EXHIBIT A - DATA PROTECTION EXHIBIT (THE “EXHIBIT”)
LAST REVISED: July 20, 2023.
1. INTERPRETATION
1.1 Capitalized terms used but not defined in this Exhibit have the meanings given to them in the Agreement unless the context requires otherwise.
1.2 In this Exhibit:
Agreement means the Agreement to which this Exhibit is attached;
Approved Subprocessors means the subprocessors that have been approved by the Client in accordance with Section 15 of the Agreement;
Data Protection Legislation means any law, enactment, regulation, regulatory policy, bylaw, ordinance or subordinate legislation relating to the processing of Personal Data, as applicable to Client, Sequoia Connect and/or the Services, including, but not limited to, the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR), the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the CCPA) and any corresponding or equivalent national or state laws or regulations, in each case, as in force and applicable, and as may be amended, supplemented or replaced from time to time;
Data Subject means any person in respect of whom Personal Data is processed;
Personnel means officers, employees, workers, or independent contractors;
Standard Contractual Clauses means the following transfer agreements where relevant Personal Data is transferred between the Client, including any Client affiliates, and Sequoia Connect, including Sequoia Connect’s affiliates, to jurisdictions deemed inadequate by Data Protection Legislation, as applicable:
- The relevant European Standard Contractual Clauses adopted per Commission Implementing Decision (EU) 2021/914. For transfers from the UK, the Parties agree that references in the European Standard Contractual Clauses to the GDPR will mean the UK General Data Protection Regulation, references to the EU or Member States will mean the UK, and references to a supervisory authority will mean the ICO. For transfers from Switzerland, the Parties agree that references to the GDPR will mean the Swiss Federal Act on Data Protection, references to the EU or Member States will mean Switzerland, and references to a supervisory authority will mean the Federal Data Protection and Information Commissioner (FDPIC); and
- Any other legally mandatory data transfer agreements required by Data Protection Legislation as notified by Sequoia Connect in writing, effective thirty (30) days after written notice.
The Parties agree that the processing or security details included in the Sequoia Connect pre-signed European Standard Contractual Clauses are incorporated into any other Standard Contractual Clauses where relevant. The Parties intend that this Exhibit clarifies, but does not modify or contradict, the rights and obligations of the Standard Contractual Clauses.
1.3 The Parties acknowledge and agree that this Exhibit forms an integral part of the Agreement. If there is any conflict or inconsistency between any
1.3.1 term in the Standard Contractual Clauses,
1.3.2 term in the main part of this Exhibit, and
1.3.3 term in the General Terms and Conditions,
the term falling into the category first appearing in the list above takes precedence. The Parties intend that this Exhibit clarifies, but does not modify or contradict, the rights and obligations of the Standard Contractual Clauses.
2. SCOPE AND PURPOSE
2.1 Where Sequoia Connect processes Personal Data on Client’s behalf as a data processor or equivalent under Data Protection Legislation, Sequoia Connect will process Personal Data: (a) solely on Client’s behalf, in the manner and for the purposes set out in this Exhibit and as documented in the Agreement; (b) upon other specific reasonable documented instruction of Client; or (c) as needed to comply with Data Protection Legislation. Sequoia Connect will comply with Data Protection Legislation applicable to Sequoia Connect and provide the same level of privacy protection, including individual rights, as is required by Data Protection Legislation. Sequoia Connect certifies its understanding that it is restricted from (i) selling, sharing (for cross-context behavioral advertising purposes, as defined under the CCPA) or disclosing in exchange for consideration, Personal Data to a third party; (ii) retaining, using, or disclosing the Personal Data outside the direct business relationship of the Parties for any purpose, including commercial purposes, other than for purposes specified in the Agreement or Data Protection Legislation; and (iii) combining Personal Data Sequoia Connect receives pursuant to the Agreement with personal data that it receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject, provided that Sequoia Connect may combine Personal Data as permitted under Data Protection Legislation. This Exhibit does not apply where the Parties process Personal Data as independent data controllers, or equivalent, under Data Protection Legislation.
2.2 The types of Personal Data that may be processed by Sequoia Connect are those provided by Client through its use of the Services, including Personal Data comprising business contact information of Client employees and contact information, survey responses, and assessment evaluation data of Client-nominated assessment participants, including information on race, ethnic origin, sexual orientation, disability, and veteran status if requested by Client. Personal Data will be processed for the purposes of communication, assessment, analysis, and generating reports in the course of providing the Services. The processing will continue until the deletion of the Personal Data in accordance with Section 9 of this Exhibit.
2.3 Client hereby:
2.3.1 instructs Sequoia Connect to take such steps in the processing of Personal Data on behalf of Client as are reasonably necessary for the provision of the Services;
2.3.2 ensures that all fair processing notices have been given (and/or, where necessary, valid consents have been obtained and not withdrawn) and are sufficient in scope and kept up-to-date in order to enable Sequoia Connect to process the Personal Data in accordance with the Data Protection Legislation; and
2.3.3 authorizes Sequoia Connect to provide to the Approved Subprocessors and on behalf of the Client instructions that are equivalent to the instructions set out in Section 2.3.1.
2.4 In the event Sequoia Connect provides Client with data in de-identified form, Client will ensure that any such information qualifies and remains qualified as de-identified data as defined under applicable Data Protection Legislation. Client will make no attempt to re-identify any Data Subject to whom such data relates, will publicly commit to maintaining and using such data without attempting to re-identify it, will take reasonable measures to prevent such re-identification, and will indemnify Sequoia Connect for direct damages incurred by third parties as a result of Client’s non-compliance with this section.
2.5 Where either Party is responsible for collecting and transferring Personal Data for the provision of the Services, it will use its reasonable endeavors to ensure that it is not subject to any prohibition or restriction which would prevent the other Party from processing that Personal Data in the manner reasonably necessary for Sequoia Connect to perform, or Client to benefit from, the Services.
2.6 Sequoia Connect will inform Client if it believes that any Client instructions regarding Personal Data processing would violate the GDPR. Sequoia Connect will notify Client if Sequoia Connect makes a determination that Sequoia Connect can no longer meet its obligations under the CCPA and is unable to cure within a reasonable period of time (“Self Reporting”). Client may, upon notice to Sequoia Connect, including in the case of Self Reporting, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
3. CONFIDENTIALITY AND SECURITY
3.1 Sequoia Connect undertakes to treat all Personal Data as confidential. Sequoia Connect will ensure that persons authorized to process Personal Data are bound by obligations of confidentiality consistent with those imposed upon Sequoia Connect under this Exhibit and under the Agreement.
3.2 Where legally allowed, Sequoia Connect will promptly notify Client of any legally binding request from a law enforcement authority or others for disclosure of Personal Data before making any disclosure and will reject any non-legally binding requests.
3.3 Refer to Sections 9 and 10 of the General Terms and Conditions for further security requirements.
4. SECURITY BREACH
Sequoia Connect will provide Client with written notice as soon as reasonably possible upon becoming aware of any actual breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data processed by Sequoia Connect (a Security Breach). Sequoia Connect shall assist or support Client at Client’s request in complying with Client’s notification obligations regarding a Security Breach.
5. SUBPROCESSING
Refer to Section 15 of the General Terms and Conditions.
6. CROSS-BORDER TRANSFERS OF PERSONAL DATA
Sequoia Connect may transfer Personal Data to various locations, which may include locations both inside and outside of the European Economic Area. Sequoia Connect will ensure that any cross-border transfers of Personal Data comply with applicable Data Protection Legislation. At Client’s request, Sequoia Connect and any relevant Sequoia Connect affiliate will enter into an appropriate data processing agreement or the Standard Contractual Clauses with Client to allow Client to transfer Personal Data to Sequoia Connect and any Sequoia Connect affiliate. The Standard Contractual Clauses are incorporated by reference, and the Parties’ execution of the Agreement also constitutes the execution of the Standard Contractual Clauses. Notwithstanding terms to the contrary in the Agreement, Sequoia Connect may amend the Standard Contractual Clauses from time to time, only as required by Data Protection Legislation, by sending Client written notice, and such amendment will be deemed accepted by Client and become effective thirty (30) days after such notice.
7. AUDIT
7.1 Security and Compliance Audit. Client may conduct one security and compliance audit in any rolling 12-month period. The audit may include an inspection, examination, or review of relevant security controls and processing activity in Sequoia Connect’s physical and technical environment solely as applicable to Client’s Personal Data processed by Sequoia Connect pursuant to the Agreement and as is reasonably necessary to demonstrate Sequoia Connect’s compliance with the Agreement. As part of such security and compliance audit and upon Client’s reasonable request, Sequoia Connect will make available to Client all information in its possession necessary to demonstrate compliance with its obligations under the Data Protection Legislation applicable to Sequoia Connect. Requests to conduct security and compliance audits must be made in writing to protecciondedatos@sequoiaconnect.com or data-protection-office@sequoiaconnect.com. Sequoia Connect will provide access, at Sequoia Connect’s discretion, to the relevant documentation, knowledgeable personnel, physical premises, summary audit reports, and infrastructure and application software that actually process Client’s Personal Data. If security testing is permitted, Client assumes sole and total responsibility and risk for any damages or liabilities arising directly or indirectly as a result of the testing. Permitted audits will be completed in a professional and ethical manner that does not, in Sequoia Connect’s reasonable judgment, compromise the integrity of Sequoia Connect’s (or its other customers’) data, system security, or operational performance. Client will notify Sequoia Connect in writing at least twenty (20) business days prior to any audit taking place. Audits will be conducted during Sequoia Connect’s normal business hours. Client will bear all costs and expenses relating to each audit. Client and its agents must keep all information learned during any audit confidential.
Sequoia Connect may require outside auditors to sign an appropriate confidentiality agreement. Sequoia Connect will not provide Client or its agents with access to proprietary or confidential information concerning its other customers. All information learned or acquired by Client during any audit is Sequoia Connect Confidential Information.
7.2 Security Questionnaire. Upon Client’s written request but no more than once in any rolling 12-month period, Sequoia Connect will complete Client’s written information security questionnaire regarding Sequoia Connect’s processing of Client’s Personal Data.
8. SEQUOIA CONNECT ASSISTANCE
Taking into account the nature of the Personal Data processing and the information available to Sequoia Connect, Sequoia Connect will assist Client with Client’s obligation to respond to Data Subjects’ requests to exercise their rights under the Data Protection Legislation, and, at Client’s request, using appropriate technical and organizational measures, assist Client in meeting its compliance obligations regarding carrying out privacy and data protection impact assessments and related consultations of data protection authorities. Sequoia Connect may charge a reasonable fee to Client for such requested assistance, to the extent permitted by Data Protection Legislation and as agreed to by the Parties.
9. DESTRUCTION OF PERSONAL DATA
Upon request from Client, Sequoia Connect will destroy all Personal Data processed by Sequoia Connect on behalf of Client that is in the possession or under the control of Sequoia Connect. In the event that Client does not make such a request, Sequoia Connect will destroy all Personal Data in accordance with its business practices. Sequoia Connect shall be entitled to retain such back-ups of Personal Data to the extent it is not technologically feasible to delete such Personal Data, provided that if it becomes technologically feasible, Sequoia Connect will delete such information. Sequoia Connect will provide certification of deletion of Personal Data as described in Clause 12(1) of the Standard Contractual Clauses to Client only upon Client’s written request. For the avoidance of doubt, the foregoing specifically excludes information provided by Sequoia Connect to Client regarding candidates in connection with an executive or professional search.