Supplier Data Protection Agreement

Last Updated • June 2023

Ridgeline Supplier Data Protection Addendum 

This Supplier Data Protection Addendum (“DPA”) is by and between Ridgeline and Supplier and is entered into as of the effective date of the Agreement in which it is referenced (such date the “DPA Effective Date”). 

This DPA is incorporated into and forms part of the Supplier provided services to Ridgeline pursuant to the Agreement between Ridgeline and acting on its own behalf and on behalf of its Affiliates (“Supplier”) (collectively, the “Parties”). This DPA reflects the parties’ obligations with respect to Personal Data Processed as part of the Services (all as defined below). 

In the event of a conflict between the terms of this DPA and the Agreement with respect to the subject matter herein, the terms of this DPA govern. Any data protection agreements that may already exist between the Parties as of the last signature date of this DPA as well as any earlier version of data security terms to which the Parties may have agreed to are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the Agreement. 

1. DEFINITIONS 

“Administrative Data” means data related to employees or representatives of Ridgeline that is collected and used by Supplier in order to administer or manage Supplier’s Performance, or Ridgeline’s account, for Supplier’s own business purposes. Administrative Data may include Personal Data and information about the contractual commitments between Ridgeline and Supplier, whether collected at the time of the initial registration or thereafter in connection with the delivery, management, or Performance. Administrative Data is Protected Data. 

“Affiliate” means any person or entity directly or indirectly Controlling, Controlled by or under common Control with a party to the Agreement, where “Control” means the legal power to direct or cause the direction of the general management of the company, partnership or other legal entity. 

“Agreement” means the applicable master agreement, contractor services agreement, terms of service, order form, purchase order, contract or other legal document that governs Supplier’s provision of the Services or relationship of the Parties. 

“Confidential Information” has the meaning set forth in the Agreement. 

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data. 

“Controller Affiliate” means any of Ridgeline’s Affiliate(s) (a) (i) that are subject to applicable Data Protection Laws, and (ii) permitted to use the Services pursuant to the Agreement between Ridgeline and Supplier, but have not signed their own Order Form and are not a “Customer” as defined under the Agreement, (b) if and to the extent Supplier processes Personal Data for which such Affiliate(s) qualify as the Controller. 

“Customer Data” means all data (including text, audio, video, or image files) that are either provided by a customer in connection with the customer’s use of products or services, or data developed at the specific request of a customer pursuant to a statement of work or contract. Customer Data does not include Administrative Data, Support Data, or Telemetry Data. 

“Data Protection Laws” means all laws and regulations regarding the Processing of Personal Data, including laws and binding regulations applicable to the Processing of Personal Data under the Agreement. For avoidance of doubt, Data Protection Laws includes data protection and privacy laws of each jurisdiction where a Ridgeline entity is legally responsible for such Personal Data and those of each jurisdiction where Personal Data is collected or otherwise Processed. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and Supplier will promptly begin complying with such Data Protection Laws. 

“Data Subject” means the identified or identifiable person to whom Personal Data relates. 

© Ridgeline, Inc. 2022 Confidential

“Instruction” means Controller’s documented data Processing instructions issued to Processor in compliance with this DPA. 

“Personal Data” means any information relating to, directly or indirectly, a Data Subject or household that is collected, accessed, used, disclosed or otherwise Processed by Supplier in its provision of Services under applicable Data Protection Laws. 

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Processor” means the entity which Processes Personal Data on behalf of the Controller. 

“Protected Data” means Administrative Data, Confidential Information, Customer Data, Support Data, Telemetry Data, Personal Data, and Sensitive Personal Data. 

“Representatives” means either Party and its Affiliates’ officers, directors, employees, agents, contractors, temporary personnel, subprocessors, subcontractors, and consultants. 

“Ridgeline Data” means all Ridgeline data processed by Supplier pursuant to the terms of the agreement. 

“Ridgeline Group” means Ridgeline and its Affiliates engaged in the Processing of Personal Data. 

“Sensitive Personal Data” refers to sensitive personal information (as defined under the CCPA), special categories of personal data (as described in Article 9 of the GDPR), and other similar categories of Personal Data that are afforded a higher level of protection under Data Protection Laws. 

“Service(s)” means a service offering from Suppliers described in an applicable service or offer description, order form, statement of work, or purchase order selected by Ridgeline. 

“Special Categories of Personal Data” means sensitive Personal Data under applicable Data Protection Law and may include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, criminal offense, health and sex life. 

“Sub-processor” means any entity engaged by Supplier to Process Personal Data in connection with the Services. 

“Supplier” means the entity that provides the Service to Ridgeline under an Order Form or the Agreement. 

“Supplier Affiliate” means any of Supplier’s Affiliate(s) (a) (i) that are subject to applicable Data Protection Laws, and (ii) permitted to provide the Services pursuant to the Agreement between Ridgeline and Supplier, but have not signed their own Order Form and are not a “Supplier” as defined under the Agreement, (b) if and to the extent processes Personal Data for which such Affiliate(s) qualify as the Processor. 

“Support Data” means information that Supplier collects when Ridgeline submits a request for support services or other troubleshooting, including information about hardware, software and other details related to the support incident, such as authentication information, information about the condition of the product, system and registry data about software installations and hardware configurations, and error-tracking files. Support Data is Protected Data. 

“Telemetry Data” means information generated by instrumentation and logging systems created through the use and operation of the products and/or services. Telemetry Data is Protected Data. 

2. SCOPE OF THE PROCESSING OF PERSONAL DATA 

2.1 Roles of the Parties.

The parties acknowledge and agree that with regard to the Processing of Personal Data, Ridgeline is the Controller and Supplier is the Processor under Data Protection Laws. 

2.2 Supplier’s Processing of Personal Data.

Supplier shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with other reasonable written Instructions provided by Ridgeline that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”). Supplier acts on behalf of and on the instructions of Ridgeline in carrying out the Purpose. However, in the event that the Parties agree that: (i) Supplier is actually acting as Controller in writing; or (ii) Supplier is in fact a Controller pursuant to Data Protection Laws with respect to the delivery of some or all of the Services, then Supplier shall comply with Controller related obligations set out in Clauses 3 and 5 hereof. All other provisions in this DPA apply irrespective of whether Supplier acts as Controller or Processor. 

2.2.1 Supplier certifies that it understands all of its restrictions and obligations under applicable Data Protection Laws and shall comply with all Data Protection Laws that apply to its Processing of Personal Data under the Agreement, including, where applicable, Data Protection Laws on collection, sharing and transfer of Personal Data. 

2.3 Ridgeline’s Processing of Personal Data.

Ridgeline shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the Agreement and the requirements of applicable Data Protection Laws. Ridgeline shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Ridgeline acquired Personal Data. For the avoidance of doubt, Controller shall not use additional or alternate Instructions to alter the scope of the Agreement. Controller is responsible for ensuring its Instructions to Processor comply with Data Protection Laws. Controller specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from the sale, use, or other disclosures of Personal Data. 

3. CONTROLLER OBLIGATIONS 

3.1 Where Supplier Processes Personal Data as a Controller pursuant to the terms of the Agreement, Supplier shall unless otherwise agreed by the Parties, do so as an independent Controller, and not a joint Controller with Ridgeline. Supplier represents and warrants that it has all necessary rights and a valid legal basis (as defined by applicable Data Protection Laws) to Process such Personal Data (including but not limited to, where applicable, to disclose Personal Data to Ridgeline). Upon request by Ridgeline, Supplier shall promptly provide proof of its legal basis of Processing. 

Supplier is solely responsible for any Data Subject requests stemming from the administration of this Agreement, including, but not limited to, requests for access and deletion, it receives with respect to Ridgeline Personal Data it Processes or any Personal Data it may collect or share with Ridgeline. Supplier will fully cooperate and assist Ridgeline in responding to requests related to Data Subject’s rights granted under Data Protection Laws, including rights to access, rectify, restrict Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or not be subject to an automated individual decision making (collectively, “Data Subjects Requests”) upon Ridgeline’s request. 

3.2 At least forty-five (45) days prior to engaging any third-party that may access Personal Data (“Third-Party Provider”), notify Ridgeline by email to privacy@ridgelineapps.com of its intent to use a Third-Party Provider. Such prior notification shall identify the name and the services the Third-Party Provider is engaged to provide. Supplier shall enter into a written agreement with such Third-Party Provider that protects Ridgeline Data to the same standard required of Supplier under this DPA and the Agreement. 

4. PROCESSOR OBLIGATIONS 

4.1 Where Supplier Processes Personal Data as a Processor pursuant to the terms of the Agreement, Supplier shall process Personal Data as required for the provision of Services. 

4.2 Supplier shall promptly notify Ridgeline if it receives any Data Subject Requests made directly by Data Subjects or a Data Subject’s representative as permitted by law. Supplier shall not respond to any such Data Subject Request without Ridgeline’s prior written consent except to confirm that the request relates to Ridgeline. 

4.3 When appropriate under 4.2, either provide Ridgeline with the ability to fulfill such Data Subject Requests independently or shall fully cooperate with Ridgeline so that Ridgeline can respond to such Data Subject Requests within the timeframe required under Data Protection Laws. For the avoidance of doubt, Supplier shall provide all reasonable assistance to Ridgeline in complying with any Data Subject Requests. 

4.4 Supplier ensures its applicable Representatives who may Process Personal Data have written contractual obligations in place with Supplier to keep the Personal Data confidential that are no less protective of Personal Data than the terms of this DPA, and that these Representatives are aware of these obligations. 

4.5 If required by Data Protection Laws, court order, warrant, subpoena, or other legal or judicial process to Process Personal Data other than in accordance with Ridgeline’s instructions, notify Ridgeline without undue delay of any such requirement before Processing the Personal Data (unless mandatory applicable law prohibits such notification, in particular on important grounds of public interest). 

4.6 Maintain reasonably accurate records of the Processing of any Personal Data received from Ridgeline under the Agreement, including all records of Processing as may be required by Data Protection Laws and make reasonable efforts to ensure that Personal Data are accurate and up to date at all times while in its custody or under its control, to the extent Supplier has the ability to do so. In addition, do not lease, sell, distribute, make available, or otherwise encumber Personal Data unless mutually agreed to by the Parties in a separate written agreement. 

4.7 Supplier will provide such information and assistance as Ridgeline may reasonably require (taking into account the nature of the Processing and the information available to Supplier) to enable compliance by Ridgeline with its obligations under Data Protection Laws with respect to (i) security of Processing, (ii) data protection impact assessments (as such term is defined by Data Protection Laws), (iii) prior consultation with a supervisory authority regarding high-risk Processing, (iv) responding to requests from supervisory authorities, Data Subjects, customers, or others to provide information related to Supplier’s Processing of Personal Data, (v) notifications by the applicable supervisory authority and/or communications to Data Subjects by Ridgeline in response to any Information Security Incident; and (vi) Ridgeline’s ability to meet any applicable filing, approval or similar requirements in relation to Data Protection Laws. 

4.8 Upon Ridgeline’s request, Supplier agrees to enter into additional terms as may be required by Data Protection Law. 

5. TRANSFERS OF PERSONAL DATA 

5.1 Before transferring Personal Data outside of the jurisdiction where the Personal Data is obtained, Supplier shall first provide Ridgeline advance notice by email to privacy@ridgelineapps.com and legal@ridgelineapps.com and an opportunity to object. If Ridgeline reasonably objects to the proposed cross border transfer and the Parties do not mutually agree to an alternative method of Processing, Ridgeline may terminate the Agreement with respect to the Products and/or Services which Supplier is unable to Perform due to the objection. 

6. SUB-PROCESSORS 

6.1 Appointment of Sub-processors.

Ridgeline acknowledges and agrees that (a) Supplier’s Affiliates may be retained as Sub-processors through written agreement with Supplier and (b) Supplier and Supplier’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. As a condition to permitting a third-party Sub-processor to Process Personal Data, Supplier or a Supplier’s Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide reasonable protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. Further, if privity of contract is required by Data Protection Laws, Supplier shall undertake to ensure that any such Sub-processors are contractually bound to cooperate and to enter into any necessary additional agreements as directed by Ridgeline. 

6.2 Right to Object to New Sub-processors.

Supplier shall not subcontract its obligations under this DPA to any subprocessors, in whole or in part, without providing Ridgeline with at least thirty (30) days’ advance written notice via email to privacy@ridgelineapps.com with an opportunity for Ridgeline to object. If Supplier receives a valid objection pursuant to this Section 6.2, Supplier will use commercially reasonable efforts to make available to Ridgeline a change in the Services or recommend a commercially reasonable change to Ridgeline’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Ridgeline. If Supplier is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party on written notice to the other may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Supplier without the use of the objected-to Sub-processor. Supplier will refund Ridgeline any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Ridgeline. 

6.3 Liability of Supplier for Sub-processors.

Supplier shall be liable for the acts and omissions of its Sub-processors to the same extent Supplier would be liable if performing the Services of each Sub-processor directly. 

7. SECURITY 

7.1 Controls for the Protection of Personal Data.

Supplier shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and availability of Personal Data, including as set forth in the Security Exhibit contained in the Agreement. Supplier regularly monitors compliance with these measures. Supplier will not materially decrease the overall security of the Services. 

7.2 Third-Party Certifications.

Upon Ridgeline’s request, and subject to the confidentiality obligations set forth in the Agreement, Supplier shall make available to Ridgeline (or Ridgeline’s independent, third-party auditor, and customers) information regarding the Supplier’s compliance with the obligations set forth in this DPA in the form of the third-party certifications. 

7.3 Audit.

Supplier shall make available to Ridgeline and its customers, upon Ridgeline’s reasonable written request, such information as is reasonably necessary to demonstrate Supplier’s compliance with the obligations of this DPA. 

8. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION 

8.1 Incident Management and Notification.

Supplier maintains security incident management policies and procedures. Supplier shall notify Ridgeline without undue delay but in no event later than seventy-two (72) hours of any breach relating to Personal Data (within the meaning of applicable Data Protection Law) of which Supplier becomes aware and which may require a notification to be made to a Supervisory Authority or Data Subject under applicable Data Protection Law or which Supplier is required to notify to Ridgeline under applicable Data Protection Law (a “Personal Data Incident”) at security@ridgelineapps.com and legal@ridgelineapps.com respectively. Supplier shall provide commercially reasonable cooperation and assistance in identifying the cause of such Personal Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within Supplier’s control. Except as required by applicable Data Protection Law, the obligations herein shall not apply to incidents that are caused by Ridgeline, Authorized Users and/or any Non-Supplier Service. 

8.2 Additional Notification.

In the event that (a) Supplier receives any official complaint, notice, or communication that relates to Supplier’s Processing of Personal Data or either Party’s compliance with Data Protection Laws in connection with Protected Data, or (b) any investigation or any litigation or dispute arises in relation to Supplier’s Processing of Protected Data, Supplier shall promptly notify Ridgeline and, to the extent applicable, Supplier shall provide Ridgeline with all reasonable cooperation that Ridgeline may request in connection therewith. 

9. RETURN AND DELETION OF PERSONAL DATA 

Upon termination of the Services for which Supplier is Processing Personal Data, Supplier shall, upon Ridgeline’s request, and subject to the limitations described in the Agreement, return all Personal Data in Supplier’s possession to Ridgeline or securely destroy such Personal Data and demonstrate to the satisfaction of Ridgeline that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Personal Data. 

10. LIMITATION OF LIABILITY 

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Ridgeline Affiliates and Supplier, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. 

For the avoidance of doubt, Supplier’s and its Affiliates’ total liability for all claims from Ridgeline and all of its Controller Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Ridgeline and all Controller Affiliates, and, in particular, shall not be understood to apply individually and severally to Ridgeline and/or to any Controller Affiliate that is a contractual party to any such DPA. 

10. LEGAL EFFECT 

This DPA shall only become legally binding between Ridgeline (and Ridgeline, Inc., if different) and Supplier when the Agreement or other agreement expressly referencing this DPA has been executed. 

List of Exhibits 

  • Description of Processing Activities 

EXHIBIT A 

DESCRIPTION OF PROCESSING ACTIVITIES 

Nature and Purpose of Processing 

Processor will Process Personal Data as required to provide the Service and Professional Services in accordance with the Agreement. Controller acknowledges that all Personal Data it instructs Processor to Process for the purpose of providing Professional Services must be limited to the Customer Data Processed within the Service. 

Duration of Processing: 

Data Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 2 (Scope of the Processing of Personal Data) of this DPA. 

Data Controller 

The data controller means the entity which determines the purposes and means of the Processing of Personal Data. 

Data Processor 

The data processor means the entity which Processes Personal Data on behalf of the Controller. 

Data Subjects 

Ridgeline may submit Personal Data to the Service, the extent of which is determined and controlled by Ridgeline and which may include, but is not limited to, personal data relating to the following categories of data subject: 

  • authorized Users; 
  • employees of Customer; 
  • consultants of Customer; 
  • clients of Customer; 
  • agents of Customer; and/or
  • third parties with which Customer conducts business. 

Categories of data 

The Personal Data transferred concern the following categories of data: 

  • communication data (e.g. telephone, email); 
  • business and personal contact details; 
  • and other Personal Data which is Ridgeline Data, as defined in the Agreement. 

Special categories of data (if appropriate) 

Ridgeline may transfer Special Categories of Personal Data for Supplier’s access and processing of the Service. Ridgeline may submit Special Categories of Personal Data to the Service, the extent of which is determined and controlled by Ridgeline in compliance with applicable Data Protection Law. 

Processing operations 

The Personal Data transferred will be processed in accordance with the Agreement and any Order Form and may be subject to the following processing activities: 

  • storage and other processing necessary to provide, maintain, and update the Services provided to Ridgeline; 
  • to provide Ridgeline and technical support to Ridgeline; and 
  • disclosures in accordance with the Agreement, as compelled by law. 

privacy@ridgelineapps.com
Or
Ridgeline, Inc.
Attn: Privacy
936 Southwood Blvd,
Incline Village, NV 89451
This website is operated by Ridgeline, Inc. (the data controller), which is a Nevada corporation
located at 936 Southwood Blvd, Incline Village, NV 89451.