General Terms and Conditions
These General Terms and Conditions accompany each Service Order. In the event of a conflict between the General Terms and Conditions and a Service Order (as amended), the Service Order shall take precedence. Until such time as the Client Contract has been fully executed by the parties, all documents and materials submitted by DecisionWise to the Client represent a proposal and not an offer nor an acceptance under general contract law.
“Client” shall mean the party receiving services from DecisionWise as set forth in the Service Order.
“Client Contract” shall mean the Service Order, the General Terms and Conditions, and the Data Processing Addendum (DPA), including all Annexes to the DPA.
“Client Contract Effective Date” is the date listed in the signature block to the Service Order.
“DecisionWise” shall mean DecisionWise, LLC, a Utah limited liability company, U.S.A.
“DPA” shall mean the Data Processing Addendum that accompanies both the Service Order and these General Terms and Conditions.
“Service Order” shall mean the written document outlining the key business terms and is the document to which these General Terms and Conditions are attached.
“Services” shall mean the project management, analytics, survey, assessment, and consulting services provided by DecisionWise to the Client as described in the Service Order.
“Services Agreement” shall mean the Service Order and the General Terms and Conditions.
1. SERVICES; EFFECTIVE DATE
1.1 Each project to be performed by DecisionWise at Client’s request shall be described in a Service Order. The effective date for the Contract shall be the date listed in the signature block on the Service Order. Nothing in the Client Contract shall constitute a binding legal agreement on the parties until the Client Contract shall have been fully executed by both parties by signing the signature page on the Service Order. Electronic signatures or signatures transmitted by email or other electronic means will be binding upon the parties.
1.2 Client may, by written notice to DecisionWise, request changes to a Service Order. DecisionWise shall promptly provide Client with an estimate of the impact, if any, of the requested change on payment terms, completion schedule, and any other applicable provision of the Service Order. If the parties mutually agree to such changes, a written amendment to the Service Order will be prepared. No verbal agreement will have any effect unless an agreement is made in writing, with acknowledgement from both parties. An email acknowledgement from an authorized representative of both parties that describes any amendments will be considered approval to complete the work and alter the Service Order.
1.3 In the event Client believes the Services are not being rendered in accordance with the Service Order, it shall notify DecisionWise in writing, and DecisionWise will have 10 business days to cure the problem.
2. WARRANTIES; CUSTOMER SUPPORT
2.1. DecisionWise shall provide all Services in accordance with the schedule agreed upon in the Service Order.
2.2. DecisionWise shall provide personnel who have the appropriate technical skills, training, education, and experience to perform the Services. DecisionWise may use third-party providers in order to deliver debriefing services, non-material portions of the Services (e.g., comment transcription), or to act as a data sub-processor under the DPA. DecisionWise warrants that it will cause any third-parties to be bound by the confidentiality provisions of these General Terms and Conditions and that the quality of any Services provided by third-parties will meet or exceed the standards set forth in these General Terms and Conditions and the Service Order.
2.3. DecisionWise provides a limited warranty that it will render the Services in a workmanlike manner and that the Services will generally fulfill the material purposes for which they are intended under the Service Order.
2.4. DecisionWise shall not be responsible for failures or errors that are attributable to the Client.
2.5. EXCEPT FOR THE EXPRESS WARRANTIES STATED IN THIS SECTION 2, THE SERVICES ARE PROVIDED “AS IS”, AND “AS AVAILABLE” AND TO THE FULLEST EXTENT PERMITTED BY LAW, DECISIONWISE EXPRESSLY DISCLAIMS ANY AND ALL OTHER WARRANTIES, CONDITIONS AND OTHER TERMS, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO THE SERVICES, INCLUDING ANY WARRANTIES, CONDITIONS OR OTHER TERMS AS TO MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, OR ANY IMPLIED WARRANTY, CONDITION OR OTHER TERM ARISING FROM A COURSE OF DEALING OR COURSE OF PERFORMANCE. NO ORAL OR WRITTEN INFORMATION PROVIDED BY DECISIONWISE OR ITS EMPLOYEES OR REPRESENTATIVES WILL CREATE ANY WARRANTY, AND THIS WARRANTY DISCLAIMER SUPERSEDES ANY SUCH INFORMATION. CLIENT ACKNOWLEDGES AND AGREES IT HAS SELECTED THE SERVICES AND IS SOLELY RESPONSIBLE FOR ANY RESULTS OBTAINED FROM THE SERVICES AFTER DELIVERY BY DECISIONWISE AND HAS NOT AND SHALL NOT RELY UPON ANY REPRESENTATIONS OR WARRANTIES AS TO THE SUITABILITY OR UTILITY OF THE SERVICES TO MEET CLIENT’S NEEDS OR REQUIREMENTS. DECISIONWISE DOES NOT REPRESENT OR WARRANT THAT THE SERVICES SHALL BE UNINTERRUPTED OR ERROR-FREE. NOTHING IN THIS SECTION 2 LIMITS OR EXCLUDES DECISIONWISE’S LIABILITY FOR FRAUDULENT MISREPRESENTATION.
2.6. Except in instances where DecisionWise has failed to provide the Services and related information as promised in the Service Order, or except as agreed upon in the Service Order, DecisionWise shall have no obligation to provide ongoing customer support under the Client Contract after the time frames established in the Service Order.
3. PAYMENT
Client shall pay DecisionWise for the Services at the times and in the manner established in the Service Order.
4. TERM AND TERMINATION
4.1. DecisionWise may terminate the Client Contract immediately upon written notice to Client in the event that one or more of the following occur:
(i) Client becomes insolvent, ceases to pay its debts in the ordinary course of business, is unable to pay its debts as they become due, or makes an assignment for the benefit of creditors;
(ii) A trustee or receiver is appointed for any or all of Client’s assets;
(iii) Any bankruptcy or insolvency proceeding under any federal or state bankruptcy or insolvency code, or similar law, whether voluntary or involuntary, is commenced by or against Client;
(iv) Client is dissolved or liquidated;
(v) The Service Order is terminated.
4.2. Client may terminate the Client Contract with DecisionWise, for convenience, upon providing 30-days advance written notice; provided that, Client shall be responsible for all fees earned and un-reimbursed costs that have been advanced to the Client through the termination date.
4.3. DecisionWise may terminate the Client Contract with the Client, without cause, upon providing 60-days advance written notice, and, provided that, DecisionWise may reasonably terminate the Client Contract without material harm or prejudice to the Client. DecisionWise will refund the Client any portion of the fees that have not been earned by DecisionWise through the termination date.
5. FORCE MAJEURE (Impossibility of Performance)
5.1. If the performance of the Client Contract, or any obligation except the making of payments, is prevented, restricted, or interfered with by reason of fire, flood, earthquake, explosion, or other casualty or accident; strikes or labor disputes; pandemics; inability to procure or obtain delivery of parts, supplies, or power; war, terrorist act, cyber-attack, or other violence; any law, order, proclamation, regulation, ordinance, demand or requirement of any governmental agency; or any act or condition whatsoever beyond the reasonable control of the affected party; the party so affected, upon giving proper notice to the other party, shall be excused from such performance to the extent of such prevention, restriction, or interference.
6.1. “Confidential Information” means all documents, software and documentation, reports, financial or other data, records, forms, tools, products, services, methodologies, present and future research, technical knowledge, marketing plans, customer lists, proprietary information, trade secrets, and other materials obtained by DecisionWise and Client from each other in the course of performing any Services, whether tangible or intangible and whether or not stored, compiled, or memorialized physically, electronically, graphically, in writing, or by any means now known or later invented. Confidential Information shall include all information intended to be confidential as described in the DPA. Confidential Information shall not include information that has been fully anonymized by the permanent removal of personally identifiable information or other information that might link the data to the Client or the Client’s employees.
6.2. Confidential Information includes without limitation records and information
(i) that has been marked as proprietary or confidential;
(ii) whose confidential nature has been made known by Client or DecisionWise; or
(iii) that due to its character and nature, a reasonable person under like circumstances would treat as confidential.
6.3. Notwithstanding the foregoing, Confidential Information does not include information which:
(i) is already known to the recipient at the time of disclosure;
(ii) is or becomes publicly known through no wrongful act or failure of recipient;
(iii) is independently developed by recipient without benefit of the other party’s Confidential Information; or
(iv) is received from a third party which is not under and does not thereby breach an obligation of confidentiality.
6.4. Each party agrees to protect the other’s Confidential Information at all times and in the same manner as each protects the confidentiality of its own proprietary and confidential materials, but in no event with less than a reasonable standard of care.
6.5. Neither party shall disclose to any third party any Confidential Information of the other party without such other party’s express, prior written permission; provided, however, that either party may disclose Confidential Information to the extent that it is required to be disclosed pursuant to a statutory or regulatory provision or court order so long as it provides reasonable prior notice of such intent to disclose.
6.6. CLIENT AGREES TO NEVER DELIVER TO DECISIONWISE ANY SOCIAL SECURITY NUMBERS, GOVERNMENT IDENTIFICATION NUMBERS (OR OTHER SIMILAR INFORMATION), CREDIT CARD INFORMATION, HEALTHCARE INFORMATION, PROTECTED HEALTH INFORMATION, OTHER PERSONAL FINANCIAL INFORMATION, FAMILY INFORMATION, OR ANY DATA OR INFORMATION WHERE IT IS UNLAWFUL FOR DECISIONWISE OR CLIENT TO POSSESS SUCH INFORMATION OR DATA. NO DATA OR INFORMATION RELATED TO A MINOR SHALL EVER BE DELIVERED TO DECISIONWISE.
7. ASSESSMENTS AND HR FEEDBACK
7.1. If the Service Order indicates, DecisionWise may administer individual psychometric assessments to the Client’s employees. DecisionWise will not be liable for damages caused by the actions of employees, contractors, or third parties as a result of any psychological triggering or adverse employment consequences arising from any individual assessment administered by DecisionWise.
7.2. The Client understands that individual assessments must not be used as the sole source of information from which to make strategic, administrative, personnel, or other decisions.
7.3. During the rendering of Services to the Client, DecisionWise may ask the Client’s employees to provide open-ended comments. Employees may choose to disclose information to DecisionWise that should otherwise be reported directly to the Client’s human resources or legal functions (“HR Feedback”). In connection with HR Feedback, Client acknowledges that: (i) DecisionWise is under no obligation to review any of the comments it receives in order to identify HR Feedback for the Client and Client agrees to review all comments to determine if it contains HR Feedback; and (ii) DecisionWise shall not be liable to the Client for any damages suffered by the Client as a result of the HR Feedback.
8. LIABILITY; INDEMNIFICATION
8.1. NEITHER PARTY SHALL, TO THE FULLEST EXTENT ALLOWED BY LAW AND UNDER ANY CIRCUMSTANCES, REGARDLESS OF THE FORM OF ACTION OR THE BASIS OF THE CLAIM, BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES HOWSOEVER CHARACTERIZED, ARISING FROM OR IN ANY MANNER RELATED TO THE CLIENT CONTRACT.
8.2. IN NO EVENT, SHALL THE AGGREGATE LIABILITY OF EITHER PARTY TO EACH OTHER EXCEED 200% OF THE TOTAL AMOUNT PAID TO DECISIONWISE BY CLIENT DURING THE PRECEDING TWELVE MONTHS.
8.3. SUBJECT TO THE LIMITS DESCRIBED IN SECTION 8.2 ABOVE, A PARTY SHALL INDEMNIFY THE OTHER PARTY FOR DAMAGES CLAIMED BY A THIRD PARTY AS A RESULT OF A PARTY’S GROSS NEGLIGENCE, WILFUL MISCONDUCT, OR A PARTY’S BREACH OF THE CLIENT CONTRACT.
9. PRIVACY AND SECURITY; ASSESSMENT CONFIDENTIALITY
9.2. Client acknowledges and agrees that all survey responses collected by DecisionWise in connection with the Client Contract are to be confidential and any personally identifiable information shall be held confidential by DecisionWise and shall not be given to the Client without the express written consent of the individual in question unless such information is needed:
(i) To prevent the commission of a crime.
(ii) Because the material health or safety of an individual is at stake.
(iii) Where required by law.
(iv) Where the Client has agreed in writing (under a separate contract) with DecisionWise to maintain the same level of confidentiality required of DecisionWise under the Client Contract.
10. INTELLECTUAL PROPERTY; DATA RETENTION
10.1. Client acknowledges and agrees that DecisionWise has performed prior to DecisionWise’s Client Contract with Client, and will during the Client Contract, continue to perform work that resulted in or will result in the creation of designs, products, or materials that constitute DecisionWise’s intellectual property.
10.2. The parties agree that all ideas, know-how, processes, information, documents, designs, surveys, reports, inventions, copyrightable material and other tangible and intangible materials authorized, prepared, created, made, delivered, conceived or reduced to practice, in whole or part, by DecisionWise (the “IP Works”) are and will be recognized for all purposes as the property of DecisionWise and shall not be considered “work for hire” as defined by 17 U.S.C. §101 and §201. DecisionWise, however, grants to Client a non-exclusive, worldwide, fully-paid, perpetual license to any unique IP Works that are created in the course of the Client Contract and which are specific to the Client. DecisionWise shall be considered the author and/or creator of the Works and shall own all right, title, and interest in and to the copyright to the Works and in any and all of its derivative works.
10.3. Except for instances where all identifying information has been removed, the Parties agree that the IP Works may not be published or distributed to the general public without the prior written consent of the other party.
11. NON-EXCLUSIVITY; NON-SOLICITATION OF CLIENT’S EMPLOYEES
The Client Contract shall not create an exclusive relationship between the parties, and during the term of the Client Contract and for a period of two (2) years thereafter, DecisionWise will not solicit any employee or contractor of the Client to terminate or alter its relationship with the Client.
12.1. The Client Contract shall be construed and enforced under the laws of the State of Utah. All legal proceedings that may be brought between the parties in connection with the Client Contract shall be brought only in the state courts located within Utah County, Utah or the federal courts located within the State of Utah and each party hereby irrevocably consents to the jurisdiction of such courts.
12.2. No modifications or amendments to the Client Contract or any waiver of any terms or conditions hereof shall be effective unless put in writing and signed by both parties.
12.3. In any action to enforce the terms of the Client Contract, the substantially prevailing party shall be entitled to recover from the non-substantially prevailing party its reasonable attorneys’ fees, court costs, litigation expenses, deposition fees and costs, reasonable travel costs, court filing fees, and other similar expenses, including all such expenses incurred in connection with any appeals.
12.4 The Client Contract may not be assigned by the Client without the express written consent of DecisionWise. DecisionWise may assign the Client Contract without Client’s consent as part of a merger or asset acquisition where more than 50% of the equity interests or assets of DecisionWise are being acquired in a single transaction or a series of related transactions.
DATA PROCESSING ADDENDUM
In the event of a conflict between this Data Processing Addendum (also referred to as the “DPA”) and a Service Order, this Data Processing Addendum must and shall take precedence. The Client will be referred to in the Data Processing Addendum as the “Data Controller.” Capitalized terms not otherwise defined in this Data Processing Addendum shall have the meanings given them above in the Service Order and the General Terms and Conditions. The effective date for this Data Processing Addendum shall be the same as the Services Agreement.
DECISIONWISE AND DATA CONTROLLER AGREE AS FOLLOWS:
1. Subject matter of this Data Processing Addendum
1.1. This Data Processing Addendum applies exclusively to the processing of personal data that is subject to Data Protection Law, and which processing is anticipated under the terms and conditions of the Client Contract entered into between the parties.
“Data Protection Law” shall mean those laws by applicable jurisdiction that govern Personal Data as follows:
(a) Under the laws of the United States, Personal Data shall include any “non-public personal information” as that term is defined in the Gramm-Leach-Bliley Act found at 15 USC Subchapter 1 §6809(4), and “protected health information” as defined in the Health Insurance Portability and Accountability Act found at 45 CFR §160.103.
(b) Under the laws of the countries in the European Economic Area (“EEA”), Personal Data shall have the meaning given to it in Directive 95/46/EC (the “EU Directive”) and in the General Data Protection Regulation (“GDPR”).
(c) Under the laws of Australia, Personal Data shall include information or an opinion about an identified individual or an individual who is reasonably identifiable: (a) whether the information is true or not; and (b) whether the information or opinion is recorded in a material form or not.
(d) Under the laws of the state of California, Personal Data shall include “personal information” as defined in the California Consumer Privacy Act (“CCPA”), Cal. Civ. Code § 1798.140(o).
1.2. In the context of the EEA, the specific term “EU Data Protection Law” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
1.3. Terms such as “Processing”, “Personal Data”, “Data Controller” and “Processor” shall have the meaning ascribed to them in Data Protection Law.
1.4. Insofar as DecisionWise will be processing Personal Data subject to Data Protection Law on behalf of the Data Controller in the course of the performance of the Services Agreement with the Data Controller, the terms of this Data Processing Addendum shall apply. An overview of the categories of Personal Data, the types of Data Subjects, and purposes for which the Personal Data are being processed is provided in the Services Agreement or as specifically described in Annex 2, if applicable.
2. The Data Controller and DecisionWise
2.1. The Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by DecisionWise. DecisionWise will process the Personal Data as set forth in Data Controller’s written instructions. It is understood that, due to the transactions contemplated by the Services Agreement, it may be that DecisionWise is considered a Controller under EU Data Protection Law. As such, DecisionWise agrees to follow and adhere to the data processing principles as outlined by EU Data Protection Law.
2.2. DecisionWise will only process the Personal Data on documented instructions of the Data Controller in such manner as – and to the extent that – this is appropriate for the provision of the Services, except as required to comply with a legal obligation to which DecisionWise is subject. In such a case, DecisionWise shall inform the Data Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller. DecisionWise will never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. DecisionWise shall immediately inform the Data Controller if, in its opinion, an instruction infringes upon a requirement imposed by Data Protection Law, including EU Data Protection Law.
2.3. The Parties have entered into a Services Agreement in order to benefit from the expertise of DecisionWise in securing and processing the Personal Data for the purposes set out in the Service Order and as supplemented by the instructions listed in Annex 2. DecisionWise shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Addendum.
2.4. Data Controller warrants that it has all necessary rights to provide the Personal Data to DecisionWise for the Processing to be performed in relation to the Services. To the extent required by applicable Data Protection Law, Data Controller is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Data Controller is responsible for communicating the fact of such revocation to DecisionWise, and DecisionWise remains responsible for implementing any Data Controller instruction with respect to the further processing of that Personal Data.
2.5. In addition to the obligations stated hereunder, DecisionWise shall comply with all applicable provisions of the CCPA, Cal. Civ. Code §§ 1798.100 – 1798.199.
3. Confidentiality
Without prejudice to any existing contractual arrangements between the Parties, DecisionWise shall treat all Personal Data as strictly confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. DecisionWise shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the Data Controller and DecisionWise shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk.
These measures shall include as appropriate:
(a) measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in the Services Agreement and Annex 2 of this Data Processing Addendum;
(b) In assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;
(c) the pseudonymization and encryption of personal data;
(d) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(e) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident that limits access;
(f) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data;
(g) measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller; and
(h) any other specific measures agreed upon by the Parties in Annex 3.
4.2. DecisionWise shall at all times have in place an appropriate written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Section 4.1.
4.3. At the request of the Data Controller, DecisionWise shall demonstrate the measures it has taken pursuant to this Section 4 and shall allow the Data Controller to audit and test such measures. The Data Controller shall be entitled, on giving at least 14 days’ advance written notice to DecisionWise, to carry out, or have carried out by a third party who has entered into a confidentiality agreement with DecisionWise, audits of DecisionWise’s premises and operations as these relate to the Personal Data. DecisionWise shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. DecisionWise shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the Data Controller to ascertain DecisionWise’s compliance with this Data Processing Addendum.
5. Improvements to Security
5.1. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. DecisionWise will therefore evaluate the measures as implemented in accordance with Section 4 on an on-going basis and will tighten, supplement, and improve these measures in order to maintain compliance with the requirements set out in Section 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Data Protection Law or by data protection authorities of competent jurisdiction.
5.2. Where an amendment to the Services Agreement is necessary in order to execute a Data Controller instruction to DecisionWise to improve security measures as may be required by changes in Data Protection Law from time to time, the Parties shall negotiate an amendment to the Services Agreement in good faith.
6. Data Transfers
6.1. Except for those transfers already contemplated in this Data Processing Addendum or in the Client Contract, DecisionWise shall immediately notify the Data Controller of any additional planned, permanent, or temporary transfers of Personal Data to a country outside of the EEA without an adequate level of protection and shall only perform such a transfer after obtaining authorization from the Data Controller.
6.2. Data Controller and DecisionWise agree to use Model Clauses as the transfer mechanism, as more particularly outlined in Annex 4 to this Data Processing Addendum.
7. Information Obligations and Incident Management
7.1. When DecisionWise becomes aware of an Incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the Incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such Incident, in order to enable the Data Controller to perform a thorough investigation into the Incident, to formulate a correct response, and to take suitable further steps in respect of the Incident.
7.2. The term “Incident” used in this Data Processing Addendum shall be understood to mean in any case:
(a) a formal complaint to a data protection authority with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) any actual unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Sections 3 and 4 of this Data Processing Addendum leading to the actual, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data; or
(e) where, in the opinion of DecisionWise, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or DecisionWise are subject.
7.3. DecisionWise shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an Incident. Where it would be reasonably likely to require a data breach notification by the Data Controller under applicable Data Protection Law, DecisionWise shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours after having become aware of such an Incident.
7.4. Any notifications made to the Data Controller pursuant to this Section 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Addendum, and shall contain:
(a) a description of the nature of the Incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of DecisionWise’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the Incident; and
(d) a description of the measures taken or proposed to be taken by DecisionWise to address the Incident including, where appropriate, measures to mitigate its possible adverse effects.
8. Contracting with Sub-Processors
8.1. The Data Controller authorizes DecisionWise to engage the sub-processors as specified in the Services Agreement, or as specifically described in Annex 2. DecisionWise shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes.
8.2. Notwithstanding any authorization by the Data Controller within the meaning of the preceding paragraph, DecisionWise shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfil its data protection obligations.
8.3. The consent of the Data Controller pursuant to Section 8.1 shall not alter the fact that consent is required under Section 6 for the engagement of sub-processors in a country outside the European Economic Area without a suitable level of protection.
8.4. DecisionWise shall ensure that the sub-processor is bound by the same data protection obligations of DecisionWise under this Data Processing Addendum, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.
8.5. The Data Controller may request that DecisionWise audit a third party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the third party Sub-processor’s operations) to ensure compliance with its obligations imposed by DecisionWise in conformity with this Agreement.
- Returning or Destruction of Personal Data
9.2. DecisionWise shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Addendum and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.
- Assistance to Data Controller
10.1. DecisionWise shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the EU Data Protection Law.
10.2. DecisionWise shall assist the Data Controller in ensuring compliance with the obligations pursuant to Section 4 (Security) and prior consultations with supervisory authorities required under Article/Section 36 of the GDPR taking into account the nature of processing and the information available to DecisionWise.
10.3. DecisionWise shall reasonably make available to the Data Controller all information necessary to demonstrate compliance with DecisionWise’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
10.4. All obligations of the parties under this Section 10 shall be both requested and provided in good faith, and in such a manner and in such timeframes as may be commercially reasonable, taking into account such factors as the scope of the Incident, industry norms and best practices, the prior course of dealing between the parties, the state of the art, the costs of implementation, and the nature, scope, context and purposes of the request and/or the response.
- Miscellaneous
If there is a specific conflict between the language of this Data Processing Addendum and the Services Agreement, this Data Processing Addendum shall prevail. However, to the extent there is no conflict between the documents, other terms and conditions of the Services Agreement shall apply to this Data Processing Addendum, such as (without limitation) choice of law, venue, liability for damages, and all other non-conflicting terms and conditions.
DATA PROCESSING ADDENDUM
Contact information of the data protection officer/compliance officer of the Data Controller (i.e., the Client).
Unless indicated, reference is made to the Client Contact person and contact information set forth on the Service Order.
Contact information of the data protection officer/compliance officer of DecisionWise.
Matthew Wride, Data Protection Officer
815 W. 450 S.
Springville, Utah 84663
Reference is made to the instructions in the Services Agreement.
Additional Instructions: NONE
Additional Security Measures: NONE
Current Subprocessors: Confirmit (www.confirmit.com)
ANNEX 4 TO DATA PROCESSING ADDENDUM
(DATA TRANSFER MECHANISM)
- Relationship of the Parties. As between DecisionWise and Client, Client is the Data Controller of Personal Data belonging to Client (also referred to as “Client Data”) and DecisionWise is a Data Processor acting on behalf of Client. Capitalized terms shall have the meanings given them in the Client Contract, the DPA, or under applicable law or model documents, as is the case for the Model Clauses.
- Model Clauses. To the extent that DecisionWise processes any Client Data protected by Data Protection Law or that originates from the EEA under the Client Contract, and the processing occurs in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that DecisionWise will be deemed to have adequate protection (within the meaning of Data Protection Law) by DecisionWise hereby agreeing to comply with the Model Clauses, as amended and which are incorporated herein by reference.
- “Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission and available at http://ec.europa.eu/ (as may be amended or updated from time to time) along with the specific Additions outlined below.
- Any claims brought under the Model Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Client Contract. Any regulatory penalties incurred by DecisionWise in relation to the Client Data that arise as a result of, or in connection with DecisionWise’s failure to comply with its obligations under the DPA or any applicable Data Protection Laws will count toward and reduce DecisionWise’s aggregate liability under the Client Contract as if it were a liability to Client under the Client Contract.
Addition 1 to the Model Clauses
This Addition 1 forms part of the Model Clauses and must be completed by the parties.
Data exporter: The data exporter is the entity identified as the Client in the Data Processing Addendum in place between data exporter and data importer and to which these Clauses are appended.
Data importer: The data importer is the US headquartered company, DecisionWise, LLC (“DecisionWise”). DecisionWise is a provider of employee feedback data and software, which enable data exporter to collect, analyze, and respond to feedback from its employees.
Description of Data Processing: Please see the DPA for a detailed description of the data subjects, categories of data, special categories of data and processing operations.
Addition 2 to the Model Clauses
This Addition 2 forms part of the Model Clauses and must be completed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
See the DPA, which describes the technical and organizational security measures implemented by DecisionWise.
Addition 3 to the Model Clauses
This Addition 3 forms part of the Clauses and must be completed by the parties.
This Addition sets out the parties’ interpretation of their respective obligations under specific Model Clauses identified below. Where a party complies with the interpretations set out in this Addition, that party shall be deemed by the other party to have complied with its commitments under the Model Clauses.
Clause 4(h) and 8: Disclosure of these Clauses
- Data exporter agrees that these Model Clauses constitute data importer’s Confidential Information as that term is defined in the Client Contract and may not be disclosed by data exporter to any third party without data importer’s prior written consent unless permitted pursuant to the Client Contract. This shall not prevent disclosure of these Model Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.
Clause 5(a): Suspension of data transfers and termination
- The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
- The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract.
- If the data exporter intends to suspend the transfer of personal data and/or terminate these Model Clauses, it shall endeavor to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).
- If after the Cure Period, the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instances where it considers there is a material risk of harm to data subjects or their personal data.
Clause 5(j): Disclosure of subprocessor agreements
- The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter, except for the subprocessor, Confirmit, which has already been identified and approved in Annex 3 to the DPA.
- The parties further acknowledge that, pursuant to subprocessor confidentiality restrictions, data importer may be restricted from disclosing onward subprocessor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to data exporter.
- Even where data importer cannot disclose a subprocessor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information in connection with such subprocessing agreement to data exporter.
Clause 11: Onward subprocessing
- The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the data exporter may provide a general consent to onward subprocessing by the data importer.
- Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in the DPA.