.webp)
.webp)
Vendor Data Processing Addendum
Vendor Data Processing Addendum
This Vendor Data Processing Addendum (the “Vendor DPA”) forms a part of, and is subject to, the agreement(s) between Vendor and Flock Group Inc (“Flock”) for Vendor’s services (the “Agreement”). All capitalized terms used but not defined herein will have the meaning ascribed to them in the Agreement. To the extent of any conflict between this DPA and any other agreement between Vendor and Flock, this DPA shall control.
Vendor will provide services as described in the Agreement that will involve the Processing of Personal Data (the “Services”). In delivering the Services under the Agreement, Vendor may Process Personal Data controlled by Flock or a Flock Affiliate, and/or their respective representatives, customers, or business partners.
1. Definitions
“Affiliate” means any entity which is directly or indirectly controlling, controlled by, or under common control with a party to the Agreement.
“Agreement” means the agreement between Vendor and Flock.
“Applicable Privacy Law” means all privacy, data protection, and data security laws and regulations of any jurisdiction directly applicable to a party as a result of the Processing of Personal Data under the Agreement.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations;
“Controller” means the entity which determines the purpose and means of the Processing of Personal Data.
“Personal Data” means “personal data,” “personal information,” or an equivalent term, as defined by Applicable Privacy Law.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Processing” means any operation or set of operations performed upon Personal Data by or on behalf of Vendor for Flock in connection with the Agreement.
“Processor” means the entity which Processes Personal Data on behalf of the Controller pursuant to the Controller’s instructions and solely to provide the Vendor Services, including as applicable any “service provider” as that term is defined under the CCPA.
“Standard Contractual Clauses (SCCs)” means a transfer mechanism enabling the lawful cross-border transfer of Personal Data under Applicable Privacy Laws, such as: (i) the Standard Contractual Clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are attached as Schedule 3; (ii) the Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, which went into effect on 21 March 2022 and is attached as Schedule 4; or (iii) Standard Contractual Clauses of any jurisdiction applicable to either Party’s Processing of Personal Data under this Vendor DPA.
“Subprocessor(s)” means any Processor engaged by Vendor or Vendor Affiliate directly or indirectly to Process any Personal Data relating to this Vendor DPA, the Agreement, and/or the Vendor Services.
2. Data Processing Details
2.1 The parties acknowledge and agree that, with regard to the Processing of Personal Data under this Vendor DPA, Flock is the Controller and determines the purpose and means of the Processing and Vendor is a Processor. The parties shall each comply with their respective obligations under Applicable Privacy Law.
2.2 The subject matter of Processing by Vendor is the performance of Services under the Agreement. The details around Vendor’s Processing, including the duration and nature and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects whose Personal Data is Processed under this Vendor DPA are specified in Schedule 1 (Parties and Data Processing Details), below.
2.3 Unless required under applicable law, Vendor shall only Process Personal Data (i) in accordance with Flock’s documented instructions as set out in this Vendor DPA (including, Schedule 1 (Parties and Data Processing Details), below) or the Agreement for the sole purpose of providing the Vendor Services; or (ii) to comply with other reasonable instructions provided by Flock.
2.4 Flock’s instructions for the Processing of Personal Data shall comply with Applicable Privacy Laws. Vendor shall inform Flock immediately if (i) in Vendor’s opinion, Flock’s instruction constitutes a violation of Applicable Privacy Laws, or (ii) if Vendor is unable to follow Flock’s instructions for the Processing of Personal data.
2.5 As required under Applicable Privacy Law, Vendor shall provide reasonable assistance to Flock with data protection impact assessments and consultations with a supervisory authority.
3. Personnel
3.1 Vendor shall take commercially reasonable steps to ensure the reliability of any personnel engaged in the Processing of Personal Data and that all such Personnel have executed written employment agreements that contain confidentiality obligations which survive the termination of the agreement.
3.2 Vendor shall take reasonable steps to (and instruct Subprocessors to) (i) train employees on Applicable Privacy Laws and security requirements; (ii) instruct and train employees who have access to Personal Data on maintaining the confidentiality of the Personal Data; and (iii) limit access to Personal Data on a need-to know basis.
4. Data Subject Rights Requests
4.1 As between the Parties, Flock shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Flock Personal Data, and Vendor shall notify Flock within three (3) business days if Vendor receives a complaint or request from a Data Subject to exercise the Data Subject's rights under Applicable Privacy Law (“DSR Request”) by emailing privacy@flocksafety.com. Vendor shall not respond to a DSR Request itself, except that Flock authorizes Vendor to redirect the DSR Request to Flock as necessary to enable Flock’s response.
4.2 Vendor shall assist Flock by offering appropriate technical and organizational measures to support Flock in its obligation to respond to a DSR Request. To the extent Flock does not have the ability to address a DSR Request using the measures offered by Vendor, Flock may request commercially reasonable assistance from Vendor in responding to such a DSR Request.
5. Personal Data Breach Notification
5.1 Vendor shall notify Flock within forty-eight (48) hours after becoming aware of a Personal Data Breach by emailing privacy@flocksafety.com. Where possible, and to the extent applicable, Vendor shall provide Flock with sufficient information to allow Flock to meet any legally required notification obligations. To the extent known to Vendor, the information provided shall include: (i) the nature of the Personal Data Breach including where applicable, the categories and approximate number of Data Subjects affected, and the categories and approximate volume of Personal Data records concerned; (ii) the likely consequences and impact of the Personal Data Breach; (iii) the measures taken or proposed to be taken by Vendor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and (iv) the name and contact information of the individual(s) from whom more information can be obtained.
5.2 Vendor shall make reasonable efforts to identify the cause of any Security Incident and take the steps Vendor deems possible, necessary, and reasonable to remediate such cause to the extent the remediation is within Vendor’s reasonable control. Vendor shall take all reasonable steps to assist in Flock’s investigation, mitigation, and remediation of the Personal Data Breach.
5.3 Unless otherwise required by applicable law, Vendor shall not issue any public notice related to the Personal Data Breach which names Flock without Flock’s express prior written consent.
6. Security Measures
6.1 Vendor shall implement and maintain appropriate technical and organizational measures designed to protect against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data that Vendor may transmit, store, or otherwise Process in its provision of Services to Flock. Such measures shall include the requirements set forth in the Vendor Information Security Addendum located at www.flocksafety.com/legal/Vendor-InfoSec-Addendum. Vendor shall regularly test, assess, and evaluate the effectiveness of any such technical and organizational measures.
7. Audits and Inspections
7.1 Subject to the terms of this Section 6, Vendor shall make available to Flock reasonable information necessary to demonstrate compliance with the Agreement and this Vendor DPA and shall allow for and contribute to an annual audit by Flock or a mutually agreed to third-party auditor (“Auditor”) in relation to the Processing of Personal Data.
7.2 Flock or Auditor may, in accordance with applicable law, at Flock’s expense and no more than annually, perform an audit of Vendor’s data protection and information security practices with written notice provided reasonably, but at least thirty (30) business days in advance. The audit shall take place over not more than one day, unless Vendor permits otherwise, during Vendor’s normal business hours on a mutually agreed schedule that will minimize the audit’s impact on Vendor’s operations. Flock or Auditor shall comply with Vendor’s security requirements related to the performance of the audit.
7.3 Upon Flock’s reasonable written request and no more than once per year, Vendor shall complete Flock’s reasonable data protection and information security questionnaire.
7.4 If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2 report or similar and current qualified third-party audit report or certificate, Flock agrees to accept such report in lieu of conducting an audit.
7.5 All information provided to Flock by Vendor under this Section 6 is considered Vendor Confidential Information.
8. Subprocessors
8.1 Vendor has Flock’s general authorization to use Subprocessors for the provision of services provided that Vendor shall (i) carry out adequate diligence prior to engaging the Subprocessor to select Subprocessors that are capable of maintaining the privacy, confidentiality, security, integrity, and availability of Personal Data consistent with the requirements of this Vendor DPA; and (ii) ensure that the arrangement between Vendor and Subprocessor is governed by a binding contract that includes terms which offer a substantially similar level of protection for Personal Data as those set forth in this Vendor DPA and which meet the requirements of Data Protection Legislation.
8.2 If Subprocessors are replaced or added during the term of the Agreement, Vendor shall give Flock notice of such changes thirty (30) days prior to sharing Personal Data with the Subprocessor by emailing privacy@flocksafety.com. Flock shall have fifteen (15) days from receipt of that notice to raise a material objection to the change, and Flock and Vendor shall work together in good faith to cure any material objection. If no material objection is raised within the objection period, the proposed change will be deemed agreed to.
8.3 Vendor will remain liable to Flock for the acts and omissions of Vendor’s Subprocessors to the extent they relate to the provision of the Vendor Services to Flock.
9. Third Party Disclosures
9.1 Vendor agrees not to allow, unless required by applicable law, regulations, order of a court or any regulatory, judicial, governmental, or similar body (a “Government Request”), or as authorized by Flock, access to Personal Data by any administrative body, authority or agency.
9.2 If Vendor receives a legally binding Government Request to access Personal Data, Vendor shall, where legally permitted, seek to redirect the Government Request to Flock, and Flock agrees that Vendor may provide information as reasonably necessary to facilitate such a redirect. If Vendor is unable to redirect the Government Request to Flock, then Vendor shall, to the extent permitted by law, provide Flock with notice of the Government Request, the circumstances of the required disclosure, and the Personal Data that must be disclosed. If Vendor is prohibited from providing such notice under applicable law, Vendor shall make commercially reasonable efforts to challenge the Government Request and not disclose the Personal Data until required to do so, providing the minimum amount of information permissible in response to the Government Request.
9.3 Vendor shall promptly notify Flock if Vendor becomes aware of any direct access by a public authority or government agency to Personal Data. Vendor further certifies that it (i) has not purposefully created back doors or similar programming for the purpose of allowing access to Personal Data and (ii) as of the effective date of this Vendor DPA, is not aware of any national law or government policy requiring Vendor to maintain such back doors.
10. Deletion or Return of Personal Data
10.1 Vendor shall delete Personal Data (i) within sixty (60) days following the termination/expiry of the Agreement, (ii) where relevant, in accordance with any selected retention package; and/or (iii) upon Flock’s reasonable request at any time. Vendor may retain Personal Data only to the extent and for such period as legally required, provided that Vendor shall ensure the confidentiality of the Personal Data and that such Personal Data is only Processed as necessary for the legally required purpose(s).
10.2 Prior to termination of the Agreement, and upon reasonable request, Vendor shall, enable Flock to access and retrieve certain Personal Data.
11. Service Provider Obligations under the CCPA
11.1 For purposes of this Section 11, the terms “Business Purpose,” “Commercial Purpose,” “Sell,” “Service Provider,” and “Share” shall have the respective meanings given thereto in the CCPA.
11.2 Vendor (i) acknowledges that Personal Data is disclosed by Flock only for limited and specified purposes described in this Vendor DPA; (ii) shall comply with applicable obligations under the CCPA, and shall provide the same level of privacy protection to Personal Data as is required by the CCPA; (iii) agrees that Flock has the right to take reasonable and appropriate steps under Section 7 of this Vendor DPA to help ensure that Vendor’s use of Personal Data is consistent with Flock’s obligations under the CCPA; (iv) shall notify Flock in writing of any determination made by Vendor that it can no longer meet its obligations under the CCPA; and (v) agrees that Flock has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate use of Personal Data.
11.3 Vendor shall not (i) Sell or Share any Personal Data; (ii) retain, use, or disclose any Personal Data for any purpose other than for the specific Business Purpose of providing the Vendor Services under and in accordance with this Agreement, including retaining, using, or disclosing Personal Data for a Commercial Purpose other than the Business Purpose of providing the Vendor Services or as otherwise permitted by the Agreement or applicable law; (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between Vendor and Flock; or (iv) combine Personal Data received pursuant to the Agreement with Personal Data (a) received from or behalf of another person or (b) or collected from Vendor’s own interaction with any individual to whom such Personal Data pertains, except as otherwise permitted under the Agreement or applicable law.
12. Automated Decision Making and Artificial Intelligence
12.1 Where Vendor’s services include the provision of Artificial Intelligence (AI), Vendor may not use any Flock Personal Data to train, improve, or refine AI models.
12.2 Vendor may not use automated decision making, as such term is defined under Applicable Privacy Laws on Personal Data without Flock’s express written permission.
13. International Personal Data Transfers
13.1 To the extent the provision of Vendor Services requires the international transfer of Personal Data, Vendor agrees that Personal Data shall only be transferred to countries that can provide adequate protections over Personal Data in alignment with this DPA and in accordance with any applicable SCCs.
13.2 Where the international data transfer includes the transfer of Personal Data belonging to data subjects located in the European Economic Area (EEA) or United Kingdom, Schedule 3 (EU Standard Contractual Clauses) and Schedule 4 (UK International Data Transfer Addendum) shall apply.
13.3 Either party may, on notice, amend this Vendor DPA upon agreement with the other party to the extent reasonably necessary to address the requirements of Applicable Privacy Law related to international data transfer mechanisms (e.g., a new form of any relevant SCCs).
14. Liability
14.1 Each party’s liability arising out of or related to this Vendor DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section agreed to under the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and all DPAs together.
14.2 Where a Data Subject asserts any claims against a party to this Vendor DPA in accordance with Applicable Privacy Law, the other party shall support in defending against such claims, where possible.
15. Change in Laws
15.1 Either party may, on notice, amend this Vendor DPA upon agreement with the other party but only to the extent reasonably necessary to address the requirements of Applicable Privacy Laws.
16. Termination
16.1 Any termination rights arising from a breach of a provision in this Vendor DPA shall be in accordance with the termination provisions set forth in the Agreement.
Schedule 1: Parties and Data Processing Details
LIST OF PARTIES
Data Controller
Data Processor
DETAILS OF PROCESSING AND DESCRIPTION OF TRANSFER
Schedule 2: Vendor Information Security Addendum
As set forth in Flock’s Vendor Information Security Addendum, available at www.flocksafety.com/legal/Vendor-InfoSec-Addendum.
Schedule 3: EU Standard Contractual Clauses
Where an international data transfer occurring under this Vendor DPA includes the transfer of Personal Data belonging to data subjects located in the European Economic Area (EEA), this Schedule 3 shall apply.
1. Signature of the EU SCCs
1.1 Where applicable and in accordance with Section 11 of this Vendor DPA, each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the EU SCCs, and the EU SCCs are entered into by and between the Parties with effect from (a) the DPA effective date, or (b) the date of the first international transfer subject to the EU SCCs occurs, whichever is later.
1.2 With respect to any given international transfer subject to the EU SCCs, on request from Flock, Vendor shall promptly, and in any event within ten (10) business days, execute full-form versions of the EU SCCs, which shall be amended and populated in accordance with this Schedule 3.
2. Modules
2.1 Taking into account the Parties to this Vendor DPA and the nature of the data flows, where Flock is the Controller and Vendor is the processor, Module 2 (Transfer Controller to Processor) applies.
3. Population of the Body of the EU SCCs
3.1 Clause 7, the optional docking clause, applies.
3.2 Under Clause 9 (Use of Subprocessors), the Parties select Option 2 (General Written Authorization). Vendor shall provide written notice at least thirty (30) days prior to any intended additions or replacements of Sub-Processors.
3.3 Under Clause 11 (Redress), the optional requirement that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
3.4 Under Clause 17 (Governing Law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
3.5 Under Clause 18 (Choice of Forum and Jurisdiction), the Parties select the courts of Ireland.
4. Population of the Annexes in the EU SCC Appendices
4.1 The entirety of Annex I to the EU SCCs is populated with the corresponding information detailed in Schedule 1 (Parties & Data Processing Details) to this Vendor DPA, with (a) Flock being Data Exporter and (b) Vendor being Data Importer.
4.2 Annex II to the EU SCCs is populated with the security measures set forth in Schedule 2 (Vendor Information Security Addendum) to this DPA.
4.3 Annex III to the EU SCCs is populated with Vendor’s current list of Subprocessors, as described in Section 8 of this Vendor DPA, and Vendor has Flock’s general authorization for use of these Subprocessors. Vendor will inform the Flock via electronic means of any changes to that list in the event Subprocessors are added or replaced during the term of the Agreement in accordance with Clause 9(a), Option 2 and the process set out in Section 8 of the DPA.
Schedule 4: UK International Data Transfer Addendum
Where an international data transfer occurring under this Vendor DPA includes the transfer of Personal Data belonging to data subjects located in the United Kingdom, this Schedule 4 shall apply.
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Table 2: Selected SCCs, Modules, and Selected clauses
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Table 4: Ending this Addendum when the Approved Addendum Changes
Part 2: Mandatory Clauses