Updated February 2022
This Data Protection Addendum ("Addendum") forms part of the applicable Eagle Point Software Corporation TERMS AND CONDITIONS (where Licensee has purchased a License to one or more Eagle Point Services defined therein) and/or part of the Eagle Point Software Corporation TERMS AND CONDITIONS – PINNACLE LITE SERVICES (where Licensee has purchased a License to the Pinnacle Lite Services) (each, the “Terms and Conditions”), where and to the extent that Licensee or any of its Permitted Users (as defined in the applicable Terms and Conditions) are citizens or residents of the European Union.
“Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any European Union Member State data protection laws implementing or supplementing the GDPR applicable to Licensee, Eagle Point, or the Services.
“Data processor” or “processor”, “data controller” or “controller”, “data subject”, “personal data”, “personal data breach”, “processing”, and “supervisory authority” shall have the meanings given to such terms in the GDPR. “Licensee personal data” means all personal data subject to Data Protection Law that Eagle Point may process on Licensee’s behalf.
“Data Subject Request” means a communication from a data subject regarding the exercise of rights pursuant to applicable Data Protection Law, including rights to access, rectification, restriction of processing, erasure, and portability of personal data.
“Information Security Incident” means any actual or reasonably suspected personal data breach, security breach, or other unauthorised access, misappropriation, loss, damage, or other compromise of the security, confidentiality, or integrity of any Licensee personal data processed by Eagle Point or a Subprocessor.
“Model Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and the Standard Contractual Clauses for the Transfer of Personal Data between Controllers and Processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, approved by EC Commission Decision of 4 June 2021 as applicable and as may be found at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1639413653623.
“Services” means the services and other activities that Eagle Point shall provide or carry out for Licensee as set forth in the applicable Terms and Conditions.
“Subprocessor” means another processor engaged by Eagle Point to process Licensee personal data on behalf of Licensee, in accordance with Licensee’s instructions.
2.1 The Parties agree that with respect to the provision of the Services, Licensee is the data controller of the personal data and, to the extent that Eagle Point’s performance of the Services in the relevant instance are in such capacity, Eagle Point is the data processor of such personal data.
2.2 In accordance with GDPR Article 28(3)(a), Eagle Point and any Subprocessor acting under its authority shall only process Licensee personal data upon Licensee’s documented instructions, as evidenced by the applicable Terms and Conditions.
3.1 This Addendum applies solely to Eagle Point’s processing of Licensee personal data that is subject to Data Protection Law in providing Services to Licensee in accordance with the applicable Terms and Conditions.
3.2 As required by Article 28(3) of the GDPR, the subject matter, nature and purpose of the processing, type of Licensee personal data, and the categories of data subjects associated with Eagle Point’s processing of personal data in the provision of the Services, shall be as set forth in, and in accordance with, the applicable Terms and Conditions and Annex 1 of this Addendum.
3.3 The duration of the processing is the term of the applicable Terms and Conditions and until all Licensee personal data has been deleted or returned by Eagle Point in accordance with Section 10 and Annex 1 of this Addendum.
In performing the Services, Eagle Point shall:
4.1 Implement appropriate technical and organizational measures to provide a level of security appropriate to the risk associated with the processing activity, including the measures referred to in Article 32(1) of the GDPR;
4.2 Implement appropriate security measures in accordance with good industry practice in the United States and in accordance with the requirements of all applicable Data Protection Law; and
4.3 Regularly monitor compliance with such security safeguards to avoid material decrease in the level of security afforded to Licensee personal data during the duration of the processing.
Annex 2 to this Addendum further describes the technical and organization security measures that Eagle Point has implemented with respect to its personal data processing activities, as required by Article 28(3) of the GDPR.
5.1 Eagle Point shall treat all personal data processed on behalf of Licensee in accordance with the applicable Terms and Conditions as confidential information. Except as is necessary for its granting of consent set forth in Section 6.1 below, Licensee shall not use or disclose any nonpublic information provided it by Eagle Point, including without limitation the identities of Subprocessors, without the express prior written approval of Eagle Point in each instance.
5.2 Eagle Point shall provide persons authorized by Eagle Point to process Licensee personal data with appropriate training on their responsibilities and require them to have executed written confidentiality agreements that endure through the duration of the processing and after termination or conclusion of processing.
5.3 Eagle Point shall limit access to Licensee personal data to Eagle Point’s personnel who require such access in order to perform the Services. Any such access to Licensee personal data shall be granted on a “need to know” basis.
5.4 The parties acknowledge that any breach of this Section 5 by either of them will result in irreparable harm to the other of them; that money damages will be an incomplete remedy for such breach; and that the nonbreaching party will be entitled to an injunction or other equitable remedies awarded by a court of competent jurisdiction to prevent or restrain such breach and harm. This Section 5 shall survive the termination or expiration of this Agreement or the applicable Terms and Conditions.
6.2 Eagle Point shall respect the conditions imposed by Article 28(2) and (4) of the GDPR regarding the engagement of Subprocessors.
6.3 Eagle Point shall remain fully liable for any Licensee personal data processing by Subprocessors.
7.1 Eagle Point shall, without undue delay, and in any event within ten (10) business days, notify Licensee if it receives a Data Subject Request. Eagle Point shall not respond to any Data Subject Request unless and until expressly instructed to do so by Licensee.
7.2 Eagle Point shall provide all reasonable assistance to Licensee to enable Licensee to comply with its obligation to respond to Data Subject Requests under applicable Data Protection Law, at Eagle Point’s standard rates and terms. If authorized by Licensee, such assistance may include complying with a Data Subject Request in accordance with applicable Data Protection Law and Licensee’s instructions.
7.3 If Licensee requests information from Eagle Point to fulfill its obligation to respond to a Data Subject Request, Eagle Point shall provide the requested information without undue delay, and in any event within ten (10) business days of Licensee’s request for assistance. Eagle Point shall notify Licensee as soon as is reasonably practicable under the circumstances if Eagle Point is unable to comply with the request for assistance within this ten (10) business day period. Such notification shall provide a reasonably detailed explanation as to why Eagle Point considers compliance with such request for assistance to be impossible.
7.4 Eagle Point shall provide Licensee with any personal data that it processes on Licensee’s behalf in a structured, commonly used, electronic, and machine-readable format or in such format as otherwise requested by Licensee.
8.1 Eagle Point shall notify Licensee without undue delay after becoming aware of an Information Security Incident affecting Licensee personal data. Eagle Point shall take action to contain such Information Security Incident and mitigate potential risks to affected data subjects.
8.2 Eagle Point shall provide all reasonable assistance to Licensee to assist Licensee in complying with its obligations regarding any Information Security Incident under applicable Data Protection Law. Eagle Point shall not communicate with any third party (including any affected data subjects or regulatory authorities) regarding any Information Security Incident, except for its attorneys or financial advisors, or its representatives whose duties on behalf of Eagle Point include work related to data security incidents, unless and until expressly instructed to do so by Licensee or required by compulsory process.
Subject to Section 5 and attorney-client privilege, Eagle Point shall make available to Licensee any information of Eagle Point that Licensee may require for purposes of demonstrating compliance with Licensee’s obligations under applicable Data Protection Law.
10.1 Eagle Point shall, upon receipt of Licensee’s written request, securely delete or return Licensee personal data to Licensee and delete existing copies, unless EU law or EU Member State law requires storage of Licensee personal data, or unless otherwise prohibited by applicable law.
10.2 Eagle Point shall return all Licensee personal data in a commonly used, structured, electronic, and machine-readable format or in such format as otherwise requested by Licensee.
10.3 Immediately after deleting the Licensee personal data, Eagle Point shall provide to Licensee certified written confirmation of such secure deletion.
11.1 Eagle Point has self-certified to the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework for the transfer of non-HR personal data.
11.2 The Model Clauses are incorporated in this Addendum by this reference and, in the event of any inconsistency between the provisions of this Addendum and the Model Clauses, the Model Clauses shall govern.
Eagle Point’s Data Protection Officer is its CEO.
If Licensee faces an actual or potential claim arising out of or related to an alleged violation of any Data Protection Law, Eagle Point shall promptly provide all materials and information requested by Licensee that are relevant to the defense of such claim and the underlying circumstances concerning the claim to the extent not privileged.
In accordance with the requirements of Article 30(2) of the GDPR, Eagle Point shall maintain a record of all processing activities carried out on Licensee’s behalf. Eagle Point shall make such record available to Licensee and the applicable supervisory authority upon request. As of the Effective Date, however, the Parties stipulate that the requirements of Article 30(2) do not apply to Eagle Point, and at such time as when they do, Eagle Point shall comply with those requirements.
This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.
This Annex 2 describes the technical and organizational security measures that Eagle Point has implemented in accordance with Section 4 of this Addendum and applicable Data Protection Law.
Eagle Point undertakes the pseudonymisation, encryption, and security of personal data as follows:
Eagle Point may collect relevant personal information from employees or customers or data subjects for equal opportunities monitoring purposes. Where such information is collected, the organization will anonymize it unless the purpose to which the information is put requires the full use of the individual's personal information.
Eagle Point will ensure that personal information about a data subject, including information in personnel files, is securely retained. The organization will keep hard copies of information in a locked filing cabinet. Information stored electronically will be subject to access controls, and passwords and encryption software will be used where necessary.
Eagle Point ensures the ongoing confidentiality, integrity, availability and resilience of its processing systems and services, and has a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, as follows:
The objective of Eagle Point information security is to ensure that its core and supporting business operations continue to operate by preventing and minimizing the impact of security incidents. Eagle Point endeavors to ensure that all information that is disbursed or produced by Eagle Point has integrity and that all relevant information is managed and stored with appropriate confidentiality procedures. In deploying the Eagle Point information security systems, the Information Security Team aims to maintain known risks at their current low level and ensure that new and changing risks are managed in an equally consistent and professional manner.
The compliance to this policy and supporting policies shall be audited on a yearly basis.
This security policy shall be reviewed annually unless there is a major change in the organization or the environment affecting the organization, in which case it shall be done on a need basis.
This security policy shall be reviewed and revised whenever a major security risk or an incident is identified.
All employees of Eagle Point, contractors, vendors and partners who require access to information and associated assets are responsible for ensuring that this policy is adhered to. The Information Security Team is responsible for ensuring that the users are aware of, and adhere to, this policy.
Violation of information security policy shall result in corrective action. Disciplinary action shall be taken in accordance with the severity of the violation, as determined by an investigation, and may include, but not limited to:
Violation or deviation of the policy shall be reported to the Information Security Team and a security incident record shall be created for the further investigation of the incident.
Any exception to the information security policy or supporting policies shall be assessed and approved by the Information Security Team. All the exceptions requests and approvals shall be formally documented.
Eagle Point will implement the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident as follows:
Once it’s established that a breach has happened, Eagle Point should not only try to contain the incident, but should also perform a risk analysis. This will help Eagle Point in taking appropriate measures to contain and address the breach and to determine whether notification is required to the Supervisory Authority and to Data Subjects.
The following factors can be taken into consideration while performing a Risk Assessment.
When assessing the risk that is likely to result from a breach, Eagle Point should consider the severity of the impact on the rights and freedoms of individuals and the likelihood of the breach occurring. When the consequences of a breach or the likelihood of these occurrences are severe or higher, the risk is higher.
Should the breach cause a disruption in Eagle Point’s services or operations, Eagle Point has adopted a policy to facilitate business continuity through the development of contingency plans as follows:
Information Security Team shall identify and document the following
Contingency plans shall be reviewed on an annual basis to determine the effectiveness of the plan and Eagle Point’s readiness to execute the plan.
The following areas should be addressed in a contingency plan review, as applicable:
Information Security Team along with representatives from all departments shall coordinate the review activity.
Results of the review shall be documented for analysis and continual improvement of the business continuity plan.
Training related to contingency procedures shall be given to Eagle Point staff and contractors at least once a year.
Training shall be customized according to the roles and responsibilities of the personnel.
Budget for the procurement of additional resources during contingency shall be approved by the senior management.