Data Processing Addendum
This Data Processing Addendum (“Addendum”) amends the terms and forms part of the Master V3locity® Service Subscription Agreement (“Agreement”) by and between the customer set forth on the Agreement (“Customer,” “You,” or “Your”) and Vitech Systems Sub LLC, a New York limited liability company, (“Vitech”) from which You are purchasing or have purchased a subscription to the Subscription Services.
This Addendum will be effective as of the Effective Date of the Agreement. This Addendum shall apply to Personal Data Processed by Vitech on Your behalf in the course of providing the Subscription Services to You (“Customer Personal Data”).
The scope and duration, as well as the extent and nature of the Processing of Customer Personal Data under this Addendum, shall be as follows: (i) Customer Personal Data is processed for the purposes of providing the Subscription Services in accordance with the Agreement, and (ii) the term of this Addendum corresponds to the duration of the Agreement.
Data Processing Terms
The parties agree:
1.1 The terms below shall have the following meanings:
• “Affiliate” means, with respect to any legally recognizable entity, any other entity Controlling, Controlled by, or under common Control with such entity. “Control” means direct or indirect (i) ownership of more than fifty percent (50%) of the outstanding shares representing the right to vote for members of the board of directors or other managing officers of such entity, or (ii) for an entity that does not have outstanding shares, more than fifty percent (50%) of the ownership interest representing the right to make decisions for such entity. An entity will be deemed an Affiliate only so long as Control exists;
• “Subscription Service(s)” means the specific Applications for Vitech’s cloud-based proprietary administrative or investment platform, including the V3locity Service, as those terms are defined in the Agreement and provided to You under the Agreement;
• “Controller” means the entity which determines the purposes and means of the processing of Personal Data, including as applicable any “business” as defined under the CCPA;
• “Data Subject” means identified or identifiable natural person(s);
• “Data Protection Laws” means data privacy and data security laws applicable to the Processing of Personal Data, specifically including: (i) United States state and federal data breach and data privacy laws, including the California Consumer Privacy Act of 2018 (“CCPA”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act (“HITECH”); (ii) Canadian provincial and federal data breach and data privacy laws, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or its successor; and (iii) the European Union General Data Protection Regulations 2016/679 (“GDPR”);
• “Personal Data” means any information relating to a Data Subject which can identify, directly or indirectly, that Data Subject, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity;
• “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• “Processor” means the entity which processes Customer Personal Data on behalf of the Controller, including as applicable any “service provider” as defined by the CCPA;
• “Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, as amended, superseded or replaced from time to time in accordance with this Addendum;
• “Subprocessor” means a subprocessor appointed by Vitech to assist with the provision of the Subscription Services to a customer or the performance of Vitech’s obligations under the Agreement; and
• “Supervisory Authority” shall mean the data protection authority in the applicable European state.
2. Scope of Data Protection Law. The parties acknowledge that Data Protection Laws will only apply to Personal Data to the extent that such Personal Data is covered under definitions contained within those applicable Data Protection Laws.
3. Processing of Personal Data
3.1 In processing your Customer Personal Data, we will comply with Data Protection Laws.
3.2 The subject-matter of the data Processing is providing the Subscription Services and the Processing will be carried out until we cease to provide Subscription Services to You.
3.3 Vitech agrees that it shall, acting as a Processor in the provision of the Subscription Services:
• Process the Customer Personal Data only in accordance with documented instructions from Customer (as set forth in this Addendum or the Agreement or as directed by Customer through the Subscription Services). If applicable law requires Vitech to Process the Customer Personal Data for any other purpose, Vitech shall inform Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest;
• not Process Customer Personal Data for Vitech’s own purposes or for the benefit of anyone other than Customer;
• notify You promptly if, in Vitech’s opinion, an instruction for the Processing of Customer Personal Data given by You infringes applicable Data Protection Law;
• make available to Customer all information, reasonably requested by Customer in writing, for the purpose of demonstrating that Your obligations relating to the appointment of Processors have been met, including those reasonably required for Customer to comply with its regulatory reporting requirements under Data Protection Laws;
• only permit employees, agents, or any other person or entity acting on its behalf to access Customer Personal Data if that access is in compliance with the Agreement, conducted by individuals who have a need-to-know and who have been appropriately trained and are bound by commercially reasonable and legally enforceable confidentiality, data privacy, and data security obligations that are no less protective of Customer’s interests than those set forth in this Addendum;
• Customer hereby authorizes and consents to the engagement of each of Vitech’s Subprocessors, listed on Exhibit 1. Other than as set forth in the Agreement regarding a change in Public Cloud provider, prior to engaging a Subprocessor not listed (or otherwise incorporated) on Exhibit 1, Vitech shall provide notice to Customer of its intent to engage a new Subprocessor and Customer will have ten (10) days from Vitech’s notification to provide written notice of its objection, which must be detailed and reasonable in basis, to the engagement of the new Subprocessor (“Objection Period”). If Vitech and Customer are unable to reach agreement on the Subprocessor and after using good faith efforts Vitech is unable to reasonably redress Customer’s concerns, including by providing an alternative Subprocessor, Customer shall be entitled to terminate the Agreement without cause. If Customer does not provide notice of its objection within the Objection Period, it shall be deemed consent, and such Subprocessor shall be incorporated into Exhibit 1 to this DPA;
• Vitech shall (i) be responsible for the performance of each Subprocessor, (ii) will ensure that any transfers of Customer Personal Data to Subprocessors will be subject to contractual requirements to safeguard Customer Personal Data equivalent to those set out in this Addendum, and (iii) Vitech shall remain liable to Customer for any breaches of Vitech’s obligations under this Agreement caused by Subprocessors;
• reasonably assist You in amending, correcting, deleting, adding to, ceasing use of, or restricting use of Customer Personal Data, by providing You with the ability to directly amend, correct, delete, add to, cease using or restrict the use of Customer Personal Data relating to such Data Subjects through the Subscription Services. In the event that Vitech receives a direct request from a Data Subject looking to exercise their rights under Data Protection Laws, unless prohibited by law, Vitech shall refer such Data Subjects to You;
• upon Your written request or following the expiration or earlier termination of the Agreement, securely delete Customer Personal Data in Vitech’s or Vitech’s Subprocessor’s possession in compliance with applicable Data Protection Laws and our internal procedures and retention periods, such being available to You upon Your written request. If Vitech retains any Customer Personal Data after expiration or earlier termination of the Agreement, Vitech shall retain Customer Personal Data only until Vitech no longer needs to retain it in order to provide the Subscription Services to You, unless otherwise required by applicable Data Protection Law to retain Customer Personal Data for a longer duration. In the event applicable Data Protection Law does not permit Vitech to comply with the destruction of the Customer Personal Data, Vitech shall continue to protect the confidentiality of the Customer Personal Data in accordance with this Addendum and it shall not use, disclose or otherwise Process the Customer Personal Data except in accordance with applicable Data Protection Laws and its data retention policies. Upon Your written request, Vitech will certify to You, in writing, that Vitech has complied with its obligations under this Section 3.3.9;
• allow Customer to access and review Vitech’s annual SOC 2 Type 2 (or subsequent successor) audit of Vitech’s security policies and procedures (“Audit Report”). Unless otherwise required by a Supervisory Authority, regulatory agency, or mutually agreed by the Parties in writing, any audit of Vitech shall be limited to the provision of the Audit Report.
4. California Consumer Privacy Act. Vitech shall comply with the CCPA and treat all Personal Data subject to the CCPA in accordance with the provisions of the CCPA. In addition to Vitech’s confidentiality obligations in the Agreement, where Vitech is acting as a “service provider” for purposes of the CCPA, Vitech shall not sell, retain, use or disclose Personal Data for any purpose other than for the purpose of performing its obligations set out in the Agreement. For purposes of this Section 4, the term “sell” shall have the meanings given in the CCPA.
5.1 Vitech shall implement and maintain appropriate technical and organizational measures to protect the Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall (i) comply with Data Protection Laws, (ii) include safeguards reasonably designed to identify, assess, and protect against foreseeable anticipated or actual threats to the security of Customer Personal Data, and (iii) be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage or theft of Customer Personal Data and appropriate to the nature of the Customer Personal Data which is to be protected. Vitech may update the technical and organizational measures, provided however, that such modifications shall not diminish the overall level of security.
5.2 Vitech shall (i) include training and security awareness programs for Vitech’s personnel who have access to Customer Personal Data, (ii) monitor its personnel’s compliance with its internal policies and procedures regarding the protection of the confidentiality and security of the Personal Data, (iii) prior to Vitech’s personnel receiving access to Customer Personal Data, screen such personnel to confirm suitability of the performance of their duties in connection with the Agreement, (iv) impose disciplinary measures for violations of internal policies and procedures, (v) prevent terminated personnel from accessing records containing Customer Personal Data; and (vi) impose reasonable restrictions on access to records containing Customer Personal Data, making it only accessible to personnel on a need-to-know basis.
5.3 If Vitech becomes aware of and confirms any accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to Customer Personal Data that Vitech Processes in the course of providing the Subscription Services (“Security Incident”), Vitech will notify Customer without undue delay, but in any event within 48 hours of confirmation of the Security Incident.
6. GDPR Data Transfers.
6.1 Transfer Mechanism. When Vitech Processes Customer Personal Data that is subject to the GDPR in a country that does not ensure an adequate level of protection (within the meaning of the GDPR), Vitech shall Process Customer Personal Data in accordance with the Standard Contractual Clauses (which shall be incorporated by reference into and form a part of this Addendum), or a similar, successor data export mechanism that complies with the GDPR (or its successor).
6.2 Clarifications to Standard Contractual Clauses. The parties agree that in the event the Standard Contractual Clauses apply, then (i) the audits described in Clauses 5(f) and 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 3.3.10 above; (ii) the copies of the Subprocessor agreements that must be sent by the Data Importer to the Data Exporter pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by the Data Importer beforehand; and, that such copies will be provided by Data Importer only upon reasonable written request by Data Exporter; and (iii) the names and addresses of Customer and Vitech shall be considered to be incorporated into the Standard Contractual Clauses.
6.3 Data Impact Assessments. To the extent the GDPR applies, Vitech agrees that it shall, acting as a Processor in the provision of the Subscription Services, reasonably assist You in the performance of any data protection impact assessments to the extent required by applicable Data Protection Law.
7. Ownership; Confidentiality. As between Vitech and You, all Customer Personal Data is and shall remain Your sole and exclusive property pursuant to the terms of the Agreement to which this Addendum is attached.
8.1 In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. This Addendum is subject to the governing law and venue terms in the Agreement, except as otherwise provided in Standard Contractual Clauses, to the extent applicable.
8.2 Notwithstanding the foregoing, to the extent allowed by applicable law, all liability arising under this Addendum will be governed by the Agreement.
Vitech List of Subprocessors
• Amazon Web Services, Inc. (US), Amazon Web Services, Inc. (Canada) [customer dependent]. Country of Location: United States or Canada [customer dependent]. Cloud Service Provider.
• Vitech Systems Asia Private Limited. Customer Support Services.