Data Processing Addendum
This Data Processing Addendum (“DPA”) is by and between Advisor360°®, LLC with a place of business at 400 First Ave, Needham Heights, MA 02494 (collectively, “Advisor360°”) and the undersigned (“Customer”) and forms part of, and is incorporated into, the terms between Advisor360° and Customer for the provision of services (“Services”) to Customer by Advisor360° (the “Agreement”).
1. Advisor360°’s processing of personal information
- By entering into this DPA, Customer instructs Advisor360° to process information contained within the data provided to or accessed by Advisor360° in connection with the Services that identifies a particular individual or household (“Personal Information”) to provide the Services as described in Exhibit 1. Advisor360° agrees to process Personal Information in compliance with applicable laws, regulations and orders relating to privacy, consumer protection, information security, or the processing of Personal Information (“Applicable Privacy Laws”).
- Advisor360° will not: (a) sell or share Personal Information; (b) process Personal Information outside the direct business relationship between the parties or for any purpose other than to provide the Services in accordance with the Agreement, unless required by applicable laws; or (c) combine the Personal Information that Advisor360° receives from or on behalf of Customer with Personal Information that Advisor360° collects or receives from another person. Customer shall have the right, upon notice to Advisor360°, to take reasonable and appropriate steps to stop and remediate Advisor360°’s unauthorized processing of Personal Information, and Advisor360° shall cooperate with Customer in taking such steps.
- The parties acknowledge and agree that the disclosure of Personal Information by Customer to Advisor360° does not form part of any monetary or other valuable consideration exchanged between the parties.
2. Assistance with requests
- Advisor360° will notify Customer upon receipt (and in no event later than five (5) days thereafter) of a request, inquiry, complaint or claim from any individual, governmental authority or other person relating to the processing of Personal Information, unless Advisor360° is prohibited from providing such notice under applicable laws. Advisor360° will not respond to any such request without Customer’s prior written instruction, except as required under applicable laws.
- Advisor360° will provide cooperation and assistance as Customer may reasonably request on reasonable timelines requested by Customer (including assistance by appropriate technical and organizational measures) to allow Customer to respond to any request, inquiry, complaint or claim relating to Personal Information or to perform any privacy or data protection impact assessments required under Applicable Privacy Laws.
3. Security measures
- Advisor360° will limit access to Personal Information to Advisor360° employees, contractors or other personnel who in respect of the Personal Information have executed written confidentiality agreements that survive termination of the personnel engagement.
- Advisor360° will protect the confidentiality, integrity, availability and resilience of Advisor360° systems used for processing Personal Information and protect against the accidental, unauthorized or unlawful disclosure, alteration, acquisition of or access to, or other processing of Personal Information. Such measures will be appropriate to the risks presented by processing the Personal Information and no less protective than accepted industry standards and practices for information security and any minimum requirements under Applicable Privacy Laws.
4. Subcontractors
- Prior to permitting an Advisor360° service provider to process Personal Information as part of the Services (a “Subcontractor”), Advisor360° will conduct reasonable due diligence of such Subcontractor to verify that it is capable of maintaining the privacy, confidentiality and security of Personal Information in compliance with this DPA.
- Upon request from Customer, Advisor360° will provide Customer with a list of all Subcontractors. Advisor360° will ensure that all processing of Personal Information by any Subcontractor is subject to a written agreement with Advisor360° that imposes on the Subcontractor obligations substantially equivalent to those to which Advisor360° is subject under this DPA. Advisor360° will be responsible and liable for the acts, omissions or defaults of its Subcontractors in the performance of obligations under this DPA as if they were Advisor360°’s own acts, omissions or defaults.
5. Security Incidents and Incident Response
- Advisor360° will notify Customer promptly (and in any event within seventy-two (72) hours) upon learning of any material security compromise that results in accidental, unauthorized or unlawful disclosure, alteration, acquisition of or access to, or other processing of Personal Information (a “Security Incident”) via the notices requirement set forth in the Agreement.
- Advisor360° will without undue delay provide Customer with the following information as it becomes available: (a) a detailed description of the nature of the Security Incident, including where possible the categories and approximate number of individuals and Personal Information records concerned; (b) a description of the measures taken or proposed to be taken to address the Security Incident; and (c) whether any regulatory authority, affected individuals, or the media have been informed or are otherwise aware of the Security Incident.
- Advisor360° will use best efforts to mitigate and remediate the Security Incident and prevent similar Security Incidents from occurring in the future. Advisor360° agrees to keep Customer informed of the progress of such efforts, and to provide Customer with all facts about the Security Incident as appropriate for Customer to conduct its own assessment of the risk to Personal Information and to Customer’s business.
6. Audits
- Advisor360° will maintain and, upon request, provide to Customer all information, materials, assessments and other documentation necessary to demonstrate compliance with this DPA.
- Subject to reasonable prior written notice of at least thirty (30) days, Customer or its designated third party may audit Advisor360°’s information security and privacy policies, practices, procedures, and processing activities to verify compliance with this DPA. Any such audit will be conducted by an independent third-party auditor mutually agreed upon by the parties, who shall be bound by written confidentiality obligations no less stringent than those set forth in this DPA. Advisor360° will, at its own expense, provide all information and assistance reasonably requested by Customer in connection with any such audits and inspections. Advisor360° will promptly take such remedial actions as Customer may reasonably require following such inspection. Customer may request such audit up to once per year and additionally any time after a Security Incident.
7. Termination
- On expiration or termination of the Agreement, or upon written request from Customer at any time, Advisor360° will promptly return or securely delete and destroy all Personal Information in Advisor360°’s possession or control, except as otherwise required by law or by express data retention requirements of the Agreement. Upon request from Customer, Advisor360° will certify such secure deletion in writing within thirty (30) days of Customer’s request.
8. General
- This DPA will terminate when Advisor360° ceases to process Personal Information, unless otherwise agreed in writing between the parties.
- If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
- Advisor360°’s obligations under this DPA are in addition to and not in lieu of its obligations under other provisions of the Agreement. If the terms of the Agreement conflict with the terms of this DPA, the terms of this DPA will apply.
Exhibit 1: Personal Information Processing Details
Nature and purposes of processing: Advisor360°’s provision of the Services to Customer under the Agreement.
Duration of the processing: Advisor360° will process Personal Information only for the duration of the Agreement and in accordance with Section 8.1 of the DPA.
Categories of data: Advisor360° processes Personal Information provided by the Customer, such as:
Additionally, if Customer is procuring Advisor360°’s Parrot AI Product, Advisor360° may also process Customer’s video and audioconference calls.