Last Updated: July 13, 2020
A Brief Summary of Our DPA
This Data Processing Addendum (“DPA”) sets out the terms that apply when Personal Data is Processed by Northern Lights Group, Inc., d/b/a ThirdPartyTrust, a Delaware C-corporation (“ThirdPartyTrust”), under the Agreement where the GDPR applies. The purpose of the DPA is to ensure that Processing is conducted in accordance with applicable law and respects the rights of individuals whose Personal Data is Processed under the Agreement.
This DPA does not apply where ThirdPartyTrust is the Controller.
Table of Contents:
- Processing Personal Data
- Security Rights of Data
- Subjects Deletion of Customer
- Personal Data Data Protection
- Impact Assessment
- Audit Rights
- Data Transfers
Processing Personal Data
- Relationship of the Parties. Customer is the “Controller” and ThirdPartyTrust is the “Processor”, as such terms are defined under the General Data Protection Regulation (GDPR) with respect to the Personal Data Processed under the Agreement. In some circumstances, Customer may be a Processor, in which case Customer appoints ThirdPartyTrust as Customer’s Subprocessor, which shall not change the obligations of either party under this DPA.
- Customer’s Processing of Personal Data. “Personal Data” and “Processing” will have the same meaning as set forth in the GDPR. Customers shall, in the use of the Services, Process Personal Data in accordance with the requirements of all applicable laws. To the extent Customer acquires Personal Data, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
- ThirdPartyTrust’s Processing of Personal Data. As Customer’s Processor, ThirdPartyTrust shall only Process Personal Data for the following purposes:
- Processing in accordance with the Agreement;
- Processing initiated by Authorized Users in their use of the Services according to the Agreement; and
- Processing to comply with other reasonable instructions provided by Customers that are consistent with the terms of the Agreement.
Customer acknowledges and agrees that ThirdPartyTrust may retain certain Subprocessors to Process Personal Data on ThirdPartyTrust’s behalf in order to provide Services under the Agreement. ThirdPartyTrust’s Subprocessors are listed in ThirdPartyTrust’s GDPR Statement. Prior to a Subprocessor’s Processing of Personal Data, ThirdPartyTrust will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on ThirdPartyTrust under this DPA. ThirdPartyTrust remains liable for its Subprocessors’ performance under this DPA to the same extent ThirdPartyTrust is liable for its own performance. If Customer would like to receive notifications of new Subprocessors ThirdPartyTrust plans to engage, Customer must contact ThirdPartyTrust in writing in order to be notified. Customer may reasonably object to ThirdPartyTrust’s use of a new Subprocessor by notifying ThirdPartyTrust promptly in writing. After receiving an objection to the use of a new Subprocessor, ThirdPartyTrust will work with Customer to determine the appropriate course of action.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ThirdPartyTrust shall in relation to Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Processor shall consider the risks that are presented by Processing, in particular from a Personal Data Breach. “Personal Data Breach” will have the same meaning as set forth in GDPR.
- Personal Data Breach. ThirdPartyTrust shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under applicable law. ThirdPartyTrust shall cooperate with Customer and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of any such Personal Data Breach.
Rights of Data Subjects
“Data Subject” will have the same meaning as set forth in GDPR. Taking into account the nature of the Processing, ThirdPartyTrust shall assist Customer by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under applicable law. ThirdPartyTrust shall:
- Promptly notify Customer if it receives a request from a Data Subject under any applicable law in respect of Customer Personal Data; and
- Ensure that it does not respond to that request except on documented instructions of Customer or as required by applicable law to which ThirdPartyTrust is subject, in which case, ThirdPartyTrust shall, to the extent permitted by applicable law, inform Customer of that legal requirement before responding to the request.
Deletion of Customer Personal Data
Upon termination of the Services for which ThirdPartyTrust is Processing Personal Data, ThirdPartyTrust shall, upon Customer’s request and subject to the limitations in the Agreement and unless prevented by applicable law, securely destroy all Customer Personal Data.
Data Protection Impact Assessment
Upon Customer’s request, ThirdPartyTrust shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to ThirdPartyTrust. ThirdPartyTrust shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority to the extent required under the GDPR or other applicable law. “Supervisory Authority” will have the same meaning as set forth in GDPR.
ThirdPartyTrust shall make available to the Customer, upon Customer’s request and subject to the confidentiality obligations set forth in the Agreement, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Customer or an auditor in relation to the Processing of Customer Personal Data. Before the commencement of any such audit, Customer and ThirdPartyTrust shall mutually agree upon the scope, timing, and duration of the audit.
Customer authorizes ThirdPartyTrust and its Subprocessors to make international transfers of Personal Data in accordance with this DPA so long as applicable data protection laws are respected. If Personal Data processed under this DPA is transferred from a country within the European Economic Area to a country outside of the European Economic Area, the parties shall ensure that the Personal Data is adequately protected.
Annex 1 – Description of Processing
This Annex 1 forms part of the DPA and describes the processing that ThirdPartyTrust will perform on behalf of the Customer.
Nature and Purpose of Processing
The processing relates to the following activities:
- ThirdPartyTrust is a TPRM platform based in Chicago, IL, USA. ThirdPartyTrust processes Personal Data in connection with offering its services through its SaaS platform.
- ThirdPartyTrust collects information under the direction of its Customers and has no direct relationship with the individuals whose personal data it processes.
The personal data to be processed concern the following categories of data subjects:
- Authorized Users of the Customer (see more below under Categories of data)
- Clients/consumers of the Customer.
- Vendors invited to the platform.
Categories of Data
The personal data to be processed concern the following categories of data:
- Personal details provided by Customer including first and last name, email address, phone numbers.
- Information provided by client or customer of Customer for purposes of fulfilling Data Subject Access Requests. This information includes IP address, first and last name, email address, country of residence, and proof of identity.
Duration of the Processing
Personal Data will be processed for the duration of the Agreement.
Personal Data will be subject to the following basic processing activities:
- Customer provided Personal Data will be stored in Amazon Web Services (AWS).
- Personal Data will be entered into ThirdPartyTrust’s web-based SaaS tools for the purpose of creating user login accounts, so that Customer’s users can access such SaaS tools in connection with receiving ThirdPartyTrust’s services.
- Data from pending Data Subject Access Requests is stored in Amazon’s RDS in an encrypted form. The only personal data that ThirdPartyTrust keeps is the requestor’s email address, which is scrubbed upon completion of the request.