Data Processing Addendum

This Data Processing Addendum (“DPA”) amends and forms part of the Master Agreement between Redaptive Sustainability Services, LLC and/or an Affiliate of Redaptive (together, “Redaptive”) and Customer. This DPA prevails over any conflicting term of the Master Agreement but does not otherwise modify the Master Agreement.

1.     Definitions

1.1.       In this DPA:

a)     “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with another entity and for these purposes “control” means having beneficial ownership of more than 50% of the issued share capital of a company or the legal power to direct or cause the direction of the general management of the company, and “controls” and “controlled” shall be construed accordingly;

b)     “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR;

c)     “Country” shall be the country where the Redaptive entity providing Services is registered, unless agreed otherwise in writing between the parties;

d)     “Customer” means the entity or individual that has engaged Redaptive to provide Services pursuant to the Master Agreement;

e)     “Customer Personal Data” means any Personal Data that is subject to Data Protection Law, for which Customer or Third-Party Controller is the Controller, and which is Processed by Redaptive to provide the Services to Customer;

f)      “Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), and all other data protection laws of the EEA including laws of the European Union (“EU”), the data protection laws of the United Kingdom (“UK”) and Switzerland, each as applicable, and as may be amended or replaced from time to time;

g)     “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, including the right to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making;

h)     “EEA Standard Contractual Clauses” or “EEA SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time;

i)      “EEA International Data Transfer” means any transfer of Customer Personal Data from the EEA to an international organization or to a country outside of the EEA, and includes any onward disclosure of Customer Personal Data to another recipient within that country, as well as any onward transfer of Customer Personal Data from the international organization or the country outside of the EEA to another country outside of the EEA;  

j)      “International Data Transfer” means an EEA International Data Transfer, a Swiss International Data Transfer, or a UK International Data Transfer;

k)     “Master Agreement” means the agreement between Redaptive and the Customer, under which Redaptive is providing Services to the Customer;

l)      “Personnel” means any natural person acting under the authority of Redaptive;

m)    “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;

n)     “Services” means the services provided by Redaptive to Customer under the Master Agreement;

o)     “Subprocessor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller;

p)     “Swiss International Data Transfer” means any transfer of Personal Data from Switzerland to an international organization or to a country outside of Switzerland, and includes any onward disclosure of Personal Data to another recipient within that country, as well as any onward transfer of Personal Data from the international organization or the country outside of Switzerland to another country outside of Switzerland;

q)     “UK International Data Transfer” means any transfer of Customer Personal Data from the UK to an international organization or to a country outside of the UK, and includes any onward disclosure of Customer Personal Data to another recipient within that country, as well as any onward transfer of Customer Personal Data from the international organization or the country outside of the UK to another country outside of the UK;

r)      “Third-Party Controller” means a Controller for which Customer is a Processor.

1.2.       Capitalized terms used but not defined herein have the meaning given to them in the Master Agreement.

2.     Scope and applicability

2.1.       This DPA applies to Processing of Customer Personal Data by Redaptive to provide the Services.

2.2.       The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix I, the Master Agreement, and any applicable order, addendum, schedule or statement of work.

2.3.       Customer is a Controller and appoints Redaptive as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.

2.4.       To the extent that Customer is a Processor on behalf of a Third-Party Controller, Customer engages Redaptive as a Subprocessor to Process Customer Personal Data on behalf of that Third-Party Controller. When Customer is acting on behalf of Third-Party Controller(s), then Customer: is the single point of contact for Redaptive; must obtain all necessary authorizations from such Third-Party Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.

2.5.       Customer acknowledges that Redaptive may Process Personal Data, relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, and product development. Redaptive is the Controller for such Processing and will Process such data in accordance with Data Protection Law.

3.     Instructions

3.1.       Redaptive will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.

3.2.       Customer’s instructions are documented in this DPA, the Master Agreement, and any applicable order, addendum, schedule or statement of work.

3.3.       Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Redaptive may charge a reasonable fee to comply with any additional instructions.

3.4.       Unless prohibited by applicable law, Redaptive will inform Customer if Redaptive is subject to a legal obligation that requires Redaptive to Process Customer Personal Data in contravention of Customer’s documented instructions.

4.     Personnel

4.1.       Redaptive will ensure that all Personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.

5.     Security and Personal Data Breaches

5.1.       Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Redaptive will implement appropriate technical and organizational security measures.

5.2.       Redaptive will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Redaptive’s notification is delayed, it will be accompanied by reasons for the delay.

6.     Subprocessing

6.1.       Customer hereby authorizes Redaptive to engage Subprocessors. A list of Redaptive’s current Subprocessors is included in Appendix III.

6.2.       Redaptive will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.

6.3.       Redaptive will inform Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Redaptive’s notification of the intended change. Customer and Redaptive will work together in good faith to address Customer’s objection. If Redaptive chooses to retain the Subprocessor, Redaptive will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.

7.     Assistance

7.1.       Taking into account the nature of the Processing, and the information available to Redaptive, Redaptive will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.

7.2.       Redaptive may charge a reasonable fee for assistance under this Section 7. If Redaptive is at fault, Redaptive and Customer shall each bear their own costs related to assistance.

8.     Audit

8.1.       Redaptive must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Customer and performed by an independent auditor as agreed upon by Customer and Redaptive.

8.2.       Redaptive will inform Customer if Redaptive believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Redaptive may suspend the audit or inspection, or withhold requested information until Redaptive has modified or confirmed the lawfulness of the instructions in writing.

8.3.       Redaptive and Customer each bear their own costs related to an audit.

9.     International Data Transfers

9.1.       Customer hereby authorizes Redaptive to perform EEA International Data Transfers and Swiss International Data Transfers:

a)       to any country subject to a valid adequacy decision of the EU Commission;

b)       to the extent authorized by Supervisory Authorities on the basis of an organization’s binding corporate rules;

c)       to any data importer with whom Redaptive has entered into EEA SCCs.

9.2.       By signing this DPA, Customer and Redaptive hereby agree to conclude the provisions of module two (Controller to Processor) and, to the extent Customer is a Processor on behalf of a Third-Party Controller, module three (Processor to Subprocessor) of the EEA Standard Contractual Clauses, which shall apply to EEA International Data Transfers and Swiss International Data Transfers, and which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Customer; the “data importer” is Redaptive; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the competent Supervisory Authority in Clause 13(a) is the Supervisory Authority indicated in Appendix I.C; Clause 17 option 1 is implemented and the governing law is the law of the Country; the courts in Clause 18(b) are the Courts of the Country; Annexes I and II to the EEA SCCs are Appendixes I and II to this DPA respectively.

9.3.       Customer hereby authorizes Redaptive to perform UK International Data Transfers:

a)       to any country subject to a valid adequacy decision of the UK government;

b)       to the extent authorized by the competent UK authority on the basis of an organization’s binding corporate rules;

c)       to any data importer with whom Redaptive has entered into UK SCCs.

9.4.       To the extent that the Parties cannot rely on Section 9.3 for UK International Data Transfers, the Parties will conclude the EEA Standard Contractual Clauses. Further, Redaptive and the Customer agree to execute Part 2 (Mandatory Clauses) of the International Data Transfer Addendum to the EEA Standard Contractual Clauses, available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (the “UK Addendum”), which is hereby incorporated by reference.

9.5.       If Redaptive implements a different mechanism to comply with Data Protection Laws applicable to International Data Transfers, then the Standard Contractual Clauses will be terminated. If Redaptive’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Redaptive’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Redaptive will work together in good faith to reasonably resolve such non-compliance.

10.   Notifications

10.1.     Customer will send all notifications, requests and instructions under this DPA to Redaptive via email to legal@redaptiveinc.com.

10.2.     Redaptive will send all notifications under this DPA to Customer’s contact for notice stated in the Master Agreement.

11.   Liability

11.1.     To the extent permitted by applicable law, where Redaptive has paid compensation, damages or fines, Redaptive is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the compensation, damages or fines.

12.   Termination and return or deletion

12.1.     This DPA is terminated upon the termination of the Master Agreement.

12.2.     Customer may request return of Customer Personal Data up to thirty (30) days after termination of the Master Agreement. Unless required or permitted by applicable law, Redaptive will delete all remaining copies of Customer Personal Data within thirty (30) days after returning Customer Personal Data to Customer. Redaptive support will notify Customer prior to deletion.

13.   Modification of this DPA

13.1.     This DPA may only be modified by a written amendment signed by both Redaptive and Customer.

14.   Invalidity and severability

14.1.     If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

APPENDIX I 
DESCRIPTION OF THE TRANSFER

A. LIST OF PARTIES

Data exporter:

  • Name: The entity or individual identified as the Customer in the Master Agreement
  • Address: Customer’s notice address stated in the Master Agreement
  • Contact person’s name, position and contact details: Customer’s contact for notice stated in the Master Agreement
  • Activities relevant to the data transferred under these Clauses: Receiving the Services as described in the Master Agreement
  • Signature and date: The signature page in the Master Agreement
  • Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller

Data importer:

  • Name: Redaptive Sustainability Services, LLC
  • Address: Redaptive’s notice address stated in the Master Agreement
  • Contact person’s name, position and contact details: Redaptive’s contact for notice stated in the Master Agreement
  • Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Master Agreement
  • Signature and date: The signature page in the Master Agreement
  • Role (controller/processor): Processor on behalf of data exporter or Subprocessor on behalf of Third-Party Controller

B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER

  • Categories of Data Subjects whose Personal Data is transferred: Customer’s clients, Customer’s personnel, staff and contractors
  • Categories of Personal Data transferred: Contact information (e.g., name, email address, telephone), unique identifiers such as username, account number or password, IP address (geolocation based upon IP address), cookie identifiers, any other Personal Data transmitted by, sent to, or received by Customer including data provided by Customer to facilitate Redaptive’s provision of services to Customer
  • The following categories of sensitive data are transferred: The Parties do not anticipate the transfer of sensitive data.
  • Where sensitive data is transferred, the following restrictions or safeguards are applied: Strong password requirements and/or multifactor authentication into relevant systems, strict purpose limitation, access restrictions only to necessary personnel within Redaptive, logging of data access
  • The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): The data is transferred on a continuous basis.
  • Nature of the Processing: The Processing concerns the provision of Services as set out in the Master Agreement and any applicable statement of work, order, schedule, addendum, etc.
  • Purpose(s) of the data transfer and further Processing: To provide the Services to Customer as described in the Master Agreement.
  • The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
  • For transfers to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Master Agreement and this DPA. The Processing will take place for the duration of the Master Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority, in accordance with Clause 13 of the EEA Standard Contractual Clauses, is the Supervisory Authority of the Country.

APPENDIX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Redaptive will, at a minimum, implement the following types of security measures:

    1. Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include: establishing security areas, restriction of access paths; establishing access authorizations for employees and third parties; access control system (ID reader, magnetic card, chip card); key management, card-key procedures; door locking (electric door openers etc.); security staff, janitors; surveillance facilities, video/CCTV monitor, alarm system; and securing decentralized data processing equipment and personal computers.

    2. Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include: user identification and authentication procedures; ID/password security procedures (special characters, minimum length, change of password); automatic blocking (e.g. password or timeout); monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; and encryption of archived data media.

    3. Data access control

Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include: internal policies and procedures; control authorization schemes; differentiated access rights (profiles, roles, transactions and objects); monitoring and logging of accesses; reports of access; access procedure; change procedure; deletion procedure; and encryption.

    4. Disclosure control

Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include: encryption/Pseudonymization/tunneling; logging; and transport security.

    5. Entry control

Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include: logging and reporting systems; and audit trails and documentation.

    6. Control of instructions

Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include: criteria for selecting the Processor.

    7. Availability control

Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Customer Personal Data are protected against accidental destruction or loss (physical/logical), include: backup procedures; uninterruptible power supply (UPS); remote storage; and anti-virus/firewall systems.

    8. Separation control

Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include: “internal client” concept / limitation of use; segregation of functions (production/testing); and procedures for storage, amendment, deletion, transmission of data for different purposes.

    9. Testing controls

Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include: testing and evaluation of software updates before they are installed; and authenticated (with elevated rights) vulnerability scanning.

    10. IT governance

Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include: certification/assurance of processes and products; processes for data quality; processes for ensuring accountability; and data subject rights policies.

The measures in this Appendix apply to all transfers described in this DPA. Where Redaptive acts as (sub-)processor, the specific technical and organizational measures taken by Redaptive to provide assistance to the Customer or the Third-Party Controller are described in Section 7 of this DPA.

APPENDIX III
LIST OF SUBPROCESSORS

The table below contains a list of Redaptive’s current Subprocessors, pursuant to the general authorization provided by Customer in Section 6.1.

#   Name                                 Description of Processing                                              Location
1.  Amazon Web Services, Inc.            Cloud Service Provider                                                 United States
2.  Plotly                               Python-based data visualization (Hosted on Redaptive’s AWS instance)   United States
3.  Tableau Software, LLC (Salesforce)   Analytics and data visualization                                       United States
4.  Google Analytics                     Website and portal analytics (basic, sunsetting)                       United States
5.  Gainsight                            Website and portal analytics (advanced, newly implemented)             United States
6.  Stitch Data (Talend)                 Data ETL Tool                                                          United States
7.  SendGrid                             Transactional Emails                                                   United States