Global Data Processing Addendum

This Data Processing Addendum (“Addendum”) supplements the agreement between the Customer and The Advantage Group International, Inc. (“TAGI”) into which it is incorporated by reference (“Agreement”).

The TAGI Privacy Notice contains further information relating to TAGI’s usage and protection of personal data.

Definitions

“Applicable Data Protection Law” refers to all laws and regulations applicable to TAGI’s processing of personal data under the Agreement including, without limitation, the General Data Protection Regulation (EU 2016/679) (“GDPR”).

“Data controller”, “data processor”, “data subject”, “personal data” and “processing” (and “process”) have the meanings given in accordance with Applicable Data Protection Law.

For the purposes of Applicable Data Protection Law, including Article 28(3) of the GDPR,

the Customer (the data controller)

and

The Advantage Group International, Inc. (“TAGI”)
Ontario Incorporation Number 1732733
40 University Avenue, Suite 903, Toronto, Ontario, M5J 1T1, Canada,

or its authorized legal entity, as applicable in the governing jurisdiction,

(the data processor)

each a ‘party’; together ‘the parties’

HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to meet the requirements of Applicable Data Protection Law and to ensure the protection of the rights of the data subject.

1. Preamble

  1. These Clauses set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.

  2. The Clauses have been designed to ensure the parties’ compliance with Applicable Data Protection Law, including Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

  3. The data processor will comply with obligations under Canadian privacy law, including PIPEDA and any successor legislation (e.g. CPPA).

  4. In the context of the provision of TAGI reporting solutions, including the Advantage Report™ and other benchmarking outputs, the data processor will process personal data on behalf of the data controller in accordance with the Clauses.

  5. The Clauses shall take priority over any similar provisions contained in other agreements between the parties, except that the applicable Order Form shall take precedence over these Clauses, but only to the extent that any such Order Form provisions are consistent with Applicable Data Protection Law.

  6. Appendices are attached to the Clauses and form an integral part of the Clauses.

  7. Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

  8. Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors authorized by the data controller.

  9. Appendix C contains the data controller’s instructions with regards to the processing of personal data, the minimum security measures to be implemented by the data processor and how audits of the data processor and any sub-processors are to be performed.

  10. Appendix D contains jurisdiction-specific terms relating to Applicable Data Protection Law.

  11. The Clauses along with the appendices shall be retained in writing, including electronically, by both parties.

  12. The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the Applicable Data Protection Law, which may include the GDPR, or other applicable legislation.

2. The rights and obligations of the data controller

  1. The data controller is responsible for ensuring that the processing of personal data takes place in compliance with Applicable Data Protection Law, which may include the GDPR (see Article 24 GDPR), the applicable EU or Member State data protection provisions and the Clauses.
  2. The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
  3. The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.

3. The data processor acts according to instructions

  1. The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by other applicable law to which the processor is subject. Such instructions shall be specified in Appendices A and C. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically, in connection with the Clauses.
  2. The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene Applicable Data Protection Law, including the GDPR or applicable EU or Member State data protection provisions.

4. Confidentiality

  1. The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.
  2. The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.

5. Security of processing

  1. Applicable Data Protection Law, including Article 32 GDPR, stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

    The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks.

    Depending on their relevance, the measures may include the following:

    a. Pseudonymization and encryption of personal data;

    b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;

    c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

    d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

  2. According to Applicable Data Protection Law, including Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
  3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Applicable Data Protection Law, including Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organizational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.

    If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor, beyond those already implemented by the data processor pursuant to Applicable Data Protection Law, including Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.

6. Use of sub-processors

  1. The data processor shall meet the requirements specified in Applicable Data Protection Law, including Article 28(2) and (4) GDPR, in order to engage another processor (a sub-processor).
  2. The data processor shall therefore not engage another processor (sub-processor) for the fulfillment of the Clauses without the prior general written authorization of the data controller.
  3. The data processor has the data controller’s general authorization for the engagement of sub-processors. The data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors at least one month in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). If the objection cannot be resolved, the data controller may terminate without penalty. Longer time periods of prior notice for specific sub-processing services can be provided in Appendix B. The list of sub-processors already authorized by the data controller can be found in Appendix B.
  4. Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under applicable law, including EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Clauses and Applicable Data Protection Law, including the GDPR.

    The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and Applicable Data Protection Law, including the GDPR.
  5. A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business related issues that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller.
  6. The data processor shall agree a third-party beneficiary clause with the sub-processor where – in the event of bankruptcy of the data processor – the data controller shall be a third-party beneficiary to the sub-processor agreement and shall have the right to enforce the agreement against the sub-processor engaged by the data processor, e.g. enabling the data controller to instruct the sub-processor to delete or return the personal data.
  7. If the sub-processor does not fulfill their data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfillment of the obligations of the sub-processor. This does not affect the rights of the data subjects under Applicable Data Protection Law, including the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.

7. Transfer of data to third countries or international organizations

  1. Any transfer of personal data to third countries or international organizations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Applicable Data Protection Law, including Chapter V GDPR.
  2. In case transfers to third countries or international organizations, which the data processor has not been instructed to perform by the data controller, are required under applicable law, including EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
  3. Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:

    a. transfer personal data to a data controller or a data processor in a third country or in an international organization;
    b. transfer the processing of personal data to a sub-processor in a third country;
    c. have the personal data processed by the data processor in a third country.

  4. The data controller’s instructions regarding the transfer of personal data to a third country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix B.
  5. The Clauses shall not be confused with standard data protection clauses within the meaning of Article 46(2)(c) and (d) GDPR, and the Clauses cannot be relied upon by the parties as a transfer tool under Chapter V GDPR.

8. Assistance to the data controller

  1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Applicable Data Protection Law, including Chapter III GDPR.
    This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:

    a. the right to be informed when collecting personal data from the data subject
    b. the right to be informed when personal data have not been obtained from the data subject
    c. the right of access by the data subject
    d. the right to rectification
    e. the right to erasure (‘the right to be forgotten’)
    f. the right to restriction of processing
    g. notification obligation regarding rectification or erasure of personal data or restriction of processing
    h. the right to data portability
    i. the right to object
    j. the right not to be subject to a decision based solely on automated processing, including profiling.

  2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 5.3, the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:

    a. the data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
    b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
    c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
    d. the data controller’s obligation to consult the competent supervisory authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

9. Notification of personal data breach

  1. The TAGI Security, Privacy & Compliance team is contactable via email at security@advantagegroup.com and privacy@advantagegroup.com.

  2. In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.

  3. The data processor’s notification to the data controller shall, if possible, take place within 72 hours after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller’s obligation to notify the personal data breach, including to the competent supervisory authority if applicable, in accordance with Applicable Data Protection Law, including Article 33 GDPR.

  4. In accordance with Clause 9.3, the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Applicable Data Protection Law including Article 33(3) GDPR, shall be stated in the data controller’s notification to the competent supervisory authority:

    a. the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

    b. the likely consequences of the personal data breach;

    c. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

  5. The data processor undertakes to update the data controller as new details emerge with respect to a data breach.

10. Erasure and return of data

  1. On termination of the provision of personal data processing services, the data processor shall be under obligation to return or delete all personal data processed on behalf of the data controller in accordance with its data deletion schedule unless applicable law, including Union or Member State law, requires storage of the personal data.

  2. The data processor commits to exclusively process the personal data for the purposes and duration provided for by this law and under the strict applicable conditions.

11. Audit and inspection

  1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Applicable Data Protection Law, including Article 28 GDPR, and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
  2. Procedures applicable to the data controller’s audits, including inspections, of the data processor are specified in Appendix C.
  3. The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.

12. The parties’ agreement on other terms

  1. The data processor agrees to indemnify, keep indemnified and defend at its own expense the data controller against all direct costs, claims, damages or expenses incurred by the data processor or for which the data processor may become liable due to any material breach and failure to implement appropriate, reasonable or proportionate measures (as finally determined by a court of competent jurisdiction) by the data processor or its employees, subcontractors or agents to comply with any of its obligations under these Clauses and/or Applicable Data Protection Law, including the GDPR.

  2. Each party’s total aggregate liability under these Clauses shall not exceed the amount of insurance coverage maintained by such party and available to respond to the relevant claim. The data processor warrants that it will maintain at its own expense adequate and appropriate insurance coverage sufficient to support the indemnification and other obligations for which it may be liable under these Clauses. Upon request, the data processor will provide to the data controller the certificates of insurance. Commercial liability caps do not affect data subject rights to full compensation.

  3. The data controller represents and guarantees that the methods used to collect the personal data transferred to the data processor are lawful and undertakes to indemnify the data processor against any harmful consequences that may arise in connection with the data controller’s failure to comply with the obligations regarding the provision of information under Applicable Data Protection Law including Articles 13 and 14 of the GDPR. Accordingly, the data processor shall be held harmless from and against any civil liability arising from non-compliance by the data controller at the time of data collection and up until the transfer of such data to the data processor.

  4. The parties may agree other clauses concerning the provision of the personal data processing service, as long as they do not contradict directly or indirectly the Clauses or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by Applicable Data Protection Law, including the GDPR.

13. Commencement and termination

  1. The Clauses shall become effective on the date of the Agreement.

  2. Both parties shall be entitled to require that the Clauses be renegotiated if changes to the law or inexpediency of the Clauses should give rise to such renegotiation.

  3. The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the Clauses cannot be terminated unless other Clauses governing the provision of personal data processing services have been agreed between the parties.

  4. If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller pursuant to Clause 10 and Appendix C, the Clauses may be terminated by written notice by either party.

Appendix A

Information about the processing

A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller is:

The data processor will use the business contact information provided by the data controller to invite the data subjects to take part in market research activity. This will be specified in the Order Form but may include online surveys, online depth (qualitative) interviews and qualitative depth interviews.

For Syndicated market research activities, TAGI is the data processor for the purposes of contact list management and survey invitations.

For Custom projects, TAGI is the data processor for the end-to-end market research activities including the analysis of responses and production of outputs.

The market research will be used to produce TAGI reporting solutions, including the Advantage Report™ and other benchmarking outputs such as Custom reports, as specified in the Order Form.

This Data Processing Addendum applies to data processor activities only. Personal data processing for which TAGI is the data controller is outside the scope of this agreement.

A.2. The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):

The data will be collected, recorded, structured, organized, stored, retrieved, disclosed by transmission to sub-processors, and erased.

A.3. The processing includes the following types of personal data about data subjects:

Name and business contact information to include company name, email address, job title and telephone number.

A.4. Processing includes the following categories of data subject:

Data subjects may include employees (including volunteers, agents and temporary workers), customers/clients, suppliers and other business contacts.

A.5. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:

For each tranche of business contact information provided by the data controller, the duration of processing will be a maximum of 24 months unless otherwise specified in the Order Form.

Appendix B

Authorized sub-processors

B.1. Approved sub-processors

On commencement of the Clauses, the data controller authorizes the engagement of the following sub-processors:

For each sub-processor: name; address; data housing; description of processing.

Forsta Inc
Address: 1173 Ignition Drive, South Bend, IN 46601, USA
Data housing: EU or UK: adequacy decision
Description of processing: Issue and management of survey invitations to data subjects

Sherweb CA Inc.
Address: 95 Jacques Cartier S Blvd, Suite 400, Sherbrooke, QC, Canada J1J 2Z3
Data housing: Canada: partial adequacy decision applies
Description of processing: Microsoft 365 provision including Outlook and SharePoint

K2 Data Limited
Address: 2 Knowland Mews, CR7 8FQ, UK
Data housing: UK: adequacy decision
Description of processing: Issue and management of survey invitations to data subjects

Tresorit AG
Address: Franklinstrasse 27, 8050 Zurich, Switzerland
Data housing: EU
Description of processing: Secure data storage and file sharing

Zerobounce, Inc
Address: 10 E Yanonali St, Santa Barbara, California, 93101
Data housing: EU
Description of processing: Preparation and cleaning of contact lists

Twilio Inc
Address: 101 Spear Street, Fifth Floor, San Francisco, California 94105, USA
Data housing: USA
Description of processing: Contact management: distribution of survey invitations via SMS or WhatsApp (project-specific)

Meta Platforms, Inc.
Address: 650 Castro Street, Suite 120-219, Mountain View, California 94041, USA
Data housing: USA
Description of processing: Contact management: distribution of survey invitations via WhatsApp (project-specific)

Google LLC
Address: 1600 Amphitheatre Parkway, Mountain View, California 94043, USA
Data housing: EU
Description of processing: Google Cloud Platform

Okta, Inc.
Address: 100 1st St, San Francisco, California 94105, USA
Data housing: EU
Description of processing: Identity and access management

Kapiche Pty Ltd
Address: L 4 80 Ann St, Brisbane City, Queensland 4000, Australia
Data housing: Canada
Description of processing: LiveLens development and support

The data controller shall on the commencement of the Clauses authorize the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorization – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or have another sub-processor perform the described processing.

Appendix C

Instructions pertaining to the use of personal data

C.1. The subject of/instruction for the processing

The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:

The data processor will record, structure, organize, store and disclose by transmission to sub-processors the personal data on behalf of the data controller. The data processor and authorized sub-processors will use the personal data to contact the data subjects to invite them to take part in market research as specified in the Order Form.

C.2. Security of processing (Technical & Organizational Security Measures)

TAGI has robust methods and internal controls for management of personal data. Specific employees are responsible for design, development and assurance of TAGI’s processes and products.

Personal data processing is limited to only what is necessary to achieve the purpose. Data is retained for limited periods.

Information is received directly from the data controller or their nominated contacts.

TAGI follows a data retention policy which includes data deletion timepoints.

TAGI has internal governance, policies and processes in place for oversight and monitoring of compliance. This includes for IT and information security activities.

Data subjects may exercise their information rights under Applicable Data Protection Law, including the GDPR. Technical and organizational measures are in place to support these requests.

TAGI’s Privacy Notice is routinely included in correspondence and survey invitations and is publicly available.

Sub-processors are engaged via contracts which meet the requirements of Applicable Data Protection Law, including Article 28 of the GDPR.

The controller may contact their key liaison at TAGI or info@advantagegroup.com or the Security, Privacy and Compliance team (via security@advantagegroup.com or privacy@advantagegroup.com) to request assistance. TAGI has resources and processes in place to respond to reasonable requests in accordance with this Agreement, any other agreement between the parties and the requirements of Applicable Data Protection Law, including the GDPR.

Information Security Management Program

Overview

  1. Security Policies

  2. Physical Security Measures

  3. Computing Security Measures

  4. Secure System Development Lifecycle

  5. Dealing with Security Breaches

  6. Business Continuity and Disaster Recovery

1.1 Security Policies

  • TAGI has security policies in place for its main location in Canada as well as its offices around the world. These are contractually binding on all parties.

  • TAGI conducts periodic external security reviews.

  • TAGI’s Enterprise Operations team has overall responsibility for security management.

  • Security issues are assigned to a specific individual in all locations.

  • TAGI assigns responsibility for security to specific individuals who are recruited on the basis of their skills and knowledge necessary to fulfill this role.

  • Staff and contractors are bound to maintain the confidentiality of all appropriate data including personal data. Specifically for customer data, they are bound by confidentiality clauses.

  • Data protection training is required, is made available to all personnel and attendance/completion is monitored.

  • All personnel who are the intended recipient of personal data for the purpose of performing tasks assigned to TAGI are vetted and undergo essential training.

  • Regular random audit/assurance checks are carried out to check that security procedures are operating as expected.

1.2 Physical Security Measures

  • All personnel entering a TAGI facility are greeted and vetted before they enter the premises.

  • Visitors are accompanied at locations where personal data is accessible.

  • All sites where data are processed are adequately secure. Measures have been taken to make them resistant to attack.

  • Access to the main computing facility in Canada is card and fingerprint access-protected and equipped with video surveillance.

  • A list contained within our Active Directory documents all personnel (including authorized third parties) with access to facilities storing data.

  • The inside of the computing facility is not visible from the outside.

  • Security procedures for personnel outside the organization:

    - In some cases, access is given to outside personnel to provide infrastructure design and support and application support. Appropriate security is in place and onsite access is supervised.

  • Handling of paper-based information:

    - Sensitive printed material is disposed of securely when no longer needed.

1.3 Computing Security Measures

  • The inside of our computing facility is not visible from the outside. At their desks, users are instructed in the proper handling of private and personal data.

  • Authentication and logical access controls, including passwords, are applied to control different levels of access to information depending upon requirements.

  • Unique IDs are assigned to all personnel.

  • Strong password criteria are in place.

  • Users are locked out after repeated unsuccessful login attempts and must be reinstated by a system administrator.

  • Password rotation is mandated every 90 days.

  • Each customer's data is logically separated from other customers' data using robust access rights.

    • Data access is restricted based on a need-to-know basis.

  • Data is stored within Canada, on GCP Servers in the EU, and in the UK.

    • Data is encrypted.

  • Employee data storage:

    • The use of VPN, secure operating systems and secure processes is required. Laptops have industry-standard encryption and access is managed by TAGI IT Administrators.

  • Remote access:

    • Personnel may work remotely through enterprise VPN solutions and secure operating systems.

  • Security technologies are in place to detect potential breaches or malware infections.

    • TAGI’s firewalls and antivirus have reporting mechanisms to detect potential breaches or malware infections.

  • Antivirus and anti-hacking measures are in place.

    • Devices are patched automatically whenever they come online. Servers are patched regularly or as needed.

  • Phishing tests are conducted periodically.

  • Log retention:

    • Logs are retained with information about who has access to our systems.

    • Access to confidential systems is controlled.

  • Procedures for secure destruction of systems and media used for data storage:

    • Server hard drives are destroyed before computers are recycled.

    • Data on end-computing devices is removed prior to re-use.

  • MFA/2FA is required for all our systems that internal users connect to, including:

    • Enterprise VPN solutions.

    • Secure operating systems.

    • Internal systems and tools.

  • In-house penetration testing is to be conducted at regular intervals. OWASP Top 10 vulnerabilities are to be documented and addressed in a timely manner.

1.4 Secure System Development Lifecycle

  • TAGI has processes in place to comply with the OWASP Top 10 criteria.
  • Change management process:
    • All changes need to be approved and tested prior to any change in production.
  • Change Management includes roll back procedures.
  • Segregation of duties is in place and enforced to prevent developers from making unauthorized changes to production.
  • TAGI has implemented a fully segregated development environment.

1.5 Dealing with Security Breaches

  • TAGI has implemented the following procedures to prevent security breaches:
    • Effective antivirus and anti-hacking measures to prevent the compromising of the integrity of data or systems.
    • Procedure for secure erasure of systems and media used for data storage before re-use.
    • Secure disposal of media and/or printed material when no longer required (e.g. through secure shredding).
    • Procedure for authenticating the intended recipients of information prior to disclosure.
    • Procedure for authorizing and securing temporary removal of personal data, and security measures in place for working remotely.
    • Company ownership of all data and equipment. Data should not be stored locally on the user’s device. Users are required to use VPN, Network drives, and secure operating systems. User access is granted on a need-to-know basis.
  • TAGI has policies in place to support the prevention and handling of data incidents/breaches.
    • Staff and system users are trained to recognize and report security incidents including data breaches to the nominated security officer.
    • Procedures to manage and mitigate risks arising from such breaches are agreed.
    • Incident response procedure is in place to ensure security incidents are investigated and resolved including lessons learned.
    • Key employees are trained to respond to data incidents across relevant jurisdictions.
  • Audit trails are maintained for security actions in the event of a data incident.

1.6 Business Continuity and Disaster Recovery

  • Business continuity and disaster recovery plans are in place to provide effective protection against likely risks, for example loss, damage, or corruption of information arising from human error, computer virus, network failure, theft, fire and flood:
    • Regular backups.
    • Sunset of redundant systems.
    • Replacement of component/s.
    • Windows login is required to access computers.
    • All servers are hosted in secure data centres with UPS backups and diesel generators (in the event of power failure).
    • Operating systems are secure.
    • Offsite backup.
  • Business continuity and disaster recovery plans are under continuous improvement and testing.
  • Data backup and system recovery operations are managed and tested.

C.3. Storage period/erasure procedures

Personal data is stored for a maximum of 24 months after which the personal data is automatically erased by the data processor.

Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 10, unless the data controller – after the signature of the contract – has modified the data controller’s original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the Clauses.

C.4. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor

During the term of this contract and subject to a minimum written notice period, which may not be less than fifteen (15) working days, the data controller reserves the right to carry out any data protection audit to establish compliance by the data processor with its obligations under this contract, in particular through an audit. The data controller will also indicate the planned date of the audit, the elements verified and the identity of the auditors. Auditors must have access to the data processor’s offices and comply with the internal health and safety rules applicable to these offices.

The data controller may not carry out more than one (1) audit per year, plus additional audits in case of breach, material incident, or regulator request.

The data processor undertakes to respond to requests for an audit made by the data controller or by another qualified auditor selected by the data controller, recognized as independent (i.e. independent of the data processor) and free to provide details of its audit remarks and conclusions to the data controller. The Parties agree that the audit will focus on the data processor's compliance with the provisions of Article 28 of the GDPR and in particular on the following elements:

  • verification of all technical and organizational security measures implemented by the data processor,
  • checking personal data location, copy and delete logs,
  • analysis of the measures implemented to delete the personal data, to prevent any illegal transmission of personal data or to prevent the transfer of personal data to a country not authorized by the data controller.

The audit costs shall be borne by the data controller. Notwithstanding the foregoing, if the audit reveals that the obligations set forth herein have been breached by the data processor, the audit costs shall in that case be borne by the data processor.

Appendix D

Jurisdiction specific terms

1. Australia

1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

1.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.

2. Brazil

2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados Pessoais (LGPD).

2.2 The definition of “personal data breach” includes a security incident that may result in any relevant risk or damage to the data subjects.

2.3 The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.

3. California

3.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).

3.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.

3.3 The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in this Addendum, apply to Consumer rights. With regard to data subject requests, TAGI can only verify a request from Customer and not from Customer’s end user or any third party.

3.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.

3.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.

3.6 TAGI will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. TAGI agrees not to (a) sell (as defined by the CCPA and CPRA) Customer’s personal data or Customer end users’ personal data; (b) retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA and CPRA) other than providing the Services; or (c) retain, use, or disclose Customer’s personal data outside of the scope of the Agreement. TAGI understands its obligations under the Applicable Data Protection Law and will comply with them.

3.7 TAGI certifies that its sub-processors, as described in this Addendum, are Service Providers under Applicable Data Protection Law, with whom TAGI has entered into a written contract that includes terms substantially similar to this Addendum. TAGI conducts appropriate due diligence on its sub-processors.

3.8 TAGI will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in this Addendum.

4. Canada

4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

4.2 TAGI’s sub-processors, as described in this Addendum, are third parties under Applicable Data Protection Law, with whom TAGI has entered into a written contract that includes terms substantially similar to this Addendum. TAGI has conducted appropriate due diligence on its sub-processors.

4.3 TAGI will implement technical and organizational measures as set forth in this Addendum.

5. Israel

5.1 The definition of “Applicable Data Privacy Law” includes the Protection of Privacy Law (PPL).

5.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Privacy Law.

5.3 The definition of “processor” includes “Holder” as defined under Applicable Data Privacy Law.

5.4 TAGI will require that any personnel authorized to process Client Data comply with the principle of data secrecy and have been duly instructed about Applicable Data Privacy Law. Such personnel are under confidentiality obligations in accordance with this DPA.

5.5 TAGI must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in this DPA and complying with the terms of the Agreement.

5.6 TAGI must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with TAGI pursuant to this DPA.

6. Japan

6.1 The definition of “Applicable Data Privacy Law” includes the Act on the Protection of Personal Information (APPI).

6.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Privacy Law.

6.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Privacy Law. As a Business Operator, TAGI is responsible for the handling of personal data in its possession.

6.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as defined under Applicable Data Privacy Law. As a trustee, TAGI will ensure that the use of the entrusted personal data is securely controlled.

7. Mexico

7.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).

7.2 When acting as a processor, TAGI will:

7.2.1 treat personal data in accordance with Customer’s instructions as outlined in this Addendum;

7.2.2 process personal data only to the extent necessary to provide the services;

7.2.3 implement security measures in accordance with Applicable Data Protection Law and this Addendum;

7.2.4 keep confidentiality regarding the personal data processed in accordance with the Agreement;

7.2.5 delete all personal data upon termination of the Agreement in accordance with this Addendum; and

7.2.6 only transfer personal data to sub-processors in accordance with this Addendum.

8. Singapore

8.1 The definition of “Applicable Data Privacy Law” includes the Personal Data Protection Act 2012 (PDPA).

8.2 TAGI will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in this DPA and complying with the terms of the Agreement.

9. Switzerland

9.1 The definition of “Applicable Data Privacy Law” includes the Swiss Federal Act on Data Protection, as revised (FADP).

9.2 To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.2 of Schedule III (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:

9.2.1 references to “EU Member State” and “Member State” will be interpreted to include Switzerland, and

9.2.2 insofar as the transfer or onward transfers are subject to the FADP:

9.2.2.1 references to “Regulation (EU) 2016/679” are to be interpreted as references to the FADP;

9.2.2.2 the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;

9.2.2.3 in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and

9.2.2.4 in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.

10. Turkey

10.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Law No. 6698, Kişisel Verileri Koruma Kanunu (KVKK).

10.2 It will be necessary for the Standard Contractual Clauses to be signed in accordance with the KVKK.

11. United Kingdom

11.1 References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

12. New Zealand

12.1 The definition of “Applicable Data Protection Law” includes the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs).

12.2 For the purposes of the Privacy Act 2020, the Customer is an “agency” and TAGI acts as a service provider processing personal information on behalf of the agency.

12.3 TAGI will collect, use, disclose, store, and otherwise process personal information only in accordance with the Customer’s documented instructions and only for purposes permitted under the Privacy Act 2020 and this Agreement.

12.4 TAGI will not disclose personal information except as authorized by the Customer or as otherwise permitted under Information Privacy Principle 11.

12.5 Where personal information originating from New Zealand is disclosed or made available outside New Zealand, TAGI will ensure that such disclosure complies with Information Privacy Principle 12, including by ensuring that:

- the recipient is subject to privacy laws that provide comparable safeguards, or

- contractual protections are in place requiring the recipient to protect the information in a manner consistent with the Privacy Act 2020.

12.6 TAGI will promptly notify and reasonably cooperate with the Customer in relation to any privacy breach involving New Zealand personal information, including by providing information reasonably required to enable the Customer to assess whether the breach is a notifiable privacy breach under Part 6 of the Privacy Act 2020.

12.7 TAGI will implement reasonable safeguards to protect New Zealand personal information against loss, access, use, modification, or disclosure that is unauthorized or unlawful, having regard to the nature of the information and the risks associated with the processing.
