Data Processing Agreement
Last updated November 19, 2021
This Data Processing Agreement (“DPA”) supplements the Order Form and Platform Access and Services Agreement (“Terms”) (the DPA, along with the Terms, is collectively referred to as the “Agreement”) entered into between Aumni, Inc. (“Aumni”) and the Customer (collectively with its affiliates and subsidiaries worldwide, “Customer”) the terms of this DPA are incorporated by reference therein. This DPA shall apply to all Processing of Customer Personal Data by Aumni to provide the Product as agreed to in the Order Form.
If there is any conflict between this DPA and the Terms, this DPA shall prevail solely to the extent of such conflict.
In this DPA, the following terms shall have the meanings set out below and their cognate terms shall be construed accordingly:
1.1 Customer Data has the meaning given to it in the Terms.
1.2 Customer Personal Data means any Customer Data that is Personal Data.
1.3 Data Breach means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to Customer Data or Confidential Information, or any other unauthorized Processing of Personal Data that may adversely affect the privacy or security of individuals or the Customer. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Data or Confidential Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.
1.4 Data Protection Laws means all applicable laws relating to privacy, security, or protection of Personal Data, as may be defined in such laws, including, the EEA Law, the California Consumer Protection Act (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
1.5 EEA means the European Economic Area and the European Union, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).
1.6 EEA Law means EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) and any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), and any other law relating to the data protection, security, or privacy of individuals that applies in the EEA.
1.7 Personal Data means any information processed by Aumni in connection with the performance of the Product, including that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or with a particular individual’s or household’s device; or any inferences drawn therefrom. Personal Data includes, but is not limited to, name, alias, postal address, identification number, phone number, physical address, email address, details of orders and fulfilments, location data, online identifiers such as internet protocol addresses, cookie or other unique identifiers or as otherwise defined (including under similar terms such as “personal information,” “personal health information,” “personally identifiable information,” and “sensitive personal information”) under Data Protection Laws.
1.8 Process, processed, or processing means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.
1.9 Services means services provided by Aumni as agreed to in the Order Form.
1.10 Standard Contractual Clauses means the standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of EEA Personal Data to Third Countries as adopted by the European Commission, the UK Information Commissioner (as they may apply for UK to Third Country transfers) or Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries or any successor clauses thereto.
1.11 Third Country means countries that have not received an adequacy decision relating to data transfers from the European Commission, UK ICO, or Swiss FDPIC relating to data transfers.
1.12 The terms Controller, Data Processor, Subprocessor, Data Subjects, Sell, and Service Provider shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.
2. GENERAL DATA PROCESSING OBLIGATIONS
2.1 Role of Parties. The parties acknowledge and agree that with respect to processing of Customer Personal Data, Aumni is a Data Processor, and a Service Provider and Customer is a Controller, except that if Customer is a Data Processor in which case Aumni is a Subprocessor. If Customer is a Processor of Customer Personal Data, Customer represents and warrants that Customer’s instructions and Processing of Customer Personal Data, including its appointment of Aumni as a Subprocessor, have been authorized by the respective Controller. Notwithstanding the foregoing, Aumni will be an independent Controller with respect to any Personal Data of Customer employees and other personnel using the Services or acting as administrative or business representatives with respect to the Services. Customer also represents and warrants that the Customer is responsible for the security and integrity of Customer Data in the Customer’s environment.
2.2 Compliance with Data Protection Laws. Each party will comply with obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data.
2.3 Purpose of Processing. The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement. Exhibit 1 (Details of Processing of Customer Personal Data) describes the subject matter and details of the Processing of Customer Personal Data.
2.4 Customer Instructions and Restrictions on Processing.
2.4.1. Aumni shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of the Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. Aumni shall not Sell Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with the Customer or for any other purpose except as required by law. Aumni will inform Customer if, Aumni determines that it is no longer able to meet its obligations under Data Protection Laws or where in Aumni’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws. Customer reserves the right to take reasonable appropriate steps to discontinue and remediate unauthorized use of Customer Personal Data.
2.4.2. Aumni shall have rights to use Customer Personal Data solely (i) to the extent necessary to (a) perform its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Service including as part of its business operations; (c) to disclose aggregate statistics about the Service in a manner that prevents individual identification or reidentification of the Customer, Customer Data, any individual device, or individual person; and/or (d) protect the Service from a threat to the Service or Customer Personal Data; or (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to the Customer; (iii) as otherwise expressly authorized by the Customer.
2.4.3. Aumni will not combine the Customer Personal Data, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individual, provided that Aumni may combine Personal Data to perform any business purpose permitted or required under the Agreement to perform the Services.
2.4.4. Aumni certifies that it understands these restrictions and will comply with them.
3. CUSTOMER’S OBLIGATIONS
3.1 Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Personal Data. Customer will not provide or cause to provide any data or information that is not necessary for Aumni to provide Customer the Services identified in the Order Form. Customer is responsible for the security and integrity of any Customer’s systems from where Customer Data is provided to Aumni.
3.2 Customer shall, in its use of the Services, Process Personal Data in compliance with the requirements of Data Protection Laws, including any applicable industry standards and self-regulatory programs that are binding on Customer. Customer shall be responsible for complying with any notice and consent obligations under such Data Protection Laws.
3.3 Customer understands and agrees that Customer is solely responsible for its own actions and activity in connection with the Customer Account and that Customer will keep its account passwords and login information confidential.
4. CONFIDENTIALITY OBLIGATIONS
4.1 Each party agrees, both during and after termination of this Agreement, to hold the Confidential Information in the strictest confidence and comply with the applicable confidentiality obligations in the Terms.
5. AUMNI OBLIGATIONS
5.1 Data Protection Compliance Assistance.
5.1.1 Where Aumni is acting as a Processor, Aumni will reasonably assist Customer in complying with its obligations under the applicable Data Protection Laws, including without limitation, conducting data protection impact assessments, and any consultations with the supervisory or regulatory authority.
5.1.2 Aumni shall not perform its obligations under this Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Laws.
5.2 Data Subject Rights.
5.2.1 Where Aumni is acting as a Processor or Subprocessor, Aumni will promptly notify Customer in writing, and in any case without undue delay, if Aumni receives (i) any requests from a Data Subject, with respect to Customer Personal Data, including individual opt-out requests, requests for access and/or deletion and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Customer Personal Data, including allegations that the Processing infringes on any individual's or third party's rights. Aumni will not respond to any such request or complaint unless expressly authorized to do so by Customer or required to respond under applicable Data Protection Laws.
5.2.2 To the extent Customer, in its use of the Services, does not have the ability to respond to a request under this Section 5, Aumni shall upon Customer’s written request provide reasonable assistance to the Customer in responding to such request.
5.2.3 Aumni shall comply with any instructions given by the Customer regarding responding to requests under this Section 5.
5.3.1 The Customer hereby consents to the use of the Subprocessors by Aumni for the purposes of providing the Services pursuant to the Agreement. The Subprocessors that are currently authorized to Process Customer Personal Data will be provided to Customer upon request.
5.3.2 Aumni must ensure that it has a written agreement in place with all Subprocessors which contains obligations on the Subprocessors which are no less onerous on the relevant Subprocessor than the obligations on Aumni under this DPA.
5.4 Staff Confidentiality. Aumni shall ensure that all employees, agents, officers, consultants, Subprocessors and any third party authorized to Process the Customer Personal Data or Confidential Information are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality.
5.5.1 Aumni will implement and maintain commercially reasonable administrative, technical and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Personal Data and Confidential Information and the nature of its activities under the Agreement, to protect the security, confidentiality and integrity of such information Processed by Aumni or in its possession and control including such safeguards (a) designed to ensure the security of systems upon which such information is Processed; and (b) designed to prevent a Data Breach. The description of technical and organization measures designed to ensure the security of Personal Data is described more fully in Exhibit 2 (Aumni Security Measures) to the DPA.
5.6 Data Breach.
5.6.1. In the event Aumni discovers or learns of a Data Breach affecting Customer Data, Aumni shall take appropriate and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach and prevent further Data Breaches, (b) notify Customer of such Data Breach without unreasonable delay; (c) furnish to Customer necessary and relevant details of the Data Breach as may be available; (d) assist Customer, as needed, in its investigation, mitigation, and remedying of the Data Breach; (e) provide information and reasonably assist Customer, as needed, in meeting Customer’s legal obligations, including any applicable obligations to notify individuals affected by the Data Breach; and (f) cooperate with Customer in any other reasonable action, step, or proceeding as may be deemed necessary by Customer in connection with the Data Breach and any dispute, inquiry or claim concerning the Data Breach.
5.6.2. Unless prohibited by an applicable statute or court order, Aumni shall notify Customer of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
5.6.3. Aumni will comply with any reasonable instructions given by the Customer regarding any requests in connection with a Data Breach.
5.6.4. Aumni’s cooperation or obligation to report or respond to Data Breaches under this DPA is not and will not be interpreted as an acknowledgment by Aumni of any fault or liability of Aumni with respect to a Data Breach.
5.7.1. Upon written request from the Customer, Aumni shall make available to the Customer once a year such information as is reasonably required by the Customer to demonstrate Aumni’s compliance with its obligations under this DPA.
5.7.2. If the Customer in its reasonable opinion determines that the information provided under Section 5.7.1 is not sufficient, Aumni will assist with Customer’s request for additional information through completing a reasonable questionnaire or request for information provided by Customer (“Questionnaire”), or a third party acting on Customer’s behalf, regarding Aumni’s compliance with this Addendum.
5.7.3. If the Customer in its reasonable opinion determines that the information provided under Section 5.7.2 is not sufficient, Aumni will allow the Customer or a third party acting on behalf of the Customer to conduct audits solely as necessary to fulfill Customer's obligations under Data Protection Laws no more than once annually.
5.7.4. Any such audit under this Section 5.7 will occur only after Customer has provided Aumni with at least 60 days’ prior written notice and during a mutually agreed upon date, time, and location. Audits must not unreasonably interfere with Aumni’s business or operations and the scope of such audit will be subject to Aumni’s reasonable pre-approval. Individuals responsible for conducting such audit shall be subject to a contract of confidentiality with Aumni. The work required by Aumni to participate in any audit may result in additional fees (at a mutually agreed upon hourly rate) to be paid by the Customer, unless otherwise agreed in writing prior to the commencement of such audit. If the audit reveals any vulnerability or inadequacy, Aumni shall correct any such vulnerability or inadequacy at its sole cost and expense and shall certify the same in writing to Customer.
5.7.5. To ensure that Aumni complies with applicable Data Protection Laws and its contractual obligations regarding data privacy and security, the Customer agrees that Aumni is not required to provide the Customer with access to the Aumni’s systems or information in a manner that may compromise the security, privacy, or confidentiality of Aumni’s other Customers’ confidential or proprietary information. Any information disclosed pursuant to this Section 5.7 will be deemed Aumni’s Confidential Information.
6. DATA TRANSFERS
6.1. As of the date this DPA was last updated, all Customer Personal Data is Processed in the United States. In its role as a Processor, Aumni will not Process any Customer Personal Data subject to EEA Law outside of the United States or country recognized as “adequate” by the E.U. Commission without Customer’s written authorization.
6.2. Aumni may Process Customer Personal Data in various jurisdictions in which it operates provided Aumni reasonably cooperates with the Customer to comply with applicable data transfer restrictions and obligations required by this DPA and applicable Data Protection Laws.
6.3. To the extent Customer Personal Data that is subject to EEA Law is processed, the parties will execute appropriate data processing terms (including any transfer terms) in connection with such processing and transfer.
6.4. To the extent Data Protection Laws require any further steps to be taken in order to permit the transfer of Customer Personal Data to Aumni (including in relation to data export restrictions under applicable Data Protection Laws outside the EEA), Aumni will work with Customer in good faith (including, where reasonably necessary, by entering into contractual clauses with Customer) to ensure that the transfer of Customer Personal Data meets the requirements of Data Protection Laws. To the extent Customer Personal Data is subject to EEA Laws, the parties will execute appropriate data processing and transfer terms for such processing and transfer.
7. RETURN OR DESTRUCTION OF CUSTOMER PERSONAL DATA
7.1. Either upon request or direction by Customer or termination or expiration of this Agreement, Aumni will (a) provide a copy of all Customer Personal Data in Aumni’s possession to the Customer and upon written verification from Customer of Customer’s receipt of such Customer Personal Data, destroy such information in accordance with this Section 7; (b) subject to Section 7.1 (a), promptly and securely destroy all such Customer Personal Data in accordance with applicable Data Protection Laws; and (c) certify in writing that it has complied with this Section 7, except to the extent that Aumni is required by applicable law to keep a copy of the Customer Personal Data and notifies Customer of the same.
7.2. Aumni agrees to comply with the terms of this DPA to the extent any Customer Personal Data is remains in its possession or control in accordance with this Section 7.1.
Exhibit 1 to Data Protection Agreement
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Exhibit 1 includes details of the Processing of Customer Personal Data by Aumni.
1. Data Exporter
Company Name - As mentioned in the applicable Order Form
Address - As mentioned in the applicable Order Form
Contact name, position, and contact information - As mentioned in the applicable Order Form
Role - Controller
2. Data Importer
Company Name - Aumni, Inc.
Address - 2800 E. Cottonwood Parkway, Suite 110, Cottonwood Heights, Utah 84121
Contact name, position, and contact information - As mentioned in the applicable Order Form
Role - Processor
3. Activities relevant to the data transferred under these Clauses
The activities relevant to the data transferred at the Services more fully described in the Agreement and applicable ordering documents.
4. Processing Information
Categories of data subjects whose personal data is processed –
Customer may submit or give access to Customer Data to Aumni, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Customer Data relating to the following categories of data subjects:
• Customer’s authorized users, employees, agents, or representatives
• Customer’s customers
Categories of personal data processed –
Customer may submit Customer Data to Aumni which may include the following categories of Customer Data:
As to Customer’s authorized users, employees, agents, or representatives, contact details of the individual which may include first and last name, email address and IP address.
To the extent Customer provides or causes to provide the following data to Aumni, the following categories of personal data may be processed:
• Government identification numbers (e.g., W-9 (including SSN), passport, driver’s license, national ID card, etc.)
• Documents for address verification (e.g., copies of utility bills)
• Financial account numbers and related information (e.g., wire transfer details)
• Documents for verification of relationships between the investor and its beneficial owners.
Sensitive personal data processed – None
Frequency of the processing – Continuous
Nature of the processing and purpose of the data processing and further processing - The objective of Processing of Customer Data by Aumni is the performance of the Agreement and this DPA.
Period for which the personal data will be retained or criteria used to determine that period - Subject to Section 7 (Return or Deletion of Customer Personal Data) of this DPA, Aumni will process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Subprocessor (subject matter, nature, and duration of processing) - In addition to the following, the subject matter, nature, and duration of the Processing more fully described in the Agreement, DPA, and accompanying order forms.
Exhibit 2 to Data Protection Agreement
Aumni Security Measures
Aumni will implement and maintain a written security program with commercially reasonable administrative, technical, and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Data and the nature of its activities under the Agreement, to protect the security, confidentiality, availability, and integrity of Customer Data Processed by Aumni or in its possession and control including such safeguards (a) to protect the security of systems upon which such data is Processed; and (b) designed to prevent a Data Breach.
Aumni’s personnel will not Process Customer Data without authorization. Aumni’s Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.
Without limiting the foregoing, Aumni will:
1. Develop and use reasonable steps to select and retain agents and subcontractors that assist Aumni in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessors to agree by written contract to comply with terms substantially similar to those contained in this DPA;
2. Conduct routine risk assessments to identify, document, and remediate material internal and external risks to the security, confidentiality, availability, and integrity of Customer Data that could result in a Data Breach, and assess the sufficiency of any security measures in place to control these risks;
3. At a minimum, the risk assessments required by subpart (2) should include assessment of risks in each area of relevant operation, including, but not limited to:
i. employee training and management;
ii. secure system design and testing;
iii. quarterly (at a minimum) security and vulnerability scans; and
iv. review, assessment, and response to internal and third-party security vulnerability reports;
4. Design and implement reasonable safeguards to control the risks identified through the risk assessments, including through reasonable and appropriate security policies and guidelines and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
5. Establish and enforce written procedures that follow role based access control principles to control access to systems, networks, services, and facilities that may Process or store Customer Data and make such procedures available to Customer upon request.
6. Monitor access by Aumni personnel to Customer Data and limit any such access to those with a need to know in order to perform its obligations under the Agreement;
7. Implement multi-factor authentication for any system Processing Customer Data;
8. Implement and conduct routine security training for Aumni personnel with access to Customer Data;
9. Implement anti-malware software on any systems that Process Customer Data;
10. Commensurate with the nature and sensitivity of the Customer Data, encrypt Customer Data in transit across public networks or outside of Aumni’s physical or logical controls and at rest when stored on any device or storage media (such as servers, databases, backups, etc.) using industry standard encryption tools.
11. Provide reasonable assistance to Customer in Customer’s assessment and implementation of appropriate administrative, technical, and physical safeguards to provide an appropriate level of security of Customer Data, including (upon Customer’s reasonable request) completion of periodic assessments;
12. Automatically collect system, application, and user level logs on an ongoing basis for any network or system Processing Customer Data and retain such logs for security response for at least one year;
13. Implement, maintain, and monitor physical security controls for any processing facilities that are used for Processing Customer Data, including without limitation appropriate perimeter security that provide protection against unauthorized access, damage, or interference; and
14. Evaluate and adjust its security program in light of the results of the testing and monitoring required by subpart (2), any material changes to Aumni’s operations or business arrangements, or any other circumstances that Aumni knows or has reason to know may have a material impact on the effectiveness of its security program.
Business Continuity and Disaster Recovery Requirements:
During the term of the Agreement or so long as Aumni Processes Customer Data, whichever is longer, Aumni shall implement and maintain a disaster recovery plan that ensures that all Customer Data Processed by Aumni is capable of being recovered, and that the integrity of all such recovered Customer Data is retained, in the event that Aumni's network, systems or other facilities experience a Data Breach or any significant interruption or impairment of operation or any loss, deletion, corruption, or alteration of Personal Information (“Disaster Recovery Plan”).