BRdata Software Solutions
(631) 391-8840
support@brdata.com
Melville, NY 11747

Data Processing Agreement

Last Updated: June 2021

This Data Processing Agreement (“DPA”) amends the terms and forms, between SR Data Systems Co. Inc. d/b/a BR Data (collectively, “BR Data” or “Service Provider”), and the Customer (“Customer” or “you”) each a “Party” and collectively the “Parties”. This DPA governs your use of BR Data products and services, including but not limited to BR Data Cloud (the “BR Data Service”). This DPA applies to and takes precedence over any associated contractual document between the Parties, such as Terms and Conditions, an order form, statement of work, or other thereunder (collectively, the “Agreement”), to the extent of any conflict.

If you are an individual who consents to the terms of this DPA on behalf of an entity, you represent and warrant that you have the authority to bind that entity to this DPA, and your consent to this DPA will be treated as the consent of the business.

BR Data and Customer agree as follows:

1. Definitions. For purposes of this DPA:

a. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”). For the avoidance of doubt, if Customer’s processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.

b. “Data Controller” or “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; for the purposes of this DPA, where Customer acts as processor for another controller, it shall in relation to the BR Data Service be deemed as additional and independent Controller with the respective controller rights and obligations under this DPA.

c. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

d. “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms will have the same meaning as defined by the CCPA.

e. “Processing” or “Process” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

f. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

g. “Service Provider” or “Data Processor” has the same meaning as set forth in the CCPA. For the purpose of this Agreement, the Service Provider is BR Data.

2. Scope and Purposes of Processing.

a. BR Data will Process the Customer’s data, including Personal Data, solely to fulfill its obligations to the Customer as Service Provider, on behalf of the Customer and in the course of providing the BR Data Services under the Agreement and for no other purposes, unless otherwise required by applicable Data Privacy Laws.

b. Without limiting the foregoing, Customer determines the purpose and means of Processing Customer’s data. The Customer directs BR Data to Process data, including Personal Data, in accordance with the Customer’s written instructions.

• Governance. BR Data acts as a Processor and Customer and the person that it permits to use the BR Data Service (“Authorized User”) act as Data Controllers as defined by the CCPA. Customer acts as a single point of contact and is solely responsible for obtaining any relevant authorizations, consents and permissions for the processing of Personal Data in accordance with this DPA, including, where applicable approval by Controllers to use the BR Data Service as a Processor. Where authorizations, consent, instructions or permissions are provided by Customer these are provided not only on behalf of the Customer but also on behalf of any other Controller using the BR Data Service. Where BR Data informs or gives notice to Customer, such information or notice is deemed received by those Controllers permitted by Customer to use the BR Data Service and it is Customer’s responsibility to forward such information and notices to the relevant Controllers.

• Effective Date. This DPA shall come into effect from the latest date of the signature by both Parties.

• Anticipated duration of Processing (“Term”). For the term of the Agreement or to the extent that BR Data continues to Process Personal Data, whichever is longer.

• Termination. Upon termination of this DPA, upon the Data Controller’s written request, or upon fulfillment of all purposes agreed in the context of the BR Data Service whereby no further processing is required, the Customer will delete all Personal Data as described in Section 8(b) of this DPA.

3. Customer’s Role

a. As Controller, the Customer determines the purpose and means of processing Personal Data in relation to its access and use of the BR Data Services and will provide Personal Data solely for the purpose of the Agreement. Customer agrees that: (a) it has provided all notices and obtained all consents, permissions and rights necessary under applicable Data Privacy Laws for BR Data to lawfully process the Personal Data; (b) Customer will not transmit to BR Data nor require BR Data to process any highly sensitive data; and (c) Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

b. The Customer understands that BR Data does not access or control the Personal Data made available by the Customer on the BR Data Services and in the event the Customer is not able to comply with its responsibilities under this Section 3, under the CCPA or any applicable Data Privacy Laws, the Customer shall notify BR Data accordingly and without undue delay.

c. Customer hereby certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them.

4. BR Data’s Obligations

a. BR Data will not:

• Sell Personal Data. At all times, BR Data is prohibited from “selling” as that term is defined by the CCPA, any Personal Data provided by Customer or Customer’s Data Subjects.

• Process Personal Data for any purpose other than for the specific purposes set forth herein and only as necessary to perform its obligations under the Agreement. For the avoidance of doubt, BR Data will not use, retain, or disclose any Personal Data provided by Customer for any purpose other than the purposes set forth in the Agreement and this DPA including, without limitation, using the Personal Data for any business purpose other than what is set forth in the Agreement including this DPA.

• Disclose Personal Information except as necessary to comply with applicable laws and regulations or to detect security incidents or prevent fraudulent activity or comply with a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends BR Data a demand for Personal Data, BR Data will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, BR Data may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then BR Data will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless BR Data is legally prohibited from doing so.

• Attempt to retain, use, or disclose Customer Data for any other purpose than furthering the business purposes of the Agreement and in performance of the BR Data Services.

b. Personnel. BR Data ensures that its personnel have received appropriate training on their responsibilities concerning Personal Data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Compliance with Data Privacy Laws. Each party will comply with all Data Protection Laws and Regulations applicable to it and binding on it in the provision or use of the BR Data Services under the Agreement, including all statutory requirements relating to data protection.

6. Personal Data Processing Requirements.

a. The Parties understand and agree that the BR Data Services provide Customer with controls to enable Customer to retrieve, correct, delete, or block Personal Data and to respond to any Data Subject Requests (as defined below). Customer is responsible for: (a) setting up and using the safety measures made available by BR Data in connection with the BR Data Services (including the security controls); (b) taking such steps as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Personal Data, which may include use of encryption technology to protect Personal Data from unauthorized access and routine archiving of Personal Data; and (c) ensuring that users duly authorized by Customer to use the BR Data Services on behalf of Customer understand and comply with the Agreement including the DPA.

b. Cooperation. At Customer’s request, BR Data will reasonably cooperate with and assist Customer and Controllers in dealing with requests from Data Subjects or regulatory authorities regarding BR Data’s processing of Personal Data or any Personal Data Breach.

c. BR Data will implement and maintain policies and procedures to allow it to promptly comply with any Customer or Data Subject Requests related to a Data Subject’s request to “opt-out,” delete, request access to, or exercise any other rights granted to the Consumer under the CCPA and to maintain any records of such requests. Such policies and procedures will include any processes necessary to identify the specified Personal Data when responding to a particular request. If BR Data receives a request for access, a request to know, or request to delete Personal Data directly from a Data Subject, BR Data shall either act on behalf of Customer in processing the request(s) or inform the Data Subject that the request(s) cannot be acted upon because the request(s) was sent to a Service Provider.

d. BR Data shall promptly comply with any Data Subject’s request to “opt-out” of the sale of that Data Subject’s Personal Data, whether such request is relayed by the Data Subject or otherwise relayed by Customer.

e. Each party is responsible for its compliance with its documentation requirements, in particular maintaining records of processing where required under Data Privacy Law. Each party shall reasonably assist the other party in its documentation requirements, including providing the information the other party needs from it in a manner reasonably requested by the other party (such as using an electronic system), in order to enable the other party to comply with any obligations relating to maintaining records of processing.

7. Data Security.

a. BR Data has implemented and will apply the technical and organizational measures set forth in Exhibit A. Customer has reviewed such measures and agrees that as to the BR Data Services selected by Customer under the Agreement, the measures are appropriate taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the processing of Personal Data.

b. Changes. BR Data applies the technical and organizational measures set forth in Appendix 2 to BR Data’s entire customer base hosted out of the same data center and receiving the same Services. BR Data may change the measures set out in Appendix 2 at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.

c. Customer is solely responsible for reviewing the information made available by BR Data relating to the control of data and to data security in relation to BR Data Services and making an independent determination as to whether the BR Data Services meet Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.

8. Data Export And Deletion.

a. Export and Retrieval by Customer. During the Term and subject to the Agreement, Customer can access the Personal Data at any time. Customer may export and retrieve its Personal Data in a standard format. Export and retrieval may be subject to technical limitations, in which case BR Data and Customer will find a reasonable method to allow Customer access to Personal Data.

b. Deletion. Before the Term expires, Customer may use BR Data’s self-service export tools (as available) to perform a final export of Personal Data from the BR Data Services (which shall constitute a “return” of Personal Data). Before the Term expires, Customer is required to use BR Data’s self-service export tools (as available) to perform a final export of Personal Data from the BR Data Services (which shall constitute a “return” of Personal Data) and shall delete Personal Data from the BR Data Services using the self-service tools. If Customer is unable to download and/or delete Personal Data due to any technical reason, then Customer may request that BR Data deletes or returns the Personal Data remaining on the BR Data Services.

9. Security Breach.

a. Notification. If BR Data becomes aware of a Security Breach, BR Data will without undue delay and, where feasible, not later than 48 hours after having become aware of it, notify Customer of the Security Breach. Where the notification to the Customer is not made within 48 hours, it shall be accompanied by reasonable reasons for the delay.

b. Assistance. To assist Customer in relation to any data breach notifications, BR Data will include in the notification under section 10(a) such information about the Security Breach as BR Data is reasonably able to disclose to Customer, taking into account the nature of the BR Data Services, the information available to BR Data, and any restrictions on disclosing the information, such as confidentiality.

c. Limitations. Customer agrees that: (a) an attempted but failed Security Breach will not be subject to this Section; and (b) the provisions set forth in this Section 8 are not and will not be construed as an acknowledgement by BR Data of any fault or liability of BR Data with respect to the Security Breach.

10. Subprocessors.

a. Permitted Use. BR Data is granted a general authorization to subcontract the processing of Personal Data to Subprocessors, provided that:

• BR Data shall engage Subprocessors under a written (including in electronic form) contract consistent with the terms of this DPA in relation to the Subprocessor’s processing of Personal Data. BR Data shall be liable for any breaches by the Subprocessor in accordance with the terms of this Agreement;

• BR Data will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection to establish that it is capable of providing the level of protection of Personal Data required by this DPA; and

• BR Data’s list of Subprocessors in place on the effective date of the Agreement is published by BR Data. Upon request, BR Data will make the list of Subprocessors available to Customer including the name, address and role of each Subprocessor BR Data uses to provide the BR Data Service.

b. New Subprocessors. BR Data’s use of Subprocessors is at its discretion, provided that:

• BR Data will inform Customer in advance (by email or by posting within the BR Data Services) of any intended additions or replacements to the list of Subprocessors including name and role of the new Subprocessor; and

• Customer may object to such changes as set out in Section 11(c) herein.

c. Objections to New Subprocessors.

• If Customer has a legitimate reason under Data Privacy Law to object to the new Subprocessors’ processing of Personal Data, Customer may terminate the Agreement (limited to the BR Data Services for which the new Subprocessor is intended to be used) on written notice to BR Data. Such termination shall take effect at the time determined by the Customer which shall be no later than thirty days from the date of BR Data’s notice to Customer informing Customer of the new Subprocessor. If Customer does not terminate within this thirty day period, Customer is deemed to have accepted the new Subprocessor.

• Within the thirty day period from the date of BR Data’s notice to Customer informing Customer of the new Subprocessor, Customer may request that the parties come together in good faith to discuss a resolution to the objection. Such discussions shall not extend the period for termination and do not affect BR Data’s right to use the new Subprocessor(s) after the thirty day period.

• Any termination under this Section 11(c) shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement.

d. Emergency Replacement. BR Data may replace a Subprocessor without advance notice where the reason for the change is outside of BR Data’s reasonable control and prompt replacement is required to protect the integrity and security of Customer’s Personal Data. In this case, BR Data will inform Customer of the replacement Subprocessor as soon as possible following its appointment.

e. Affiliates. BR Data may engage any of its affiliates to process Personal Data without seeking any prior approval from Customer. The same data protection requirements and obligations, as set forth in this DPA, shall equally apply to the processing of Customer’s Personal Data by any BR Data affiliate, and BR Data will, at all times, remain fully liable to Customer for its affiliates’ compliance with such requirements and obligations.

11. Certification and Audits.

a. Customer Audit. Customer or its independent third party auditor reasonably acceptable to BR Data (which shall not include any third party auditors who are either a competitor of BR Data or not suitably qualified or independent) may audit BR Data’s control environment and security practices relevant to Personal Data processed by BR Data only if:

• BR Data has not provided sufficient evidence of its compliance with the technical and organizational measures that protect the production systems of the BR Data Service through providing either: (i) a certification as to compliance with applicable standards (scope as defined in the certificate); or (ii) a valid ISAE3402 and/or ISAE3000 or other SOC1-3 attestation report. Upon Customer’s request, audit reports or ISO certifications are available through the third party auditor or BR Data;

• A Personal Data Breach has occurred;

• An audit is formally requested by Customer’s data protection authority; or

• Mandatory Data Protection Law provides Customer with a direct audit right and provided that Customer shall only audit once in any twelve month period unless mandatory Data Privacy Laws requires more frequent audits.

b. Scope of Audit. Customer shall provide at least sixty (60) days advance notice of any audit unless mandatory Data Privacy Laws or a competent data protection authority requires shorter notice. The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith. Customer audits shall be limited in time to a maximum of three business days. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. Customer shall provide the results of any audit to the BR Data Services.

c. Cost of Audits. Customer shall bear the costs of any audit unless such audit reveals a material breach by BR Data of this DPA, then BR Data shall bear its own expenses of an audit. If an audit determines that BR Data has breached its obligations under the DPA, BR Data will promptly remedy the breach at its own cost.

12. Indemnification. Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

13. Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as BR Data Processes the Personal Data.

Exhibit A: Security Measures

1. TECHNICAL AND ORGANIZATIONAL MEASURES

The following sections define BR Data’s current technical and organizational measures. BR Data may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.

1.1 Physical Access Control. Unauthorized persons are prevented from gaining physical access to premises, buildings or rooms where data processing systems that process and/or use Personal Data are located.

• BR Data protects its assets and facilities using the appropriate means based on the BR Data Security Policy.

• In general, buildings are secured through restricted access.

• Depending on the security classification, buildings, individual areas, and surrounding premises may be further protected by additional measures. These include video surveillance, intruder alarm systems, biometric access control systems, or security staff.

1.2 System Access Control. Data processing systems used to provide the BR Data Cloud Services must be prevented from being used without authorization.

• Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes.

• All personnel access BR Data’s systems with a unique identifier.

• When personnel leave the company, their access rights are revoked.

• BR Data has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. Each computer has a password-protected screensaver.

• The company network is protected from the public network by firewalls.

• BR Data uses up-to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.

• Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to BR Data’s corporate network and critical infrastructure is protected by strong authentication.

1.3 Data Access Control. Persons entitled to use data processing systems gain access only to the Personal Data that they have a right to access, and Personal Data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.

• All production servers are operated in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, BR Data conducts internal and external security checks and penetration tests on its IT systems.

• A BR Data security standard governs how data and data carriers are deleted or destroyed once they are no longer required.

1.4 Data Transmission Control. Except as necessary for the provision of the BR Data Services in accordance with the Agreement, Personal Data must not be read, copied, modified or removed without authorization during transfer. Where data carriers are physically transported, adequate measures are implemented at BR Data to provide the agreed-upon service levels (for example, encryption and lead-lined containers).

• Personal Data in transfer over BR Data internal networks is protected according to BR Data Security Policy.

• When data is transferred between BR Data and its Customers, the protection measures for the transferred Personal Data are mutually agreed upon and made part of the relevant agreement. This applies to both physical and network-based data transfer. In any case, the Customer assumes responsibility for any data transfer once it is outside of BR Data-controlled systems.

1.5 Data Input Control. It will be possible to retrospectively examine and establish whether and by whom Personal Data have been entered, modified or removed from BR Data processing systems.

• BR Data only allows authorized personnel to access Personal Data as required in the course of their duty.

• BR Data has implemented a logging system for input, modification and deletion, or blocking of Personal Data by BR Data or its Subprocessors within the Cloud Services to the extent technically possible.

1.6 Job Control. Personal Data being processed on a Customer’s behalf is processed solely in accordance with the Agreement and related instructions of the Customer.

• BR Data uses controls and processes to monitor compliance with contracts between BR Data and its Customers, subprocessors or other service providers.

• As part of the BR Data Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the BR Data Information Classification standard.

• All BR Data employees and contractual Subprocessors or other service providers are contractually bound to respect the confidentiality of all sensitive information including trade secrets of BR Data customers and partners.

1.7 Availability Control. Personal Data will be protected against accidental or unauthorized destruction or loss.

• BR Data employs regular backup processes to provide restoration of business-critical systems as and when necessary.

• BR Data has defined business contingency plans for business-critical processes and may offer disaster recovery strategies for business-critical Services as further set out in the Documentation or incorporated into the Statement of Work Form for the relevant Service.

• Emergency processes and systems are regularly tested.

1.8 Data Separation Control.

• BR Data uses the technical capabilities of the deployed software (for example: multi-tenancy, system landscapes) to achieve data separation among Personal Data originating from multiple Customers.

• Each Customer has access only to its own data.

1.9 Data Integrity Control. Personal Data will remain intact, complete and current during processing activities. BR Data has implemented a multi-layered defense strategy as a protection against unauthorized modifications.

In particular, BR Data uses the following to implement the control and measure sections described above:

• Firewalls;

• Security Monitoring Center;

• Antivirus software;

• Backup and recovery;

• External and internal penetration testing;

• Regular external audits to prove security measures.