This Data Processing Addendum, inclusive of Schedules 1 and 2 (“DPA”) sets out the essential terms required by Sojern, Inc., a Delaware corporation with its principal place of business located at 575 Market Street, 4th Floor, San Francisco, CA 94105 USA (“Sojern”). For the purposes of this DPA, the company that is a party to the Agreement (as defined below) in which this DPA is incorporated is referred to as “Company”.
“Agreement” means any and all agreements between the parties under which Sojern receives, collects, accesses or otherwise processes Personal Data for the purposes set out in the applicable data provider or service agreement. This DPA incorporates the terms and conditions of the Agreement, as set forth below. In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall govern and prevail. All capitalized terms used but not defined herein shall have their respective meanings as set forth in the Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly.
“Service” means the services provided by Sojern or Company, as applicable, under the Agreement.
For the purposes of the processing carried out by Sojern pursuant to the Agreement, Sojern’s role as a data processor or data controller with respect to Personal Data processed by Sojern shall be set forth in the applicable Agreement.
Except as expressly permitted herein or in writing by Company, Sojern will not directly or indirectly (a) disclose, sell, distribute or transmit Personal Data to any third party, or (b) use Personal Data for any purpose other than to provide Company the Service under the Agreement, and in accordance with all applicable privacy and data protection laws. Sojern will ensure that each person authorized to process Personal Data is subject to a duty of confidentiality with respect to that Personal Data.
Each party certifies it understands its obligations under applicable privacy and data protection laws and shall process Personal Data in accordance with all applicable privacy and data protection laws. Where Sojern is acting as a data processor, Sojern will perform the processing as documented and instructed by Company in the Agreement, unless otherwise notified by a regulatory authority that such processing does not comply with applicable privacy and data protection laws, in which case Sojern will promptly provide Company with written notice of that regulatory notice and may cease processing Personal Data until the regulatory issue is resolved.
To the extent required by applicable privacy and data protection laws, Company shall only instruct Sojern to process Personal Data for those purposes permitted under applicable privacy and data protection laws and shall disclose Personal Data to Sojern only for the limited and specified purposes set out in the Agreement. Company reserves the right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that Sojern uses Personal Data transferred to it in a manner consistent with Sojern’s obligations under applicable privacy and data protection laws, including reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data. Sojern shall notify Company if it determines that it can no longer meet its obligations under applicable privacy and data protection laws.
Each party will maintain a written or electronic record of the processing of Personal Data. Each party will reasonably cooperate with the other party in complying with applicable privacy and data protection laws with respect to data protection impact assessments, records of processing, related requests or consultations with data protection authorities, and audits in accordance with the applicable Agreement, to enable Company to confirm that Sojern has complied with its obligations under applicable privacy and data protection laws and the Agreement.
The parties acknowledge that Sojern does not maintain a direct relationship with individuals whose Personal Data is provided to Sojern. As such, where required by applicable privacy and data protection laws, Company will make the Sojern Privacy Policy, available at https://www.sojern.com/privacy/privacy-policy/, available to individuals whose Personal Data is processed by Sojern.
Company shall provide notice to, and obtain consents from, individuals as required by applicable privacy and data protection laws regarding Company’s collection, use, and disclosure of Personal Data. If applicable privacy and data protection laws require mechanisms by which individuals may exercise rights, including but not limited to opt-out rights, Company (or such other party as is responsible for the collection of Personal Data on behalf of Company) shall provide such mechanisms to individuals. Company will be presumed to have provided appropriate notices and to have obtained appropriate consents, if required, from any individuals whose Personal Data is provided to Sojern. Company shall promptly provide, upon Sojern’s request at any time, proof that appropriate consents have been obtained by Company from the relevant individuals.
Each party will reasonably cooperate with the other party in response to any requests or complaints from individuals relating to the processing of Personal Data under the Agreement and pertaining to privacy rights under applicable privacy and data protection laws. If Sojern receives a request from an individual, Sojern will promptly: (a) forward the request to Company to manage the request; and (b) where Sojern is a data processor, implement Company’s decision with respect to how the request will be managed.
The parties acknowledge that Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) may be transferred to or processed by Sojern in a country or territory recognized as ensuring adequate protection under relevant privacy and data protection law. The parties also agree that transfers of such Personal Data to Sojern may be made in accordance with a solution, other than standard contractual clauses, that enables the lawful transfer of personal data to a third country in accordance with applicable privacy and data protection law (a “Transfer Solution”). This includes, but is not limited to, an approved data protection framework recognized as ensuring that participating entities provide adequate protection of Personal Data.
To the extent Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) is transferred to Sojern, the data processing requires adequacy under the laws of the country of the Company, no adequacy decision or Transfer Solution applies, and the required adequacy can be met by the terms of this DPA, then the parties agree that this DPA incorporates by reference, as applicable, the European Commission standard contractual clauses (Commission Implementing Decision (EU) 2021/914) for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, by EU/EEA controllers to processors established outside the EU/EEA (“Module 2”) and/or by EU/EEA controllers to controllers established outside the EU/EEA (“Module 1”), as they are amended or replaced from time to time by the European Commission (collectively, the “Clauses”). For convenience, the Clauses referenced above are generated from the text made available by the European Commission for the sole purpose of incorporating the Clauses into the Agreement, selecting the appropriate Module(s), and adding information in the Appendix as permitted by the Clauses. For purposes of Personal Data transfers, Company shall be the “data exporter” and Sojern shall be the “data importer” (even if Company is an entity located outside the EU/EEA, provided the Company is otherwise subject to Regulation (EU) 2016/679). Where the Clauses apply, Company and Sojern will be deemed to have entered into the Clauses in their respective names and on their own behalf, and the parties’ names, addresses, contact details, roles, and activities related to the Personal Data transferred under the Clauses will be provided in the Agreement. The execution of the Agreement shall be deemed execution of the Clauses, specifically execution of Annex I.A of the Clauses. To the extent there is any conflict between the terms of this DPA and the Clauses, the applicable Clauses shall govern and prevail.
Each party shall implement and maintain appropriate technical, physical, and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Company grants a general authorization to Sojern to use other data processors for the processing of Personal Data (“Sub-processors”), who are bound by confidentiality and data protection obligations consistent with this DPA and applicable privacy and data protection laws, listed at www.sojern.com/legal/partner-list/. Where required by the Agreement or where Sojern is acting as a data processor, Sojern will inform Company of any changes concerning the addition or replacement of Sub-processors by updating the above-mentioned list, thereby giving Company an opportunity to object to such changes, and instructions for objections are provided at the same URL. If Company reasonably objects to a change and Sojern is unable to resolve such objection, Company may terminate the Agreement and DPA.
This DPA shall remain in full force and effect for so long as (a) any Agreement remains in effect or (b) Sojern retains copies of Personal Data, whichever is later. Either party may terminate this DPA upon a material breach of this DPA, or if a regulatory authority, tribunal or court with jurisdiction finds that the processing of Personal Data by the parties materially violates applicable privacy and data protection laws, provided, however, that the non-breaching party must first provide notice of the alleged breach, and such breach shall have remained uncured for a period of fifteen (15) days following such notice.
This DPA shall be deemed to have been made in and shall be construed pursuant to the laws of the State of California, USA, without regard to conflicts of laws provisions thereof.
Categories of data subjects: Travelers and other customers of the Company.
Categories of Personal Data transferred: Personal Data transferred by Company is provided in accordance with the Agreement, and may include but is not limited to:
Sensitive data transferred: None.
Frequency of the transfer: Continuous basis, for the duration of the applicable Agreement.
Nature of the processing: Collection of online browsing information through the use of cookies and other tracking technologies.
Purpose(s) of the data transfer and further processing: For any lawful purpose in connection with the Services provided under the Agreement between data exporter and data importer, particularly targeted advertising based on online browsing information. No further processing is permitted.
Period for which the Personal Data will be retained: For the duration of the applicable Agreement, unless, at the choice of data exporter, Personal Data is deleted or returned.
Sub-processors: Sub-processors are listed at www.sojern.com/legal/partner-list/, as permitted by Clause 9(a) of the Clauses (Module 2, general written authorisation).
Competent supervisory authority: The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
1. General. Sojern will establish, implement, and maintain appropriate administrative, technical and organizational measures that are designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. These measures will be adequate to comply with applicable data protection laws and Sojern will comply at all times with its information security policies and information security program.
2. Information Security Policies and Standards. Sojern will maintain information security policies, standards, and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
3. Vulnerability Management. Sojern will maintain a vulnerability management program for all systems that process Personal Data that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
4. Risk Assessment. Sojern will conduct periodic risk assessments to identify and assess reasonably foreseeable risks to the security, confidentiality, and integrity of records containing Personal Data and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those risks.
5. Data Classification. Sojern will maintain policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees.
6. Encryption. Sojern will implement industry standard encryption mechanisms and strong cipher suites (AES 256-bit is recommended) for storage and transmission. Sojern will accept connections over encrypted channels (TLS is recommended).
7. Network Security. Sojern will secure its network by employing a defense-in-depth approach that utilizes commercially available equipment and industry standard techniques, including without limitation firewalls, intrusion detection systems, access control lists, and routing protocols.
8. Virus and Malware Controls. Sojern will protect Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
9. Access Control. Sojern will practice the principle of least privilege where access to Personal Data is only granted to those within the organization who have a business need for such access and permissions will be limited to the minimum amount required to perform the specific job function.
10. Processing Location. Personal Data will be Processed by Sojern in the United States, subject to applicable data protection laws that may require otherwise.
11. Incident Response. Sojern will maintain a data security incident response program and will document all suspected data security incidents. Sojern will investigate any data security incidents and take all necessary steps to eliminate or contain the data security incident.
12. Personnel. Sojern will maintain an information security awareness and training program and will train critical Sojern personnel on data protection measures and general cybersecurity protections.
13. Vendor Management. Sojern will maintain a vendor management program that will assess all vendors with whom Sojern exchanges Personal Data. Such vendors will be held to data security standards no less restrictive than those set forth herein.