Last modified: December 16, 2022
This Data Protection Agreement with Standard Contractual Clauses (“DPA”) forms part of the PerimeterX Subscription Agreement or other written or electronic agreement that expressly references this DPA ("Agreement") between PerimeterX, Inc. (“PerimeterX”) and Subscriber for the purchase of website security and monitoring services (“Services”) identified in an ordering document Subscriber has signed with PerimeterX (“Order Form”). By signing the Order Form, Subscriber enters into this DPA on behalf of itself and, to the extent required under applicable Data Privacy Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent PerimeterX processes Personal Data for that Authorized Affiliate. For the purposes of this DPA only, and except where indicated otherwise, the term "Subscriber" shall include Subscriber and Authorized Affiliates. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity where “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
"Authorized Affiliate" means any of Subscriber's Affiliate(s) that is permitted to use the Services pursuant to the Agreement between Subscriber and PerimeterX but has not signed its own Order Form with PerimeterX.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et seq., and its implementing regulations.
"Controller" means the entity which determines the purposes and means of the processing of Personal Data.
“Data Privacy Laws” means any law or regulation concerning information privacy or security applicable to PerimeterX’s Processing of the Personal Information to provide Services under the Agreement, including to the extent applicable to the Processing, (i) EU GDPR, (ii) UK GDPR, (iii) the Swiss Federal Act on Data Protection (“FADP”), and (iv) CCPA.
“Data Subject Request” means a request from a data subject to exercise the data subject's rights under applicable Data Privacy Laws, including, as applicable, rights to data rectification, data portability, access to data, data erasure (“the right to be forgotten”), not to be subject to automated decision making, not to have Personal Data sold, to request information, not to be discriminated against for exercising rights, restriction of or objection to processing, and the applicable rights under CCPA §§ 1798.100(d), 1798.105, 1798.110, 1798.120, 1798.130(a)(2), 1798.140(y), 1798.145(g) and GDPR Art. 12-23.
“GDPR” means the General Data Protection Regulation, (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO, the current version of which can be found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.
“Personal Data” means (i) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (ii) is defined as “Personal Information” or “Personal Data” by applicable Data Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).
"process" and its cognates mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which processes Personal Data on behalf of the Controller, including, as applicable, any "service provider" as that term is defined by the CCPA.
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") and (ii) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”).
“Subprocessor” means any Processor engaged by PerimeterX to process Subscriber’s Personal Data.
“Subscriber” means “Customer” or “Subscriber” as defined in the Order Form.
“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection, which has authority and jurisdiction over Subscriber.
“UK ICO” means the United Kingdom Information Commissioner's Office.
“UK GDPR” means the United Kingdom Data Protection Act of 2018 and the United Kingdom General Data Protection Act and any successor legislation thereto.
Processing of Data. This DPA applies to all Personal Data that PerimeterX processes pursuant to the Agreement. PerimeterX will only process Subscriber Personal Data (i) in compliance with the instructions received from Subscriber, (ii) for the purposes expressly set forth in the Agreement and this DPA, including providing, supporting and improving the Services, and (iii) in compliance with Data Privacy Laws. PerimeterX will not use or process the Subscriber Personal Data for any other purpose. PerimeterX will promptly inform Subscriber in writing if it cannot comply with the requirements of this DPA, in which case Subscriber may terminate the Agreement or take any other reasonable action, including suspending data processing operations. PerimeterX will not retain, use, or disclose the Personal Data outside of the direct business relationship between PerimeterX and Subscriber. PerimeterX will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Subscriber’s express written permission. PerimeterX will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Subscriber. PerimeterX will comply with any applicable restrictions under Data Privacy Laws on combining the Personal Data with personal data that PerimeterX receives from, or on behalf of, another person or persons, or that PerimeterX collects from any interaction between it and any individual. PerimeterX will provide the same level of protection for the Personal Data as is required under Data Privacy Laws applicable to Subscriber. PerimeterX will not otherwise engage in any processing of the Personal Data that is prohibited or not permitted by “processors” or “service providers” under Data Privacy Laws. PerimeterX certifies that it understands and will comply with its obligations under this DPA.
Compliance with Law; Duty to Inform. PerimeterX will comply with all applicable Data Privacy Laws, and will promptly inform Subscriber if (a) it can no longer meet its obligations under Data Privacy Laws; (b) it has breached this DPA, in which case it shall cooperate to remediate such breach; or (c) in its opinion, a processing instruction from Subscriber violates Data Privacy Laws. Subscriber retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
No Sale of Personal Information. PerimeterX will not “sell” personal data or “share” personal data for purposes of “cross-context behavioral advertising” (as such terms are defined in applicable Data Privacy Law).
Roles of the Parties. The parties agree that with respect to processing Personal Data that Subscriber is the Controller and PerimeterX is the Processor.
Confidentiality. All PerimeterX personnel and any Subprocessors are required to comply with the confidentiality obligations related to Subscriber Personal Data, including after the end of their respective employment, contract or assignment.
Standard Contractual Clauses. To the extent any Personal Data of European Economic Area (“EEA”), United Kingdom (“UK”) or Swiss data subjects is processed, the Standard Contractual Clauses (“SCCs”) as modified below shall apply. For the avoidance of doubt, with respect to transfers of EEA, UK and Swiss Personal Data for processing by PerimeterX in a jurisdiction other than an EU member state, PerimeterX agrees to comply with applicable Data Privacy Laws in connection with that cross-border transfer of data (e.g., Art. 46 of the GDPR).
PerimeterX will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Privacy Laws. Where PerimeterX engages in an onward transfer of Personal Data, PerimeterX shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
To the extent legally required, by signing this DPA, Subscriber and PerimeterX are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
Module 2 of the EU SCCs applies to transfers of Personal Data from Subscriber (as a controller) to PerimeterX (as a processor);
Clause 7 (the optional docking clause) is included;
Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of Subprocessors is set forth in Schedule B of this DPA, and PerimeterX shall update that list and provide notice to Subscriber in advance of any intended additions or replacements of Subprocessors as provided in Section 6;
Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
Annex II (Technical and organizational measures) is completed with Schedule A of this DPA; and
Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9; however, a list of PerimeterX’s Subprocessors is available in Schedule B.
With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall have the meanings given in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
Table 1 of the UK SCCs:
The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer.
The Key Contacts shall be the contacts set forth in Schedule A.
Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below.
Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
By entering into this DPA, the Parties are deemed to be signing the UK SCCs.
For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in this Section 7(b), but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom. To the extent that PerimeterX Processes Personal Data of Data Subjects located in or subject to the applicable Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, PerimeterX agrees to the following safeguards to protect such data to a level equivalent to that required by applicable Data Privacy Laws:
PerimeterX and Subscriber shall encrypt all transfers of the Personal Data between them, and PerimeterX shall encrypt any onward transfers it makes of such Personal Data, to prevent the acquisition of such data by third parties.
PerimeterX will use all reasonably available legal mechanisms to challenge any demands for access to Personal Data it receives through national security processes, as well as any non-disclosure provisions attached thereto.
PerimeterX will promptly notify Subscriber of any government demands for Subscriber Personal Data, unless prohibited under applicable law. To the extent PerimeterX is prohibited by law from providing such notification, PerimeterX shall: (i) review each request on a case-by-case basis; (ii) use best efforts to request that the confidentiality requirement be waived to enable PerimeterX to notify the Subscriber and/or the appropriate Supervisory Authority competent for the Subscriber; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
Upon Subscriber’s request, PerimeterX shall provide a transparency report indicating the types of binding legal demands for the Personal Data it has received, if any, including national security orders and directives.
PerimeterX will promptly notify Subscriber if PerimeterX can no longer comply with the applicable clauses in this Section. PerimeterX shall not be required to provide Subscriber with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Subscriber to terminate the Agreement (or, at Subscriber’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Subscriber’s other rights and remedies with respect to a breach of the Agreement.
Data Subject Requests. PerimeterX will, to the extent legally permitted, promptly notify Subscriber if PerimeterX receives a Data Subject Request relating to a data subject’s Personal Data that is being processed for Subscriber and assist Subscriber through appropriate technical and organizational measures for the fulfilment of Subscriber’s obligation to respond to third party requests.
Notice of Investigation, Complaint or Subpoena. PerimeterX will promptly inform Subscriber if it receives (a) any notice or inquiry from a Supervisory Authority relating to the processing of Subscriber Personal Data, (b) any complaint by a data subject regarding the processing of Subscriber Personal Data, or (c) any legally binding request for disclosure of Subscriber Personal Data by a law enforcement authority, unless PerimeterX is prohibited by applicable law from informing Subscriber.
Cooperation. On request, PerimeterX will provide Subscriber with a summary of its security and privacy policies. On request, PerimeterX will cooperate with the Supervisory Authority and promptly provide Subscriber with all information in PerimeterX’s possession or control in relation to the processing of the Personal Data under this DPA.
Data Breach. PerimeterX will notify Subscriber within forty-eight (48) hours after discovery of any unauthorized disclosure of or access to Subscriber’s Personal Data while in the possession or control of PerimeterX or its Subprocessors (“Security Incident”). PerimeterX will promptly provide Subscriber with relevant information in its possession or control in relation to the Security Incident, including a description of the nature of the Security Incident; the categories and approximate number of data subjects concerned and the records of Personal Data affected; the name and contact details of PerimeterX’s point of contact from whom further information can be obtained; a description of the expected consequences of the Security Incident and the measures taken or proposed to be taken by PerimeterX to address the Security Incident; and with all reasonable assistance and cooperation as is necessary in order for the Subscriber to seek to mitigate the effects of the Security Incident and comply with its own obligations under the Data Privacy Laws with respect to the Security Incident. Except as may be required by applicable law, PerimeterX will not make any public announcement or notify any data subject about the Security Incident unless expressly authorized by Subscriber.
Subprocessors. PerimeterX may engage third-party Subprocessors in connection with the provision of the Services provided that, before the Subprocessor first Processes Personal Data, PerimeterX: (a) enters into a written agreement with the Subprocessor on terms at least as protective as those set out in this DPA, and (b) carries out adequate due diligence to ensure the Subprocessor is capable of providing at least the same level of protection for Personal Data required by this DPA. PerimeterX shall provide Subscriber with a current list of the Subprocessors that PerimeterX has engaged in connection with the provision of Services at https://www.perimeterx.com/legal/subprocessors/. PerimeterX shall remain fully liable to Subscriber for the performance of its obligations under this DPA even where a Subprocessor carries out the Services or any part of the Services on PerimeterX’s behalf.
Subscriber hereby grants PerimeterX general written authorization to engage Subprocessors in connection with the provision of the Services. PerimeterX shall provide to Subscriber written notice of any change to the list of Subprocessors at least thirty (30) days prior to the date the change takes effect. If Subscriber reasonably objects to the use of a new Subprocessor within thirty (30) days of the notice date, then the parties shall use good faith and best efforts to find a reasonable replacement in a mutually agreeable manner.
DPIA and Consultations. Upon request, PerimeterX will provide Subscriber with assistance in the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
(A) Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which PerimeterX processes Subscriber Personal Data in order to ascertain or monitor Subscriber's compliance with Data Privacy Laws, PerimeterX will cooperate with such audit. Subscriber is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time PerimeterX expends for any such audit, in addition to the rates for services performed by PerimeterX.
(B) Subscriber Audits. On request, PerimeterX will provide to Subscriber each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the services under the Agreement (each such report, a “Report”). If a Report does not provide, in Subscriber’s reasonable judgment, sufficient information to confirm PerimeterX’s compliance with the terms of this DPA, then Subscriber or an accredited third-party audit firm agreed to by both Subscriber and PerimeterX may audit PerimeterX’s compliance with the terms of this DPA during regular business hours, with reasonable advance notice to PerimeterX and subject to reasonable confidentiality procedures. Subscriber is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time PerimeterX expends for any such audit, in addition to the rates for services performed by PerimeterX. Before the commencement of any such audit, Subscriber and PerimeterX shall mutually agree upon the scope, timing, and duration of the audit. Subscriber shall promptly notify PerimeterX with information regarding any non-compliance discovered during the course of an audit. Subscriber may not audit PerimeterX more than once annually unless there is a Security Incident.
Data Destruction. PerimeterX will destroy all Personal Data within sixty (60) days following the expiration or termination of this Agreement or Subscriber’s request, and will cause its Subprocessors to do the same, unless Data Privacy Laws prevent PerimeterX from destroying all or part of the Subscriber Personal Data disclosed. For clarity, PerimeterX may continue to process Personal Data that has been de-identified and/or aggregated in a manner that does not identify individuals or Subscribers to improve Subscriber’s systems and services, and data that PerimeterX, in good faith, believes it has identified as a threat (e.g., malware, a denial of service attack or other malicious activity), without identifying Subscriber as the source of the data.
Technical and Organizational Safeguards. PerimeterX will implement appropriate technical and organizational safeguards designed to protect Personal Data (i) from unauthorized or unlawful processing, (ii) against accidental or unlawful disclosure, alteration or loss, and/or (iii) against unauthorized disclosure or access, including, as applicable, as required by Art. 32 of the GDPR. PerimeterX will comply with strict internal controls in line with industry best practices, such as SOC 2 guidelines. PerimeterX will implement security controls in the form of mandatory policies and procedures for all PerimeterX employees who have access to Subscriber Personal Data to follow. These policies and procedures cover: (1) measures, standards, norms, procedures, and rules to address the appropriate level of security, (2) the meaning and importance of Personal Data and the need to keep it secure, confidential, and accessed only on a need-to-know basis, (3) staff functions, obligations and access rights, (4) procedures for reporting, managing and responding to security incidents and (5) procedures for making backup copies and recovering Personal Data.
Miscellaneous. Neither party will assign the DPA in whole or in part without the other party’s prior written consent (which consent will not be unreasonably denied, delayed or conditioned), except to an Affiliate or a successor that is made in connection with a merger or sale of all or substantially all of a party’s assets or stock. Any attempted assignment in violation of this restriction is void. The DPA shall bind and inure to the benefit of the parties, their respective successors and permitted assigns. If a conflict exists between any of the terms in the DPA and the Order Form, then this DPA will govern. This DPA can be executed electronically and in counterparts, each of which is deemed to be an original and together comprise a single document. Each party represents and warrants that the individual binding a party under this DPA is authorized to do so.
A. LIST OF PARTIES
The exporter (Controller) is Subscriber and Subscriber’s contact details and signature are as provided in the Agreement.
The importer (Processor) is PerimeterX and PerimeterX’s contact details and signature are as provided in the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
An identifiable or identified natural person (“User”) who uses the Subscriber “Websites” and/or “Apps” (as defined and identified in the Order Form).
Categories of personal data transferred:
For PerimeterX’s Bot Defender Solution: Data Importer may process certain information about how a User uses the Subscriber Websites or Apps, including a User’s Internet Protocol (IP) address and other user engagement and interaction metrics and other statistics. For PerimeterX’s Account Defender solution, Data Importer may process name, email address, usernames, passwords and other login credentials, as well as the categories of Personal Data identified above for Bot Defender.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
No such data will be processed.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
PerimeterX shall process Personal Data in its provision of Services on a continuous basis pursuant to the terms of the Agreement.
Nature of the processing:
PerimeterX shall process Personal Data in its provision of Services pursuant to the terms of the Agreement.
Purpose(s) of the data transfer and further processing:
The transfer is made for the purpose of providing Services to Subscriber pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
PerimeterX shall process Personal Data in its provision of Services for a term outlined in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of the processing of Personal Data by PerimeterX’s Subprocessors is the same as for PerimeterX, as outlined above.
(c) In Annex 1.C of the EU SCCs: The competent supervisory authority shall be the supervisory authority applicable to Subscriber in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.
Data Importer will at a minimum institute the technical and organizational measures necessary to ensure a level of security appropriate to the risk, as required by Art. 32 of the GDPR. Data Importer will comply with strict internal controls in line with industry best practices, such as SOC 2 guidelines and ISO 27001 guidelines. Data Importer will implement security controls in the form of mandatory policies and procedures for all Data Importer employees who have access to Data Exporter's data to follow. Data Importer will have in place, where appropriate:
Measures of pseudonymization and encryption of Personal Data;
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Measures for ensuring the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing;
Measures for user identification and authorization;
Measures for the protection of data during transmission;
Measures for the protection of data during storage;
Measures for ensuring physical security of locations at which Personal Data are processed;
Measures for ensuring event logging;
Measures for ensuring system configuration, including default configuration;
Measures for internal IT and IT security governance and management;
Measures for certification/assurance of processes and products;
Measures for ensuring data minimization;
Measures for ensuring data quality;
Measures for ensuring limited data retention;
Measures for ensuring accountability; and
Measures for ensuring erasure.
Schedule B Subprocessors