Data Privacy Addendum

Effective date: September 30, 2024

This Data Privacy Addendum ("Addendum") is incorporated into and subject to the terms and conditions of the current version of the agreement ("Agreement") between you and any of your affiliates (collectively, "Customer") and CogniSync, Inc. ("CogniSync") (each a "Party" and collectively the "Parties") governing the Customer's use of the Service.

All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. This Addendum reflects the Parties' agreement with respect to the terms governing CogniSync's processing of Personal Data protected by Data Privacy Laws. For any other data, including admin account information, this Addendum shall not apply.

In the event of any conflict or inconsistency between the terms of the main Agreement and this Addendum, the terms of this Addendum shall take precedence over the Agreement and any other associated contractual document between the Parties, to the extent of any such conflict.

The Parties agree as follows:

1. Definitions.

"Data Privacy Laws" means all data protection laws and regulations applicable to a Party's Processing of Personal Data.

"Data Subject" means an identified or identifiable natural person about whom Personal Data relates.

"Personal Data" includes any Customer Data that is protected as "personal data," "personal information," or "personally identifiable information," under Data Privacy Laws and Processed by CogniSync on behalf of Customer via the Service in connection with the Service, as more particularly described in Exhibit A (Data Processing Description) of this Addendum.

"Process" and "Processing" mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Security Breach" means any breach of security that leads to the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by CogniSync and/or its Sub-processors in connection with the provision of the Service. "Security Breach" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Sub-processor" means any processor engaged by CogniSync or its affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Addendum. Sub-processors may include third parties or affiliates of CogniSync but shall exclude any CogniSync employee, contractor or consultant.

The terms "controller", "personal data", and "processor" shall have the meanings given to them in the General Data Protection Regulation (GDPR).

2. Scope and Purposes of Processing.

a. This Addendum applies to the extent CogniSync Processes as a processor or service provider (as applicable) any Personal Data protected by Data Privacy Laws. CogniSync will only Process Personal Data as set forth in this Addendum and in compliance with Data Privacy Laws.

b. The Parties acknowledge and agree that Customer is a (i) controller or processor or (ii) business (as applicable) with respect to the Processing of Personal Data, and CogniSync will Process Personal Data only as a (i) processor or (ii) service provider (as applicable) on behalf of Customer, as further described in Exhibit A (Data Processing Description) of this Addendum. If Customer is acting as processor, Customer agrees that it is unlikely that CogniSync will know the identity of Customer's controllers because CogniSync has no direct relationship with Customer's controllers and therefore, Customer will fulfill CogniSync's obligations to Customer's controllers under the P-to-P Clauses.

c. As a processor or service provider, CogniSync shall Process Personal Data only for the purposes described in this Addendum and only in accordance with Customer's written lawful instructions. The Parties agree that the Agreement (including this Addendum) sets out the Customer's complete and final instructions to CogniSync in relation to the Processing of Personal Data and Processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties.

d. Without prejudice to Section 3 (Customer Responsibilities), CogniSync shall immediately notify Customer in writing, unless prohibited from doing so under Data Privacy Law, if it becomes aware or believes that any Processing instructions from Customer violate Data Privacy Laws.

3. Customer Responsibilities.

a. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

b. Customer represents and warrants that: (i) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable laws, including Data Privacy Laws, for CogniSync to lawfully Process Personal Data for the purposes contemplated by the Agreement (including this Addendum); (ii) it has complied with all applicable laws, including Data Privacy Laws, in the collection and provision to CogniSync of such Personal Data; and (iii) it shall ensure its Processing instructions comply with applicable laws (including Data Privacy Laws) and that the processing of Personal Data by CogniSync in accordance with Customer's instructions will not cause CogniSync to be in breach of applicable Data Privacy Laws.

4. Data Subject Rights and Cooperation.

a. CogniSync will promptly notify Customer of: (i) any third-party or individual (e.g. on Customer's behalf); or (ii) any government or Data Subject requests for access to or information about CogniSync's Processing of Personal Data on Customer's behalf (each a "Communication"), unless prohibited by Data Privacy Laws. In the event CogniSync receives such Communication directly, CogniSync will not respond to such Communication except as appropriate (for example, to direct the Data Subject to contact Customer) or where legally required, without Customer's prior authorization.

b. Taking into account the nature of the Processing and upon written request of Customer, CogniSync will provide all reasonable co-operation to assist Customer, by appropriate technical and organizational measures, in so far as is possible, to respond to Communications.

c. To the extent required under applicable Data Privacy Laws, and taking into account the nature of the Processing and the information available to CogniSync, CogniSync will provide all reasonably requested information regarding the Service to enable Customer to carry out a data protection impact assessment or prior consultation with supervisory authorities, as required by Data Privacy Laws.

5. Data Security.

a. CogniSync will: (i) implement appropriate and reasonable administrative, technical, physical, and organizational measures designed to protect Personal Data from Security Breaches and to preserve the security and confidentiality of Personal Data; and (ii) ensure that any person it authorizes to Process the Personal Data is under an appropriate obligation of confidentiality (whether statutory or contractual).

b. Customer is responsible for reviewing the information made available by CogniSync relating to data security and making an independent determination as to whether the Service meets Customer's requirements and legal obligations under Data Privacy Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that CogniSync may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.

c. Notwithstanding the above, Customer agrees that except as provided by this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.

6. Security Breach.

a. Upon becoming aware of a Security Breach, CogniSync will: (i) notify Customer promptly, and where feasible, within 48 hours of becoming aware of any Security Breach; (ii) provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Breach.

b. CogniSync's notification of or response to a Security Breach under this Section 7 shall not be construed as an acknowledgment by CogniSync of any fault or liability with respect to the Security Breach.

8. Personal Data Relating to Criminal Convictions and Offenses

We may process personal data related to criminal convictions and offenses only under the control of official authority or when the processing is authorized by Union or Member State law providing appropriate safeguards for the rights and freedoms of you as the data subject. Such data includes information about criminal convictions and offenses, including alleged offenses, the disposal of such proceedings (including acquittals and sentences), and the related security measures. We will only process this data if it is necessary for the prevention or detection of crime or the apprehension or prosecution of offenders, provided that we as the data controller or data processor are authorized by Union or Member State law.

7. Sub-Processors.

a. Customer acknowledges and agrees that CogniSync may engage Sub-processors to Process Personal Data in accordance with the provisions within this Addendum and Data Privacy Laws. A current list of CogniSync's Sub-processors is available at https://www.cogni-sync.com/spp ("Sub-processor Page") and Customer hereby consents to CogniSync's use of such Sub-processors.

b. CogniSync shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor's compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause CogniSync to breach any of its obligations under this Addendum.

8. Data Transfers

The EEA, UK and other countries outside the EEA have differing data protection laws, some of which may provide lower levels of protection of privacy.

It is sometimes necessary for us to transfer your personal data to countries outside the EEA in order to support our business operations. In those cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.

Under data protection laws, we can only transfer your personal data to a country outside the EEA where:

  • in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an 'adequacy decision') further to Article 45 of the EU GDPR. A list of countries the European Commission has currently made adequacy decisions in relation to is available here.

  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or

  • a specific exception applies under relevant data protection law

Where we transfer your personal data outside the EEA we do so on the basis of an adequacy decision or (where this is not available) legally-approved standard data protection clauses issued further to Article 46(2) of the EU GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this policy.

9. Return or Destruction of Personal Data.

a. Upon termination or expiry of the Agreement, CogniSync will, at the choice and written request of Customer, return to Customer and/or securely destroy all Personal Data in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent CogniSync is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which data CogniSync shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices.

10. Limitation of Liability.

a. CogniSync's liability arising out of or in connection with this Addendum is subject to the limitations and exclusions of liability stated in the Agreement.

11. Term

a. The effective date of this Addendum is the date of the latest signature of a Party or, if no such date exists, the effective date of the Agreement.

12. Survival.

a. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as CogniSync or its Sub-Processors Process Personal Data.

Exhibit A: Description of Transfer

Subject matter, nature, and purpose of Processing: CogniSync will process Personal Data solely to fulfill its purposes under the Agreement, including Processing Personal Data: (i) to provide the Service in accordance with the Agreement; (ii) to perform any steps necessary for the performance of the Agreement; (iii) to perform any Processing activity initiated by Customer in its use of the Service; and (iv) to comply with other reasonable instructions provided by Customer that are consistent with the terms of the Agreement and this Addendum.

Anticipated duration of Processing: For the term of the Agreement plus the period from expiry or termination of the Agreement until deletion of all Personal Data by CogniSync in accordance with the Agreement.

Typical categories of Data Subjects: Data subjects include the individuals about whom data is provided to CogniSync via the Service by (or at the direction of) Customer or its Users.

Categories of Personal Data typically subject to Processing under the Agreement: The categories of Personal Data are determined by Customer in its sole discretion and include data relating to individuals provided to CogniSync via the Service, by (or at the direction of) Customer or its Users - for example, in the text in electronic form submitted to the Service.

Special categories of Personal Data: CogniSync does not intentionally collect or Process any special categories of Personal Data.

Exhibit B: Technical and organizational measures including technical and organizational measures to ensure the security of the data

CogniSync places a strong emphasis on data security and privacy, acknowledging the significance of our security measures and practices to you. While we are cautious about disclosing intricate details, which might compromise our protective efforts, we can share general information to assure you of our commitment to safeguarding the data you place in our trust.

All CogniSync server-side infrastructure is hosted on an industry-leading secure cloud platform through Amazon Web Services (AWS) in the United States and Europe. Only a small number o Denises sever and ever ones cal case in the tence and they are env 1 CogniSync's private network inside our secure cloud platform

CogniSync encrypts all data transfers between itself and data exporters by up-to-date encryption protocols, including TLS 1.2. Customer data is encrypted at rest in AWS using AES-256 server-side encryption. CogniSync utilizes AWS Key Management Services (KMS) for database encryption and key management. Access to the cryptographic keys is restricted to authorized personnel. CogniSync internal services are available via its virtual private network, with the exception of services that must have access to the public internet for CogniSync's product provisioning to customers.

Access to the Personal Data storage is performed only through usage of complicated passwords, multi-factor authentication and personalized user accounts of a limited number of employees who require the access to perform their job functions. Passwords are stored in encrypted databases with applied bcrypt hashing. Access to the information is logged and monitored by the Security team.

Our compliance teams define and control the collection, processing and storage of customers' Personal Data. For this, CogniSync uses data flow maps, service inventory, new service launch and other processes to track all internal and external data transfers. For detailed information about CogniSync's technical and organizational measures to ensure the security of the data, contact us at privacy@cogni-sync.com.
