Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated by reference into the Twosense Standard Terms and Conditions or other document that references this DPA (the “Agreement”) between Twosense, Inc. (“Twosense”) and the Twosense customer bound by the Agreement (“Client”, and collectively, the “Parties”) for the provision of software and services by Twosense (“Services”) with regard to the Processing of Client Personal Information.
In the course of providing the Services to Client, Twosense may Process Client Personal Information on behalf of Client, and in such case, the Parties agree to comply with the following provisions with respect to Client Personal Information.
1. DEFINITIONS
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity.
“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.
“Client Personal Information” means any Personal Information provided by Client to Twosense, pursuant to the express terms of an applicable statement of work or order under the Agreement.
“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Information and the rights of Data Subjects, which may also be called a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.
“Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (d) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (e) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (f) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (g) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; (h) the Texas Data Privacy and Security Act and (i) all other equivalent or similar laws and regulations relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.
“Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed. The term “Data Subject” shall refer to a “Consumer” as that term is defined under Data Protection Laws.
“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person.
“Personal Information” means information that is protected by applicable Data Protection Laws or that otherwise identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household.
“Personnel” means officers, directors, employees, Subprocessors, agents and representatives.
“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including, but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.
“Security Breach” means any security incident that adversely impacts the security of Client Personal Information.
“Subprocessor” means any third party appointed by Twosense to Process Client Personal Information as a Processor for the benefit of Client in connection with the Agreement.
The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.
2. PROCESSING OF PERSONAL INFORMATION
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Client Personal Information, Client is the Controller or Business (as applicable), Twosense is the Processor or Service Provider (as applicable), and that Twosense will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Law. For clarity, Twosense is not responsible for compliance with any Data Protection Laws applicable to Client or Client’s industry that are not otherwise generally applicable to Twosense.
2.2 Twosense’s Processing of Personal Information. Twosense shall treat Client Personal Information as confidential and shall only Process Client Personal Information as necessary to perform its obligations on behalf of and in accordance with Client’s documented instructions for the following permitted purposes: (i) in accordance with the Agreement and applicable order or scope of work and applicable Data Protection Laws (including without limitation, the CCPA); and/or (ii) as applicable, if initiated by Data Subjects in their use of the Services. Twosense shall not (A) Sell, Share, or otherwise make available Client Personal Information to any third party in exchange for monetary or other valuable consideration, and (B) retain, use or disclose Client Personal Information outside of the direct business relationship with the Client or for any other purpose than what is specified in the Agreement and/or this DPA. When acting as a Service Provider under the CCPA, Twosense shall not combine Client Personal Information with Personal Information it receives from, or on behalf of, another person or persons, or that it processes as a Business, except as expressly permitted by Data Protection Laws. Twosense shall promptly notify Client after it makes a determination that it can no longer meet its obligations under applicable Data Protection Laws. Nothing herein shall limit or restrict Twosense’s right to use Aggregate Data and/or Deidentified Data or limit Twosense’s right to use Client Personal Information in any manner that is not restricted by specific Data Protection Laws.
2.3 Client Disclosures. For clarity, (i) Client hereby informs Twosense that all applicable Data Subjects have been provided with the necessary notices and opt-out rights and consented to and not opted-out from the Sale or Sharing of their Personal Information to the extent required by CCPA and (ii) when acting in the capacity of a Processor or Service Provider under applicable Data Protection Laws (but not as a Third Party under the CCPA), Twosense shall comply with all other obligations in this DPA applicable to Processors or Service Providers under applicable Data Protection Laws.
2.4 Client’s Processing of Personal Information. Client shall, in its use of the Services, Process Personal Information in accordance with the requirements of Data Protection Laws. Client’s instructions to Twosense related to the Processing of Client Personal Information shall comply with Data Protection Laws. Client instructs Twosense (and authorizes Twosense to instruct each Subprocessor) to Process Client Personal Information, and in particular, transfer Client Personal Information to any jurisdiction, as necessary for the provision of the Services and consistent with the Agreement and this DPA. Twosense shall immediately inform Client if, in its opinion, an instruction violates Data Protection Laws. Client represents and warrants that it shall (i) not provide Twosense with (or instruct Twosense to Process) any Personal Information unless it shall first have given and received the necessary notices and consents (and honored any opt-out rights) under Data Protection Laws; and (ii) comply with any other requirements under applicable Data Protection Laws.
2.5 Details of the Processing. The subject matter of Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Client Personal Information, and categories of Data Subjects Processed under this DPA are specified in Annex I attached hereto or in another mutually agreed upon document executed by the Parties.
3. RIGHTS OF DATA SUBJECTS
3.1 Taking into account the nature of the Processing and the Client Personal Information, Twosense shall assist Client by implementing appropriate technical and organizational measures, insofar as this is possible, to assist the Client in responding to Data Subject rights requests (“Data Subject Request”) and complying with requirements of Data Protection Laws in relation thereto. To the extent legally permitted, Client shall be responsible for any costs arising from Twosense’s provision of such assistance.
3.2 If a Data Subject Request is made directly to Twosense, Twosense will promptly inform Client and will advise the Data Subject to submit the request to Client. Client will be solely responsible for responding substantively to any such Data Subject Requests or other communications involving Personal Information.
4. TWOSENSE PERSONNEL
4.1 Confidentiality. Twosense shall ensure that its Personnel engaged in the Processing of Client Personal Information are informed of the confidential nature of the Client Personal Information, and have received appropriate training regarding the Processing of Client Personal Information.
4.2 Reliability. Twosense shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Personnel engaged in the Processing of Client Personal Information.
4.3 Limitation of Access. Twosense shall ensure that Twosense’s access to Client Personal Information is limited to those Personnel performing the Services in accordance with the Agreement.
4.4 Data Protection Officer. To the extent required by applicable Data Protection Laws, each Party has appointed a data protection officer.
5. SUBPROCESSORS
5.1 Appointment of Subprocessors. With respect to the Processing of Client Personal Information, Client authorizes Twosense to appoint Subprocessors to Process Client Personal Information for a business purpose on behalf of Client, and consistent with the business purpose set forth herein, pursuant to a written contract that includes obligations that are at least as protective as those set out in this DPA and as required by Data Protection Laws.
5.2 Notification of New Subprocessors and Client’s Right to Object. Client authorizes Twosense’s engagement of Subprocessors that are used by Twosense as of the date hereof. Twosense shall give Client written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor. With the exception of commonly engaged vendors over whom Twosense exercises little control (such as Google or Amazon), if, within fifteen (15) business days of receipt of that notice, Client (acting reasonably and in good faith) notifies Twosense in writing of any objections to the appointment, Twosense shall cease disclosing any Client Personal Information to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by Client and Client has been provided with notice thereof. Twosense remains fully liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessor.
6. SECURITY
6.1 Controls for the Protection of Client Personal Information. Twosense shall maintain appropriate physical, technical and organizational measures designed to protect the security, confidentiality, and integrity of Client Personal Information. In the event of any (i) unauthorized acquisition, alteration, or disclosure of Client Personal Information that requires notification to an individual, government or regulatory body, or law enforcement authority under Data Protection Laws, or (ii) breach of Data Protection Laws with respect to Client Personal Information, Twosense shall notify Client promptly. Twosense shall monitor compliance with these measures in accordance with its internal information security program. Twosense shall, taking into account the nature of processing and the information available to Twosense, assist Client in meeting Client’s obligations in relation to the security of processing Client Personal Information. Twosense shall, at a minimum, implement and maintain the security measures specified in Annex II attached hereto.
6.2 Data Security Incident Management and Notification. Twosense shall maintain security incident management policies and procedures, and if at any time Twosense determines that there has been a Security Breach, Twosense shall promptly: (i) notify Client in writing of such Security Breach; (ii) investigate and take steps to remediate the Security Breach, and (iii) provide information regarding the specific Client Personal Information adversely impacted by the Security Breach as reasonably requested by Client.
7. INFORMATION PROVISION AND COOPERATION
7.1 Demonstration of Twosense’s Compliance. Twosense shall, upon Client’s reasonable request and to the extent required by Data Protection Laws, make available to Client all information in Twosense’s possession necessary to demonstrate Twosense’s compliance with its obligations under Data Protection Laws.
7.2 Audits and Assessments.
7.2.1 If required of Twosense under applicable Data Protection Laws, Twosense shall reasonably cooperate with Client, at Client’s expense, in relation to any audit of Twosense reasonably necessary to enable Client to comply with its obligations under Data Protection Laws (“Audit”), and shall seek the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) subject to a mutually agreed upon scope; (ii) conducted by an independent third party who has signed a nondisclosure agreement with Twosense or the Subprocessor, as the case may be; and (iii) subject to the confidentiality obligations set forth in the Agreement. Client shall use reasonable endeavours to minimize any disruption caused to Twosense’s (or the Subprocessor’s, as the case may be) business activities as a result of an Audit. Audits shall take place no more than once in any calendar year except as otherwise required of Twosense under applicable Data Protection Laws. In addition, if required of Twosense under applicable Data Protection Laws, Twosense shall allow Client to take reasonable and appropriate steps to (a) ensure that Twosense’s use of Client Personal Information is consistent with Client’s obligations under applicable Data Protection Laws, and (b) stop and remediate unauthorized use of Client Personal Information. In lieu of an Audit, Twosense may provide its most recent independent third party audit report, such as a SOC 2 or similar audit.
7.2.2 Any information disclosed in connection with an Audit shall be the Confidential Information of Twosense (and/or Subprocessor, as the case may be).
7.3 Data Protection Assessments. Upon Client’s request and to the extent required of Twosense under applicable Data Protection Laws, Twosense shall provide Client, at Client’s reasonable expense, with the reasonably necessary information needed for Client to carry out a Data Protection Assessment related to Client’s use of the Services, to the extent that Client does not otherwise have access to the relevant information and that such information is reasonably available to Twosense. To the extent required under the GDPR or UK GDPR, Twosense shall provide reasonable assistance to Client in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this Section 7.
8. RETURN AND DELETION OF CLIENT PERSONAL INFORMATION
Twosense shall, on the written request of Client, return all Client Personal Information to Client and/or at Client’s request delete the same from its systems, except as otherwise permitted by applicable Data Protection Laws.
9. TRANSFER MECHANISMS FOR CROSS-BORDER DATA TRANSFERS
9.1 Transfers of EEA, Swiss, or UK Personal Information. If the Processing of Client Personal Information includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), if required by Data Protection Laws, the Parties shall: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State as set forth in this Section 9 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Client Personal Information to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Annexes I and II attached hereto.
9.2 EU SCCs Modules. The Parties agree that for transfers of Client Personal Information from the European Economic Area (“EEA”), the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”), as annexed to Commission Implementing Decision 2021/914, are hereby incorporated by reference into this DPA as follows:
9.2.1 Where Twosense Processes Personal Information as a Controller pursuant to the terms of the Agreement, Twosense and its relevant Affiliates are located in non-adequacy approved third countries, and Client and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer); Module 1: Transfer controller to controller, Clauses 1 to 8, and 10 to 18 apply.
9.2.2 Where Twosense Processes Personal Information as a Processor for Client pursuant to the terms of the Agreement, Twosense and its relevant Subprocessor Affiliates are located in non-adequacy approved third countries, and Client and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer); Module 2: Transfer controller to processor, Clauses 1 to 18 apply.
9.2.3 Where Client Processes Personal Information as a Processor under the instructions of a third-party Controller, Twosense Processes Personal Information as a Subprocessor for Client pursuant to the terms of the Agreement, Twosense and its relevant Subprocessor Affiliates are located in non-adequacy approved third countries, and Client and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer); Module 3: Transfer processor to processor, Clauses 1 to 18 apply.
9.2.4 Where Twosense Processes Personal Information as a Processor for Client pursuant to the terms of the Agreement, Twosense and its relevant Subprocessor Affiliates are located in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer), and Client and its relevant Affiliates are located in non-adequacy approved third countries; Module 4: Transfer processor to controller, Clauses 1 to 8, 10 to 12, and 14 to 18 apply.
9.3 EU SCCs Optional Provisions. In addition to Section 9.2, where the EU SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
9.3.1 In Clause 7 (Docking Clause) (Modules 1, 2, 3, or 4) – the Optional provision shall NOT apply;
9.3.2 In Clause 9(a) (Use of sub-processors) (Module 2 or 3) – Option 1 shall apply (and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors);
9.3.3 In Clause 11(a) (Redress) (Module 1, 2, 3, or 4) – the Optional provision shall NOT apply;
9.3.4 In Clause 17 (Governing Law) (Module 1, 2, 3, or 4) – Option 1 shall apply, and the courts of Ireland shall govern; and
9.3.5 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2, 3, or 4) – the courts of Ireland shall have jurisdiction.
9.4 UK Model Clauses. The Parties agree that for transfers of Client Personal Information from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed Annex I. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Annexes I and II. For the purposes of Table 4, the Parties agree that the Exporter may end the UK Addendum as set out in Section 19.
9.5 Swiss Data Transfers. The Parties agree that for transfers of Client Personal Information from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
10. GOVERNING LAW
Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 9 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Agreement.
11. LIMITATION OF LIABILITY
THE “LIMITATION OF LIABILITY” SECTION OF THE AGREEMENT (OR THE EQUIVALENT THEREOF) SHALL APPLY TO ALL CLAIMS, DEMANDS, SUITS, CAUSES OF ACTION, AWARDS, JUDGMENTS AND LIABILITIES, INCLUDING REASONABLE ATTORNEYS' FEES AND COSTS, ARISING OUT OF OR ALLEGED TO HAVE ARISEN OUT OF TWOSENSE’S BREACH OF ITS OBLIGATIONS UNDER THIS DPA. WITHOUT LIMITING THE FOREGOING, IF THE AGREEMENT DOES NOT INCLUDE A LIABILITY CAP, TWOSENSE’S AGGREGATE LOSSES OR LIABILITY UNDER THIS DPA, INCLUDING WITH RESPECT TO LIABILITY RELATING TO A SECURITY BREACH, BREACH OF THIS DPA, OR ALLEGED OR ACTUAL VIOLATION OF DATA PROTECTION LAWS, SHALL BE LIMITED TO THE AMOUNT PAID BY CLIENT TO TWOSENSE UNDER THE AGREEMENT IN THE 12 MONTHS PRIOR TO THE CLAIM GIVING RISE TO SUCH LOSSES.
12. CHANGE IN DATA PROTECTION LAWS
In the event of any change to or new Data Protection Law(s), the Parties shall mutually agree upon any reasonably necessary amendments or revisions to this DPA.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
- Name: Client named in the Agreement
- Role: Controller
Data importer(s):
- Name: Twosense, Inc.
- Address: 2108 5th Ave STE 5, New York, NY, 10035
- Contact person’s name, position and contact details: Dawud Gordon, Ph.D., CEO & Co-Founder, privacy@twosense.ai
- Role: Processor
B. DESCRIPTION OF THE TRANSFER
Categories of Data Subjects whose Personal Information is transferred:
The Subjects are employees of the Client (licensor) of the Twosense product and service.
Categories of Personal Information transferred:
All personal information is data required for Client system administrator logs and alerts to identify and remediate security breaches. Information includes the employee’s name, username, device identifier, and IP address as personally identifiable indicators.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Information is kept and used strictly for the purpose of security logging and event notification to be used by Client system administrators and information security team. Access within Twosense is limited to those Twosense employees that are building and maintaining the product or service, or providing support to the Client.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
The information is transmitted on a continuous basis in near real-time for the purpose of creating a near real-time capability of detecting security risks to our Client.
Nature of the Processing:
The data is stored and displayed on an access-controlled administrator interface available to system administrators and information security personnel of the Client, as well as transmitted in notifications, alerts, and event streams to the Client’s infrastructure, e.g. via a SIEM integration, or when notifying the Client’s SOC that unauthorized access has just been detected on a particular account and endpoint.
Purpose(s) of the data transfer and further Processing:
The purpose of the transfer is to create a continuous security perimeter for the Client’s employee endpoints and infrastructure.
The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period:
The retention period is by default 1 year to comply with security log retention standards, or as required by law or the contract with the Client.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing:
Subprocessors are not used with the exception of AWS which hosts the cloud infrastructure of the product and service.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
For transfers of Personal Information from the EEA, the supervisory authority of the EU Member State in which the data subjects whose personal data is transferred pursuant to the Agreement are located shall act as competent supervisory authority.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- All security controls are assessed and audited at least annually using a 3rd party certified CPA as part of our SOC2 Type II certification process.
- Data is protected through technical controls that ensure secure storage and transmission, preventing unauthorized access or disclosure.
- System vulnerabilities are mitigated through regular patching, continuous monitoring, and vulnerability assessments to identify and address potential risks promptly.
- Technical and organizational measures are implemented to maintain confidentiality, integrity, availability, and resilience of systems and services, ensuring continuous and reliable operation.
- Disaster recovery and backup procedures are in place to restore availability and access to data promptly in the event of a physical or technical incident.
- Regular audits, assessments, and tests are conducted to evaluate the effectiveness of security measures, ensuring ongoing protection and improvement of data processing systems.
- Encryption and secure protocols are used to protect data during transmission, and strong access controls along with encryption ensure data is securely stored.
- Comprehensive logging mechanisms are implemented to capture, store, and review events, ensuring traceability and monitoring of system activities.
- Strong identity verification and multi-factor authentication mechanisms are enforced to ensure only authorized individuals can access systems and data.
- Structured governance frameworks and management practices are established to oversee IT and security operations, ensuring alignment with security policies and risk management strategies.
- Processes and products undergo regular audits and assessments to ensure compliance with established standards and certifications, verifying their effectiveness and security (SOC2 Type II certified).
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
Amazon AWS is subject to rigorous safety and physical/cyber security controls.