1. General Definitions. All capitalized terms not otherwise defined herein shall have the meanings set forth in the Agreement.
2. Scope of Addendum. As of the Addendum Effective Date and for any period of time thereafter during which Service Provider is a data importer and has possession of or access to FireEye Personal Data in connection with the Services until expiration or termination of the Agreement, Service Provider shall have implemented at its Facilities, and shall thereafter maintain policies, procedures and practices that satisfy the applicable requirements set forth in this Data Processing Addendum. Additionally, at all times during the duration of the Agreement and for any period of time thereafter during which Service Provider is a data importer and has possession of or access to FireEye Personal Data in connection with the Services, Service Provider shall maintain compliance with all applicable Data Protection Laws, including, when it comes into force, Regulation 2016/EC/679 (“General Data Protection Regulation” or “GDPR”). Notwithstanding the foregoing, if Service Provider cannot provide such compliance for whatever reasons, it agrees to promptly inform FireEye of its inability to comply, in which case FireEye is entitled to suspend the transfer of Personal Data and/or terminate the related Design Services or Work as provided in Section 11.2 of the Agreement.
3. Data Processing/Privacy Definitions. For purposes of this Data Processing Addendum, “Personal Data”, “Process(ing)” and “Data Subject(s)” will have the meaning given to these terms in accordance with the applicable country-specific Data Protection Laws, including but not limited to, the EU General Data Protection Directive (GDPR). During the term of the Agreement:
4. Processing. In performing its obligations in the Agreement, if Service Provider at any time from the Addendum Effective Date and until termination of the Services or the Agreement undertakes Processing of Personal Data for or on behalf of FireEye, Service Provider will process all Personal Data fairly and lawfully, respecting the Data Subject's privacy, and in accordance with all Data Protection Laws applicable to such Processing of Personal Data. Service Provider will take reasonable measures to require that all of its Personnel and each of its Sub-processors process all Personal Data in a similar manner as further described in Section 5 below. Service Provider will only Process FireEye Personal Data for the purposes of and in compliance with the terms set out in the Agreement or this Data Processing Addendum and in compliance with mutually agreed FireEye's instructions as issued from time to time. Service Provider will not (i) obtain any rights to any Personal Data by virtue of complying with its obligations in the Agreement and/or this Addendum; (ii) except with respect to approved Sub-processors or pursuant to applicable law, transfer or disclose any Personal Data (in part or in whole) to any third party, except as stipulated in this Data Processing Addendum, (iii) except as technically necessary to perform its obligations under the Agreement, transfer, access or store any Personal Data outside of the country in which the applicable Service Provider Facility is established (the “Country Of Origination”), including via cloud services, without the explicit prior consent of FireEye, or (iv) Process or use any Personal Data for its own purposes or benefit. Service Provider will keep all Personal Data confidential and secure.
5. Third Parties & Sub-processors. Service Provider may subcontract its processing work that relates to Personal Data under the Agreement only with prior written consent of FireEye. Additionally, Service
6. International Transfers. All transfers of FireEye Personal Data outside of the Country Of Origination by Service Provider (if any) will be in strict compliance with the relevant provisions of the Data Protection Laws in the originating country. Where the Personal Data originates in the EU, transfers can only occur either to a country with adequate Data Protection Laws or pursuant to Privacy Shield, the EU Standard Contractual Clauses, or Binding Corporate Rules. All transfers of Personal Data by Service Provider not technically necessary to perform its obligations under the Agreement will be done with the prior written consent of FireEye and will be made in strict accordance with applicable Data Protection Laws or contractual obligations on such transfers provided such contractual obligations do not violate applicable Data Protection Laws. All transfers of Personal Data outside of Canada, or countries within Asia Pacific and Latin America will be done in accordance with applicable Data Protection Laws.
7. Cooperation & Enquiries. Service Provider will inform FireEye without undue delay if Service Provider receives any enquiry, complaint or claim from any court, governmental official, third parties or individuals (including but not limited to the Data Subjects) arising out of the Services and will provide FireEye reasonable support and cooperation in a timely manner in responding to any such request. Should FireEye, on the basis of applicable law, be obliged to provide access or information to a Data Subject about the Processing of Personal Data relating to him or her, Service Provider will, without levying a fee, reasonably assist FireEye in providing such access or information.
8. Confidentiality & Information Security. In addition to any other agreement and/or terms governing confidentiality between the parties, Service Provider will adopt adequate (taking into account the nature of Processing and the information available to Service Provider) technical and organizational measures reasonably necessary to secure the Personal Data and to prevent unauthorized access, alteration or loss of the same, including measures required by applicable Data Protection Laws. Service Provider will also ensure confidentiality of the Personal Data, including taking appropriate measures to ensure the same of its Personnel and Sub-processors. At the reasonable written request of FireEye, Service Provider will provide the former with a comprehensive and up-to-date data protection and security concept for the FireEye Personal Data obtained under the Agreement while performing the Services under the Agreement.
9. Privacy Violations, Security and Data Breach Incidents. When known or reasonably suspected by Service Provider while performing the Services under the Agreement, Service Provider will inform FireEye promptly if: (i) Service Provider or its Personnel infringe the applicable Data Protection Laws or obligations under the Agreement, (ii) significant failures during the Processing occur, or (iii) third parties have unauthorized or unintended access to the Personal Data. The parties are aware that the applicable Data Protection Law may impose a duty to inform the competent authorities or affected Data Subjects in the event of the loss or unlawful disclosure of Personal Data or access to it. These incidents should therefore be notified by Service Provider to FireEye without delay, regardless of their origin. This also applies to serious operational faults or where there is any suspicion of an infringement of provisions relating to the
10. Inspection & Audit Rights. Upon at least 30 days prior written notice as described in Section 12.11 of the Agreement and subject to the obligations herein, FireEye may inspect Service Provider's operating Facilities or conduct an audit (each an “Audit”), Service Provider’s security, manufacturing processes, quality processes and environmental systems controls used for processing FireEye Personal Data to ascertain compliance with this Data Processing Addendum at FireEye’s expense (although FireEye shall in no way be responsible for any expenses or costs incurred by Service Provider’s commercially reasonable support in assisting FireEye with the Audit or allowing FireEye to inspect their Facilities, and in the event a violation of Service Provider’s obligations under this Addendum is found that has the potential to compromise FireEye Personal Data, Service Provider shall be responsible for all reasonable costs and expenses incurred by FireEye in conducting the Audit). To the extent applicable to Service Provider’s obligations under this Addendum, this Audit may include, but is not limited to, the verification of whether the procedures for the technical and organizational requirements of data protection and information security are appropriate in accordance with FireEye’s Third Party Information Security Requirements Addendum (or similar obligations negotiated by the parties either in an agreement and/or separate amendment/addendum). Service Provider will provide FireEye with any reasonably necessary information and documents during the Audit. The Audit may be carried out once a year by FireEye’s data protection officer or a mutually accepted authorized representative unless a violation of Service Provider’s obligations under this Data Processing Addendum is found, and in such an event, FireEye may conduct another Audit within six months or if FireEye reasonably believes that Service Provider is not complying with the obligations contained in this Addendum.
All Audits will be performed during normal working hours; subject to Service Provider’s reasonable security, safety, and confidentiality requirements; and in such a way that the Audit does not disrupt or compromise Service Provider’s infrastructure or ability to process normal business operations. In addition, Service Provider will reasonably allow and assist in the Audit of its obligations (at its own expense) under this Addendum. In addition, Service Provider will cooperate with any audit ordered by a relevant Data Protection Authority that arises from its performance under the Agreement.
i. Not directly related to FireEye Data Processed by Service Provider;
ii. Not directly related to the Design Services or Work provided to FireEye under the Agreement;
iii. In violation of applicable laws; and/or
iv. In violation of Service Provider’s confidentiality obligations owed to a third party
11. Indemnity. Subject to the remaining provisions of this Section 11, the parties hereby agree that Service Provider shall have the obligation of defense and indemnification for any Claim incurred by or assessed
12. Return of Personal Data. Following termination of the Agreement, Service Provider, except to the extent prohibited by applicable law, at the sole discretion and written request of FireEye, will return to FireEye or destroy and delete all FireEye Personal Data subject to Processing. Service Provider must certify in writing to FireEye that it has complied with the foregoing obligations.
13. Counterparts. This Addendum may be executed in counterparts, each of which when executed and delivered shall constitute an original of the Addendum, but all the counterparts shall together constitute the same document. No counterpart shall be effective until each party has executed at least one counterpart. Facsimile or electronic signatures shall be binding to the same extent as original signatures.
14. Integration. Except as otherwise set forth in this Addendum, all terms and conditions contained in the Agreement and not amended herein shall remain in full force and effect. In the event of a conflict between the Agreement and this Addendum or any other confidentiality term in an agreement between the parties, the order of precedence in respect of the Processing of FireEye Personal Data shall be: this Addendum and then the Agreement.
Name of Sub-processor | Country Location of Sub-processor
none