ViewNexa Data Protection Agreement

DATA PROTECTION ADDENDUM

This Data Protection Addendum (“Data Protection Addendum” or “DPA”) forms part of and is incorporated into the Master Services Agreement (Agreement) between the Parties and applies only in the event and to the extent that Bitcentral receives or has access to Personal Information of Customer.

1. DEFINITIONS.

1.1 Capitalized terms not defined in this DPA shall have the meaning ascribed to them in the Agreement.
1.2 “Applicable Law” means all federal, state and local laws, statutes, ordinances, and regulations of any applicable jurisdiction including, without limitation, privacy and data security statutes and regulations promulgated and in effect thereunder.
1.3 “Contractors” means all contractors, subcontractors, and service providers of Bitcentral.
1.4 “Personal Information” means any information, other than Personal Financial Information, relating to an identified or identifiable (using commercially reasonable efforts) natural person, as defined under applicable data privacy laws.
1.5 “User Information” shall mean all information pertaining to users of the Services, including, without limitation, any user Personal Information and all user data that is generated, collected, stored, processed or used in connection with or derived from Bitcentral’s performance of the Services, including without limitation, from cookies or other tracking technology placed in connection with the Services.

2. CONFIDENTIALITY.

2.1 “Confidential Information” has the meaning ascribed in the Agreement, and also includes (a) any and all information accessed through or provided by any Customer file computing system, database, server, website, application or networked environment or domain, including, without limitation, all development, quality assurance, staging and production environments (collectively, “Customer Systems”); (b) any password issued to Bitcentral for access to any Customer System; (c) any information disclosed, accessed, received or collected through a third party acting on behalf of Customer, for example, if Bitcentral receives Customer’s information directly from another Customer service provider or other mechanism that provides (or provides access to) Customer’s Confidential Information outside of Customer itself, including, without limitation, through the provision of software as a service, platform as a service or an application programming interface; and (d) all other Customer Information (as defined below).

3. USE OF CUSTOMER DATA.

Bitcentral further represents and warrants that, unless expressly permitted under this Agreement, it will not use or disclose Customer Data for any purpose other than that necessary to perform the Services and for Bitcentral’s internal business, process, product, and service development or improvement purposes.

4. DATA SECURITY.

4.1 General. Bitcentral agrees that its collection, use, storage and disposal of Customer Data shall at all times comply with Applicable Law. Bitcentral shall, and shall contractually require its Contractors, to implement and maintain security procedures and practices for Customer Data that comply with Applicable Law and industry standards designed to (a) ensure Customer Data security and confidentiality, (b) protect against threats or hazards to its security or integrity, and (c) prevent unauthorized access, acquisition, destruction, use, modification, and/or disclosure. Bitcentral and its Contractors shall each ensure that its security infrastructures are consistent with industry standards for virus protection, firewalls and intrusion prevention technologies to help prevent Bitcentral’s network, systems, servers and applications from unauthorized access. Bitcentral will restrict access to Customer Data at all times to only those employees and Contractors whose access is necessary to performing the Services or as otherwise permitted under the Agreement, and such employees and Contractors will be required to protect Customer Data in accordance with the applicable requirements of this Agreement. Bitcentral shall segregate Customer Data from the data of Bitcentral’s other customers. Bitcentral must ensure proper user authentication for all employees and Contractors with access to Customer Data, including, without limitation, by assigning each employee or Contractor unique access credentials for access to any system on which Customer Data can be accessed and prohibiting employees and Contractors from sharing such access credentials. Bitcentral shall ensure that upon termination of any employee or Contractor, the terminated person’s access to Customer Data is promptly revoked.
Bitcentral shall securely store and secure in transmission all of Customer Data and shall encrypt Customer Data in transit, including on portable devices or on portable media, consistent with industry standards and at a minimum of 256-bit encryption.
4.2 Information Security Program. Bitcentral shall implement and maintain an Information Security Program having (a) an organizational structure and appropriate security controls to identify and protect Customer Data in accordance with this Agreement; (b) employee and Contractor controls, such as communication of all applicable security policies, background checks of employees who will access Customer Data (as permitted by Applicable Law), security awareness training, disciplinary processes; (c) controls designed to ensure the physical safety and security of Bitcentral’s facilities, including, without limitation, records of such access; (d) controls designed to ensure Bitcentral’s security posture is maintained over time, such as patch management, backups, and incident management; (e) controls designed to protect access to Bitcentral’s systems and Customer Data, and designed to ensure appropriate levels of access are restricted to authorized employees and Contractors, and that authentication mechanisms are appropriately protected, such as key management and access rights auditing; and, (f) controls designed to ensure Bitcentral’s software is securely developed in accordance with this Agreement, such as design reviews, secure separation of development and production environments, code reviews, and quality assurance testing.
4.3 Hardening and Secure Coding. Prior to commencing the Services, Bitcentral will security-harden all network devices and servers owned or controlled by Bitcentral (excluding any owned or controlled by Customer or its affiliates, contractors or service providers) that will host or process Customer Data (in accordance with industry accepted benchmarks, such as those published by the Center for Internet Security (or equivalent)), code or web applications that are under Bitcentral’s control in accordance with these standards. Bitcentral shall perform reasonable web application security code analysis in accordance with industry accepted standards on all code prior to deployment in a production environment and correct any security flaws discovered by source code analyses prior to deployment.
4.4 Ongoing Monitoring. Bitcentral shall proactively ensure the security of its applications and environment. Bitcentral shall ensure that the Services and its networks, servers and applications are continuously monitored for potential Security Flaws. Bitcentral shall respond and resolve (at Bitcentral’s expense) any detected Security Flaw in accordance with industry standards in accordance with the Security Resolution Schedule.

5. DISPOSAL.

5.1 Upon termination or expiration of this Agreement, Bitcentral shall, and shall cause its Contractors, to promptly securely delete or destroy Customer Data pursuant to Bitcentral’s data retention policy.

6. SECURITY AUDIT RIGHTS.

6.1 At the request of Customer, Bitcentral shall provide Customer with the results of an independent security audit of all records, security policies and procedures, and other practices relating to the use, processing, storage and disclosure of Customer Data. The audit results and Bitcentral’s plan for addressing or resolving issues identified by the audit shall be shared with Customer within 10 days of Bitcentral’s receipt of the audit results. In addition, subject to Bitcentral’s advance approval as to scope and timing, Customer also reserves the right to conduct, at its own cost, not more than once per calendar year, technical security integrity reviews, and penetration tests and monthly Internet security scans to ensure Bitcentral remains compliant with this Agreement (collectively, “Application Security Assessments”). Customer will provide at least seven days’ notice prior to penetration testing or the commencement of monthly scanning activities. Bitcentral shall correct any Security Flaw discovered by Customer in accordance with industry standards in accordance with the Security Resolution Schedule. Further, Bitcentral and any Contractor that accesses, stores or collects Customer Data shall conduct, at its own cost, an Application Security Assessment annually using an independent third-party tester. Customer acknowledges that all information relating to Bitcentral’s records, logs, information, policies, procedures, other documents, data, and systems shall constitute Bitcentral’s Confidential Information subject to the confidentiality provisions of this Agreement.

7. MALICIOUS CODE.

7.1 Bitcentral will use commercially reasonable efforts, and comply with this DPA, to ensure that the Services will not result in the transmission to Customer of any (a) back door, time bomb, Trojan Horse, worm, drop-dead device, virus, spyware or malware; or (b) any computer code or software routine that disables, damages, erases, disrupts or impairs the normal operation of Customer’s or its users’ systems or any component thereof.

8. CONTRACTORS.

8.1 Bitcentral shall remain liable and responsible for the performance or non-performance of its Contractors.

9. INTERNATIONAL TRANSFER OF DATA.

9.1 Other than creative content provided by Customer as part of Customer Data, Bitcentral shall not transfer Customer Data to, or allow access to Customer Data by, its employees or Contractors in any location outside the United States unless agreed to in writing by Customer. If Customer is required by Applicable Laws to comply with the European General Data Protection Regulation, then, at Customer’s request, Bitcentral and any Affiliate or Contractor of Bitcentral will enter into a data processing agreement that incorporates the European Commission Standard Contractual Clauses between Controllers and Processors, or any similar agreement relating to other countries, with Customer Affiliates in order to allow Customer Data to be transferred to Bitcentral and any Affiliate or Contractor of Bitcentral by Customer’s international Affiliates.

10. ASSISTANCE WITH REGULATOR INTERACTIONS.

10.1 Upon notice to Bitcentral, Bitcentral shall assist and support Customer in the event of an investigation of Customer by any government agency regulator, including a data protection regulator, or similar authority, if and to the extent that such investigation relates to Customer Data handled by Bitcentral on behalf of Customer. Such assistance shall be at Customer’s sole expense and Customer shall promptly reimburse Bitcentral for Bitcentral’s (and its Contractors’) expenses, except where such investigation was required due solely to Bitcentral’s acts or omissions, in which case such assistance by Bitcentral shall be at Bitcentral’s sole expense. Bitcentral shall take any other steps reasonably requested by Customer to assist Customer in complying with any notification, registration or other obligations applicable to Customer or its Affiliates under Applicable Law with respect to Personal Information. In the event that this Agreement, or any actions to be taken or contemplated to be taken in performance of this Agreement, do not or would not satisfy either Party’s obligations under such laws, the Parties shall negotiate in good faith an appropriate amendment to this Agreement, or, at Bitcentral’s option, Bitcentral may terminate this Agreement without penalty.

11. DATA SECURITY BREACH NOTIFICATION AND INCIDENT RESPONSE.

11.1 Breach Notification. “Data Breach” means a detected intrusion or penetration involving any systems owned, controlled or contracted for by Service Provider or its subcontractors by unauthorized persons or entities and which involves the unauthorized access, use, exfiltration, disclosure, transmission, or lockup of unencrypted Customer Data. Bitcentral shall comply with Applicable Law. Bitcentral shall notify Customer via the telephone and email address provided below (as may be updated by Customer from time to time) of any Data Security Breach. Bitcentral shall use commercially reasonable efforts to notify Customer of a Data Breach within 72 hours after detecting or being notified of a Data Breach. Customer’s designated telephone and email contacts will be taken from the most recently executed Statement of Services.
11.2 Other Parties. Customer will determine whether and when to notify any individuals regarding any Data Breach affecting Personal Information. Notwithstanding the foregoing, Bitcentral is permitted to comply with all Applicable Laws and contractual obligations to which it is subject, and may notify third parties other than notification of individuals.
11.3 Data Breach Investigation. In the event of a Data Breach, Bitcentral shall permit, at Customer’s expense, an independent forensics firm to conduct a review of such of Bitcentral’s equipment, systems, physical and electronic log files, and facilities used to deliver the services to Customer for purposes of validating compliance with the security measures described in this Section. In addition, Bitcentral will, upon Customer’s request and pursuant to Customer’s instructions, at Bitcentral’s cost (if the Data Breach was due to Bitcentral’s or its Contractors’ failure to comply with this DPA), notify any affected persons or entities; provided that the method and content of such notice shall be agreed to in writing by Customer prior to sending such notice. Bitcentral shall also cooperate with Customer and any relevant authority in the event of litigation or regulatory inquiry concerning a Data Breach.

12. TRACKING TECHNOLOGIES; NO RESPAWNING.

12.1 Other than as explicitly permitted under this Agreement, Bitcentral agrees that it will not use Customer Services to distribute cookies or other tracking technology, including, without limitation, browser-based cookies. Bitcentral will not (a) place any cookie that is associated as a Customer domain cookie; (b) place a cookie in connection with the Customer Services that evades a user’s efforts to remove it from the user’s device; (c) restore, repopulate, or rebuild any cookie or other tracking technology using values stored in a local shared object, or other technologies placed on user browsers or devices when visiting the Customer Services; or (d) extract any information that could be used to personally identify a user, any userID, user names, user passwords, or any unique device identifier from a referrer header. Bitcentral acknowledges and agrees that Customer will not grant JavaScript access to Bitcentral into the Customer domain.

13. CCPA CERTIFICATION.

13.1 CCPA/CPRA. If compliance with California’s Consumer Privacy Protection Act of 2018 (and, when effective, the California Privacy Rights Act of 2020, together “CCPA/CPRA”) is required, each Party will comply with all applicable requirements of CCPA/CPRA when collecting, using, retaining, or disclosing Personal Information.
13.2 CCPA/CPRA Obligations. Bitcentral certifies that it understands its obligations under this DPA and CCPA/CPRA, including, but not limited to, time deadlines, as well as restrictions and prohibitions on selling (as that term is defined under CCPA/CPRA) Personal Information. Except as required by Applicable Law, Bitcentral will not collect, access, use, disclose, process, or retain Client Personal Information for any purpose other than (a) the purpose of performing the Support Services, (b) another business purpose permitted by 11 CCR § 999.314(c) or this Addendum, (c) for Vendor’s internal business and process improvement and development purposes, or (d) as permitted under the Agreement.
13.3 Warrant. Bitcentral warrants that it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under this Data Addendum.

 

 
