Data Processing Addendum

Effective Date: February 19, 2024


This Data Processing Addendum, including the exhibits to it (“DPA”), is incorporated into the Customer Terms and Conditions (the “Customer Terms”) that are between you (together, with any subsidiaries and affiliated entities, collectively, “Customer” or “Controller”) and Knowledge Transfer LLC (together, with any subsidiaries and affiliated entities, collectively “Processor”) and sets forth additional terms that apply to the extent any information you provide to Knowledge Transfer LLC pursuant to the Customer Terms includes Personal Data (as defined below).

1. DEFINITIONS

a. “CCPA” means the California Consumer Privacy Act (California Consumer Privacy Act of 2018, Cal. Civ. Code § [1798.100 - 1798.199.100]) as amended, including by the California Privacy Rights Act of 2020 and its implementing regulations.

b. “Data Privacy Framework(s)” means, as applicable, the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework developed by the US Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration permitting organizations participating in such Data Privacy Frameworks to receive Personal Data from the European Union / European Economic Area, the UK and Gibraltar, and Switzerland in compliance with applicable Data Protection Laws in those regions.

c. “Data Protection Laws” means all applicable federal, state, and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, all as amended from time to time, including, without limitation, the EU Data Protection Laws, UK Data Protection Laws, the Swiss Data Protection Laws, the Privacy Act 1988, the Personal Information Protection and Electronic Documents Act, and United States state privacy laws, including the CCPA and the privacy laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana.

d. “Data Subject” means the individual or consumer to whom Personal Data relates.

e. “Data Subject Request” means a request by a Data Subject to exercise rights afforded by Data Protection Laws with respect to the Data Subject’s Personal Data.

f. “EU Data Protection Laws” means GDPR together with any applicable implementing legislation or regulations, as well as European Union or Member State laws, as amended from time to time.

g. “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

h. “Personal Data” means any Customer Data relating to an identified or identifiable natural person that is processed by Knowledge Transfer LLC on behalf of Customer in connection with providing RadiansERP to Customer, when such information is protected as “personal data” or “personal information” or a similar term under Data Protection Law(s).

i. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

j. “Security Breach” means a confirmed breach of Knowledge Transfer LLC’s information security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data covered by this DPA.

k. “Services” means RadiansERP provided by Knowledge Transfer LLC to Customer under the Customer Terms or MSA.

l. “Standard Contractual Clauses” or “SCCs” means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e.

m. “Swiss Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in Switzerland, including the Federal Act on Data Protection of June 19, 1992 and its ordinances, and, once it entered into force, in accordance with Article 16 paragraph 2 letter d of the future revised Swiss Federal Act on Data Protection dated 25 September 2020 (collectively, “FADP”).

n. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “SCCs” defined above) issued by the Commissioner under S119A(1) Data Protection Act 2018, Version B1.0, in force 21 March 2022 and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

o. “UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom (“UK”), including the United Kingdom GDPR and the Data Protection Act 2018.

p. “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018.

q. The terms “Processor” and “Controller” shall have the meanings given to them under the applicable Data Protection Law. Any capitalized terms herein that are not defined in this DPA shall have the meanings associated with them in the Customer Terms and are hereby adopted by reference in this Addendum.

2. PROCESSING AND TRANSFER OF PERSONAL DATA

a. Customer Obligations. Customer is the Controller of Personal Data and shall (a) determine the purpose and essential means of the Processing of Personal Data in accordance with the Customer Terms; (b) be responsible for the accuracy of Personal Data; and (c) comply with its obligations under Data Protection Laws, including, when applicable, ensuring Customer has a lawful basis to collect Personal Data, providing Data Subjects with any required notices, and/or obtaining the Data Subject’s consent to process the Personal Data.

b. Knowledge Transfer LLC Obligations. Knowledge Transfer LLC is the Processor of Personal Data and shall (a) Process Personal Data on Customer’s behalf in accordance with Customer’s written instructions (unless waived in a written requirement) provided during the term of this DPA; and (b) comply with its obligations under Data Protection Laws. The parties agree that the Customer Terms, including this DPA, together with Customer’s use of RadiansERP in compliance with the Customer Terms, constitute Customer’s complete and final written instruction to Knowledge Transfer LLC in relation to the Processing of Personal Data, and additional instructions outside the scope of these instructions shall require a prior written and mutually executed agreement between Customer and Knowledge Transfer LLC. In the event Knowledge Transfer LLC reasonably believes there is a conflict with any Data Protection Law and Customer’s instructions, Knowledge Transfer LLC will inform Customer promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.

c. Data Use. Knowledge Transfer LLC shall not use Personal Data, except for usage of Personal Data pursuant to Customer’s instructions, as permitted under the Customer Terms and as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Data Protection Laws.

d. Location of Processing. The parties acknowledge and agree that processing of the Personal Data will occur in the United States and perhaps other jurisdictions outside the residence of the Data Subjects, and Customer shall comply with all notice and consent requirements for such transfer and processing to the extent required by Data Protection Laws.

e. Return or Destruction of Data. Knowledge Transfer LLC shall return or securely destroy Personal Data, in accordance with Customer’s instructions, upon Customer’s request or upon termination of Customer’s Account(s) unless Personal Data must be retained to comply with applicable law.

3. EU, SWISS, and UK DATA PROTECTION LAWS

This Section 3 shall apply with respect to Processing of Personal Data when such Processing is subject to the EU Data Protection Laws, Swiss Data Protection Laws, or UK Data Protection Laws.

a. Transfers of Personal Data. Customer acknowledges and agrees that Knowledge Transfer LLC is located in the United States and that Customer’s provision of Personal Data from the European Economic Area (“EU”), Switzerland or the United Kingdom to Knowledge Transfer LLC for Processing is a transfer of Personal Data to the United States. All transfers of Customer Personal Data out of the EU (“EU Personal Data”), Switzerland (“Swiss Personal Data”) or the United Kingdom (“UK Personal Data”) to the United States shall be governed by the Data Privacy Framework applicable to such transfer. If any such Data Privacy Framework is invalidated or otherwise ceases to exist as a legal transfer mechanism for Personal Data, then such transfers shall be governed by the Standard Contractual Clauses, and the UK Addendum as applicable, as follows:

i. For such transfers of EU Personal Data, or transfers containing Swiss Personal Data that are subject to both EU Data Protection Laws and Swiss Data Protection Laws (in this latter case, the parties shall adopt the GDPR standard for all data transfers), Module 2 of the SCCs for Controller to Processor transfers, together with the options and amendments set out in to this DPA, shall apply and are incorporated into this DPA.

ii. For such transfers of only Swiss Personal Data, Module 2 of the SCCs for Controller to Processor transfers, together with the options and amendments, including those applicable to Switzerland, shall apply and are incorporated into this DPA, and the parties agree that any references to the GDPR are to be understood as references to the FADP.

iii. For transfers of Swiss Personal Data subject to Sections 3.a.i. and 3.a.ii of this DPA, the term 'member state' shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with Clause 18c.

iv. For such transfers of UK Personal Data, Module 2 of the SCCs shall apply as set forth in subsection 3.a.i above, and the options and amendments to the UK Addendum shall apply and are incorporated into this DPA.

b. GDPR and UK GDPR Obligations. Knowledge Transfer LLC shall: (i) assist Customer, to a reasonable extent, in complying with its obligations with respect to EU Personal Data pursuant to Articles 32 to 36 of GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); (ii) maintain a record of all categories of Processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); and (iii) cooperate, on request, with an EU or UK supervisory authority regarding the performance of RadiansERP.

4. CCPA

a. CCPA. This section 4 applies to Knowledge Transfer LLC’s, and Knowledge Transfer LLC acts as Customer’s service provider with respect to, Processing of Personal Data subject to the CCPA. Customer discloses the Personal Data to Knowledge Transfer LLC, and Knowledge Transfer LLC shall Process such Personal Data only for the purposes set out in the Customer Terms, including this DPA.

b. Knowledge Transfer LLC shall not:

i. sell or share the Personal Data;

ii. retain, use, or disclose the Personal Data for any purpose, including a commercial purpose, other than the business purposes as set out in the Customer Terms, or outside of the direct business relationship between the parties;

iii. combine the Personal Data with personal data that Knowledge Transfer LLC receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that Knowledge Transfer LLC may combine Personal Data to perform any business purpose as permitted by the CCPA.

c. Knowledge Transfer LLC shall comply with obligations applicable to it as a service provider under the CCPA and shall provide Personal Data with the same level of privacy protection as is required by the CCPA.

d. Customer shall have the right to take reasonable and appropriate steps to help ensure that Knowledge Transfer LLC uses the Personal Data in a manner consistent with Customer’s obligations under the CCPA. The process for such steps shall be as set out in Section 8 below.

e. Knowledge Transfer LLC shall notify Customer if it makes a determination that it can no longer reasonably meet its obligations as a service provider under the CCPA. If Knowledge Transfer LLC so notifies Customer, Customer shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

f. For any sub-processors used by Knowledge Transfer LLC to process Personal Data subject to the CCPA, in addition to its obligations in Section 5 below, Knowledge Transfer LLC’s agreement with any such sub-processor shall obligate such sub-processor to observe its requirements under the CCPA.

g. For purposes of this Section 4, the terms “consumer”, “service provider”, “sell” and “share” shall have the meanings given to them under the CCPA.

5. SUB-PROCESSORS

a. Sub-processor List. Customer consents to Knowledge Transfer LLC’s use of the sub-processors who may Process Personal Data on behalf of Customer to help Knowledge Transfer LLC provide RadiansERP. Knowledge Transfer LLC may update its list of sub-processors from time to time.

b. Notice. Knowledge Transfer LLC will provide Customer with a mechanism to receive notices of updates to its sub-processors. Knowledge Transfer LLC will notify Customer via such mechanism if Customer has signed up to receive notification of any such updates at least thirty (30) days prior to any such update taking effect. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to Knowledge Transfer LLC’s sub-processors. When legally permitted to object, Customer may make an objection to a new sub-processor within thirty (30) days of receiving a notification from Knowledge Transfer LLC by emailing [email protected] if Customer has reasonable concerns related to such sub-processor’s data protection. Customer will be deemed to have consented to Knowledge Transfer LLC’s use of such sub-processor if Customer does not object within thirty (30) days of receipt of such notification. Upon Customer’s objection, the parties shall work together in good faith to address Customer’s concerns. If the parties are unable to reach a resolution, Customer may terminate that portion of RadiansERP that involves the use of such sub-processor without penalty.

c. Sub-processor Agreements. Knowledge Transfer LLC may enter into a written agreement with any such sub-processor containing data protection obligations that are at least as restrictive as its obligations in this DPA.

6. DATA PROTECTION

a. Data Security. Knowledge Transfer LLC will utilize commercially reasonable technical and organizational measures to maintain the security, confidentiality, and integrity of the Personal Data.

b. Authorized Personnel. Knowledge Transfer LLC shall ensure that Knowledge Transfer LLC’s employees, contractors, agents, and auditors who need to know or otherwise access Personal Data for the purposes of enabling Knowledge Transfer LLC to perform its obligations under the Customer Terms are under a duty of confidentiality with respect to the Personal Data.

c. Security Breaches. Upon becoming aware of a Security Breach, Knowledge Transfer LLC will promptly: (i) notify Customer of the Security Breach; (ii) investigate the Security Breach; (iii) provide Customer with necessary details about the Security Breach as required by applicable law; and (iv) take reasonable actions to prevent a recurrence of the Security Breach. Knowledge Transfer LLC will make available relevant records and other materials related to the Security Breach’s effects on Customer as required to comply with Data Protection Laws.

7. ASSISTANCE

a. Processor Assistance. Upon Customer's written request, Knowledge Transfer LLC shall provide reasonable assistance to Customer as necessary in order to assist Customer with meeting its obligations under Data Protection Laws, including by providing information to Customer about Knowledge Transfer LLC’s technical and organizational security measures, and as needed to complete data protection assessments (the process for which is set out in Section 8 below).

b. Data Subject Requests. If a Customer employee or other applicable Data Subject makes a Data Subject Request to Knowledge Transfer LLC, Knowledge Transfer LLC will advise the Data Subject to submit their request directly to the Knowledge Transfer LLC customer who is the applicable Controller of that Personal Data and will inform Customer of such request if the Data Subject identifies Customer as the applicable Controller to Knowledge Transfer LLC. Customer is responsible for Data Subject Requests. Knowledge Transfer LLC provides functionality through RadiansERP which allows Customer to carry out Data Subject Requests. Knowledge Transfer LLC shall reasonably assist Customer with the fulfillment of Customer’s obligations in connection with a Data Subject Request in the event that Customer cannot act on such request itself using RadiansERP.

c. Costs. If Knowledge Transfer LLC determines in good faith that a request for assistance under this Section 7 is unreasonable, overly burdensome, and outside of industry expectation for assistance with each respective matter, the parties will agree in good faith on costs to be paid by Customer to Knowledge Transfer LLC for such assistance.

8. AUDITS

Within thirty (30) days of Customer’s written request, and no more than once annually if requested, Knowledge Transfer LLC shall make available to Customer (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate Knowledge Transfer LLC’s compliance with the obligations set forth in this DPA in the form of its most recent third-party audit or certification report(s) (such as SOC 2 or ISO 27001). If, after receiving the report(s), Customer in its reasonable judgment determines that further information is needed to confirm that Knowledge Transfer LLC is meeting its obligations in this DPA or for Customer to complete a data protection assessment, Customer may request in writing such additional information. The parties will then work together in good faith to agree upon the additional information which Knowledge Transfer LLC shall provide, and Knowledge Transfer LLC will provide the agreed upon information. All information provided by Knowledge Transfer LLC under this Section 8 is considered Knowledge Transfer LLC’s Confidential Information and is subject to the confidentiality obligations set forth in the Customer Terms.

9. KNOWLEDGE TRANSFER LLC’S ROLE AS A PROCESSOR

The parties acknowledge and agree that Knowledge Transfer LLC processes certain personal data as a Processor which is described in, and processes it in accordance with, our Privacy Notice for the following purposes when EU, UK or Swiss Data Protection Laws apply to such personal data: (i) to manage the relationship with Customer, including creating customer Accounts, handling billing, and performing sales and marketing activities; (ii) for purposes related to Knowledge Transfer LLC’s internal business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of RadiansERP; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of personal data to which Knowledge Transfer LLC is subject; (vi) to develop, improve, and understand usage of its products and services, and (vii) as otherwise permitted under Data Protection Laws and as set out in Knowledge Transfer LLC’s Privacy Notice.

10. MISCELLANEOUS

a. Conflict. In the event of any conflict or inconsistency between this DPA and Data Protection Laws, Data Protection Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Customer Terms, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data.

b. Amendments. This DPA shall not be modified except by a written instrument signed by the parties. To the extent that it is determined by any data protection authority that the Customer Terms or this DPA is insufficient to comply with Data Protection Laws or changes to Data Protection Laws, Customer and Knowledge Transfer LLC agree to cooperate in good faith to amend the Customer Terms or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Data Protection Laws.

c. Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Customer Terms. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and annexes.

d. Entire Agreement. This DPA is without prejudice to the rights and obligations of the parties under the Customer Terms, which shall continue to have full force and effect. This DPA together with the Customer Terms is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.