with Sub-Processor. Where Processor engages Sub-Processors, Processor will enter into a contract with the Sub-Processor that:
i. the Sub-Processor only accesses and uses Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA); and
ii. if the GDPR applies to the Processing of Personal Data, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Sub-Processor; and
Where the Sub-Processor fails to fulfil its data protection obligations, the Processor will remain liable to the Controller for the performance of such Sub-Processors obligations.
d. Audit Right with Sub-Processor. Where a Sub-Processor is engaged, the Controller must be granted the right to monitor and inspect the Sub-Processor’s activities in accordance with this DPA and the Data Protection Law, including to obtain information from the Processor, upon written request, on the substance of the contract and the implementation of the data protection obligations under the sub-Processing contract, where necessary by inspecting the relevant contract documents.
e. Sub-Processor outside of the EEA. The provisions of this Section 6 shall mutually apply if the Processor engages a Sub-Processor in a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data. If, in the performance of this DPA, Infront X transfers any Personal Data to a Sub-Processor located outside of the EEA, Infront X shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
7. Data Transfers.
a. Where Data is Processed and Stored. Controller acknowledges and agrees that Infront X may store and process Personal Data in connection with the performance of the Services under the Agreement in the United States and any other country in which Infront X or any of its Sub-Processors maintain facilities.
b. Data Transfers Out of the EEA and Switzerland. The Standard Contractual Clauses at Exhibit 1 will apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Law).
8. Deletion or Retrieval of Personal Data.
a. Deletion During the Term. During the Term, if Client exercises a deletion functionality included in the Services (i.e. through the admin portal) for the Personal Data or submits a request, then Infront X will delete such Personal Data from its systems as soon as reasonably practicable and within a maximum period of 90 days, unless Data Protection Law requires storage. If Processor is unable to delete Personal Data for technical or other reasons, Processor will apply measures to ensure that Personal Data is blocked from any further Processing. Infront X may charge a fee for data deletion based on Client’s request. Infront X will provide Client with further details of any applicable fee, and the basis of its calculation.
b. Deletion or Retrieval Upon Termination. Controller shall at least 30 days prior to the termination or expiration of the Agreement and by way of issuing an instruction, stipulate, within a period of time set by Processor, the reasonable measures to return or to delete stored Personal Data. Infront X will comply with the instruction as soon as reasonably practicable and within a maximum period of 90 days unless Data Protection Law requires storage. Infront X may charge a fee for data deletion or retrieval based on Client’s instruction. Infront X will provide Client with further details of any applicable fee, and the basis of its calculation.
c. Data Retention Policy. Infront X will comply with its data retention practices described in its Data Retention Policy or any express written Client instructions.
a. Remote or Onsite. The Controller may, prior to the commencement of Processing, in accordance with the Agreement, and at regular intervals thereafter, audit the technical and organizational measures taken by the Processor. For such purpose, Controller may request and obtain information from the Processor or upon reasonable and timely advance agreement, during regular business hours and without interrupting Processor’s business operations, and at Client’s expense, conduct an on-site inspection of Infront X’s business operations or have the same conducted by a qualified third party which shall not be a competitor of Infront X, as determined by Infront X. Following receipt by Infront X of a request for an audit, Infront X and Client will discuss and agree in advance on reasonable any fees, start date, scope and duration of, and security and confidentiality controls applicable to any audit under Section 9.
b. Audit Fee. Infront X may charge a fee for an audit. Infront X will provide Client with further details of any applicable fee, and the basis for its calculation, in advance of any such audit. Client will be responsible for any and all third party fees related to any third parties engaged by Client.
c. Cooperation with Audit. Processor shall, upon Controller’s written request and within a reasonable period of time, provide Controller with all information necessary for such audit, to the extent that such information is within Processor’s control and Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Without limiting the foregoing, Infront X will not be required to permit access to or disclose to Client or its third party auditor the following:
i. any data of any other client of Infront X;
ii. any internal accounting or financial information regarding Infront X or its affiliates;
iii. any trade secret of Infront X or its affiliates;
iv. any information that, in Infront X’s reasonable opinion, could compromise the security of Infront X’s systems or premises or cause Infront X to breach its obligations under the Data Protection Law or its security and/or privacy obligations to any third party; or
v. any information that Client or its third party auditor seeks to access for any reason other than the good faith fulfillment of Client’s obligations under the Data Protection Law.
10. General Provisions
a. Contacts. Client may contact Infront X in relation to these terms via firstname.lastname@example.org . Infront X’s Data Protection Officer can be contacted at email@example.com. Infront X is responsible for collecting and maintaining records of certain information related to data processing, including the name and contact details of each processor and/or controller on behalf of which Infront X is acting and (if applicable) such processor’s or controller’s local representative and data protection officer, and make such information available to the supervisory authorities. As such, Client will provide and update such information to Infront X to ensure that such information is kept up-to-date.
b. Changes to the DPA. For the avoidance of doubt, with respect to updates and changes to this DPA, the terms stated in the Agreement that apply to modification of the Agreement and no-waiver shall apply equally to the terms in this DPA.
Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,
Client, as defined in the Agreement (the “data exporter”) and Infront X, LLC with an address of 1261 Broadway, Suite 200, New York, NY 10001 (the “data importer”), each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1: Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2: Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3: Third-party beneficiary clause
Clause 4: Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5: Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorized access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6: Liability
Clause 7: Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8: Cooperation with supervisory authorities
Clause 9: Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10: Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11: Subprocessing
Clause 12: Obligation after the termination of personal data-processing services
to the Standard Contractual Clauses
This Appendix 1 forms part of the Clauses. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
A. Data exporter
The data exporter is the Client, as defined in the Agreement.
B. Data importer
The data importer is Infront X, LLC (“Infront X”)
C. Data subjects
Categories of data subjects are set out under Section 3 of the Data Processing Agreement to which the Clauses are attached.
D. Categories of data
Categories of personal data are set out under Section 3 of the Data Processing Agreement to which the Clauses are attached.
E. Special categories of data (if appropriate)
The parties do not anticipate the transfer of special categories of data.
F. Processing operations
The processing activities set out under Section 3 of the Data Processing Agreement to which the Clauses are attached:
to the Standard Contractual Clauses
This Appendix 2 forms part of the Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Infront X currently observes the security practices described in this Appendix 2. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, Infront X may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
(a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: Infront X’s services and products are hosted with outsourced cloud infrastructure providers. Additionally, Infront X maintains contractual relationships with vendors in order to provide the Services in accordance with our Data Processing Agreement. Infront X relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Infront X hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: Infront X implemented a uniform password policy for its products. Clients who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to relevant exporter Client via only application user interfaces and application programming interfaces. Clients are not allowed direct access to the underlying application infrastructure. The authorization model in each of Infront X’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization, or as otherwise determined by Infront X in its sole discretion, as is relevant for the respective product and or services.
ii) Preventing Unauthorized Product Use
Infront X implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: Infront X implements industry standard intrusion detection and prevention processes to protect hosted customer websites and other internet-accessible applications.
Static code analysis: Security reviews of code stored in Infront X’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of Infront X’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. All such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated annually. Employee roles are reviewed at least once per annum.
Background checks: All Infront X employees with access to customer data, undergo a third-party background check prior to beginning employment at Infront X, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
(b) Transmission Control
In-transit: Infront X makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and, when requested by Client, on every Client site hosted on the Infront X products. Infront X’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Infront X stores user passwords following policies that follow industry standard practices for security. With effect May 25, 2018, Infront X has implemented technologies to ensure that stored data is encrypted at rest.
(c) Input Control
Detection: Infront X designed its infrastructure to log information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Infront X personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Infront X maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Infront X will take appropriate steps to minimize product and Client damage or unauthorized disclosure.
Communication: If Infront X becomes aware of unlawful access to customer data stored within its products, Infront X will: 1) notify the affected Clients of the incident; 2) provide a description of the steps Infront X is taking to resolve the incident; and 3) provide status updates to the Clients’ respective contacts, as Infront X deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Client’s contacts in a form Infront X selects, which may include via email or telephone.
(d) Availability Control
Infrastructure availability: The third party hosted infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. When requested by Client, data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible and as requested by Client, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Where requested and as indicated by Client, Infront X’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Infront X operations in maintaining and updating the product applications and backend while limiting downtime.
EXHIBIT 2 (List of Sub-Processors)