Envoy Data Protection Addendum

Last updated on Sep 24, 2021

Effective Date: September 27, 2021

This Data Processing Addendum ("Addendum" or "DPA") forms part of the Enterprise SaaS Agreement or the Terms of Service ("Principal Agreement") between: (i) Envoy, Inc. ("Vendor" or "Envoy") acting on its own behalf and as agent for each Vendor Affiliate; and (ii) the Customer listed in the Principal Agreement ("Company") acting on its own behalf and as agent for each Company Affiliate, solely to the extent Vendor or any Vendor Affiliate processes Company Personal Data in the capacity as a Processor of Company or the Company Affiliate.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

1. Definitions and Interpretation

1.1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 "Company Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.2 "Company Group Member" means Company or any Company Affiliate;

1.1.3 "Company Personal Data" means any Personal Data Processed by Vendor or the relevant Vendor Affiliate on behalf of a Company Group Member pursuant to or in connection with the Principal Agreement;

1.1.4 "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this Addendum, in each case as amended from time to time, including the GDPR, the Data Protection Act 2018 of the United Kingdom and the Swiss Federal Act on Data Protection;

1.1.5 "EEA" means the European Economic Area;

1.1.6 "EU Standard Contractual Clauses" means the clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;

1.1.7 "GDPR" means the General Data Protection Regulation 2016/679 together with any national implementing laws in any Member State of the EEA ("EU GDPR") and the EU GDPR in such form as incorporated into the laws of the United Kingdom ("UK GDPR");

1.1.8 "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Company Group Members pursuant to the Principal Agreement;

1.1.9 "Subprocessor" means any person (including any third party and any Vendor Affiliate, but excluding an employee of Vendor, of any Vendor Affiliate or of any of their sub-contractors) appointed by or on behalf of Vendor or any Vendor Affiliate to Process Company Personal Data on behalf of any Company Group Member in connection with the Principal Agreement;

1.1.10 "UK Controller to Processor Standard Contractual Clauses" means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission's decision (C(2010)593) of 5 February 2010; and

1.1.11 "Vendor Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.2. The terms, "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

1.3. Capitalized terms used in this Addendum not otherwise defined herein shall have the meaning given to them in the Principal Agreement.

1.4. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

1.5. The Schedules in this DPA form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules.

2. Authority

2.1. Vendor warrants and represents that, before any Vendor Affiliate Processes any Company Personal Data on behalf of any Company Group Member, Vendor's entry into this Addendum as agent for and on behalf of that Vendor Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Vendor Affiliate.

3. Controller's Instructions

3.1. The parties acknowledge and agree that with regard to the Processing of Company Personal Data, Company or the relevant Company Affiliate is the Controller, Vendor or the relevant Vendor Affiliate is the Processor and that Vendor or the relevant Vendor Affiliate will engage Subprocessors pursuant to the requirements set forth in Section 7 (Subprocessing) below.

3.2. The Company:

3.2.1. instructs Vendor and each Vendor Affiliate (and authorizes Vendor and each Vendor Affiliate to instruct each Subprocessor) to:

3.2.1.1. Process Company Personal Data; and

3.2.1.2. in particular, transfer Company Personal Data to any country or territory, in each case as reasonably necessary for the provision of the Services and consistent with the Principal Agreement;

3.2.2. warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in this Addendum on behalf of each relevant Company Affiliate and to receive any communications or notifications in relation to this Addendum on behalf of the relevant Company Affiliate. Except where Data Protection Laws require a Company Affiliate to exercise a right or seek any remedy under this Addendum against Vendor or Vendor Affiliate directly by itself, the parties agree that solely Company shall exercise any such right or seek any such remedy on behalf of the relevant Company Affiliate;

3.2.3. warrants and represents that it will comply with its obligations under the Data Protection Laws and that it has obtained any necessary consents and/or provided any necessary notices, and otherwise has a legitimate ground to disclose the Company Personal Data to Vendor and each Vendor Affiliate to enable Vendor and each Vendor Affiliate to Process Company Personal Data as contemplated by this Addendum and the Principal Agreement.

3.3. Vendor and each Vendor Affiliate shall comply with all applicable Data Protection Laws in the Processing of Company Personal Data, and only Process Company Personal Data on the relevant Company Group Member's documented instructions. If Data Protection Laws preclude Vendor from complying with the Company's instructions, Vendor will inform the Company of its inability to comply with the instructions. Vendor will also immediately inform the Company if, in its opinion, an instruction from the Company infringes the Data Protection Laws.

3.4. Schedule 1 to this Addendum sets out a description of the Processing of the Company Personal Data. Any amendments to Schedule 1 require prior written agreement between Vendor and the Company.

4. Confidentiality

4.1. Vendor will require Vendor's employees who access Company Personal Data to commit to protect the confidentiality of the data.

5. Cross-Border Transfers of Personal Data

5.1. With respect to the transfer of Company Personal Data originating from the EEA or Switzerland from the Company (including when acting on behalf of the relevant Company Affiliate) to the Vendor and subject to Section 5.2 of this Addendum, the parties agree to comply with the general clauses and with "Module Two" (Transfer Controller to Processor) of the EU Standard Contractual Clauses, which are incorporated herein by reference. In furtherance of the foregoing, the parties agree that, for purposes of the EU Standard Contractual Clauses:

5.1.1. Company shall act and comply with the obligations, and shall have the rights, of the "data exporter" under Module Two of the EU Standard Contractual Clauses, and Vendor shall act and comply with the obligations as the "data importer" under such Module;

5.1.2. for the purpose of Clause 17, the EU Standard Contractual Clauses shall be governed by the laws of Ireland;

5.1.3. for the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;

5.1.4. in Clause 7, the optional docking clause will not apply;

5.1.5. in Clause 9, Option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 7.1 of this Addendum;

5.1.6. in Clause 11, the optional language will not apply;

5.1.7. for the purposes of Annex I, Section A (List of Parties), (i) the data exporter's and the data importer's identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Principal Agreement or as otherwise communicated by each party to the other party; (ii) Company or the relevant Company Affiliate is a Controller, and Vendor is a Processor; (iii) the activities relevant to the data transferred under the EU Standard Contractual Clauses relate to the provision of the Services pursuant to the Principal Agreement; and (iv) each of the Company's and the Vendor's entering into this Addendum shall be treated as, respectively, Company's and Vendor's signature of Annex I, Section A, as of the Effective Date of this Addendum;

5.1.8. For the purposes of Annex I, Section B (Description of Transfer): (i) Schedule 1 to this Addendum is incorporated by reference and sets out a description of the Processing of Company Personal Data; (ii) the frequency of the transfer is continuous (for as long as the Company uses the Services); (iii) Company Personal Data will be retained in accordance with Clause 8.5 of the Standard Contractual Clauses and this Addendum; (iv) Vendor uses Subprocessors to support the provision of the Services. A list of Subprocessors and the nature of the Processing activities can be found at: https://envoy.com/subprocessors/.

5.1.9. For the purposes of Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU Standard Contractual Clauses is the competent supervisory authority communicated by Company to Vendor.

5.1.10. For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Company Personal Data as described here https://envoy.com/security-details/#data-security or as otherwise made reasonably available by data importer to the data exporter. Please also refer to Vendor's compliance certification page at https://envoy.com/compliance-legal/.

5.2. Insofar as the transfer of Company Personal Data is subject to the Swiss Federal Act on Data Protection, the following provisions apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU Standard Contractual Clauses; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Company Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term 'Member State' in the EU Standard Contractual Clauses will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses; and (iv) references to the 'GDPR' in the EU Standard Contractual Clauses will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Company Personal Data is subject to the Swiss Federal Act on Data Protection.

5.3. With respect to transfers of Company Personal Data originating from the United Kingdom from the Company (including when acting on behalf of the relevant Company Affiliate) to the Vendor, the parties agree to comply with the UK Controller to Processor Standard Contractual Clauses, which are incorporated herein by reference. The parties agree that, for the purposes of the UK Controller to Processor Standard Contractual Clauses: (i) Company shall act and comply with the obligations as the "data exporter", and Vendor shall act and comply with the obligations as the "data importer"; (ii) all references to the "Directive 95/46/EC" and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the "Commission" shall be deemed to refer to the Information Commissioner; (iv) all references to the "European Economic Area" or the "European Union" shall be deemed to refer to the United Kingdom; (v) for the purposes of Appendix 1 to the UK Controller to Processor Standard Contractual Clauses, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this Addendum; and (vi) for the purposes of Appendix 2 to the UK Controller to Processor Standard Contractual Clauses, the security measures are as described here https://envoy.com/security-details/#data-security or as otherwise made reasonably available by data importer to the data exporter. The parties acknowledge that the Information Commissioner's Office has not yet approved new standard contractual clauses under the UK GDPR. The UK Controller to Processor Standard Contractual Clauses will apply only until such time as the Information Commissioner's Office issues new standard contractual clauses under the UK GDPR. The parties shall work together, in good faith, to enter into an updated version of the UK Controller to Processor Standard Contractual Clauses or negotiate an alternative solution to enable transfers of Company Personal Data in compliance with Data Protection Laws.

6. Security

6.1. Vendor and each Vendor Affiliate shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR (and equivalent requirements of other Data Protection Laws). Vendor may update these measures from time to time provided that Vendor will not materially decrease the overall security of the Services during the term of the Principal Agreement. Company is responsible for reviewing the information made available by Vendor relating to data security and making an independent determination as to whether the Services meet Company's requirements and legal obligations under Data Protection Laws.

6.2. Vendor shall notify Company without undue delay upon Vendor or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow each Company Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Vendor shall provide reasonable co-operation to Company and each Company Group Member and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7. Subprocessing

7.1. Each Company Group Member hereby authorizes Vendor and each Vendor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this Section 7 to appoint) Subprocessors in accordance with this Section 7 and any restrictions in the Principal Agreement.

7.2. The Subprocessors appointed by Vendor as at the date of this Addendum are set out at https://envoy.com/subprocessors/ ("Subprocessors List"). Vendor will inform Company of any intended changes concerning the addition or replacement of any appointed Subprocessors (a "New Sub-Processor") at least fifteen (15) days in advance, along with reasonably detailed information about such New Sub-Processor and Company will have an opportunity to object to such changes within seven (7) days after receipt of such notice, provided that such objection must be on reasonable, substantial grounds, directly related to such New Sub-Processor's ability to comply with substantially similar obligations to those set out in this Addendum. If the Company does not so object, the engagement of the New Sub-Processor shall be deemed accepted by the Company. If the Company notifies Vendor in writing of any objections to the proposed appointment, neither Vendor nor any Vendor Affiliate shall appoint that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps taken.

7.3. Vendor will enter into an agreement with each Subprocessor that imposes on the Subprocessor substantially the same obligations that apply to Vendor under this Addendum. Where any of its Subprocessors fails to fulfil its data protection obligations, Vendor will be liable to the Company for the performance of its Subprocessors' obligations.

7.4. The parties agree that the copies of the Subprocessor agreements that must be provided by Vendor to Company or the relevant Company Affiliate pursuant to Clause 9(c) of the EU Standard Contractual Clauses and Clause 5 of the UK Controller to Processor Standard Contractual Clauses may have commercial information removed by Vendor beforehand; and that such copies will be provided by Vendor, in a manner to be determined in its sole discretion, only upon Company's or Company Affiliate's written request.

8. Data Subject Rights

8.1. Taking into account the nature of the Processing, Vendor and each Vendor Affiliate shall assist each Company Group Member by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company Group Members' obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

8.2. Vendor shall:

8.2.1. promptly notify Company if Vendor or the relevant Vendor Affiliate receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

8.2.2. ensure that the Vendor or the relevant Vendor Affiliate does not respond to that request except on the documented instructions of Company, unless otherwise required by Data Protection Laws.

9. Data Protection Impact Assessment and Prior Consultation

9.1. Upon Company's request, Vendor and each Vendor Affiliate shall provide reasonable assistance to each Company Group Member with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Company reasonably considers to be required of any Company Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Vendor or the relevant Vendor Affiliate. Vendor may charge a fee (based on Vendor's reasonable costs) for any such assistance.

10. Deletion or Return of Company Personal Data

10.1. Subject to Sections 10.2 and 10.3 below, Vendor and each Vendor Affiliate shall promptly and in any event within thirty (30) days of the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data.

10.2. Subject to Section 10.3, Company may in its absolute discretion, acting reasonably, by written notice to Vendor within thirty (30) days of the Cessation Date require Vendor and each Vendor Affiliate to (a) return a complete copy of all Company Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to Vendor and subject to the Company paying all of Vendor's fees at prevailing rates, and all expenses, for returning data in that format; and (b) delete and procure the deletion of all other copies of Company Personal Data Processed by Vendor or the relevant Vendor Affiliate. Vendor and each Vendor Affiliate shall comply with any such written request within thirty (30) days of the Cessation Date.

10.3. Vendor or the relevant Vendor Affiliate may retain Company Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Vendor and each Vendor Affiliate shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

10.4. The parties agree that certification of deletion of Company Personal Data as described in Clause 8.5 of the EU Standard Contractual Clauses and Clause 12 of the UK Controller to Processor Standard Contractual Clauses shall be provided only upon Company's request.

11. Audits

11.1. Subject to Sections 11.2 to 11.1, Vendor and each Vendor Affiliate shall make available to each Company Group Member on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by any Company Group Member or by an auditor mandated by any Company Group Member in relation to the Processing of the Company Personal Data by the Vendor or the relevant Vendor Affiliate.

11.2. Information and audit rights of the Company Group Members only arise under Section 11.1 to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).

11.3. Company or the relevant Company Affiliate undertaking an audit shall give Vendor or the relevant Vendor Affiliate reasonable notice of any audit or inspection to be conducted under Section 11.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Vendor or the relevant Vendor Affiliate's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Vendor or the relevant Vendor Affiliate need not give access to its premises for the purposes of such an audit or inspection:

11.3.1. to any individual unless he or she produces reasonable evidence of identity and authority;

11.3.2. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Company or the relevant Company Affiliate undertaking an audit has given notice to Vendor or the relevant Vendor Affiliate that this is the case before attendance outside those hours begins; or

11.3.3. for the purposes of more than one audit or inspection, in respect of Vendor or the relevant Vendor Affiliate, in any calendar year, except for any additional audits or inspections which:

11.3.3.1. Company or the relevant Company Affiliate undertaking an audit reasonably considers necessary because of genuine concerns as to Vendor's or the relevant Vendor Affiliate's compliance with this Addendum; or

11.3.3.2. A Company Group Member is required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, in each case, where Company or the relevant Company Affiliate undertaking an audit has identified its concerns or the relevant requirement or request in its notice to Vendor or the relevant Vendor Affiliate of the audit or inspection.

11.4. Following receipt by Vendor of an audit request, the parties will discuss and agree in advance on the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit. Vendor may charge a fee (based on Vendor's reasonable costs) for any audit. Vendor will provide Company with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Company will be responsible for any fees charged by any auditor appointed by Company to execute any such audit.

12. General Terms

Order of precedence

12.1. Nothing in this Addendum reduces Vendor's or any Vendor Affiliate's obligations under the Principal Agreement in relation to the protection of Company Personal Data or permits Vendor or any Vendor Affiliate to Process (or permit the Processing of) Company Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the EU Standard Contractual Clauses or the UK Controller to Processor Standard Contractual Clauses, the applicable Standard Contractual Clauses shall prevail.

12.2. Subject to Section 12.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

Changes in Data Protection Laws, etc.

12.3. Upon notice to the Vendor, Company may propose any variations to this Addendum which Company reasonably considers to be necessary to address the requirements of any Data Protection Laws.

12.4. If Company gives notice under Section 12.3, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Company's notice as soon as is reasonably practicable.

12.5. Neither Company nor Vendor shall require the consent or approval of any Company Affiliate or Vendor Affiliate to amend this Addendum pursuant to Section 12.4 or otherwise.

Liability

12.6. Each party's liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Principal Agreement.

Severance

12.7. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

SCHEDULE 1
DETAILS OF PROCESSING OF COMPANY PERSONAL DATA

This Schedule 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR or equivalent requirements of other Data Protection Laws.

1. Subject matter and duration of the Processing of Company Personal Data

The subject matter of the Processing of the Company Personal Data is the provision of the Services to the Company. Company Personal Data will be Processed for the duration of the Principal Agreement, subject to Section 10 of this Addendum.

2. Nature and purpose of the Processing of Company Personal Data

Vendor shall host, maintain and otherwise process Company Personal Data only in connection with the provision of Services pursuant to the terms of the Agreement and this Addendum.

3. Types of Company Personal Data Processed

Personal Data input by (or at the direction of) Company or by Data Subjects into Vendor's system or that Vendor otherwise Processes on Company's behalf in connection with providing the Services pursuant to the terms of the Agreement and this Addendum, including name, contact information (including, but not limited to: phone, email address) and visitor information (including timestamp of visit).

For certain Services (Envoy Protect and Vaccine Tracking), Company Personal Data processed by Vendor includes vaccine status and other health related information, such as information on symptoms and possible exposure to COVID-19 or a similar/related public health emergency through contact with others, travel and other criteria determined by the Company, collected from Data Subjects through wellness checks.

4. Categories of Data Subject to whom the Company Personal Data Relates

Company's employees and visitors.

5. Obligations and rights of Company and Company Affiliates

The obligations and rights of Company and Company Affiliates are set out in the Principal Agreement and this Addendum.

Contact Information

If you have any questions or comments you can contact us at [email protected].

Envoy, Inc.
410 Townsend St, Suite 410
San Francisco, CA 94107
United States