
Match Onboarding Processor Agreement

This Match Onboarding Processor Agreement for Match Onboarding Services (“Agreement”) is entered into effective as of the date of execution of the applicable statement of work, order form or similar document (“Effective Date”), by and between Acxiom LLC, with its principal place of business at 301 East Dave Ward Drive, Conway, Arkansas 72032-7114 USA (“Acxiom”), and the data provider listed on the applicable statement of work, order form or similar document (“Provider”). The parties hereby agree as follows:

1. General.  In connection with processing services to be provided by Acxiom (“Services”), as further set forth in the “Services Attachment,” attached hereto and incorporated herein, Provider may provide to Acxiom one or more lists or files of Provider customer or prospective customer data, including name, address, transactional, or other associated data (collectively, “Provider Data”). This Agreement is separate from any other agreement between Provider and an Acxiom affiliate and solely applies to Acxiom’s Services provided hereunder.

2. Confidentiality / Processing Restrictions. The Provider Data is the sole and exclusive property of Provider. Acxiom shall have no rights in or to the Provider Data that are not expressly granted herein.  Provider grants to Acxiom all necessary rights and licenses for Acxiom to process the Provider Data and convey all necessary rights and licenses to Partner in order for Partner to provide services to Provider in connection with Partner products and services, including for Partner to combine the Provider Data with Partner data. Acxiom may use the Provider Data for the sole purpose of performing the Services for Partner. Acxiom shall do nothing inconsistent with Provider’s copyright or other proprietary rights in the Provider Data.  Acxiom will use commercially reasonable efforts to prevent the unauthorized access to or disclosure of the Provider Data. Except as authorized by Provider in writing or as required to complete the Services, Acxiom will not: (a) disclose the Provider Data to any third party, other than Partner; (b) overlay or merge Provider Data with any data other than in connection with the Services or such other purposes as agreed to between Provider and Partner that have been made known to Acxiom in writing; (c) conduct any analyses of the Provider Data; or (d) use any information it obtains as a result of its handling, processing, or possession of the Provider Data to create, test, promote, market, sell, or license any Acxiom product or service. Acxiom’s obligations to maintain the confidentiality of Provider Data and only use it as set forth herein shall survive any termination of this Agreement. 
In providing the Partner Services, Provider Data may be processed or stored, in whole or in part, in an environment provided from any location by an established third-party cloud service provider (e.g., Amazon Web Services (AWS); Google Cloud; Microsoft Azure) that resides in a segmented, secured instance managed by Acxiom, its affiliates, or its or their subcontractors. Minimum cloud service provider (“CSP”) information security, certification, and independent audit standards will include ISO/IEC 27001 and AICPA SSAE 18 SOC 2 Type II / SOC 3 (collectively, “CSP Standards”). A description and evidence of the CSP Standards will be available at the CSP’s public-facing website. Any terms in this Agreement inconsistent with applicable CSP standards or requiring further documentation of the CSP Standards will not apply to the CSP. Acxiom shall discontinue use of the Provider Data upon the termination or expiration of this Agreement, and upon written request of Provider, Acxiom shall return or, at Provider’s election, destroy all copies of the Provider Data.

3. Prohibited Data and Encryption. Provider shall not provide to Acxiom any of the following information (“Prohibited Data”): (a) a government-issued identification number (e.g., Social Security Number, driver’s license number, state identification number, or passport number); (b) a financial or customer account number, including financial institution or bank account number or a credit or debit card number; (c) information regarding an individual’s health or medical condition, including Protected Health Information, as defined in 45 CFR 160.103; (d) unique biometric data or digital representation of biometric data; (e) an individual’s full date of birth; (f) maiden name of the individual’s mother; (g) an individual’s digitized or other electronic signature; or (h) a user name, email address, or other unique electronic identifier or routing code that is sent in combination with a personal identification code, password, or security question and answer that would permit access to an online account. If Provider should transfer Prohibited Data to Acxiom in violation of this Section and Provider becomes aware of such transfer, Provider shall promptly notify Acxiom and inform Acxiom of the date, time, and other pertinent information related to the transfer so Acxiom may take the steps necessary to remove the Prohibited Data from its systems. Provider must encrypt any personally identifiable information (PII), using industry standard encryption measures, before transferring such information to Acxiom over a public network or on physical media.

4. US DATA PROTECTION LAW. As the Services described in the Services Attachment will involve Acxiom processing Provider Data that is subject to the data protection laws or regulations of the United States or any state or local jurisdictions thereof, then in addition to the terms of this Agreement, the US Data Protection Exhibit attached hereto will apply.

5. EU / UK GDPR. As the Services described in the Services Attachment will involve Acxiom processing Provider Data that is subject to the data protection laws and regulations of the European Union (EU) or the United Kingdom (UK), in addition to the terms and conditions contained herein, such processing will be subject to the GDPR Data Protection Exhibit attached hereto.

6. Warranty.  Provider represents and warrants that Provider has all necessary rights to provide the Provider Data and that Provider’s acquisition and provision of the Provider Data, and Acxiom and Partner’s uses of the Provider Data contemplated hereunder, do not and will not infringe upon any rights (including any intellectual property rights) of any third party and do not and will not violate any applicable laws, rules, regulations, or Provider’s own published privacy policies or notice and disclosure statements under which the Provider Data was collected. Except for this limited warranty, the Provider Data is provided “AS IS” and without warranty of any kind, express or implied.

7. Term.  The term of this Agreement shall begin on the Agreement Effective Date and continue for a period of six (6) months, unless earlier terminated for cause as set forth herein, and shall automatically renew for subsequent terms of six (6) months each, unless either party provides written notice of non-renewal at least thirty (30) days prior to the expiration of the then-current Term. The initial term and any renewal terms shall be referred to collectively as the “Term”. Either party may immediately terminate this Agreement upon written notice if the other party is in default of this Agreement and fails to cure such default within thirty (30) days of written notice from the other party specifying the nature of such default and requiring its remedy. Either party may terminate this Agreement for convenience and without cause upon thirty (30) days prior notice to the other party.

8. Remedies for Misuse.  Each party may seek injunctive or other equitable relief against the breach or threatened breach of this Agreement in addition to any other legal remedies that may be available.

9. Limitation of Liability.  Notwithstanding anything to the contrary in this Agreement, Acxiom, as a processor of Provider Data on behalf of Partner, shall not be liable to Provider for any damages which Provider may incur as a result of any misuse or unauthorized use of Provider Data by Partner. NEITHER PARTY shall be liable for any special, indirect, incidental, or consequential damages, including, but not limited to, lost income or lost revenue, whether based in contract, tort, or any other theory. Except for Provider’s direct damages caused by Acxiom’s gross negligence or intentional misconduct, ACXIOM’s aggregate liability to Provider shall not exceed $250,000.00.

10. Indemnities.  Provider will defend, indemnify and hold harmless Acxiom and Partner, and their directors, officers, employees, or agents against any third-party claim, action, or liability (including damages, costs, expenses, and reasonable attorneys’ fees) that may arise against Acxiom or Partner as the result of Acxiom or Partner’s use of the Provider Data or any other materials provided by Provider under this Agreement. Notwithstanding the foregoing, this indemnification provision will not apply to the extent that a third-party claim, action, or liability, or any portion thereof, arises from Acxiom or Partner’s own acts or omissions.

11. Insurance. During the Term, Acxiom will maintain in force the following insurance coverage for claims arising out of Services performed under this Agreement:

11.1 Worker’s Compensation Insurance, including coverage for occupational injury, illness and disease, and other social insurance in accordance with the laws of the country, state, or territory exercising jurisdiction over the employee.

11.2 Employer’s Liability Insurance, in accordance with the laws of the country, state, or territory exercising jurisdiction over the employee, with limits of: $1,000,000 per accident, $1,000,000 per employee – disease, and $1,000,000 per employee – policy limit.

11.3 Commercial General Liability Insurance, including Products and Completed Operations, Personal Injury, and Bodily Injury and Property Damage liability coverages, on an occurrence basis, with a limit per occurrence of $1,000,000 and aggregate limit of $2,000,000.

11.4 If Acxiom’s creation and delivery of any of the Services involves the use of automobiles, Business Automobile Liability Insurance covering use of all owned, non-owned, and hired automobiles for bodily injury, property damage, with a combined single limit per accident of $1,000,000 or the minimum limit required by law, whichever is greater.

11.5 If Acxiom’s creation and delivery of any of the Services involves handling any Provider assets, including cash or securities, Commercial Crime Insurance, including blanket coverage for Employee Dishonesty and Computer Fraud, for loss or damage arising out of or in connection with any fraudulent or dishonest acts committed by the employees of Acxiom, acting alone or in collusion with others, including the property and funds of others in their possession, care, custody, or control, with an annual aggregate limit of $1,000,000.

11.6 Network Security and Privacy Liability (Cyber) and Technology Errors and Omissions Insurance, with limits of $1,000,000 per claim and aggregate if the Services create exposures generally covered by such a policy.

11.7 The policies governing the coverage specified in Sections 11.3 and 11.4 will name Provider as an additional insured and will provide that such insurance is primary coverage with respect to all insureds and additional insureds. Insurance policies required by this Section will be maintained with insurers that have an A.M. Best Rating of “A-” or better, or, if such ratings are no longer available, with a comparable rating from a recognized insurance rating agency.

12. Miscellaneous. The Agreement shall be governed and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles. Neither party shall be liable for any losses arising out of the delay or interruption of its performance of obligations under the Agreement due to any act of God, act of governmental authority, act of public enemy, terrorism, war (whether or not declared), riot, flood, civil commotion, insurrection, severe weather conditions, or any other cause beyond the reasonable control of the party delayed. Failure or delay by either party in exercising any right hereunder shall not operate as a waiver of such right.  Any provision of this Agreement that contemplates performance or observance subsequent to any termination of this Agreement, including all provisions with respect to fees due and payable, proprietary information, confidentiality, and limitation of liability, shall survive any termination of this Agreement and continue in full force and effect. Except for communications made in the normal course of performance, any notice or other communication required hereunder will be made in writing and sent to the other party.


Services Attachment
Match Onboarding Services

1. SCOPE OF SERVICES.  The following describes the scope of the data matching services (“Match Onboarding”) being performed by Acxiom in order to facilitate the delivery of Provider Data (as defined in the Agreement) to Acxiom for use in accordance with the Agreement. In connection with the Services, Provider permits Acxiom to transfer the Output File and all matching records to its affiliates, Initiative and/or Kinesso (“Partner(s)”).

1.1 Source File Requirements: As mutually agreed by the parties, Provider will send to Acxiom certain data file(s) (each a “Source File”) that may include the following elements assigned to each record where applicable: 

Provider ID
Customer Name
Customer First Name
Customer Middle Name
Customer Last Name
Address
City
Province
Zip Code Plus 4
Customer Phone
Email

The Source Files will: (i) be in text delimited format and the layout agreed upon by the parties; (ii) be delivered to Acxiom via Secure File Transfer Protocol (SFTP) using the location, username, and password provided to Provider by Acxiom; and (iii) consist of consumer data from the following: (A) United States; (B) additional available markets as mutually agreed by the parties.

Acxiom will review each Source File for readability, usability, and quality assurance, notifying Provider if such review process reveals errors in a Source File, at which time Provider will resolve such errors and re-send the corrected Source File to Acxiom.

1.2 Match Onboarding. Acxiom will perform a match between the Source File and Acxiom’s proprietary Real ID graph, or addressable universe as applicable, to append Acxiom’s persistent identifiers to matching records (“Real ID(s)”). For all matching Source File records, Acxiom will append a Real ID that is specifically encoded for use by Partner. The Real ID will be used solely to assist in the delivery of the Services and shall not be sent to Provider.  

1.3 Outputs. Acxiom will send to Partner an output file of the processed Source File records per each Source File received (each an “Output File”) containing the following fields only: (i) Provider ID where applicable; (ii) Real ID; and (iii) any Provider supplied, non-PII segmentation fields. Acxiom will send no files or reports to Provider pursuant to this Agreement. Partner services supplied to Provider, including use of Provider Data in the Output File, shall be performed pursuant to a separate agreement between Partner and Provider.

1.4 Destruction. All Source Files and Output Files will be purged from their respective Acxiom landing zones after seven (7) days.  All data files, and copies thereof, housed internally at Acxiom and containing Provider Data, shall be purged from Acxiom’s systems no later than twenty (20) days from receipt/creation. Upon Provider request, Acxiom will provide written certification of destruction.  

US DATA PROTECTION EXHIBIT

This US Data Protection Exhibit, which is incorporated into and forms part of the Agreement to which it is attached, is intended to ensure that the collection, processing, and use of Provider Data conducted by Acxiom on behalf of, and as instructed by, Provider, in compliance with this Agreement, complies with Data Protection Law (defined below). All terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement or under applicable law.

1. Definitions. The following defined terms apply to this US Data Protection Exhibit. All other capitalized terms not defined elsewhere in the Agreement are defined in the same way as in Data Protection Law.

1.1 “Data Protection Law” means all applicable privacy, data security, and data protection laws, rules, or regulations of the United States or any state or local jurisdictions thereof, and any legislation replacing or updating any of the foregoing.

1.2 “Personal Information” shall have the meaning ascribed to it under Data Protection Law as it relates to Provider Data. The term includes similar terms, such as “Personal Data” and “Personally Identifiable Information” or “PII”, as used in the Agreement or defined under Data Protection Law.

1.3 “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individual’s Personal Information to another person for monetary or other valuable consideration (or as otherwise defined in Data Protection Law).

2. Description of the Processing. Acxiom is authorized to process Personal Information provided by or on behalf of Provider under the Agreement for the duration of the Agreement as necessary to provide the Services or as otherwise authorized by Provider in writing, subject to the requirements of the Agreement. The nature and purpose of the processing is to support the match onboarding services in order to transfer Provider Data to Partner as set forth in the Agreement. The types of Personal Information that will be subject to processing are as described in the Agreement. The categories of relevant data subjects will be individual Provider customers or prospective customers.

3. Obligations. Acxiom will, and will take measures to ensure that any person acting under Acxiom’s authority will:

3.1 Handle Personal Information in compliance with all Data Protection Law;

3.2 Retain, use, disclose, transfer, or otherwise process the Personal Information only: (i) as needed to provide the Services; and (ii) in accordance with Provider’s and/or Partner’s instructions, as limited by the Agreement and this US Data Protection Exhibit;

3.3 Keep Personal Information logically segregated in Acxiom’s or any of its external parties’ environments;

3.4 Require through a separate agreement that any persons accessing or processing the Personal Information through Acxiom hold the information confidential, other than any Provider third-party contractors or other Provider-engaged entities to whom Provider has directed Acxiom to disclose or grant access to Personal Information, which shall be Provider’s responsibility;

3.5 Within a reasonable period of time following a written request from Provider (email sufficient), but within a timeframe sufficient for Provider to fulfill its obligations under Data Protection Law, assist Provider with honoring consumer requests that are provided by Provider (Acxiom may require Provider to send a new file in lieu of Acxiom making individual changes to elements in the existing file); and

3.6 Implement and maintain for the duration of the Agreement an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

4. Restrictions. Acxiom will not, and will take reasonable measures to ensure that any person acting under Acxiom’s authority will not:

4.1 Unless otherwise required to perform the Services, combine Personal Information with other information other than Partner data (and in any event will keep Provider Data logically segregated); or

4.2 Unless otherwise expressly authorized by Provider, respond to any requests or complaints with respect to use of Personal Information provided to Acxiom by or on behalf of Provider, including any requests to exercise privacy rights under Data Protection Law, other than to direct the individual to contact Provider.

5. Prohibition on Selling. Except as expressly authorized by Provider in writing, Acxiom will not Sell, use, disclose, or retain Personal Information for: (i) any purposes outside of providing the Services; (ii) its own commercial purposes; or (iii) any purpose outside of the direct business relationship between Acxiom, Partner, and Provider.

6. Subprocessors. Provider authorizes Acxiom to disclose or transfer Personal Information to, or allow access to Personal Information by, Subprocessors (including, without limitation, Acxiom’s affiliates) solely for purposes of providing the Services. All such subprocessors shall be listed at /legal/subprocessors/. Acxiom confirms that it has entered or (as the case may be) will enter into a written agreement(s) with such Subprocessors as required by this US Data Protection Exhibit.

7. Independent Assessments. For the purpose of providing Provider evidence of its implementation of technical and organizational measures required by applicable law, Acxiom may present up-to-date attestations, reports, or extracts thereof from independent bodies (e.g., external auditors, internal audit, the data protection officer, the IT security department, or quality auditors) or suitable certification by way of an IT security or data protection audit.

8. Interpretation. Any ambiguity in the provisions of this US Data Protection Exhibit shall be resolved to permit the parties to comply with Data Protection Law. To the extent there is any conflict between this US Data Protection Exhibit and the rest of the Agreement, the terms of this exhibit will control and resolve the conflict with respect to the subject-matter hereof.

9. Entire Agreement. The Agreement and this US Data Protection Exhibit supersede and replace any and all previous Data Protection Agreements, Data Protection Addenda, Data Privacy Agreements, Data Processing Agreements, or contractual clauses relating to the subject-matter hereto.

GDPR EXHIBIT

European Union and United Kingdom Data Protection Law
Controller to Processor Only
(Acxiom as Processor; Provider as Controller)

This GDPR Exhibit, which is incorporated into and forms part of the Agreement to which it is attached, is intended to ensure that the collection, processing and use of Personal Data conducted by Acxiom, as Processor, on behalf of and as instructed by Provider, as Controller, complies with EU Data Protection Law and UK Data Protection Law, as applicable. All terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement or under applicable law.

1. DEFINITIONS. The following defined terms apply to this GDPR Exhibit. All other capitalized terms not defined elsewhere in the Agreement are defined in the same way as in EU Data Protection Law or UK Data Protection Law, as applicable.

1.1 “Data Transfer” means: (a) a transfer of Personal Data from a Controller to a Processor; or (b) an onward transfer of Personal Data from a Processor to a Sub-Processor. In the context of UK Data Protection Law and UK Personal Data, the term “Data Transfer” includes a Restricted Transfer, as defined in the UK SCCs Addendum.

1.2 “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (GDPR); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national or European data protection laws made under, pursuant to, replacing or succeeding (i) or (ii); and (iv) any legislation replacing or updating any of the foregoing.

1.3 “EU Personal Data” means Personal Data as defined in and subject to EU Data Protection Law.

1.4 “EU Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses approved by the European Commission from time to time for the transfer of EU Personal Data to Data Importers established in third countries, the current version of which (as of the Effective Date of the Agreement) is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en, and, upon execution of the Agreement, is hereby incorporated therein. The EU SCCs also include the Annexes thereto, which are attached to this GDPR Exhibit.

1.5 “UK Data Protection Law” means (i) the UK GDPR; (ii) the Data Protection Act 2018 (“DPA 2018”); (iii) any UK data protection laws made under, pursuant to, replacing or succeeding (i) or (ii); and (iv) any legislation replacing or updating any of the foregoing.

1.6 “UK Personal Data” means Personal Data as defined in and subject to UK Data Protection Law.

1.7 “UK SCCs Addendum” means the International Data Transfer Addendum to the EU SCCs approved by the United Kingdom Information Commissioner from time to time for the transfer of UK Personal Data to Data Importers established in third countries, the current versions of which (as of the Effective Date of the Agreement) are available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf, and, upon execution of the Agreement, are hereby incorporated therein. The UK SCCs Addendum also includes the applicable Annexes to the EU SCCs, which are attached to this GDPR Exhibit.

1.8 “Controller”, “Processor”, “Data Exporter”, “Data Importer”, “Data Subject”, “Commissioner”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach”, “Restricted Transfer”, “Special Categories of Personal Data”, and “Sub-Processor” are defined in the same way as in EU Data Protection Law or the UK Data Protection Law, as applicable.

2. INTERNATIONAL DATA TRANSFERS.

2.1 EU Personal Data. Where EU Data Protection Law applies, neither party shall transfer or permit any EU Personal Data shared by the other party to be transferred to a territory outside of the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the EU Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for EU Personal Data or the use of the EU SCCs. The adequacy measures that the parties have taken as of the Effective Date of the Agreement are completion and execution of the EU SCCs, as described and incorporated herein.

2.2 UK Personal Data. Where UK Data Protection Law applies, neither party shall transfer or permit any UK Personal Data shared by the other party to be transferred to a territory outside of the UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with UK Data Protection Law. Such measures may include (without limitation) transferring the UK Personal Data to a recipient in a country that provides adequate protection for UK Personal Data in accordance with the UK adequacy regulations issued under Section 17A DPA 2018 or Paragraphs 4 and 5 of Schedule 21 of the DPA 2018, or the use of the UK SCCs Addendum, in conjunction with the EU SCCs. The adequacy measures that the parties have taken as of the Effective Date of the Agreement are completion and execution of the UK SCCs Addendum, in conjunction with the EU SCCs, as described and incorporated herein.

3. ROLES OF THE PARTIES. If any Services will involve Acxiom processing Provider Data that is subject to EU Data Protection Law or UK Data Protection Law, Provider will act as Data Exporter and Controller and Acxiom will act as Data Importer and Processor with respect to such Provider Data.

4. STANDARD CONTRACTUAL CLAUSES.

4.1 Controller to Processor Terms (Module Two). For Provider Data that constitutes EU Personal Data provided to Acxiom for processing, the EU SCCs will apply. For Provider Data that constitutes UK Personal Data provided to Acxiom for processing, the EU SCCs will apply, as supplemented and modified by the UK SCCs Addendum. In either case, in addition to the general clauses not indicated in the EU SCCs as Module One, Module Two, Module Three, or Module Four, all Module Two clauses (for Controller to Processor) will apply, and Modules One, Three, and Four clauses will not apply.

4.2 Optional Terms Elections. The following optional terms under the EU SCCs are elected with respect to Data Transfers involving EU Personal Data or UK Personal Data:

(a) Clause 7 (Docking clause) is retained;

(b) For the purpose of Clause 9(a) of the EU SCCs, subcontracting will be in accordance with Option 2;

(c) The optional language in Clause 11 (Redress) is removed;

(d) Where the transfer relates to EU Personal Data or UK Personal Data, the parties agree that: (i) for the purpose of Clause 17 of the EU SCCs, the EU SCCs will be governed by the laws of the Republic of Ireland for EU Personal Data, and the UK SCCs Addendum, in conjunction with the EU SCCs, will be governed by the laws of England and Wales; and (ii) for the purpose of Clause 18 of the EU SCCs, any dispute arising from the EU SCCs will be resolved by the courts of the Republic of Ireland for EU Personal Data, and any dispute arising from the UK SCCs Addendum, in conjunction with the EU SCCs, will be resolved by the courts of England and Wales;

(e) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK, in which case the parties agree to submit themselves to the jurisdiction of such courts;

(f) The parties may agree to change Clauses 17 and/or 18 of the EU SCCs, when used in conjunction with the UK SCCs Addendum, to refer to the laws and/or courts of Scotland or Northern Ireland; and

(g) For any Data Transfer of UK Personal Data or any onward transfer of such UK Personal Data to a Data Importer located in a country outside the United Kingdom for which there is no adequacy decision: (i) the EU SCCs, together with the UK SCCs Addendum, including Part 2 (Mandatory Clauses), shall apply in full and are hereby incorporated by reference to this GDPR Exhibit; (ii) Table 1 of the UK SCCs Addendum, the names of the parties, their roles, and their details shall be considered populated by Annex I; (iii) Tables 2 and 3 of the UK SCCs Addendum shall be considered populated by the EU SCCs Module Two, as applicable (see Sections 4.1 and 4.2 above), including the information set out in the Annexes I, II, and, as applicable, III; and (iv) for the purpose of Table 4 of the UK SCCs Addendum, any party may end the UK SCCs Addendum for the purposes set out in Section 19 of the UK SCCs Addendum.

5. SUB-PROCESSORS. Provider authorizes Acxiom to disclose or transfer Personal Data to, or allow access to Personal Data by, Sub-Processors (including, without limitation, Acxiom’s Affiliates) solely for purposes of providing the Services or Products. Acxiom confirms that it has entered or (as the case may be) will enter into a written agreement(s) with its Sub-Processors as required by this GDPR Exhibit.

6. ADDITIONAL WARRANTY. Each party warrants, to the best of its knowledge, and undertakes that: (i) neither it, nor any of its Affiliates, is considered an “electronic communications service provider” as defined by Section 702 of the U.S. Foreign Intelligence Surveillance Act; and (ii) in the event of any onward transfer of Personal Data to a contracted Processor or Sub-Processor, it shall ensure appropriate measures are in place to guarantee essential equivalence to the protections afforded by EU Data Protection Law and UK Data Protection Law and, upon request, provide a written copy of such measures to the requesting party.

7. AMENDMENT. The parties agree to take such actions necessary to amend this GDPR Exhibit from time to time to comply with the requirements of EU Data Protection Law and UK Data Protection Law. Any reference in this GDPR Exhibit to any section or provision within the EU Data Protection Law or UK Data Protection Law means such section or provisions currently in effect or as subsequently amended.

8. INTERPRETATION. Any ambiguity in the provisions of this GDPR Exhibit shall be resolved to permit the parties to comply with EU Data Protection Law and/or UK Data Protection Law. To the extent there is any conflict between this GDPR Exhibit and the Agreement, the terms of this exhibit will control and resolve the conflict with respect to the subject-matter hereof. To the extent there is any conflict between this GDPR Exhibit and the terms of the EU SCCs and UK SCCs Addendum (as applicable), the terms of the EU SCCs and UK SCCs Addendum will prevail.

9. ENTIRE AGREEMENT. The parties agree that the execution of the Agreement with this GDPR Exhibit attached will also be considered the execution of the EU SCCs and UK SCCs Addendum incorporated by reference in this GDPR Exhibit. The Agreement, this GDPR Exhibit, and their related documents supersede and replace any and all previous Data Protection Agreements, Data Protection Addenda, Data Privacy Agreements, Data Processing Agreements, or contractual clauses relating to the subject-matter hereto, including any of the foregoing agreements, addenda, or clauses referencing or relying upon EU-US Privacy Shield Framework for Data Transfers between the parties.

ANNEX I TO EU STANDARD CONTRACTUAL CLAUSES

CONTROLLER (Provider) – PROCESSOR (Acxiom) – MODULE TWO

A. LIST OF PARTIES

Data exporter(s):

Name: As listed in the applicable statement of work, order form or similar document
Address: As listed in the applicable statement of work, order form or similar document
Contact person’s name, position and contact details: As listed in the applicable statement of work, order form or similar document

Activities relevant to the data transferred under these Clauses: Processor may access Controller’s data in connection with the Services provided by Processor as described in the Services Attachment to the Agreement.

Role (Controller/Processor): Controller

Data importer(s): [Identity and contact details of the Data Importer(s), including any contact person with responsibility for data protection]

Name: Acxiom LLC, on behalf of itself and its affiliates, Acxiom Ltd, Acxiom Deutschland GmbH, and Acxiom Global Service Center Polska Sp.z.o.o.

Address: 301 East Dave Ward Drive, Conway, Arkansas 72032-7114 USA

Contact person’s name, position and contact details:

Consumer Advocate
Acxiom LLC
P.O. Box 2000
Conway, AR USA 72033-9928 

Telephone: 001-501-342-2722

Email: privacyshieldoptout@acxiom.com

Data Protection Point of Contact: Mr. J. Abbott

Activities relevant to the data transferred under these Clauses: Processor may access Controller’s data in connection with the Services provided by Processor as described in the Services Attachment to the Agreement.

Role (Controller/Processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred

● The categories of data subjects are individuals, and/or business contacts in the commercial database of Controller, customers, and prospective customers of Controller, and/or Controller employees and processors.

Categories of Personal Data transferred

● The categories of Personal Data are customer number (or any other unique internal reference ID), name (first and last name), address or other contact details, client contact username, ID, or job role (where applicable), other identification or employment data, and marketing and/or customer relationship management (CRM) data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

● Not applicable.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

● Periodic transfer as required by the Services performed in the Services Attachment to the Agreement.

Nature of the processing

● The Services to be provided by Processor are as described in the Services Attachment to the Agreement.

Purpose(s) of the data transfer and further processing

● In the performance of the Services by Processor as described in the Services Attachment to the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

● During the Term of the Agreement, unless otherwise provided therein.

For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing

● As provided in the Services Attachment to the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: Republic of Ireland

ANNEX II TO EU STANDARD CONTRACTUAL CLAUSES

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

CONTROLLER (Provider) – PROCESSOR (Acxiom) – MODULE TWO

Description of the technical and organisational measures implemented by the Data Importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers from Processor to (sub-) Processors, also describe the specific technical and organisational measures to be taken by the (sub-) Processor to be able to provide assistance to the Controller and, for transfers from a Processor to a Sub-Processor, to the Data Exporter.

The Data Importer shall structure its in-house organisation in such a way that it conforms to the specific requirements of data protection. A Data Importer acting as a Processor shall take appropriate organisational and technical measures – particularly state of the art encryption techniques – and ensure that these are also applied by its Sub-Processors in order to: (i) guarantee the security and confidentiality of Personal Data; and (ii) protect such data against actual or potential attacks from third parties or other security loopholes. This includes, in particular (as may be further supplemented or otherwise provided in the Agreement):

1. PHYSICAL ACCESS CONTROL
Measures are to be taken so that unauthorised individuals do not have access to the data processing systems with which Personal Data is processed.

Measures taken by Data Importer:

▣ Established Policy for Monitoring Access to facility
▣ Established Policy/Process for granting and revoking physical access
▣ Regular review of physical access
▣ All Employees have gone through background check
▣ Permanently locked doors and windows
▣ Security locks
▣ Permanently manned reception (building)
▣ Single access entry control systems
▣ Automated system of access control
▣ ID or chip card readers
▣ Monitoring installations (e.g., alarm device, video surveillance)
▣ Logging of visitors
▣ Compulsory wearing of ID cards
▣ Security personnel
▣ Careful selection of cleaning and maintenance personnel
▣ Security Awareness Training

2. IDENTITY AND ACCESS MANAGEMENT
Measures are to be taken in order to prevent unauthorised individuals using the data processing systems and methods.

Measures taken by Data Importer:

▣ Individuals have unique IDs
▣ Authentication by username and password
▣ Use of Multi-Factor Authentication (MFA)
▣ Minimum requirements for passwords (i.e., at least eight characters, alphanumeric combinations allowing use of special characters, no acceptance of trivial passwords (e.g., 12345), no acceptance of the same character repeated in a row)
▣ Password management (storage of password only as a hash, blocking of account after three failed login attempts, logging of failed login attempts, presentation of the last login (date, time) to the user so the user can check it; compulsory change of password every three months, no acceptance of the same password in a row)
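The password rules in section 2 above, modelled as checkable code so that each bullet corresponds to a concrete check: minimum length, letter/digit mix, rejection of trivial passwords and of a character repeated in a row, hash-only storage, lockout after three failed logins, logging of failures, presentation of the previous login to the user, periodic expiry and no reuse of the current password. This is an added example and not Acxiom’s own implementation; the function and class names, the 90-day reading of “every three months”, the PBKDF2 work factor, the trivial-password list and the sample credentials are assumptions.

```python
"""Password-policy and account-lockout model for the rules listed above.
Added example (not Acxiom code); constants and sample values are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                         # "at least eight characters"
MAX_FAILED_ATTEMPTS = 3                # "blocking of account after three failed login attempts"
PASSWORD_MAX_AGE = timedelta(days=90)  # "every three months", assumed as 90 days
PBKDF2_ROUNDS = 100_000                # assumed work factor; raise in production
# Constructed denylist; a real deployment would use a far larger breached-password list.
TRIVIAL_PASSWORDS = {"12345", "123456", "12345678", "password", "qwerty"}


def check_password_policy(pw: str) -> List[str]:
    """Return the rules a candidate password violates (empty list = acceptable)."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("shorter than eight characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        violations.append("must combine letters and digits")
    if pw.lower() in TRIVIAL_PASSWORDS:
        violations.append("trivial password")
    if any(a == b for a, b in zip(pw, pw[1:])):      # e.g. "aa" or "11"
        violations.append("same character repeated in a row")
    return violations


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)  # constant-time compare


class Account:
    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked = False
        self.last_login: Optional[datetime] = None
        self.failed_login_log: List[Tuple[datetime, str]] = []  # "logging of failed login attempts"

    def set_password(self, new_pw: str, now: datetime) -> None:
        violations = check_password_policy(new_pw)
        if violations:
            raise ValueError("policy violation: " + ", ".join(violations))
        if verify_password(new_pw, self.salt, self.digest):  # "no acceptance of same password in a row"
            raise ValueError("new password must differ from the current one")
        self.salt, self.digest = hash_password(new_pw)
        self.password_set_at = now

    def login(self, pw: str, now: datetime) -> Tuple[bool, str]:
        """(accepted, status); on success the status shows the previous login for the user's check."""
        if self.locked:
            return False, "account locked"
        if not verify_password(pw, self.salt, self.digest):
            self.failed_attempts += 1
            self.failed_login_log.append((now, self.username))
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return False, "account locked"
            return False, "invalid credentials"
        self.failed_attempts = 0
        previous, self.last_login = self.last_login, now
        if now - self.password_set_at > PASSWORD_MAX_AGE:
            return True, "password expired, change required"
        return True, "previous login: " + (previous.isoformat() if previous else "none")


def run_demo() -> dict:
    """Walk two constructed accounts through the policy and return the observed outcomes."""
    t0 = datetime(2024, 1, 1)
    out = {}
    alice = Account("alice", "Tr4vel-Mug9", t0)            # constructed sample credentials
    out["attempts"] = [alice.login("wrong-%d" % i, t0) for i in range(1, 4)]
    out["locked_then_correct"] = alice.login("Tr4vel-Mug9", t0)
    out["failed_logged"] = len(alice.failed_login_log)
    bob = Account("bob", "Tr4vel-Mug9", t0)
    out["first"] = bob.login("Tr4vel-Mug9", t0)
    out["second"] = bob.login("Tr4vel-Mug9", t0 + timedelta(days=1))
    out["expired"] = bob.login("Tr4vel-Mug9", t0 + timedelta(days=91))
    try:
        bob.set_password("Tr4vel-Mug9", t0 + timedelta(days=91))
        out["reuse"] = "accepted"
    except ValueError as err:
        out["reuse"] = str(err)
    bob.set_password("N3w-Lamp-Shad3", t0 + timedelta(days=91))
    out["after_change"] = bob.login("N3w-Lamp-Shad3", t0 + timedelta(days=92))
    return out
```

Because only a salted hash is stored, the "no same password in a row" rule has to be enforced by verifying the candidate against the stored digest rather than by comparing plaintexts, which is what `set_password` does; a dedicated password-hashing library (Argon2 or bcrypt) would be the usual choice over PBKDF2 in production.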

3. ENDPOINT MANAGEMENT
Measures are taken to ensure that endpoints are secured to industry best practices.

Measures taken by Data Importer:

▣ Virus protection
▣ Firewall enabled
▣ HIPS/HIDS (Host-Based Intrusion Prevention and Detection System)
▣ Hardened to industry standards
▣ Baseline configurations for endpoints connecting to the network
▣ Established Session timeout

4. SECURITY AWARENESS TRAINING
Measures are taken to ensure that endpoints are secured to industry best practices.

Measures to be taken by Data Importer:

▣ Organization requires Security Awareness training

5. APPLICATION DEVELOPMENT
Measures are taken for Processors that do application development to ensure that application code is developed in a secure manner.

Measures to be taken by Data Importer:

▣ Configuration policy for application deployment
▣ Defined Secure Development Life Cycle (SDLC) process
▣ Updates to software are done by authorized users
▣ Default credentials utilized with initial installs are changed

6. DATA ACCESS CONTROL
Measures are to be taken to ensure that the parties authorised to use the data processing methods can only access the Personal Data which they are entitled to access.

Measures taken by Data Importer:

▣ Data Management Policy defining requirements for: data retention, encryption, data storage, and data disposal procedures
▣ Access to Personal Data only on a need-to-know-basis
▣ Secured storage of data carriers
▣ Secure transport containers in case of physical transports
▣ Recording of data transfers
▣ Logical client separation
▣ Defining and implementing database access properties
▣ Development of a role-based authorization concept
▣ Separation of test and live data

7. NETWORK CONTROLS
Measures are to be taken which ensure that Personal Data cannot be read, copied, modified or removed in an unauthorised manner during their electronic transmission, transport or storage on data carriers, and that it is possible to check and ascertain to which recipients the transmission of Personal Data is provided for by means of data transmission facilities.

Measures taken by Data Importer:

▣ Use of VPN tunnels
▣ Firewall
▣ Deploy a DMZ when applications are utilized
▣ Encryption of mobile data carriers (such as USB sticks or external USB hard drives), laptops, tablets, and smartphones
▣ Secure data lines, distribution boxes and sockets

8. INPUT CONTROL
Data loss prevention measures are to be taken which ensure that it can subsequently be checked and ascertained whether and by whom Personal Data has been entered, modified or removed in/from data processing systems.

Measures taken by Data Importer:

▣ Logging of entering, modification and removal of Personal Data in/from the system
▣ Traceability of entering, modification and removal of Personal Data by logging usernames (not user groups)
▣ Individual allocation of user rights to enter, modify or remove based on a role-based authorization concept

9. JOB CONTROL
Measures are to be taken which guarantee contract data processing in accordance with instructions.

Measures taken by Data Importer:

▣ Diligent selection of service providers (in particular with respect to IT security)
▣ Conclusion of a commissioned data processing agreement
▣ Written instructions to service provider
▣ Service provider has appointed a data protection officer
▣ Service provider has obligated its employees to comply with data secrecy
▣ Audit rights and continuous review of compliance
▣ Contractual penalties for violations of commissioned data processing agreement by service provider
▣ Documentation of technical and organizational IT security measures implemented by service provider
▣ Return and final deletion of processed data is ensured after termination of commissioned data processing

10. AVAILABILITY AND RESILIENCE CONTROL
Physical and logical measures are to be taken in order to ensure that Personal Data is protected against accidental destruction or loss.

Measures taken by Data Importer:

▣ Uninterruptible power supply and auxiliary power unit
▣ Backup and recovery systems (such as RAID)
▣ Physical backup in separate location
▣ Climate monitoring and control for servers
▣ Fire and smoke detection
▣ Fire extinguishing system
▣ Fire resistant doors
▣ Malware protection
▣ Redundant Array of Independent Disks System (RAID System)

11. VULNERABILITY MANAGEMENT
Measures are to be taken which ensure that systems are patched in a timely manner and regularly scanned for vulnerabilities.

Measures taken by Data Importer:

▣ Monitor and scan systems for vulnerabilities on a regular basis
▣ Patch management timeline and process
▣ Annual penetration testing

12. INCIDENT RESPONSE
Measures are to be taken to ensure that the Processor has a process in which incidents are identified and handled.

Measures taken by Data Importer:

▣ A policy that is reviewed annually
▣ Training provided to personnel on the process
▣ Roles and responsibilities are defined in policy including notification on a timely basis to Data Exporter

13. SYSTEMS MONITORING
Measures should be taken to define a process by which system logs are stored and monitored for any malicious activity.

Measures taken by Data Importer:

▣ Logs cannot be modified
▣ Process where anomalies and exceptions are detected and reviewed

ANNEX III TO EU STANDARD CONTRACTUAL CLAUSES

LIST OF SUB-PROCESSORS

CONTROLLER (Provider) – PROCESSOR (Acxiom) – MODULE TWO

A listing of Acxiom’s commonly used Sub-Processors that collect, process, use, or have access to the Personal Data that are collected, processed, or used under the Agreement is set forth at acxiom.com/legal/subprocessors/. A list of Sub-Processors that Processor utilizes for a specific Schedule to the Agreement may be set forth in the Schedule.

For transfers to (sub-) Processors, also describe the specific technical and organisational measures to be taken by the (sub-) Processor to be able to provide assistance to the Controller and, for transfers from a Processor to a Sub-Processor, to the Data Exporter: See Annex II.