DATA PROCESSING ADDENDUM
This DATA PROCESSING ADDENDUM (this "Addendum") is effective as of the Effective Date and forms a part of and is incorporated into that certain Software as a Service and Lease Agreement (the "Agreement") between the Customer and HALO. This Addendum sets forth the Parties' understanding with respect to the Processing of Personal Data and, to the extent of any conflict, replaces and/or supersedes any existing provision regarding Personal Data in the Agreement or otherwise.
1. Definitions and Interpretation.
(a) Terms Defined in the Agreement. Capitalized terms used but not otherwise defined in this Addendum shall have the meanings given to such terms in the Agreement.
(b) Terms under Applicable Data Protection Law. The terms "processor", "controller", "data subject", "processing" and other terminology and definitions shall, to the greatest extent possible, have the meanings given to them under Applicable Data Protection Law.
(c) Other Defined Terms.
"Anonymized" means the stripping and masking of Personal Data, using obfuscation and non-reversible cryptographic hashing algorithms, such that the data in no way identifies or is connected to any person. "Anonymized" shall also mean making it impossible to identify individuals within data sets and is an irreversible process. When anonymization is effective, the data is no longer considered personal data and the requirements of the GDPR are no longer applicable.
"Applicable Data Protection Law" means, if and to the extent applicable, (i) the UK Data Protection Act 2018 and the EU GDPR, as it forms part of retained EU law in the United Kingdom ("UK GDPR"); (ii) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR"); (iii) data protection laws in the U.S., including but not limited to the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq, as amended by the California Privacy Rights Act of 2020, and regulations issued thereunder (collectively, "US Data Protection Laws"); and (iv) any other data protection rules, regulations, self-regulatory guidelines or implementing legislation applicable to the Services and HALO's processing of Data.
"Appropriate Security Measures" means appropriate security measures required by Applicable Data Protection Law to protect against unauthorised or unlawful access to, alteration, disclosure or destruction of Personal Data and against its accidental loss or destruction and, in particular, where the processing involves the transmission of Personal Data over a network, it shall mean having regard to the state of technological development and the cost of implementing the measures, and ensuring that the measures provide a level of security appropriate to: (i) the risks that are presented by the processing; (ii) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of or damage to the data concerned; and (iii) the nature of the Personal Data, and shall include the measures set forth in Annex 2 to this Addendum.
"Permitted Third Party Service Provider" means third party service providers as specified in Annex 3 to this Addendum and engaged by HALO for the purposes of providing the Services.
"Personal Data" means the personal data processed by HALO on behalf of the Customer in connection with the Services (whether part of the Customer Data or otherwise), or is defined as "personally identifiable information", "personal information", "personal data" or similar term under Applicable Data Protection Law.
"Personnel" means, in relation to a person, that person's servants, officers, employees, agents or contractors.
"SCCs" means the standard contractual clauses approved by the EU Commission by Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries.
2. Data Protection
(a) Data Controller. The parties acknowledge that, in relation to Personal Data and for the purposes of the Applicable Data Protection Law, the Customer is the data controller (as set forth in the Applicable Data Protection Law) and HALO is a data processor. The control of and responsibility for the Personal Data shall remain with the Customer at all times.
(b) Data Processor's Obligations. HALO agrees with the Customer that:
(i) it shall only process Personal Data:
1. in accordance with the instructions of the Customer, which instructions shall be documented in writing by way of the Agreement or such other manner as may be agreed between the Customer and HALO from time to time; and
2. in accordance with the nature and purpose of the processing set out in Annex 1 to this Addendum;
(ii) it shall ensure that any processing of Personal Data by it shall be carried out in compliance with Applicable Data Protection Law;
(iii) it shall inform the Customer as soon as practicable if, in its opinion, it receives an instruction from the Customer which infringes or is in conflict with Applicable Data Protection Law;
(iv) it shall disclose Personal Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this Agreement, and shall use commercially reasonable efforts to ensure that such Personnel are bound by obligations of confidentiality;
(v) subject to the other provisions of this Addendum, it shall not sell, transfer, disclose or otherwise allow access to any Personal Data to any party other than its Personnel, save where the prior written approval of the Customer has been obtained;
(vi) it shall not copy or maintain any Personal Data on any other system, application or medium other than as required for the provision of the Services or as contemplated in HALO's ordinary course of business;
(vii) without prejudice to Section 7 of this Addendum, it shall not sub-contract or delegate or purport to transfer any of its obligations to the Customer under this Addendum from time to time to any third party unless HALO has in place a contract with the proposed third party providing the same or a higher level of protection of Personal Data as is set out in this Addendum;
(viii) it shall not perform the Services in such a way as to cause the Customer to breach any of its obligations under Applicable Data Protection Law; and
(ix) at the Customer's cost, HALO shall promptly assist the Customer in complying with its obligations under Articles 32 to 36 of the GDPR.
(c) Cross-Border Transfers of Personal Information.
(i) Annex 1 to this Addendum lists all of the countries where HALO currently receives, accesses, transfers or stores Personal Data. HALO shall not receive, access, transfer or store Personal Data outside the countries listed on Annex 1 to this Addendum unless the receipt, access, transfer or storage complies with the Applicable Data Protection Law.
(ii) If any Personal Data transfer between HALO and the Customer requires execution of SCCs, the Parties will take all actions required to execute such SCCs and to legitimize the transfer, including implementing any necessary supplementary measures or supervisory authority consultations.
(d) Processing Details. Each of the parties acknowledges and agrees that Annex 1 to this Addendum is an accurate description of the Personal Data.
HALO shall implement Appropriate Security Measures to prevent accidental or unauthorised loss, destruction, damage, alteration or disclosure of, or unlawful or unauthorised access to, any Personal Data in the custody of HALO, and HALO shall ensure that its Personnel are aware of and comply with those measures.
4. Data Breach.
(a) Notification. HALO shall promptly notify the Customer upon becoming aware of any unauthorized access to, or unauthorized use, alteration, disclosure, accidental loss or destruction of, any Personal Data in the custody of HALO (each a "data breach").
(b) Actions. In the event of any data breach, HALO shall:
(i) take action to mitigate any potential damage and remedy the cause of the data breach;
(ii) take action to investigate said data breach and, upon the Customer's request, share the results of such investigation and its remediation plan with the Customer; and
(iii) upon the Customer's request, provide the Customer with all information required to fulfil its obligations, as data controller, under all Applicable Data Protection Law.
5. Data Subject Requests and Complaints.
(a) Notification. HALO shall promptly notify the Customer of any request from a data subject to exercise any of his or her rights under Applicable Data Protection Law or any complaint from any data subject with respect to the Personal Data provided to HALO by the Customer.
(b) Settlement and Resolution. HALO shall not settle or resolve any such request or complaint except on the written instructions of the Customer, not to be unreasonably withheld or delayed.
(c) Assistance. HALO shall, upon request of the Customer and at the Customer's expense, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights under Applicable Data Protection Law.
The Customer shall indemnify and hold harmless HALO and its Affiliates, and their respective agents, members, shareholders, officers, directors, employees, and contractors from time to time on demand from and against any and all third party actions, suits, proceedings, claims, demands, orders, damages, dues, penalties, fines, costs, liabilities, obligations, losses, expenses and fees (including, without limitation, reasonable attorneys' fees and costs) directly or indirectly suffered, incurred or payable by the indemnified party arising out of or in connection with any of the following events:
(a) any breach by the Customer of its obligations under this Addendum;
(b) all claims, proceedings or actions brought by a competent public authority or a data subject against the Customer with respect to the processing of Personal Data by the Customer; and/or
(c) the Customer's failure to comply with Applicable Data Protection Law.
7. Destruction and Delivery of Data.
Subject to the last sentence of this Section 7, at any time during the course of the provision of the Services, or upon termination of this Agreement, HALO shall, upon the request of the Customer, immediately securely deliver to the Customer or destroy all Personal Data in its possession or control, as may be requested by the Customer, and shall certify such destruction or delivery in writing to the Customer on request from time to time, and shall instruct each Permitted Third Party Service Provider to destroy all Personal Data in their possession or control; provided, that in the event that HALO delivers or destroys Personal Data at the request of the Customer prior to termination of the Agreement, HALO shall be released under any provision of the Agreement relating to the retention, destruction or delivery of such Personal Data. If any law, regulation, or government or regulatory body requires HALO to retain any documents or materials that HALO would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain and the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. HALO may only use such retained Personal Data for the purpose for which retention is required.
8. Permitted Third Party Service Provider.
(a) Consent. Without prejudice to the pre-condition specified in Section 2(b)(vii) of this Addendum, HALO shall be permitted to sub-contract processing of Personal Data to a Permitted Third Party Service Provider provided that:
(i) the same data protection obligations as set out in this Addendum shall be imposed on that Permitted Third Party Service Provider by way of a data sub-processing agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Applicable Data Protection Law; and
(ii) HALO shall remain responsible for all acts and omissions of the Permitted Third Party Service Provider and the acts and omissions of those employed or engaged by the Permitted Third Party Service Provider as if they were its own. An obligation on HALO to do, or to refrain from doing, any act or thing shall include an obligation on HALO to procure that its Personnel and the Personnel of each Permitted Third Party Service Provider also do, or refrain from doing, such act or thing.
(b) Consent to Transfer to Third Countries. Further to Sections 2(b)(vii) and 8(a) above, the Customer hereby consents to the transfer of Personal Data to such Permitted Third Party Service Provider as may be located outside of the U.S. or the European Economic Area.
9. Compliance Verifications.
(a) HALO shall reasonably cooperate with any requests from the Customer for information reasonably necessary to demonstrate compliance with the obligations set forth in this Addendum and reasonably cooperate with, to the extent required by Applicable Data Protection Law, audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
(b) Such auditor will be bound by confidentiality obligations no less stringent than those set forth in the Agreement. In the event of any requested review, the Customer shall give HALO reasonable advance notice of the reviews and such reviews shall not unreasonably interfere with or disrupt HALO's business activities. Audits shall take place within normal business hours unless the review is required to be carried out on an emergency basis by a regulatory authority.
(c) To the extent permitted by applicable law, the Customer shall be responsible for and shall reimburse HALO for any reasonable and documented costs arising from HALO's provision of assistance that are over and beyond those required by applicable law.
10. Aggregated Statistics.
Notwithstanding anything to the contrary in the Agreement or this Addendum, to the extent any Personal Data becomes Anonymized, HALO may monitor, collect and use such information for any commercial purpose in accordance with Applicable Data Protection Law, including but not limited to developing analytics, and may retain, use and disclose such information for such purpose, without restriction.
11. Term and Termination.
This Addendum shall continue in full force and effect until the termination or expiry of the Agreement whereupon HALO's authority to process Personal Data in accordance with this Agreement shall terminate automatically, unless otherwise agreed between the parties in writing.
12. Representations and Warranties of Customer.
The Customer represents and warrants to HALO, on a continuing basis for the duration of the Agreement, that:
(a) all consents, if required, for the processing of all the Personal Data by HALO in the manner contemplated by this Agreement have been validly obtained and are in full force and effect; and
(b) the Customer has complied with all of its obligations (however arising) with respect to all the Personal Data.
(a) Agreement. This Addendum forms part of and is incorporated into the Agreement. In the event of any conflict between this Addendum and any other term of the Agreement relating to data protection or Applicable Data Protection Law, the terms of this Addendum shall prevail.
(b) Severability. If the whole or any part of a provision of this Addendum is or becomes illegal, invalid or unenforceable, that will not affect the legality, validity or enforceability of the remainder of the provision in question or any other provision of this Addendum.
(c) Binding on Successors. This Addendum and all of its provisions shall be binding upon and inure to the benefit of the parties and their respective heirs, executors, administrators, successors and permitted assigns.
(d) Survival of Obligations. The provisions of this Addendum shall, as necessary, survive the termination of the provision of Services by HALO however it arises, and shall continue to bind the parties or the relevant party (as applicable) without limit in time.
ANNEX 1 – PERSONAL DATA
Types of personal data to be processed
(i) audio and video recording data.
Categories of data subjects
(i) site visitors;
Nature of the processing
Any operation or set of operations which may be performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose of the processing
Provision of the Services under the MSA
Countries where HALO currently receives, accesses, transfers or stores Personal Data
United States, United Kingdom
ANNEX 2 – SECURITY MEASURES
At Halo, security is an ongoing process, not a one-time task. We regularly reassess our security measures to adapt to evolving threats and technology changes. We have recently achieved ISO 27001 certification, which demonstrates our commitment to securing our customers' data. We have an Information Security Policy and a set of other policies which outline our approach to information security. Protecting customer information is crucial, and we have implemented a range of security controls to achieve this:
Data Encryption & Backups
Sensitive customer data is encrypted, both in transit and at rest. This ensures that even if unauthorised access occurs, the data remains unreadable without the proper decryption keys. Regular backups of customer data are taken and these backups are kept secure. This helps in the event of data loss due to system failures, cyber attacks, or other emergencies.
Access to customer information is on a need-to-know basis. Strong authentication methods are used, like multi-factor authentication, to ensure only authorised personnel can access sensitive data.
Regular Software Updates
Software is kept updated, including security software, to patch vulnerabilities. Systems are regularly updated and patched to protect against known exploits.
We have secure physical access in place for our offices. This includes access controls, and environmental controls to protect against physical theft or damage.
We clearly communicate our privacy policies to customers. We are transparent about how their information is collected, stored, and used. We obtain explicit consent for collecting and processing personal data.
BCP & Incident Response
We have a comprehensive Business Continuity Plan in place which has been approved by all areas of our business and is tested regularly.
An incident response plan has been developed and is maintained to quickly and effectively address security incidents. This includes steps for identifying, containing, eradicating and recovering from security breaches, and for capturing lessons learned.
Staff receive regular training on security best practices. This ensures they understand the importance of safeguarding customer information and are educated on how to recognise and respond to security threats.
Auditing & Penetration Testing
Regular security audits and reviews are conducted to identify and address potential vulnerabilities. This includes reviewing access logs, monitoring for unusual activity, and ensuring compliance with security policies.
Our Halo Vault is tested on an annual basis and any high or medium risk findings are investigated and resolved.
ANNEX 3 – PERMITTED THIRD PARTY SERVICE PROVIDERS
- Amazon Web Services
- Affiliates of HALO (for purposes of implementation, support and maintenance of the Services)