Data Protection Addendum (DPA)
This Data Protection Addendum (DPA) has the following sections:
Customer’s Instructions to Service Provider
Personal Data Breach Notification
Assistance Responding to Consumers
Assistance with Data Protection Assessments
Return or Destruction
Schedule 1 to the DPA
In this DPA:
- “Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) Service Provider in its role as provider of the Services or (ii) Customer. This may include, for example, the California Consumer Privacy Act of 2018, as amended, and regulations promulgated thereunder (“CCPA”); laws and regulations similar to the CCPA as they become effective, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act and related regulations, the Utah Consumer Privacy Act, the Iowa Consumer Privacy Act, and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (together with the CCPA, the “U.S. State Privacy Laws”); and the Gramm-Leach-Bliley Act and related regulations (“GLBA”). Each party is responsible only for the Applicable Law applicable to it.
- “Agreement” means the Master Services Agreement (or any similar agreement) between the parties.
- “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
- “Personal Data” means (i) any information relating to an identified or identifiable individual, within the meaning of Applicable Law; (ii) any other information constituting “personal information” as such term is defined in the CCPA (regardless of whether the CCPA applies); and (iii) any other information constituting nonpublic personal information within the meaning of the GLBA (regardless of whether the GLBA applies).
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Services” means the Service Provider Services described in the Agreement.
- “Subprocessor” means any Service Provider affiliate or subcontractor engaged by Service Provider for the Processing of Personal Data.
Capitalized terms not otherwise defined herein will also have the meaning set forth in the Agreement.
This DPA applies only to the Personal Data about Borrowers and (if applicable) their personnel that Service Provider receives through the Services, regardless of whether Service Provider receives it from or on behalf of Customer, the Borrower itself, or a third party such as an insurer or insurance broker.
3. Customer’s Instructions to Service Provider
- Service Provider will retain, use, disclose, and otherwise Process the Personal Data only to provide the Services, unless obligated to do otherwise by Applicable Law. In such case, Service Provider will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Without limiting the foregoing:
- Service Provider will not retain, use, disclose, or otherwise Process the Personal Data in a manner inconsistent with Service Provider’s role as Customer’s “service provider,” as such term is defined in the CCPA (regardless of whether the CCPA applies) or as Customer’s “processor” under any other applicable U.S. State Privacy Laws (regardless of whether they apply);
- Service Provider will not retain, use, or disclose the Personal Data outside of the direct business relationship between Customer and Service Provider;
- Service Provider will not “sell” the Personal Data, as such term is defined in the U.S. State Privacy Laws (regardless of whether any of those laws applies);
- Service Provider will not “share” the Personal Data as such term is defined in the CCPA;
- Service Provider will not attempt to re-identify any pseudonymized or otherwise de-identified Personal Data received from Customer without the Customer’s express written permission;
- Service Provider will comply with any applicable restrictions under Applicable Law on combining the Personal Data that Service Provider receives from, or on behalf of, Customer with Personal Data that Service Provider receives from, or on behalf of, another person or persons, or that Service Provider collects from any other interaction between Service Provider and a data subject;
- Service Provider will provide the same level of protection for the Personal Data subject to the CCPA as is required under the CCPA;
- Service Provider will notify Customer as soon as legally permissible if Service Provider determines that Service Provider can no longer meet its obligations under Applicable Law; and
- Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
- Customer will not instruct Service Provider to Process Personal Data in violation of Applicable Law.
- The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to Service Provider regarding the Processing of Personal Data.
- Service Provider may subcontract the collection or other Processing of Personal Data in compliance with Applicable Law to provide the Services. Prior to a Subprocessor’s Processing of Personal Data, Service Provider will impose contractual obligations on the Subprocessor that comply with Applicable Law and are substantially the same as those imposed on Service Provider under this DPA. Subprocessor security obligations will be deemed substantially the same if they provide a commercially reasonable level of security.
- Service Provider’s current Subprocessors (the “Subprocessor List”) are listed below as Subprocessor / Purpose / Location / Website:
- Sendgrid / Customer Communications / USA / https://sendgrid.com/
- AWS / Cloud Hosting / USA / https://aws.amazon.com/
- MongoDB / Database Hosting / USA / https://www.mongodb.com/
- New Relic / Web tracking and analytics / USA / https://newrelic.com/
- Slack / Internal Communications / USA / https://slack.com/
- Sentry / Error Tracking / USA / https://sentry.io/
- Stripe / Third-Party Payment Processing / USA / https://stripe.com/
- GitHub / Issue Tracking / USA / https://github.com
- Front App / Internal Communications / USA / https://front.com/
- Notion / Internal Communications / USA / https://www.notion.so/
- Office 365 / Collaboration & Cloud Services / USA / https://www.office.com/
- Linear / Issue Tracking / USA / https://linear.app/
- When any new Subprocessor is engaged, Service Provider will make an updated Subprocessor List available at least 15 days before the new Subprocessor Processes any Personal Data, by posting the update where the Subprocessor List is published and, on the same day, sending an email to the email address listed for notices in the Agreement, if any (the “Update”).
- If Customer has a reasonable basis for objecting to the appointment of a Subprocessor, it may send Service Provider a written notice of such basis within 10 days of the Update, including a termination date (which may be no earlier than 15 days after the date of the Update). If Service Provider cannot accommodate Customer’s objection to Customer’s reasonable satisfaction by such termination date, then the Agreement will terminate on such date. Following such termination, Customer will be entitled to a refund of unused prepaid fees. This is without prejudice to any right Customer may have under the Agreement to termination for breach of contract.
- Service Provider remains liable for its Subprocessors’ performance to the same extent Service Provider is liable for its own performance, consistent with the limitations of liability set forth herein.
- Service Provider will assist Customer in Customer’s compliance with the security obligations under Applicable Law, as relevant to Service Provider’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to Service Provider, by implementing technical and organizational measures that comply with Schedule 1 to the DPA without prejudice to Service Provider’s right to make future replacements or updates to the measures that do not lower the level of protection of Personal Data.
- Service Provider will ensure that the Service Provider personnel it authorizes to Process the Personal Data are subject to an appropriate written confidentiality agreement covering such data.
6. Personal Data Breach Notification
- Service Provider will comply with the Personal Data Breach-related obligations applicable to it under Applicable Law. Taking into account the nature of Processing and the information available to Service Provider, Service Provider will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Personal Data Breach without undue delay, and in no case more than 48 hours after becoming aware of it. To the extent available, this notification will include Service Provider’s then-current assessment of the following, which may be based on incomplete information:
- The nature of the Personal Data Breach, including, where possible, the categories and approximate number of consumers concerned, and the categories and approximate number of Personal Data records concerned;
- The likely consequences of the Personal Data Breach; and
- Measures taken or proposed to be taken by Service Provider to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
Nothing herein shall be construed to require Service Provider to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
7. Assistance Responding to Consumers
8. Assistance with Data Protection Assessments
Taking into account the nature of the Processing and the information available to Service Provider, Service Provider will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any data protection assessment of the Processing of the Personal Data involving Service Provider.
Service Provider will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor at its own expense.
10. Return or Destruction
Service Provider will, at Customer’s choice, return to Customer and/or destroy all Personal Data within 30 days after the termination or expiration of Customer’s subscription to the relevant Services, except to the extent Applicable Law requires storage of the Personal Data or as otherwise agreed by the parties.
11. Schedule 1 to the DPA
- Ownership of the Advocate Platform. As between Customer and Advocate, the Advocate Platform and all Intellectual Property Rights therein or relating thereto are and shall remain the exclusive property of Advocate. Nothing in this Agreement shall be interpreted to provide Customer with any rights in the foregoing, except the limited right to use the Services subject to this Agreement.
- Customer Data. Customer retains all ownership rights, including ownership of all Intellectual Property Rights in and to the Customer Data. Customer grants to Advocate a nonexclusive, worldwide, royalty-free, irrevocable, fully paid-up right to access, collect, use, process, store, disclose, and transmit Customer Data to: (i) provide the Services; and (ii) produce data, information, machine learning models, or other materials that are not identifiable as relating to Customer, Borrowers, the personnel of either of them or the insured asset (such data, information and materials, the "Aggregated Data"). Customer Data shall not include Aggregated Data, and Advocate may use, process, store, disclose and transmit the Aggregated Data for any purpose and without restriction or obligation to Customer of any kind.
- Advocate Metadata. Advocate or its licensors retain all rights, title and interest including all Intellectual Property Rights in and to the metadata that is generated by the Services resulting from Customer’s use of the Advocate Platform ("Advocate Metadata").
- Deliverables. Except as set forth in this paragraph, and provided that Customer has paid Advocate all Fees (as defined below) owed under this Agreement, Advocate shall assign all Intellectual Property Rights in and to any deliverables created in connection with the provision of the Insurance Review Services to Customer. Notwithstanding the foregoing, Advocate shall retain ownership, including all Intellectual Property Rights therein, of all its Confidential Information that is included in the deliverables as well as any pre-existing or independently developed materials owned or licensed by Advocate (“Embedded Materials”). Advocate grants Customer a non-exclusive, worldwide, perpetual license in and to the Embedded Materials to use solely in connection with the deliverables.
- Feedback. Customer hereby assigns to Advocate all right, title and interest in and to all feedback, suggestions, ideas, improvements and other comments provided by Customer to Advocate relating to the Services (collectively, "Feedback"), and Advocate will have the unrestricted right to use and disclose Feedback, without duty or obligation to Customer, and Customer acknowledges that any improvements, modifications and changes arising from or in connection with Customer’s contribution to the Services are the exclusive property of Advocate.
- Retention of Rights. Except for the limited rights or licenses that Advocate grants to Customer hereunder, Advocate or its licensors retain all rights, title and interest including all Intellectual Property Rights in and to: (i) the Services; and (ii) any modifications, improvements, customizations, patches, bug fixes, updates, enhancements, aggregations, compilations, derivative works, translations and adaptations to the foregoing.
Schedule 1 to the DPA
Service Provider has established and agrees to maintain a written information security program (the “Information Security Program”) designed to comply with this Information Security Addendum and Applicable Law. Terms not defined herein have the meaning set forth in the rest of the DPA.
As part of its program, Service Provider has implemented and agrees to maintain administrative, technical, and physical security safeguards designed to protect the confidentiality, integrity, and availability of Personal Data, including but not limited to:
1. Administrative and Organizational Safeguards
- Service Provider maintains policies and procedures for the security of Personal Data, including the following:
i. Written information security policies that set forth Service Provider’s procedures with regard to maintaining the safeguards set forth in this Information Security Addendum.
ii. Incident Response Plan, which sets forth Service Provider’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
- Service Provider conducts regular assessments of the risks and vulnerabilities to the confidentiality and security of Personal Data.
- Service Provider regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
- Service Provider has appointed an individual to oversee and manage its Information Security Program and lead the response to any Personal Data Breach.
- Service Provider maintains role-based access restrictions for its systems, including restricting access to only those Service Provider employees that require access to perform the Service Provider Services or to facilitate the performance of such Service Provider Services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
- Service Provider periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for Service Provider employees that no longer need such access.
- Service Provider assigns unique usernames to authorized Service Provider employees and requires that Service Provider employees’ passwords satisfy minimum length and complexity requirements.
- Service Provider regularly provides training to employees, as relevant for their roles, on confidentiality and security.
- Service Provider requires relevant Service Provider employees to acknowledge Service Provider’s Information Security Program annually.
- Service Provider has a policy in place to address violations of its Information Security Program.
- Service Provider logs certain system activity—including authentication events, changes in authorization and access controls—and regularly reviews and audits such logs.
- Service Provider maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Service Provider to suspicious network activity, and anti-virus and malware protection software.
- Service Provider has implemented workstation protection policies for its systems, including automatic logoff after a period of inactivity.
- Service Provider requires multi-factor authentication on its systems for administrative users.
- Service Provider conducts periodic vulnerability scans and assessments on systems storing, processing, or transmitting Personal Data to identify potential vulnerabilities and risks to Personal Data.
- Service Provider remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of manufacturer- and developer-recommended security updates and patches that mitigate high-risk vulnerabilities in systems and software storing, transmitting, or otherwise Processing Personal Data.
- Service Provider restricts access to its facilities, equipment, and devices to Service Provider employees with authorized access on a need-to-know basis.
- Service Provider tracks the location of its equipment, devices, and electronic media and maintains a record of such locations.