DATA PROTECTION ADDENDUM
Sep 17, 2024
This Data Protection Addendum (“Addendum”) is entered into by and between Customer and Bowtie Inc. (together with its related subsidiary or affiliated entities, “Bowtie”). Customer and Bowtie shall be referred together as the “Parties” and each, a “Party.” This Addendum forms part of one or more written agreements, including the Bowtie Software and Services Agreement, along with the related Order Form and/or SOWs (“Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect to the extent they are not inconsistent with this Addendum. The terms of the Addendum shall otherwise supersede any such inconsistent terms under the Agreement, but in the event of a conflict with any applicable Order Form, the Order Form shall govern and control in all such respects. In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
Definitions. In this Addendum, the following terms shall have the meanings set out below and similar terms shall be construed accordingly: (A) “Applicable Data Protection Laws” means all applicable data privacy and security laws, legislation, regulations and regulatory guidance, each as updated or replaced from time to time. (B) “Affiliates” means any entity which directly or indirectly controls, is controlled by, or is under common control by either party. For the purposes of the preceding sentence, “control” means direct or indirect ownership or control of more than 50% of the voting securities of the subject entity or that the applicable entity otherwise has direct or indirect authority to control the management of the subject entity, whether by contract or otherwise. (C) “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise processed, and also includes like terms as defined under Applicable Data Protection Laws. (D) “Data Subject” means a natural person or consumer whose Personal Information is processed and who receives rights and protections under Applicable Data Protection Laws. (E) “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual, along with other like terms, such as “personal data” and “personally identifiable information.” All other terms used in this Addendum and not defined herein have the respective meanings ascribed to such terms and related terms under Applicable Data Protection Laws.
Instructions and Details of Processing. The parties acknowledge and agree that Customer does not intend to provide Bowtie with access to any Personal Information under this Agreement; provided, that, if Bowtie receives or processes any Personal Information under this Agreement, the terms and conditions of this Exhibit A shall apply.
Compliance with Applicable Data Protection Laws. Bowtie shall comply with all Applicable Data Protection Laws under the Agreement and this Addendum. Bowtie shall notify Customer no later than five (5) business days after it makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws and this Addendum. Customer may take reasonable and appropriate steps to ensure Bowtie uses Customer’s Personal Information in a manner consistent with Customer’s obligations under Applicable Data Protection Laws. Customer may take reasonable and appropriate steps to stop and remediate Bowtie’s unauthorized use of Customer’s Personal Information.
Duty of Confidentiality. Bowtie shall ensure that persons authorized to process Customer’s Personal Information are subject to an appropriate duty of confidentiality.
Security of Processing and Notification of Data Breach. Bowtie shall use, implement, and maintain all reasonable safeguards to protect Customer’s Personal Information.
Bowtie shall promptly and thoroughly investigate (with Customer’s participation if so desired by Customer) all potential Data Breaches involving Customer’s Personal Information and provide, within 24 hours, a detailed description of the event to Customer in writing and by telephone, together with a list of all corrective or protective measures that have been taken or that will be taken by Bowtie. Bowtie shall promptly provide Customer with updated and additional information as it continues its investigation or as otherwise becomes available. Customer shall have the right at any time after learning of a Data Breach impacting Customer’s Personal Information to engage and involve external forensic firms in the investigation of the incident (which will include a right to investigate Bowtie’s systems), and Bowtie shall comply with all reasonable requests of such external forensic firm.
Bowtie shall also help and assist Customer to meet its obligations under Applicable Data Protection Laws in relation to the Data Breach or security incident.
Unless required by applicable Privacy Laws, Bowtie shall not inform any third party of any security incident without first obtaining Customer’s prior written consent. Customer shall have the sole right to determine (A) whether and how notice of a Data Breach is to be provided to any Data Subjects, supervisory authorities, law enforcement agencies, consumer reporting agencies, or others as may be required by Applicable Data Protection Laws or in Customer’s discretion, and (B) the contents of such notice.
To the extent any Data Breach involving Customer’s Personal Information arises out of or is connected to a breach by Bowtie of its obligations under the Agreement, Bowtie shall bear, in addition to any other damages for which Bowtie may be liable under the Agreement, the following costs incurred by the Customer in responding to such breach, to the extent applicable: (1) the cost of providing notice to affected individuals; (2) the cost of providing notice to government agencies, credit bureaus, authorities, other required entities and/or other affected third parties; (3) the cost of providing affected individuals with credit monitoring services for a period required by applicable law; (4) call center support for such affected individuals for a specific period not to exceed ninety (90) days; and (5) the cost of any other measures required under Applicable Data Protection Laws.
Monitoring Compliance. Bowtie shall make available to Customer all information necessary to demonstrate compliance with the Addendum and Applicable Data Protection Laws. Bowtie shall permit Customer to monitor Bowtie’s compliance with the Addendum and Applicable Data Protection Laws through measures, including, but not limited to, ongoing manual reviews, audits, or other testing once every 12 months. Bowtie shall allow for, and contribute to such reasonable audits, assessments, and inspections by Customer or another auditor designated and mandated by Customer. The audit, assessment, or inspection shall be conducted using appropriate and accepted control standards or frameworks and audit processors, at Customer’s expense, and Bowtie shall provide a report for Customer’s audit, assessment, or inspection upon request.
Bowtie Assistance to Customer. Bowtie shall promptly, but no later than within five (5) business days of Customer’s request, provide assistance requested by Customer to enable Customer to comply with its obligations under Applicable Data Protection Laws, including in relation to Data Subject requests, data protection impact assessments, prior consultations, and responding to any regulator or state attorneys’ general request, investigation, or legal action. Customer shall inform Bowtie of any Data Subject requests made pursuant to Applicable Data Protection Laws that Bowtie must comply with, and provide the information necessary for Bowtie to comply with the Data Subject requests, where required by Applicable Data Protection Laws. Bowtie’s assistance shall not be unreasonably withheld.
Indemnification. Bowtie will indemnify, keep indemnified and hold harmless Customer and its clients, officers, directors, employees, agents, representatives, and associates from and against all third-party loss, harm, cost, expense, fine, penalty, damage, and liability they may suffer or incur, including reasonable legal fees and expenses, as a result of Bowtie’s non-compliance with the requirements of this Addendum or Applicable Data Protection Laws.
Use of Subcontractors. Bowtie has Customer’s general authorization for the engagement of subcontractors for this Agreement; however, Bowtie shall not subcontract with any third party for services that include direct or indirect access to, storage or processing of, or other contact with Personal Information, without the prior consent of Customer. Bowtie shall inform Customer in writing of any replacement of subcontractors in advance, thereby giving Customer sufficient time to be able to object to such changes prior to the engagement of the subcontractor(s). If Customer objects to a subcontractor, and Bowtie is unable to resolve Customer’s objections, Customer may terminate the services that use the objected-to subcontractor. Bowtie shall ensure that each of its subcontractors is bound by contractual obligations with respect to Personal Information that are the same as, or no less than, those contained in this Addendum. Bowtie shall provide, on request, a copy of such subcontractor data protection agreement (and any subsequent amendments) to Customer. Bowtie is responsible for the performance of the subcontractor’s obligations in compliance with the terms of this Addendum and Applicable Data Protection Laws.
Restrictions on Processing of Personal Information. Bowtie is subject to all restrictions on processing of Personal Information as applicable to Processors under Applicable Data Protection Laws. Bowtie is prohibited from selling or sharing Personal Information. Bowtie is prohibited from retaining, using, or disclosing Personal Information for any purpose other than for the business purposes set forth in this Addendum and the Agreement, or as otherwise permitted by Applicable Data Protection Laws. Bowtie is prohibited from retaining, using, or disclosing Personal Information for a commercial purpose other than the business purposes specified in this Addendum and the Agreement, or as otherwise permitted by Applicable Data Protection Laws. Bowtie is prohibited from retaining, using, or disclosing Personal Information outside of the direct business relationship between Bowtie and Customer, unless permitted by Applicable Data Protection Laws. Bowtie is prohibited from combining or updating the Personal Information that Bowtie receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject.
Return or Delete Personal Information. Bowtie shall delete or return all Personal Information to Customer after the end of the provision of services relating to processing under the Agreement, and delete existing copies unless retention of the Personal Information is required by applicable law. If Bowtie is unable to delete or return Customer’s Personal Information, Bowtie shall inform Customer of that obligation and comply with the requirements of Applicable Data Protection Laws until the Personal Information is securely deleted or returned to Customer.
Warranties. Bowtie represents and warrants that no Applicable Data Protection Law, or privacy or information security enforcement action, investigation, litigation or claim prohibits Bowtie from (a) fulfilling its obligations under this Addendum; or (b) complying with instructions it receives from Customer concerning Personal Information. In the event an Applicable Data Protection Law, or privacy or information security enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Bowtie’s ability to fulfill its obligations under this Addendum, Bowtie shall promptly notify Customer in writing and Customer may, in its sole discretion and without liability to Customer, suspend (1) the transfer or disclosure of Personal Information to Bowtie and/or (2) access to Personal Information by Bowtie, and terminate any further processing of Personal Information by Bowtie.
Coverage. During the term of the Agreement, Bowtie shall carry and maintain at its own cost, with such companies as are reasonably acceptable to Customer, cyber liability insurance for not less than $2,000,000 USD per occurrence and in the aggregate. Bowtie shall, prior to providing any services hereunder, provide Customer with certificates of insurance evidencing the coverages and amounts set forth above. Bowtie will give thirty (30) days’ prior written notice to Customer of any cancellation of the coverage afforded under this section. The insurance shall contain a waiver of subrogation and a waiver of right of recovery against Customer, in a form satisfactory to Customer.
Disclosure of Personal Information. Subject to Applicable Data Protection Laws, Bowtie shall notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding requiring access to or disclosure of Personal Information which notice shall describe the Personal Information to be disclosed and the identity of the third party requiring such disclosure so that Customer may interpose an objection to such disclosure, take action to assure confidential handling of the Personal Information, or take such other action as it deems appropriate to protect the Personal Information. In either case, Bowtie shall reasonably cooperate with Customer in its efforts to seek a protective order or other appropriate remedy or, in the event such protective order or other remedy is not obtained, to obtain assurance that confidential treatment will be accorded such Personal Information.
Survival. Bowtie’s obligations under this Addendum shall survive termination or expiration of the Agreement, so long as Bowtie has possession, custody, or control of any Personal Information received from or on behalf of Customer.
Certification. Bowtie certifies, under Applicable Data Protection Laws, that it understands the restrictions in this Addendum and will comply with them.
IN WITNESS WHEREOF, this Addendum represents a binding obligation at such time as any Bowtie Order Form is executed and delivered between Bowtie and Customer.