Supplier Master Agreement Addendum

If you are a vendor, supplier or contractor of PerimeterX, the following additional terms in this Addendum will apply if: (1) You Process Personal Data on behalf of PerimeterX, (2) You are issued a PerimeterX email address, and/or (3) You are granted access to a software program or application licensed by PerimeterX.

1. Definitions. Any terms not defined in this Addendum shall have the definition found in the Master Agreement.

"appropriate technical and organizational safeguards" shall be interpreted in accordance with the Data Protection Laws, which at a minimum shall mean those measures aimed at protecting Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, access, or Processing of Personal Data.

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et seq., and its implementing regulations.

“Data Controller” or “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by EU or EU Member State laws or regulations, the Data Controller or the specific criteria for its nomination may be designated by EU or EU Member State law.

“Data Processor” or “Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

"Data Protection Laws" means all applicable legislation and laws relating to Processing of Personal Data, data protection and privacy, and the cross-border transfer of Personal Data that may exist anywhere worldwide and any regulation made pursuant to it, or which amends, replaces, re-enacts or consolidates it, including but not limited to, as applicable, the GDPR and the CCPA.

“EEA” means the European Economic Area.

“EU” means the European Union.

“GDPR” means the General Data Protection Regulation (EU) 2016/679.

“Master Agreement” means the Supplier Master Agreement or any other agreement or contract that expressly references the inclusion of the contractual addendum found on this webpage.

“PerimeterX” means PerimeterX, Inc. and its affiliates.

“PerimeterX Sourced Data” means any Personal Data, as applicable: (a) of PerimeterX customers or end users, (b) of PerimeterX employees, contingent workers, or contractors, or (c) otherwise made available to You by PerimeterX or which You Process on PerimeterX’s behalf.

“Personal Data” means (i) any information relating to an identified or identifiable natural person or household, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, or (ii) any information defined as “Personal Information” or “Personal Data” by applicable Data Protection Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).

“Personnel” means You (if You are an individual) and all of Your employees, agents, and subcontractors.

“Process(ing)” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“SCC” means the standard data protection clauses for the transfer of Personal Data to processors established in third countries that do not ensure an adequate level of protection, as described in Art. 46 of the GDPR, namely the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under EU Directive 95/46 (pursuant to Commission Decision 2010/87/EU, currently available at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm).

“Services” means any goods or services provided by You to PerimeterX.

“Sub-Processor” means any Data Processor engaged by You or by any other Sub-Processor of Yours that receives PerimeterX Sourced Data from You or from any other Sub-Processor of Yours.

“Supervisory Authority” means an independent public authority established under Data Protection Laws to ensure compliance with those laws.

“Sensitive Personal Data” means Personal Data identifying racial or ethnic origin; religious or philosophical beliefs; political opinions; membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-union character; records of criminal offenses; financial information; government-issued identifiers (such as tax ID number); health conditions and sexual behaviors; and genetic data or biometric data for the purpose of uniquely identifying a Data Subject.

“SOW” means any statement of work or order under the Master Agreement.

“Transfer” means the access by, transfer or delivery to, or disclosure of Personal Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the Personal Data originated from.

“You” or “Your” means the vendor, supplier or contractor that entered into the Master Agreement with PerimeterX.

2. If You are going to work onsite at a PerimeterX office, have a PerimeterX.com email address issued to You, or have any access to any email software or application licensed by PerimeterX, then the following provisions apply:

A. Background Checks. You acknowledge and agree that if one or more of Your Personnel seeks access to PerimeterX's facilities or computer systems, PerimeterX reserves the right to conduct background checks on those Personnel. In such an event, Your Personnel will be asked to provide PerimeterX with sufficient background information (i.e., name, social security number and date of birth) and written authorization to permit PerimeterX to obtain a background check. Based in whole or in part on the results of the background check, PerimeterX, at its sole discretion, may deny Your Personnel access to its facilities or computer systems, which may result in that person not being permitted to perform Services for PerimeterX.

B. Personnel Interview and Relationship. PerimeterX reserves the right to interview any Personnel that You desire to assign to perform the Services for PerimeterX and, at PerimeterX's sole discretion, to determine the acceptability of such Personnel. It is agreed that at all times Your Personnel shall be considered for all purposes Your employees or contractor(s), as applicable, and not employees of PerimeterX. PerimeterX shall have no authority, on Your behalf or otherwise, to discharge, promote, suspend or otherwise discipline any of Your Personnel assigned to perform Services for PerimeterX under a SOW except as specified in Sections 2(C) and 2(D), below.

C. Personnel Removal. PerimeterX shall have the right, at any time, to request the removal of any of Your Personnel assigned to PerimeterX’s account whom PerimeterX (in its sole reasonable discretion) deems to be unsatisfactory. Upon such request, You shall promptly replace the Personnel with a qualified substitute. A qualified substitute shall be an individual with substantially the same technical and business background, experience and training as the Personnel being replaced.

D. Exclusion. Without prior notice and without liability to You, PerimeterX reserves the right to exclude any of Your Personnel from PerimeterX's facilities or computer systems by denial of access, by suspension or revocation of access authorization, by expulsion or by any other reasonable means, if in PerimeterX's reasonable and good faith opinion such exclusion is deemed advisable in the interest of Services completion, employee safety or security at any of PerimeterX's facilities or systems.

E. PerimeterX Computer Systems. Any of Your Personnel that will be issued a PerimeterX email address or credentials to log on to PerimeterX computer systems, servers, and/or software (“PX Systems”) will not have any privacy rights with respect to any communications sent to or received by those PX Systems used by Your Personnel. You and Your Personnel agree that PerimeterX is free to access any PX System and any communication sent to or received by Your Personnel on a PX System. You agree that Your Personnel will use PX Systems for the sole purpose of providing Services to PerimeterX and for no other customer. You agree that You will enter into appropriate agreements with any of Your Personnel that will be issued a PerimeterX email address or credentials to log on to PX Systems in order to grant PerimeterX the rights set forth in this Section. Because PerimeterX reserves the right to access any personal communication without prior notice, Your Personnel should not use PX Systems to transmit any messages or to access any information that they would not want a third party to hear or see. Although incidental and occasional personal use of PX Systems is permitted, any such personal use will be treated the same as all other communications under this policy. However, Your Personnel are at all times prohibited from accessing or downloading information from the Internet for personal use on PX Systems.

3. DPA. If You are Processing Personal Data, then the provisions of this Section 3 apply to You. Subject to the terms and conditions of this Section (the “DPA”) and the Master Agreement, PerimeterX grants to You a non-exclusive, internal, limited license to use the PerimeterX Sourced Data solely for the purpose of providing Services to PerimeterX as described in the Master Agreement, and this license will terminate upon the earliest of (1) Your receipt of notice of termination from PerimeterX, (2) termination or expiration of the Master Agreement, or (3) the point at which the license is no longer necessary to perform the Services. If there is a conflict between the terms of this DPA and the Master Agreement, the terms of this DPA shall control with respect to such conflict, but solely as it relates to Personal Data. Nothing in this DPA shall be construed to limit the technology and security obligations required of You.

3.1. Controller and Processor. PerimeterX provides a software as a service solution(s) related to website monitoring and security services (“PerimeterX Services”) to customers and their affiliates and related parties (collectively, “PerimeterX Customer(s)”).

a. With respect to any PerimeterX Sourced Data of or relating to personnel of PerimeterX Customers and other PerimeterX Customer-designated individuals that receive PerimeterX Services, the PerimeterX Customer is the Controller (or any closest equivalent concept outside of the EU) and PerimeterX is the Processor (or any closest equivalent concept outside of the EU).

b. With respect to any PerimeterX Sourced Data other than the data specified in Subsection “a” above, PerimeterX is the Controller (or any closest equivalent concept outside of the EU) and You are the Processor (or any closest equivalent concept outside of the EU).

3.2. Obligations. Any reference to PerimeterX in this Section shall also mean the PerimeterX Customer if the PerimeterX Customer is the Controller. When Processing PerimeterX Sourced Data in the course of providing the Services under the Master Agreement, You agree:

a. You will Process the PerimeterX Sourced Data only in accordance with written instructions from PerimeterX (which may be specific instructions or instructions of a general nature as set out in this DPA, the Master Agreement or as otherwise notified by PerimeterX to You from time to time) and not for Your own purposes. You will not sell any PerimeterX Sourced Data, and in particular, You will not “sell” (as defined in Cal. Civil Code Section 1798.140(t)) any “Personal Information” (also as defined under the CCPA). You will only Process PerimeterX Sourced Data that is expressly authorized by PerimeterX and then only for the purpose of providing Your Services to PerimeterX.

b. All of Your Personnel authorized to Process PerimeterX Sourced Data have committed themselves to appropriate obligations of confidentiality, and PerimeterX Sourced Data will only be accessed by Your Personnel to the extent necessary to provide the Services to PerimeterX as set forth in the Master Agreement.

c. Taking into account the nature of the Processing, You will implement appropriate technical and organizational safeguards in accordance with Article 32 of the GDPR or equivalent provisions in the Data Protection Laws. These measures shall be appropriate to the harm which might result from any accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, access, or Processing of PerimeterX Sourced Data, having regard to the nature of the PerimeterX Sourced Data which is to be protected. At a minimum, these measures shall include those required under applicable Data Protection Laws. PerimeterX may ask You at any time to provide, within a reasonable period of time, a written description of the technical and organizational safeguards You employ for Processing PerimeterX Sourced Data.

d. You will not give access to or transfer any PerimeterX Sourced Data to any third party (including any affiliates, group companies, Sub-Processors or sub-contractors) without the prior written consent of PerimeterX. Where PerimeterX consents to Your engaging a Sub-Processor to carry out any part of the Services to PerimeterX, You must ensure the reliability and competence of the third party, its employees and agents who may have access to the PerimeterX Sourced Data and must include in any contract with the third party provisions in favor of PerimeterX which are equivalent to those in this Section 3 and as are required by applicable Data Protection Laws. For the avoidance of doubt, where a third party fails to fulfill its obligations to You under any agreement or any applicable Data Protection Laws, You will remain fully liable to PerimeterX for the fulfilment of Your obligations under this DPA and the Master Agreement. Any Sub-Processor retained by You will meet the requirements of Article 28(4) of the GDPR and all other provisions of applicable Data Protection Laws.

e. On request, You will provide all such assistance and cooperation, materials and/or documentation as may be necessary for PerimeterX to comply with its obligations under the Data Protection Laws, including, as applicable, data subjects’ rights under Art. 12-23 of the GDPR (e.g., a data subject’s right to access, rectification, data portability, erasure, not to be subject to automated Processing, right to be forgotten and right to object to Processing) or equivalent provisions in the Data Protection Laws.

f. Taking into account the nature of the Processing and the information available to You, You will assist PerimeterX in ensuring compliance with its obligations under Articles 32-36 of the GDPR or equivalent provisions in the Data Protection Laws. You will notify PerimeterX within twenty-four (24) hours after discovery of any unauthorized disclosure of or access to PerimeterX Sourced Data while in the possession or control of You or Your Sub-Processors (“Security Incident”). You will promptly provide PerimeterX with all information in Your possession or control in relation to any Security Incident, including a description of the nature of the Security Incident; the categories and approximate number of data subjects concerned and the records of PerimeterX Sourced Data affected; the name and contact details of Your point of contact from whom further information can be obtained; and a description of the consequences of the Security Incident and the measures taken or proposed to be taken by You to address the Security Incident; together with all reasonable assistance and cooperation as is necessary in order for PerimeterX to seek to mitigate the effects of the Security Incident and comply with its own obligations under the Data Protection Laws with respect to the Security Incident. Except as may be required by applicable law, You will not make any public announcement or notify any data subject about the Security Incident unless expressly authorized by PerimeterX.

g. At the choice of PerimeterX, You will return or destroy all PerimeterX Sourced Data within thirty (30) days following the expiration or termination of the Master Agreement.

h. You will make available to PerimeterX all information necessary to demonstrate compliance with applicable Data Protection Laws and permit and contribute to audits including inspections conducted by PerimeterX or another auditor mandated by PerimeterX.

i. You will immediately inform PerimeterX if, in Your opinion, an instruction from PerimeterX violates Data Protection Laws.

j. You will cooperate on request with the Supervisory Authority and promptly provide PerimeterX on request with all information in Your possession or control in relation to the Processing of the PerimeterX Sourced Data under this Agreement.

3.3. SCC. In the event that PerimeterX Sourced Data Processed by You is subject to restrictions under Data Protection Laws concerning cross-border transfers of Personal Data, including without limitation where the PerimeterX Sourced Data originates from within the EEA and is Processed by You outside the EEA, then:

a. You shall take all reasonable steps to protect the PerimeterX Sourced Data once it has been transferred cross-border; and

b. To the extent any PerimeterX Sourced Data will be transferred from the EEA and Processed by You, any of Your Affiliates, or any of Your Sub-Processors (each a “Receiving Party”) outside the EEA, the SCC will apply between PerimeterX and each Receiving Party, as supplemented in Attachment 2 to this DPA. In the event that the SCC are amended, replaced, or repealed by the European Commission or under applicable law, the parties shall work together in good faith to enter into any updated version of the SCC approved for data transfers under Data Protection Laws, or to negotiate in good faith an alternative solution to enable the Processing of PerimeterX Sourced Data by the Receiving Parties in compliance with Data Protection Laws.

3.4 Additional Agreements Necessary to comply with the Law. You, Your Affiliates, and Your Sub-Processors will enter into all such additional agreements and documents as may be necessary to ensure the lawful Processing of PerimeterX Sourced Data for the purposes of Data Protection Laws and this Master Agreement and to ensure the receipt of all necessary approvals for such Processing from appropriate regulatory authorities, and will co-operate with PerimeterX in order to obtain such approvals as soon as reasonably possible.

3.5 USE OF THIRD PARTIES IN DATA PROCESSING. Where You engage a Sub-Processor to Process PerimeterX Sourced Data, You shall ensure that:

a. You have the prior written consent of PerimeterX to do so;

b. such engagement shall be under a written contract that is governed by EU Member State law with respect to provisions applicable to the Processing of PerimeterX Sourced Data which originates in the EU; and

c. the subcontract shall require the Sub-Processor to comply with equivalent data protection obligations, covenants, representations and warranties applicable to You under this DPA and the Master Agreement (applicable to data protection) and Data Protection Laws.

3.6 You shall remain fully liable for the acts and/or omissions of Your Sub-Processors where such acts and/or omissions result in a violation of Data Protection Laws or of a data subject’s rights under Data Protection Laws.

3.7 You shall list all approved Sub-Processors in Attachment 1. Subsequent Sub-Processors shall be approved in writing by PerimeterX and documented in writing.

4. Miscellaneous. Except as expressly amended by this Addendum, all of the provisions of the Master Agreement shall remain in full force and effect. All references to the Master Agreement, from and after the effective date of this Addendum, shall be to the Master Agreement as amended by this Addendum. In the event of a conflict between this Addendum and the Master Agreement, this Addendum shall govern. This Addendum and the Master Agreement together contain the entire agreement of the Parties with respect to this subject matter and may not be modified or changed in any manner except by a writing duly executed by both Parties. This Addendum may be executed in any number of counterparts, each of which when so executed and delivered will be deemed an original, and all of which together shall constitute one and the same agreement.

ATTACHMENT 1

[list proposed Sub-Processors, with contact address, country/ies where Sub-Processors will be Processing Personal Data, and method of compliance with Section 3.5 (Use of Third Parties in Data Processing)]

None unless expressly referenced in the Master Agreement or SOW

ATTACHMENT 2

SCC

1. You agree to abide by the requirements of the Data Importer under the SCC, including Appendices 1 and 2, which are incorporated herein by reference.
2. The following provisions shall apply to Appendix 1 to the SCC:

    a. Data Exporter is PerimeterX, Inc. and/or an Affiliate of PerimeterX, Inc.

    b. Data Importer is You as identified above.

c. Data Subjects include representatives and end users of PerimeterX, PerimeterX’s Affiliates and their Customers and the Customers’ Affiliates, such as employees, contractors, collaborators, partners, and customers of the Customer, as well as individuals attempting to communicate or transfer Personal Data to such persons.

d. Categories of Data are Personal Data related directly or indirectly to the delivery of Your Services and may include, among others, personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, social security details and business contact details; financial details; and goods and services provided.

    e. Sensitive data may include racial or ethnic origin; political opinions, religious or other beliefs of a similar nature; trade union membership; sexual life; physical health or mental condition; and offences or alleged offenses.

f. Processing operations are set forth in the Master Agreement and/or SOW and include services to manage, develop, implement, support, and/or maintain computer hardware, computer software, computing environments or other business processes of PerimeterX and its Affiliates to facilitate their business activities and business processes (including compliance with legal requirements and other risk management functions). The SCC are governed by the substantive and procedural laws of the country of incorporation of the Customer whose Personal Data are subject to the Processing operations or, if unknown, the law of the Netherlands.

3. The following provisions shall apply to Appendix 2 to the SCC: Data Importer will at a minimum institute the technical and organizational measures to ensure a level of security appropriate to the risk, as is required in Art. 32 of the GDPR. Data Importer will comply with strict internal controls in line with industry best practices, such as SOC 2 guidelines. Data Importer will implement security controls in the form of mandatory policies and procedures for all Data Importer employees who have access to Data Exporter's data to follow. These policies and procedures cover: (1) measures, standards, norms, procedures, and rules to address the appropriate level of security, (2) the meaning and importance of Personal Data and the need to keep it secure, confidential, and accessed only on a need-to-know basis, (3) staff functions, obligations and access rights, (4) procedures for reporting, managing and responding to security incidents and (5) procedures for making backup copies and recovering Personal Data.

© PerimeterX, Inc. All rights reserved.