Data Processing Addendum

This Data Processing Addendum and its schedules (“DPA”) is an addendum to the agreement between the parties pursuant to which Invicti provides the Services to Customer (“Agreement”) and addresses each party’s compliance obligations under Data Protection Laws and applies solely where the provision of Services by Invicti to Customer involves the Processing of Customer Personal Data subject to Data Protection Law.

1. DEFINITIONS.

1.1. Any capitalized term not defined in this DPA will have the meaning given to it in the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, along with its regulations, and as amended.

“Controller” means an entity that, alone or jointly with others, determines the purposes for and means of Processing. “Controller” has the same meaning as “Business”, as that term is defined under applicable Data Protection Laws.

“Customer Personal Data” means Personal Data Processed by Invicti (i) on behalf of Customer and (ii) in connection with its provision of the Services.

“Customer Audit” means a review of the security of the Services conducted by Customer at its expense;

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, but not limited to, the CCPA, the EU GDPR, and all other applicable data protection and privacy legislation in force from time to time in the EU (as may be applicable depending on the location of Customer, Data Subjects and Processing of the relevant Personal Data).

“Data Subject” means an identified or identifiable person.

“EEA” means the European Economic Area.

“EU GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.

“Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to accessing, collecting, using, storing, transferring, retaining, disclosing, selling, sharing, deleting, and destroying Personal Data.

“Processor” means an entity that Processes Personal Data on behalf of a Controller. “Processor” has the same meaning as “Service Provider” as that term is defined under applicable Data Protection Laws.

“Restricted Country” means any country (i) which is not a member of the European Economic Area; or (ii) which has not been approved by the European Commission pursuant to Article 45, GDPR as ensuring an adequate level of data protection in relation to personal data.

“Restricted Transfer” means a transfer of personal data between Customer and Invicti to a Restricted Country.

“Personal Data” means information that Processor Processes on behalf of Controller that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to a Data Subject, or as that term or a similar term is defined under applicable Data Protection Laws.

“Personal Data Breach” means a breach of Invicti’s security obligations under this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data.

“Standard Contractual Clauses” means the standard contractual clauses set out in Commission Implementing Decision (EU)2021/914 for the transfer of Personal Data to third countries pursuant to EU GDPR as updated, amended, replaced, and superseded from time to time.

“Sub-processors” means any person or entity engaged by Invicti or an Affiliate to Process Customer Personal Data in the provision of the Services to Customer.

“Supervisory Authority” means a governmental or government-chartered regulatory body having binding legal authority over Customer.

“Services” means the Invicti Solution, Support and any other Services provided to Customer by Invicti under an Order Form.

“Third Party Audit Reports” means reports and certifications resulting from Invicti and/or its Sub-processors engaging qualified third party auditors to perform examinations and provide reports of its systems and services.   

“TOMs” means Invicti’s Technical and Organizational Measures found at the following URL: https://www.invicti.com/legal/toms/.

“UK Addendum” refers to the UK’s International Data Transfer Addendum to the Standard Contractual Clauses, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

2. PURPOSE.

2.1. Invicti has agreed to provide the Services to Customer in accordance with the terms of the Agreement. Subject to the sections of this DPA, Customer appoints Invicti to Process Customer Personal Data for the purpose of providing the Services.

2.2. With respect to Customer Personal Data under this DPA, the parties agree that Invicti may act as Processor to Customer, where Customer may act either as the Controller or Processor. Invicti may also act as a sub-processor. Where Customer acts as Controller, Customer shall be responsible for all Controller obligations under this DPA. Where Customer acts as Processor, Customer shall be responsible for all Controller obligations under this DPA; and Customer represents and warrants that the Controller has appointed Customer as Processor to Process Personal Data of the Controller on the Controller’s behalf and that it is authorized to instruct Invicti and otherwise act on behalf of Customer Affiliate(s) or Customer client in relation to the Customer Personal Data in accordance with the Agreement and this DPA. The details of Processing and the description of transfer are stated at Schedule 1.

3. INVICTI OBLIGATIONS.

3.1. Invicti may Process Customer Personal Data for the purpose of the Services and only in accordance with the scope of the Agreement, this DPA, and Customer’s documented instructions. This DPA is Customer’s complete and final documented instruction to Invicti in relation to Customer Personal Data. Additional instructions outside the scope of this DPA (if any) require prior written agreement between Invicti and Customer, including agreement on any additional fees payable by Customer to Invicti for carrying out such instructions.

3.2. Invicti will inform Customer if it becomes aware or reasonably suspects that Customer’s instructions regarding the Processing of Personal Data may violate any applicable Data Protection Laws.

3.3. Invicti will ensure that all employees, agents, officers, and contractors involved in the handling of Customer Personal Data: (i) are aware of the confidential nature of the Customer Personal Data and are contractually bound to keep the Customer Personal Data confidential; (ii) have received appropriate training on their responsibilities as a Processor; and (iii) are bound by terms materially no less restrictive than the terms of this DPA.

3.4. Invicti will implement appropriate administrative, technical, and organizational safeguards required of Invicti by the GDPR to ensure the security of Customer Personal Data. This requirement shall be deemed to have been fulfilled by adopting those measures detailed in the TOMs.

3.5. Any Restricted Transfer between Invicti and Customer shall be subject to the Standard Contractual Clauses, if the cross-border or onward transfer involves Personal Data about individuals in EEA or Switzerland, and in tandem with the UK Addendum, if the cross-border onward transfer involves Personal Data about individuals in the United Kingdom (“UK”). In the event the parties rely on the Standard Contractual Clauses for such transfers, references to a “Member State” and “EU Member State” will not be read to limit or prevent Data Subjects in Switzerland from seeking to exercise their rights. The Standard Contractual Clauses and UK Addendum are hereby incorporated into this DPA by reference and deemed executed by the parties as of the Effective Date. For the purposes of the Standard Contractual Clauses, as applicable:

(A). the data exporter is Customer;

(B). the data importer is Invicti;

(C). Where Customer is:

(i). a Controller and Invicti is a Processor, Module 2 of the Standard Contractual Clauses shall apply to such transfers; or

(ii). a Processor and Invicti is also a Processor, Module 3 of the Standard Contractual Clauses shall apply to such transfers.

(D). (i) Clause 7 shall not apply; (ii) for the purposes of clause 9 the parties select Option 2 (general authorization) with a time period of 14 days; (iii) the optional language in clause 11(a) shall not apply; (iv) the supervisory authority for the purposes of clause 13(a) shall be determined by the place of establishment of the data exporter; and (v) the governing law (clause 17) and choice of forum (clause 18) shall be Maltese law and the courts of Malta respectively.

(E). The technical and organizational security measures are as described in the TOMs.

3.6. Invicti will reasonably assist Customer in meeting its obligation under applicable Data Protection Laws, including to carry out data protection impact assessments, taking into account the nature of Processing and the Personal Data available to Invicti.

3.7. Customer and Invicti and, where applicable, their representatives, will cooperate, upon request, with a Supervisory Authority in the performance of their respective obligations under this DPA.

3.8. Upon Invicti’s or Sub-processors’ receipt of a legally-binding request for access to Personal Data from a Supervisory Authority and where permitted by applicable law, Invicti will (i) notify Customer of the request for access and provide details about the requesting party, the types of Personal Data requested, and the purpose and methods of the disclosure (so as to provide Customer the opportunity to comply with its notice and consent obligations with respect to affected Data Subjects or oppose the disclosure and obtain a protective order or seek other relief), and (ii) where applicable, also comply with the notice obligations set forth in Clause 15.1 of the Standard Contractual Clauses.

3.9. Invicti will not “sell” or “share” Personal Data, as those terms are defined under applicable Data Protection Laws.

3.10. Notwithstanding section 3.1, Invicti may Process Customer Personal Data outside of Customer’s instructions where that Processing is required by any law or order to which Invicti is subject. In such case, Invicti shall, except where prohibited by law from doing so, inform Customer of that requirement.

4. CUSTOMER OBLIGATIONS.

4.1. Customer represents and warrants that: (i) it will comply with the terms of the Agreement, this DPA, and the Data Protection Laws, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by Invicti; (ii) it will ensure that its use of the Services will not violate the rights of any Data Subjects; and (iii) its instructions to Invicti will comply with Data Protection Laws, and that the Processing of Personal Data in accordance with Controller’s instructions will not cause Processor to be in breach of the Data Protection Laws. All Customer Affiliates who use the Services will comply with the obligations of Customer set out in this DPA.

4.2. Customer has sole responsibility for (i) the quality, legality, and accuracy of Customer Personal Data, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Processor regarding the Processing of such Personal Data. Customer further represents and warrants that it has obtained any and all necessary permissions and authorizations necessary to permit Invicti, its Affiliates, and Sub-processors, to execute their rights or perform their obligations under this DPA.

4.3. Customer must inform Invicti of any notice, inquiry (including any notice, investigation, complaint, or request) relating to Invicti’s processing of Personal Data and provide Invicti with a copy thereof within 48 hours of receipt. Notices should be sent to: privacy@invicti.com.

4.4. Customer is responsible for making an independent determination as to whether the TOMs meet Customer’s requirements, including any of its security obligations under applicable Data Protection Laws. Customer agrees that the Services and the TOMs meet Customer’s needs with respect to Customer’s security obligations under applicable Data Protection Law.

5. NOTIFICATION OF SECURITY BREACH.

5.1. Invicti will notify Customer without undue delay after becoming aware of (and in any event within 72 hours of discovering) any confirmed Personal Data Breach.

5.2. Invicti will take all commercially reasonable measures to secure the Customer Personal Data, to remediate the Personal Data Breach, and to assist Customer in meeting Customer’s obligations under applicable Data Protection Law(s). In the event of a Personal Data Breach, Invicti’s System Administration Team and Security Team will perform a risk-based assessment of the situation and develop appropriate strategies in accordance with Invicti incident response procedures, which include contacting Customer and Customer’s primary (technical or business) point of contact or Security Operation Center (“SOC”) to brief them on the situation and provide resolution status updates.

6. AUDIT.

6.1. No more than once in any 12 month period, for a maximum period of 1 Business Day, and upon not less than 30 days’ prior written notice from Customer, unless in case of a confirmed Personal Data Breach, Invicti agrees to permit Customer to perform a Customer Audit of the security practices applicable to Personal Data processed by the Service, provided Invicti has not already provided adequate evidence to demonstrate its compliance with these data security practices. Customer Audits may only be conducted by Customer’s internal or external auditors who have entered into a nondisclosure agreement with and have been approved in writing by Invicti. The parties must mutually agree on the scope of the review, prior to the date of the Customer Audit. The Customer Audit must avoid disrupting Invicti operations and must be conducted strictly in accordance with Invicti’s security policies and procedures, and industry best practices. If the audit reveals that Invicti has breached its obligations under this DPA, Invicti will promptly initiate a remedy to such breach. Customer Audits must be limited in scope to the security of Customer Personal Data within Invicti premises, which are not covered by the Third Party Audit Reports or any other information made available to Customer by the Invicti outside of the Customer Audit.

7. DATA SUBJECTS.

7.1. Invicti shall, to the extent legally permitted, promptly notify Customer if Invicti receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing (“Data Subject Request”).

7.2. Taking into account the nature of the processing, Invicti shall assist Customer by appropriate TOMs, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under the Data Protection Laws.

7.3. If Customer does not have the ability to address a Data Subject Request, Invicti may upon Customer’s request, and to the extent possible and legally permitted, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request regarding Invicti’s processing of Personal Data. To the extent legally permitted, Customer will be responsible for any costs arising from Invicti’s provision of such assistance.

8. SUB-PROCESSORS.

8.1. Customer agrees (by way of the grant of a general authorization) that Invicti may engage Sub-processors in connection with the provision of the Services. The list of Sub-processors can be found at the following URL: https://www.invicti.com/legal/subprocessors/.

8.2. Invicti shall, with respect to each Sub-processor, ensure in each case that it has in place a written agreement with such Sub-processor which imposes equivalent data protection obligations to those contained in this DPA (“Sub-processor Agreement“).

8.3. During the term of this DPA, Invicti will provide Customer with prior notification, via email, of any changes to the list of Sub-processors who may process Customer Personal Data before authorizing any new or replacement Sub-processors to process Customer Personal Data in connection with the provision of the Services.

8.4. Customer may object to the use of a new or replacement Sub-processor, by notifying Invicti promptly in writing within 14 days after receipt of Invicti’s notice. If Customer objects to a new or replacement Sub-processor, that objection is reasonable, and such objection is not resolved within twenty (20) days of Invicti receiving the objection, Customer may terminate the Agreement with respect to those Services which cannot be provided by Invicti without the use of the new or replacement Sub-processor. Invicti shall have no penalty or liability for termination under this section, and this is Customer’s sole and exclusive remedy for termination under this section.

9. LIABILITY.

9.1. Each party and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, whether in contract, tort, or under any other theory of liability is subject to the “Limitation on Damages” section of the Agreement.

9.2. The parties agree that Invicti will, subject to the liability limit in section 9.1, be liable for any breaches of this DPA caused by the acts and omissions of its Sub-processors to the same extent Invicti would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

9.3. The parties agree that Customer will be liable for any breaches of this DPA caused by the acts and omissions of its Affiliates and Users as if such acts and omissions had been committed by Customer itself.

10. TERM AND TERMINATION.

10.1. This DPA shall come into effect on the effective date of the Agreement (“Effective Date”) and will automatically terminate upon the termination of the Agreement.

10.2. Subject to section 10.3, Customer hereby instructs Invicti to delete the Customer Personal Data remaining with Invicti within a reasonable time period in line with Data Protection Laws (not to exceed six months) following the termination of the Agreement. If Customer wishes to retain any Customer Personal Data following the termination of the Agreement, it may instruct Invicti within 30 days following the date of termination to return that Customer Personal Data to Customer.

10.3. Invicti and each contracted Sub-Processor may (acting as a Controller) retain one archival copy of such Customer Personal Data solely for the purposes of ensuring compliance with the Agreement or to the extent and for such period as may be required by any applicable law, or by any order or direction of any competent Court, tribunal government or regulatory body, to which it may be subject.

10.4. Where any Customer Personal Data is retained for such reasons, the Customer Personal Data must be treated as Confidential Information.

11. GENERAL.

11.1. This DPA sets out the entire understanding of the parties, and supersedes all prior and contemporaneous agreements and understandings, with regards to the subject matter. No modification or waiver of any term in this DPA is effective unless both parties sign it.

11.2. Should a provision of this DPA be invalid or become invalid, then the legal effect of the other provisions will be unaffected. A valid provision is deemed to have been agreed upon, which comes closest to what the parties intended commercially and will replace the invalid provision. The same will apply to any omissions.

11.3. To the extent of any conflict or inconsistency between the terms of this DPA and the Agreement, the following order of precedent applies: (i) this DPA; and (ii) the Agreement. Subject to the amendments in this DPA, the Agreement remains in full force and effect.

11.4. Customer may send any questions or concerns regarding this DPA to: privacy@invicti.com.

SCHEDULE 1 – ANNEX/APPENDIX 1 OF THE APPROVED EU SCCS

1. LIST OF PARTIES

2. DESCRIPTION OF TRANSFER

3. COMPETENT SUPERVISORY AUTHORITY

The Office of the Information and Data Protection Commissioner (Malta) (https://idpc.org.mt/)

4. Table 4 of the UK Addendum:

Which Party can Terminate this DPA if the UK Data Protection Authority Changes this “Approved Addendum”

Last updated as of: 20 October 2022