This Data Processing Addendum, inclusive of Schedules 1 and 2 (“DPA”) sets out the essential terms required by Sojern, Inc., a Delaware corporation with its principal place of business located at 575 Market Street, 4th Floor, San Francisco, CA 94105 USA (“Sojern”). For the purposes of this DPA, the company that is a party to the Agreement (as defined below) in which this DPA is incorporated is referred to as “Company”.
“Agreement” means any and all agreements between the parties under which Sojern receives, collects, accesses or otherwise processes Personal Data for the purposes pursuant to the applicable data provider or service agreement. This DPA incorporates the terms and conditions of the Agreement and as set forth below. In the event of a conflict between the DPA and the Agreement, the terms of this DPA shall govern and prevail. All capitalized terms used but not defined herein shall have their respective meanings as set forth in the Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person who can be directly or indirectly identified.
“Service” means the services provided by Sojern or Company, as applicable, under the Agreement.
For the purposes of the processing carried out by Sojern pursuant to the Agreement, Sojern’s role as a data processor or data controller with respect to Personal Data processed by Sojern shall be set forth in the applicable Agreement.
Except as expressly permitted herein or in writing by Company, Sojern will not directly or indirectly (a) disclose, sell, distribute or transmit Personal Data to any third party, or (b) use Personal Data for any purpose other than to provide Company the Service under the Agreement, and in accordance with all applicable privacy and data protection laws. Sojern will ensure that each person authorized to process Personal Data is subject to a duty of confidentiality with respect to that Personal Data.
Each party certifies it understands its obligations under applicable privacy and data protection laws and shall process Personal Data in accordance with all applicable privacy and data protection laws. Where Sojern is acting as a data processor, Sojern will perform the processing as documented and instructed by Company in the Agreement, unless otherwise notified by a regulatory authority that such processing does not comply with applicable privacy and data protection laws, in which case Sojern will promptly provide Company with written notice of that regulatory notice and may cease processing Personal Data until the regulatory issue is resolved.
To the extent required by applicable Data Protection Law, Company shall only instruct Sojern to Process Personal Data for those purposes permitted under applicable privacy and data protection laws and shall disclose Personal Data to Sojern only for the limited and specified purposes specified in the Agreement. Company reserves the right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that Sojern uses Personal Data transferred in a manner consistent with Sojern’s obligations under applicable privacy and data protection laws, including reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data. Sojern shall notify Company if it makes a determination that it can no longer meet its obligations under applicable privacy and data protection laws.
Where the Agreement specifies that Sojern is acting as a “third party” under the California Consumer Protection Act (CCPA):
Sojern shall only process Personal Data during the term of the Agreement to provide or perform the Service, specifically for the limited and specific purpose of providing the Service or as otherwise instructed or permitted in writing by Company. For clarity, the Services provided by Sojern are enumerated on Company’s Order Form.
Sojern shall comply with all applicable obligations under the CCPA and provide the same level of privacy protection as required by the CCPA and shall provide notice if it can no longer meet its obligations under the CCPA.
Sojern grants Company the right to (a) take reasonable and appropriate steps to help ensure that Supplier uses Personal Data in a manner consistent with its obligations under the CCPA and (b) upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
Each party will maintain a written or electronic record of the processing of Personal Data. Each party will reasonably cooperate with the other party in complying with applicable privacy and data protection laws with respect to data impact assessments, records of processing, related requests or consultations with data protection authorities, and audits in accordance with the applicable Agreement to enable Company to confirm that Sojern has complied with its obligations under applicable privacy and data protection laws and the Agreement.
The parties acknowledge that Sojern does not maintain a direct relationship with individuals whose Personal Data is provided to Sojern. As such, where required by applicable privacy and data protection laws, Company will make the Sojern Privacy Policy, available at https://www.sojern.com/privacy/privacy-policy/, available to individuals whose Personal Data is processed by Sojern.
Company shall provide notice to, and obtain consents from, individuals as required by applicable privacy and data protection laws regarding Company’s collection, use, and disclosure of Personal Data. If applicable privacy and data protection laws require mechanisms by which individuals may exercise rights, including but not limited to opt-out rights, Company (or such other party who is responsible for the collection of Personal Data on behalf of Company), shall provide such mechanism to individuals. Company will be presumed to have provided appropriate notices and have obtained appropriate consents, if required, from any individuals whose Personal Data is provided to Sojern. Company shall promptly provide, upon request and at any time by Sojern, proof that appropriate consents have been obtained by Company from relevant individuals.
Each party will reasonably cooperate with the other party in response to any requests or complaints from individuals relating to the processing of Personal Data under the Agreement and pertaining to privacy rights under applicable privacy and data protection laws. If Sojern receives a request from an individual, Sojern will promptly: (a) forward the request to Company to manage the request; and (b) where Sojern is a data processor, implement Company’s decision with respect to how the request will be managed.
The parties acknowledge that Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) may be transferred to or processed by Sojern in a country or territory recognized as ensuring adequate protection under relevant privacy and data protection law. The parties also agree that transfers of such Personal Data to Sojern may be made in accordance with a solution, other than standard contractual clauses, that enables the lawful transfer of personal data to a third country in accordance with applicable privacy and data protection law (a “Transfer Solution”). This includes, but is not limited to, an approved data protection framework recognized as ensuring that participating entities provide adequate protection of Personal Data.
To the extent Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) is transferred to Sojern, the data processing requires adequacy under the laws of the country of the Company, no adequacy decision or Transfer Solution applies, and the required adequacy can be met by the terms of this DPA, then the parties agree that this DPA incorporates by reference, as applicable, the (EU) 2021/914 European Commission standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 by EU/EEA controllers to processors established outside the EU/EEA (“Module 2”) and/or by EU/EEA controllers to controllers established outside the EU/EEA (“Module 1”), and as they are amended or replaced from time to time by the European Commission (collectively, the “Clauses”). For convenience purposes, the Clauses hyperlinked above are generated based on the text made available by the European Commission for the sole purpose of incorporating the Clauses into the Agreement, selecting the appropriate Module(s), and adding information in the Appendix as permitted by the Clauses. For purposes of Personal Data transfers, Company shall be the “data exporter” and Sojern shall be the “data importer” (even if Company is an entity located outside the EU/EEA, provided the Company is otherwise subject to Regulation (EU) 2016/679). Where the Clauses apply, Company and Sojern will be deemed to have entered into the Clauses in their respective names and on their own behalf, and the parties’ names, addresses, contact details, roles, and activities related to the Personal Data transferred under these Clauses will be provided in the Agreement. The execution of the Agreement shall be deemed execution of the Clauses, specifically execution of Annex I.A of the Clauses. To the extent there is any conflict between the terms of this DPA and the Clauses, the applicable Clauses shall govern and prevail.
Each party shall implement and maintain appropriate technical, physical, and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Company grants a general authorization to Sojern to use other data processors for the processing of Personal Data (“Sub-processors”), who are bound by confidentiality and data protection obligations consistent with this DPA and applicable privacy and data protection laws, listed at www.sojern.com/legal/partner-list/. Where required by the Agreement or where Sojern is acting as a data processor, Sojern will inform Company of any changes concerning the addition or replacement of Sub-processors by updating the above-mentioned list, thereby giving Company an opportunity to object to such changes, and instructions for objections are provided at the same URL. If Company reasonably objects to a change and Sojern is unable to resolve such objection, Company may terminate the Agreement and DPA.
This DPA shall remain in full force and effect until the later of (a) the date on which the Agreement(s) cease to be in effect, and (b) the date on which Sojern no longer retains copies of Personal Data. Either party may terminate this DPA immediately upon a material breach of this DPA, or if a regulatory authority and/or a tribunal or court with jurisdiction finds that processing of Personal Data by the parties materially violates applicable privacy and data protection laws, provided however, that the non-breaching party must provide notice of the alleged breach, and such breach shall have remained uncured for a period of fifteen (15) days following such notice.
This DPA shall be deemed to have been made in and shall be construed pursuant to the laws of the State of California, USA, without regard to conflicts of laws provisions thereof.
Travelers and other customers of the Company.
Personal Data transferred by Company is provided in accordance with the Agreement, and may include but is not limited to:
None
Continuous basis, for the duration of the applicable Agreement.
Collection of online browsing information through the use of cookies and other tracking technologies.
For any lawful purpose in connection with the Services provided under the Agreement between data exporter and data importer, particularly targeted advertising based on online browsing information. No further processing is permitted.
For the duration of the applicable Agreement, unless at the choice of data exporter Personal Data is deleted or returned.
Sub-processors are listed at www.sojern.com/legal/partner-list/ as permitted by Module 1 Clause 9(a).
The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
1. General. Sojern will establish, implement and maintain appropriate administrative, technical and organizational measures designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss, destruction or damage to Personal Data. These measures will be adequate to comply with applicable data protection laws, and Sojern will at all times comply with its information security policies and its information security program.
2. Information security policies and standards. Sojern will maintain information security policies, standards and procedures. These policies, standards and procedures must be kept up to date and reviewed whenever relevant changes are made to the information systems that use or store Personal Data.
3. Vulnerability management. Sojern will maintain a vulnerability management program for all systems that process Personal Data, which includes, without limitation, internal and external vulnerability scanning with risk-assessed findings and formal remediation plans to resolve any identified vulnerabilities.
4. Risk assessment. Sojern will conduct periodic risk assessments to identify and assess reasonably foreseeable risks to the security, confidentiality and integrity of records containing Personal Data, and will evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those risks.
5. Data classification. Sojern will maintain policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness among all employees.
6. Encryption. Sojern will implement industry-standard encryption mechanisms and strong cipher suites (256-bit AES is recommended) for storage and transmission. Sojern will accept connections over encrypted channels (TLS is recommended).
7. Network security. Sojern will protect its network using a defense-in-depth approach that uses commercially available equipment and industry-standard techniques, including, without limitation, firewalls, intrusion detection systems, access control lists and routing protocols.
8. Virus and malware controls. Sojern will protect Personal Data from malicious code and will install and maintain virus and malware protection software on any system that handles Personal Data.
9. Access control. Sojern will apply the principle of least privilege, whereby access to Personal Data is granted only to those within the organization who have a business need for such access, and permissions will be limited to the minimum required to perform the specific job function.
10. Location of processing. Personal Data will be processed by Sojern in the United States, subject to applicable data protection laws that may require otherwise.
11. Incident response. Sojern will maintain a data security incident response program and will document all suspected data security incidents. Sojern will investigate any data security incident and take all necessary steps to eliminate or contain the data security incident.
12. Personnel. Sojern will maintain an information security awareness and training program and will train responsible Sojern personnel on data protection measures and general information security protections.
13. Vendors. Sojern will maintain a vendor management program that will assess all vendors with which Sojern exchanges Personal Data. Such vendors will be required to comply with data security standards no less restrictive than those set out in this document.