SPRIG DATA PROCESSING ADDENDUM
This Data Processing Addendum (including its attachments) (“DPA”) forms part of and is subject to the terms and conditions of the agreement that governs Company’s use of Sprig’s Services (“Agreement”) by and between Company and Sprig. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. If there is any inconsistency or conflict between this DPA and any Agreement, then as it relates to data protection, this DPA will control.
- “Company Personal Data” means Company Data that is Personal Data processed by Sprig on behalf of Company in the provision of the Services under the Agreement.
- “Data Subject” means the identifiable, natural person to whom Company Personal Data relates.
- “Data Protection Legislation” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Company Personal Data are subject. “Data Protection Legislation” may include, but is not limited to, the California Consumer Privacy Act of 2018 (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed.
- “Subprocessor” means Sprig’s authorized vendors and third-party service providers that process Company Personal Data.
2. PROCESSING OF COMPANY PERSONAL DATA.
- 2.1. Purpose of Processing. The purpose of the processing of Company Personal Data under the Agreement is the provision of the Services pursuant to the Agreement.
- 2.2. Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Sprig is a “processor” or “service provider” of Company Personal Data under applicable Data Protection Legislation; (b) Company is a “controller” or “business” of Company Personal Data under applicable Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Company Personal Data.
- 2.3. Company Instructions. Company instructs Sprig to process Company Personal Data to provide the Services in accordance with the Agreement and any applicable Order Form. Company will ensure that its instructions for the processing of Company Personal Data will comply with the Data Protection Legislation. Company will have sole responsibility for the accuracy, quality, and legality of Company Personal Data and the means by which Company obtained the Company Personal Data.
- 2.4 Restriction on Protected Health Information. Company shall not upload, provide, or otherwise permit Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996) to be processed via the Services. Company acknowledges and agrees that Services are not intended to process Protected Health Information and that Sprig shall have no liability in connection with the access, use, disclosure, or storage of Protected Health Information.
- 2.5. Sprig’s Compliance with Company Instructions. Sprig will only process Company Personal Data in accordance with Company’s instructions set forth in the Agreement and this DPA. Sprig may process Company Personal Data other than on the written instructions of Company if it is required under applicable law to which Sprig is subject. In this situation, Sprig will inform Company of such requirement before Sprig processes the Company Personal Data unless prohibited by applicable law.
- 3.1. Sprig Personnel. Sprig will ensure that its personnel engaged in the processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, and are subject to obligations of confidentiality.
- 3.2. Security. Sprig will implement appropriate technical and organizational measures designed to safeguard Company Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such technical and organizational measures shall include those set forth in Attachment 1.
4. COMPLIANCE ASSISTANCE.
- 4.1. Assistance with Company’s Obligations. To the extent Company, in its use or receipt of the Services, does not have the ability to fulfill requests from Data Subjects exercising their rights in Company Personal Data granted to them under applicable Data Protection Legislation, Sprig will provide reasonable cooperation to Company to help facilitate Company’s fulfillment of such requests as required by applicable Data Protection Legislation.
- 4.2. Requests Received from Data Subjects. If Sprig receives a request from a Data Subject related to Company Personal Data, Sprig will inform the Data Subject that it should reach out to the applicable customer which is responsible for their Personal Data (i.e., the “controller” or “business” of such Data Subject’s Personal Data) without making any specific reference to Company.
- 4.3 Additional Compliance Assistance. Where required by Data Protection Legislation, Sprig will reasonably cooperate with Company, at Company’s expense, to assist Company in ensuring compliance with Company’s obligations under applicable Data Protection Legislation taking into account the nature of processing and the information available to Sprig.
- 5.1. General Authorization. Company generally authorizes the use of Sprig’s Subprocessors.
- 5.2 New Subprocessors. When Sprig engages any new Subprocessor, Sprig will, at least ten (10) days before the new Subprocessor processes any Company Personal Data, inform Company of the engagement via email to the email address on file for Company’s account and give Company the opportunity to object to such Subprocessor within five (5) days of Sprig giving notice. If Company objects to a new Subprocessor, and such objection is not resolved within twenty (20) days of Sprig receiving the objection, Sprig may terminate the Agreement with Company.
- 5.3. Sprig Obligations. Sprig will remain liable for the acts and omissions of its Subprocessors to the same extent Sprig would be liable if performing the services of each Subprocessor directly under the terms of this DPA. Sprig will contractually impose data protection obligations on its Subprocessors that are consistent with those data protection obligations imposed on Sprig under this DPA.
6. DATA TRANSFERS.
- 6.1 Cross-Border Transfers of Company Personal Data. Company authorizes Sprig and its Subprocessors to transfer Company Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
- 6.2 Data Transfer Addendum. If Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Company to Sprig in a country that has not been found to provide an adequate level of protection under applicable Data Protection Legislation, the parties agree that the transfer shall be governed by the Data Transfer Addendum located at: https://sprig.com/dta.html, which is incorporated herein by reference.
7. SECURITY BREACH.
- 7.1. Notification Obligations. In the event Sprig becomes aware of any Security Breach, Sprig will notify Company of the Security Breach without undue delay. The obligations in this Section 7 do not apply to incidents that are caused by Company or Company's personnel or end users or to unsuccessful attempts or activities that do not compromise the security of Company Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- 7.2. Manner of Notification. Notification(s) of Security Breaches, if any, will be delivered to one or more of Company’s business, technical or administrative contacts by any means Sprig selects, including via email. It is Company’s sole responsibility to ensure it maintains accurate contact information on Sprig’s support systems at all times.
8. DELETION OF COMPANY PERSONAL DATA.
- 8.1. Deletion/Return of Company Personal Data. Following termination or expiration of the Agreement, Sprig will delete all Company Personal Data except to the extent that Sprig is required under applicable law to keep a copy of the Company Personal Data.
- 9.1. Information Rights. Upon Company’s written request no more than once per year, Sprig will provide a copy of Sprig’s then most recent third-party audits or certifications regarding Sprig’s technical and organizational security measures (the “Audit Reports”), as applicable, or any summaries thereof, that Sprig makes available to its customers. To the extent Company is afforded an audit right under applicable Data Protection Legislation, Company agrees that Sprig may satisfy such audit right by providing Company with a confidential copy of an Audit Report so that Company may reasonably verify Sprig’s compliance with the technical and organizational security measures set forth in this DPA. If Company is not satisfied with the above Audit Reports, Sprig will allow Company or a mutually agreed upon independent auditor appointed by Company to conduct an audit (including inspection) of Sprig’s policies, procedures, and records relevant to the processing of Company Personal Data, no more than once per year upon eight weeks’ notice. Any audit must be: (a) conducted during Sprig’s regular business hours; (b) with reasonable advance notice to Sprig; (c) carried out in a manner that prevents unnecessary disruption to Sprig’s operations; and (d) subject to reasonable confidentiality procedures. Sprig will contribute to such audits whose sole purpose will be to verify Sprig’s compliance with its obligations under this DPA.
- 9.2. Separate Service. Any request for Sprig to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Company will reimburse Sprig for any time spent for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by Sprig. Company will promptly notify Sprig with information regarding any non-compliance discovered during the course of an audit.
10. SERVICE OPTIMIZATION.
- 10.1 Service Optimization. Where permitted by applicable Data Protection Legislation, Sprig may process Company Personal Data: (a) for its internal uses to build or improve the quality of its services; (b) to detect Security Breaches; and (c) to protect against fraudulent or illegal activity.
11. ACCOUNT DATA.
- 11.1 Account Data. “Account Data” means data about Company or its Authorized Users that Company or its Authorized Users: (a) provide to Sprig in connection with the creation or administration of their account; or (b) generate in connection with their use of the Services. For example, Account Data may include an Authorized User’s name, email address, and usage data associated with an Authorized User’s account. Company Data does not include Account Data.
- 11.2 Use of Account Data. Sprig shall process Account Data to provide the Services and in accordance with its Privacy Notice available at: https://sprig.com/privacy-policy.html.
ATTACHMENT 1 – SPRIG TECHNICAL AND ORGANIZATIONAL MEASURES
This Attachment 1 forms part of the DPA. Capitalized terms not defined in this Attachment 1 will have the meaning set forth in the DPA.
Sprig will implement and maintain an information security program (“Information Security Program”) that: (a) is consistent with industry standard practices taking into consideration the sensitivity of the relevant Company Personal Data, and the nature and scope of the Services to be provided; (b) includes appropriate technical and organizational measures designed to safeguard Company Personal Data; and (c) complies with Data Protection Legislation. At a minimum, the Information Security Program shall include:
- Information Security Policy. Sprig shall maintain a written information security policy applicable to all authorized personnel.
- Training. Sprig will provide information security awareness training to all employees annually.
- Access Control. Sprig will maintain an access control policy, procedures, and controls consistent with industry-standard practices. Sprig will limit access to Company Personal Data to those employees and Subprocessors with a need-to-know.
- Logical Separation. Sprig will ensure Company Personal Data is logically separated from other Sprig client data.
- Encryption. Sprig will encrypt Company Personal Data in transit and at rest using industry-standard encryption technologies.
- Password Management. Sprig will maintain a password management policy designed to ensure strong passwords consistent with industry-standard practices.
- Incident Response Plan. Sprig will maintain an incident response plan that addresses Security Breach handling. Upon request, Sprig will provide Company with a copy of its incident response plan.
- Backups of Company Personal Data. Sprig will maintain an industry-standard backup system and backup of Company Personal Data designed to facilitate timely recovery in the event of a service interruption.
- Disaster Recovery and Business Continuity Plans. Sprig will maintain disaster recovery and business continuity plans consistent with industry-standard practices.