Last modified: March 21, 2022
This Data Protection Agreement with Standard Contractual Clauses (“DPA”) forms part of the PerimeterX Subscription Agreement or other written or electronic agreement that expressly references this DPA ("Agreement") between PerimeterX, Inc. (“PerimeterX”) and Subscriber for the purchase of website security and monitoring services (“Services”) identified in an ordering document Subscriber has signed with PerimeterX (“Order Form”). By signing the Order Form, Subscriber enters into this DPA on behalf of itself and, to the extent required under applicable Data Privacy Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent PerimeterX processes Personal Data for that Authorized Affiliate. For the purposes of this DPA only, and except where indicated otherwise, the term "Subscriber" shall include Subscriber and Authorized Affiliates. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity where “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
"Authorized Affiliate" means any of Subscriber's Affiliate(s) that is permitted to use the Services pursuant to the Agreement between Subscriber and PerimeterX but has not signed its own Order Form with PerimeterX.
“CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et. seq. and its implementing regulations.
"Controller" means the entity which determines the purposes and means of the processing of Personal Data.
“Data Privacy Laws” means applicable national, federal, state and provincial laws relating to data privacy, the protection of Personal Data, and the cross-border transfer of Personal Data (e.g., to the extent applicable, the CCPA and GDPR), excluding any law that requires data to be stored in a specific country.
“Data Subject Request” means a request from a data subject to exercise the data subject's rights under applicable Data Privacy Laws, including, as applicable, rights to data rectification, data portability, access to data, data erasure (“the right to be forgotten”), not to be subject to automated decision making, not to have Personal Data sold, to request information, not to be discriminated against for exercising rights, restriction of or objection to processing, and the applicable rights under CCPA §§ 1798.100(d), 1798.105, 1798.110, 1798.120, 1798.130(a)(2), 1798.140(y), 1798.145(g) and GDPR Art. 12-23.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO, a current version of which is found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.
“Personal Data” means (i) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (ii) is defined as “Personal Information” or “Personal Data” by applicable Data Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).
"process" and its cognates mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which processes Personal Data on behalf of the Controller, including, as applicable, any "service provider" as that term is defined by the CCPA.
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") and (ii) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”).
“Subprocessor” means any Processor engaged by PerimeterX to process Subscriber’s Personal Data.
“Subscriber” means “Customer” or “Subscriber” as defined in the Order Form.
“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection, which has authority and jurisdiction over Subscriber.
“UK ICO” means the United Kingdom Information Commissioner's Office.
“UK GDPR” means the GDPR as implemented by the UK.
2. Processing of Data. PerimeterX will only process Subscriber Personal Data (i) in compliance with the instructions received from Subscriber and (ii) for the purposes expressly set forth in the Agreement, including providing, supporting and improving the Services. PerimeterX will not use or process the Subscriber Personal Data for any other purpose. PerimeterX will promptly inform Subscriber in writing if it cannot comply with the requirements of this DPA, in which case Subscriber may terminate the Agreement or take any other reasonable action, including suspending data processing operations.
3. Compliance with Law; Duty to Inform. PerimeterX will comply with all applicable Data Privacy Laws, including, as applicable, the CCPA and the GDPR. PerimeterX will promptly inform Subscriber if, in its opinion, a processing instruction from Subscriber violates Data Privacy Laws.
4. No Sale of Personal Information. PerimeterX will not “sell” any “personal information” as defined under the CCPA (§ 1798.140(d)).
5. Roles of the Parties. The parties agree that with respect to processing Personal Data that Subscriber is the Controller and PerimeterX is the Processor.
6. Confidentiality. All PerimeterX personnel and any Subprocessors are required to comply with the confidentiality obligations related to Subscriber Personal Data, including after the end of their respective employment, contract or assignment.
7. Standard Contractual Clauses. To the extent any Personal Data of European Economic Area (“EEA”) or United Kingdom (“UK”), or Swiss data subjects is processed, the Standard Contractual Clauses (“SCC”) as detailed in Exhibit A of this DPA apply, provided that for Swiss data subjects the SCC extends protection to the Personal Data of legal entities and personality profiles. For the avoidance of doubt, with respect to transfers of EEA, UK and Swiss Personal Data for processing by PerimeterX in a jurisdiction other than an EU member state, PerimeterX agrees to comply with applicable Data Privacy Laws in connection with that cross-border transfer of data (e.g., Art. 46 of the GDPR).
8. Data Subject Requests. PerimeterX will, to the extent legally permitted, promptly notify Subscriber if PerimeterX receives a Data Subject Request relating to a data subject’s Personal Data that is being processed for Subscriber. On request, PerimeterX will provide all necessary assistance and cooperation, materials and/or documentation as may be necessary for Subscriber to comply with its obligations under the Data Privacy Laws in connection with all Data Subject Requests.
9. Notice of Investigation, Complaint or Subpoena. PerimeterX will promptly inform Subscriber if it receives (a) any notice or inquiry from a Supervisory Authority relating to the processing of Subscriber Personal Data, (b) any complaint by a data subject regarding the processing of Subscriber Personal Data, or (c) any legally binding request for disclosure of Subscriber Personal Data by a law enforcement authority, unless PerimeterX is prohibited by applicable law from informing Subscriber.
10. Cooperation. On request, PerimeterX will provide Subscriber with a summary of its security and privacy policies. On request, PerimeterX will cooperate with the Supervisory Authority and promptly provide Subscriber with all information in PerimeterX’s possession or control in relation to the processing of the Personal Data under this Agreement.
11. Data Breach. PerimeterX will notify Subscriber within twenty-four (24) hours after discovery of any unauthorized disclosure of or access to Personal Data while in the possession or control of PerimeterX or its Subprocessors (“Security Incident”). PerimeterX will promptly provide Subscriber with all information in its possession or control in relation to any Security Incident, including a description of the nature of the Security Incident; the categories and approximate number of data subjects concerned and the records of Personal Data affected; the name and contact details of PerimeterX’s point of contact from whom further information can be obtained; a description of the consequences of the Security Incident and the measures taken or proposed to be taken by PerimeterX to address the Security Incident; and with all reasonable assistance and cooperation as is necessary in order for the Subscriber to seek to mitigate the effects of the Security Incident and comply with its own obligations under the Data Privacy Laws with respect to the Security Incident. Except as may be required by applicable law, PerimeterX will not make any public announcement or notify any data subject about the Security Incident unless expressly authorized by Subscriber.
12. Subprocessors. If PerimeterX intends to engage Subprocessors, PerimeterX will (i) remain liable to Subscriber for the Subprocessors’ acts and omissions with regard to their processing; (ii) exclusive of the list of Subprocessors PerimeterX maintains online (currently available at http://www.perimeterx.com/legal/subprocessors), obtain the prior written consent of Subscriber to such subcontracting, such consent to not be unreasonably withheld; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide a similar level of data protection provided for in this DPA. Further, PerimeterX will comply with Data Privacy Laws when engaging a Subprocessor (e.g., GDPR Art. 28(2) and 28(4)).
13. DPIA and Consultations. Upon request, PerimeterX will provide Subscriber with assistance in the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
(A) Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which PerimeterX processes Subscriber Personal Data in order to ascertain or monitor Subscriber's compliance with Data Privacy Laws, PerimeterX will cooperate with such audit. Subscriber is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time PerimeterX expends for any such audit, in addition to the rates for services performed by PerimeterX.
(B) Subscriber Audits. On request, PerimeterX will provide to Subscriber each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the services under the Agreement (each such report, a “Report”). If a Report does not provide, in Subscriber’s reasonable judgment, sufficient information to confirm PerimeterX’s compliance with the terms of this DPA, then Subscriber or an accredited third-party audit firm agreed to by both Subscriber and PerimeterX may audit PerimeterX’s compliance with the terms of this DPA during regular business hours, with reasonable advance notice to PerimeterX and subject to reasonable confidentiality procedures. Subscriber is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time PerimeterX expends for any such audit, in addition to the rates for services performed by PerimeterX. Before the commencement of any such audit, Subscriber and PerimeterX shall mutually agree upon the scope, timing, and duration of the audit. Subscriber shall promptly notify PerimeterX with information regarding any non-compliance discovered during the course of an audit. Subscriber may not audit PerimeterX more than once annually unless there is a Security Incident.
15. Data Destruction. PerimeterX will destroy all Personal Data within sixty (60) days following the expiration or termination of this Agreement or Subscriber’s request, cause its Subprocessors to do the same, and demonstrate to the satisfaction of Subscriber that it has taken such measures, unless Data Privacy Laws prevent PerimeterX from destroying all or part of the Subscriber Personal Data disclosed. For clarity, PerimeterX may continue to process Personal Data that has been aggregated in a manner that does not identify individuals or customers to improve Subscriber’s systems and services and data that PerimeterX, in good faith, believes it has identified as a threat (e.g., malware, a denial of service attack or other malicious activity) without identifying Subscriber as the source of the data.
16. Technical and Organizational Safeguards. PerimeterX will implement appropriate technical and organizational safeguards designed to protect Personal Data (i) from unauthorized or unlawful processing, (ii) against accidental or unlawful disclosure, alteration or loss, and/or (iii) against unauthorized disclosure or access, including as applicable under Art. 32 of the GDPR. PerimeterX will comply with strict internal controls in line with industry best practices, such as SOC2 guidelines. PerimeterX will implement security controls in the form of mandatory policies and procedures for all PerimeterX employees who have access to Subscriber Personal Data to follow. These policies and procedures cover: (1) measures, standards, norms, procedures, and rules to address the appropriate level of security, (2) the meaning and importance of Personal Data and the need to keep it secure, confidential, and accessed only on a need-to-know basis, (3) staff functions, obligations and access rights, (4) procedures for reporting, managing and responding to security incidents and (5) procedures for making backup copies and recovering Personal Data.
17. Miscellaneous. Neither party will assign the DPA in whole or in part without the other party’s prior written consent (which consent will not be unreasonably denied, delayed or conditioned), except to an Affiliate or a successor that is made in connection with a merger or sale of all or substantially all of a party’s assets or stock. Any attempted assignment in violation of this restriction is void. The DPA shall bind and inure to the benefit of the parties, their respective successors and permitted assigns. If a conflict exists between any of the terms in the DPA and the Order Form, then this DPA will govern. This DPA can be executed electronically and in counterparts, each of which is deemed to be an original and together comprise a single document. Each party represents and warrants that the individual binding a party under this DPA is authorized to do so.
1.1. Cross-Border Transfers Mechanisms – EU and Switzerland. If the Agreement requires the transfer of Personal Data of data subjects who reside in or are based out of the EU or Switzerland to countries that are not recognized by the European Commission as providing an adequate level of protection of Personal Data, then such transfers will be made pursuant to the transfer mechanisms outlined in Module Two (Transfer controller to processor) of the EU SCCs. Where the EU SCCs identify optional provisions (or provisions with multiple options), the following shall apply:
(a) In Clause 7 (Docking Clause) (Module 2) – the Optional provision shall apply;
(b) In Clause 9(a) (Use of subprocessors) (Module 2) – Option 2 shall apply with the specified time period being 10 business days;
(c) In Clause 11(a) (Redress) (Module 2) – the Optional provision shall NOT apply;
(d) In Clause 17 (Governing Law) (Module 2) – Option 1 shall apply and the laws of Ireland shall govern; and
(e) In Clause 18 (Choice of forum and jurisdiction) (Module 2) – the courts of Ireland shall have jurisdiction.
1.2. With respect to the Annexes to the EU SCCs, the following shall apply:
(a) In Annex 1.A (“List of the Parties”) of the EU SCC, the full name, address and contact details for the Data Exporter and Data Importer (as defined below) are set out in the Agreement; and in the case of Module 2, the data exporter and Controller is Subscriber and its relevant Affiliates (the “Data Exporter”), and the data importer and Processor is PerimeterX and its relevant Subprocessor Affiliates located in non-adequacy approved third countries (the “Data Importer”). By entering and signing the Agreement or Order Form, Data Importer and Data Exporter are deemed to have signed the SCCs;
(b) In Annex 1.B (“Description of the Transfer”):
Categories of data subjects whose personal data is transferred:
An identifiable or identified natural person (“User”) who uses the Subscriber “Websites” and/or “Apps” (as defined and identified in the Order Form).
Categories of personal data transferred:
For PerimeterX’s Bot Defender Solution: Data Importer may process certain information about how a User uses the Subscriber Websites or Apps, including a User’s Internet Protocol (IP) address and other user engagement and interaction metrics and other statistics. For PerimeterX’s Account Defender solution, Data Importer may process name, email address, usernames, passwords and other login credentials, as well as the categories of Personal Data identified above for Bot Defender.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
No such data will be processed.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
PerimeterX shall process Personal Data in its provision of Services on a continuous basis pursuant to the terms of the Agreement.
Nature of the processing:
PerimeterX shall process Personal Data in its provision of Services pursuant to the terms of the Agreement.
Purpose(s) of the data transfer and further processing:
The transfer is made for the purpose of providing Services to Subscriber pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
PerimeterX shall process Personal Data in its provision of Services for a term outlined in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of the processing of Personal Data by PerimeterX’s Subprocessors is the same as for PerimeterX, as outlined above.
(c) In Annex 1.C of the EU SCC: The competent supervisory authority shall be the supervisory authority applicable to Subscriber in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.
(d) In Annex 2 of the EU SCC: Data Importer will at a minimum institute the technical and organizational measures to ensure a level of security appropriate to the risk, as is required in Art. 32 of the GDPR. Data Importer will comply with strict internal controls in line with industry best practices, such as SOC2 guidelines and ISO 27001 guidelines. Data Importer will implement security controls in the form of mandatory policies and procedures for all Data Importer employees who have access to Data Exporter's data to follow. Data Importer will have, where appropriate, measures of pseudonymization and encryption of Personal Data; measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; measures for ensuring the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing; measures for user identification and authorization; measures for the protection of data during transmission; measures for the protection of data during storage; measures for ensuring physical security of locations at which Personal Data are processed; measures for ensuring event logging; measures for ensuring system configuration, including default configuration; measures for internal IT and IT security governance and management; measures for certification/assurance of processes and products; measures for ensuring data minimization; measures for ensuring data quality; measures for ensuring limited data retention; measures for ensuring accountability; and measures for ensuring erasure.
1.3. Cross-Border Transfers Mechanisms – UK. If the Agreement requires the transfer of Personal Data of data subjects who reside in the UK to countries that are not recognized by the UK ICO as providing an adequate level of protection of Personal Data, then such transfers will be made pursuant to the EU SCCs detailed in Sections 1.1 and 1.2 of this Exhibit, as amended by the IDTA. With respect to Table 1 of the IDTA, the “Exporter” is the Data Exporter and the “Importer” is the Data Importer, as both are identified in Section 1.2 (above). By entering and signing the Agreement or Order Form, Importer and Exporter are deemed to have signed the IDTA. With respect to Table 2 of the IDTA, the optional provisions of Clause 7 (Docking Clause) (Module 2) shall apply; Option 2 in Clause 9(a) (Use of subprocessors) (Module 2) shall apply with the specified time period being 10 business days; and Clause 11(a) (Redress) (Module 2) shall NOT apply. With respect to Table 3 of the IDTA, the information is provided in Section 1.2 of this Exhibit. With respect to Table 4 of the IDTA, only Exporter (aka Subscriber) may end the IDTA, as is detailed in Section 19 of the IDTA, if the UK ICO issues new changes to the IDTA.
SUPPLEMENTARY TERMS TO SCCs
2.1. Communication. The Parties agree that all notices, requests and monitoring rights required under the SCCs shall be provided, as applicable, to PerimeterX and the Subscriber entity that is a party to the Agreement.
2.2. Erasure or return of data. For the purposes of Clause 8.5 – Module Two, PerimeterX shall delete Subscriber Data in accordance with respective data deletion and certification of deletion provisions set out in the Agreement. For the avoidance of doubt, if no such provisions are set out in the Agreement, PerimeterX shall delete all Personal Data within 60 days of termination of the Agreement.
2.3. Notification of supervisory authority. The Parties acknowledge and agree that PerimeterX, where required by the SCCs to notify the competent Supervisory Authority, shall first provide Subscriber with the details of the notification, permitting Subscriber to have prior written input into the relevant notification where Subscriber so desires, without unduly delaying the timing of the notification.
2.4. Documentation and compliance. For the purposes of Clause 8.9(e) – Module Two, the review and audit provisions in the Agreement/DPA shall apply.
2.5. Notification and Transparency. For purposes of Clause 8.3 – Module 2 and Clause 15.1(a), the Parties agree and acknowledge that it may not be possible for PerimeterX to make the appropriate communications to data subjects and accordingly, Subscriber shall (following notification by the Data Importer) be the party who makes any communication to the data subject, and PerimeterX shall provide the level of assistance set out in the Agreement.
2.6. Liability. For the purposes of Clause 12 (a), the liability of the parties shall be limited in accordance with the limitation of liability provisions in the Agreement.
2.7. Enforcement. The Data Exporter may enforce the terms of the SCCs against the Data Importer (and vice versa).
2.8. Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without the signature page of the SCCs actually being signed by PerimeterX, Subscriber and/or their relevant Affiliates, it is agreed that the execution of the Agreement is deemed to constitute its execution of the SCCs on behalf of the Data Exporter or Data Importer (as applicable, as per clause 1.3 above), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
The provisions in this DPA shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA.