BLOCKSTACK—COINLIST DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Blockstack Token LLC (“Blockstack”) and CoinList Services, LLC, a subsidiary of Amalgamated Token Services Inc. (collectively, “Vendor”), titled COMPLIANCE AND TECHNICAL SERVICES AGREEMENT, dated May 8, 2019 (the “Agreement”). This DPA prevails over any conflicting term of the Agreement, but does not otherwise modify the Agreement.
1. Definitions. In this DPA:
a) “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in European Data Protection Law;
b) “European Data Protection Law” means Directive 95/46/EC, Regulation (EU) 2016/679, Directive 2002/58/EC (as amended by Directive 2009/136/EC), and all other data protection laws of Europe, each as applicable, and as may be amended or replaced from time to time;
c) “Europe” and “European” mean the European Union, the European Economic Area, their respective member states, Switzerland and the United Kingdom; and
d) “Subprocessor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller.
2. Scope and Applicability. This DPA applies to Processing of Personal Data by Vendor in the context of the Agreement. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Appendix 1, this DPA, and the Agreement. Section 3 (Global Data Processing Terms) applies to all Processing of Personal Data. Section 4 (European Data Processing Terms) applies to Processing of Personal Data regulated by European Data Protection Law, including Processing of any Personal Data relating to Data Subjects located in Europe.
3. Global Data Processing Terms
3.1. Instructions. Vendor must only Process Personal Data on documented instructions of Blockstack, and may not Process Personal Data for any other purpose. Blockstack’s instructions are documented in Appendix 1, the Agreement, and any applicable statement of work. Blockstack may issue additional instructions to Vendor as it deems reasonably necessary to comply with applicable laws, including European Data Protection Law.
3.2. Data Security. Vendor must implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing, including: encryption and pseudonymization of Personal Data; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing; measures to detect Personal Data Breaches in a timely manner; measures to restore the availability and access to Personal Data in a timely manner in the event of an incident; processes for regularly testing, assessing and evaluating the effectiveness of the security measures; and as appropriate, and without limiting the foregoing, the measures listed in Appendix 2.
3.3. Assistance. Vendor must assist Blockstack, including by implementing appropriate technical and organizational measures, in fulfilling Blockstack’s own obligations under applicable privacy laws, including European Data Protection Law, in particular: complying with Data Subjects’ requests to exercise their rights; replying to inquiries or complaints from Data Subjects; replying to investigations and inquiries from Supervisory Authorities; conducting data protection impact assessments, and prior consultations with Supervisory Authorities; and notifying Personal Data Breaches.
3.4. Personal Data Breach. Vendor must inform Blockstack without undue delay and no later than 48 hours after becoming aware of a Personal Data Breach. Vendor must, either in the initial notice or in subsequent notices as soon as the information becomes available, inform Blockstack of the nature of the Personal Data Breach, the categories and number of Data Subjects, the categories and amount of Personal Data, the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach and mitigate possible adverse effects. If Vendor’s notice or subsequent notices are delayed, they must be accompanied by reasons for the delay. Vendor must document all Personal Data Breaches, including at least the information referred to in this Section, and provide a copy to Blockstack upon request.
3.5. Personnel. Vendor must implement appropriate technical and organizational measures to ensure that all persons acting under its authority Process Personal Data only on the instructions of the Controller. Vendor must ensure that all persons authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality. Vendor must regularly train its personnel regarding the protection of Personal Data.
3.6. Confidentiality. Vendor must keep all Personal Data and all information relating to the Processing thereof, in strict confidence.
3.7. Notifications. Vendor must make all notifications required under this DPA at least via email to xxxxx@xxxxxxxxxx.xxx. In addition, Vendor must make all notifications relating to the security of Processing via email to xxxxx@xxxxxxxxxx.xxx.
3.8. Term and Duration of Processing. The Processing will last no longer than the term of the Agreement. Upon termination of the Processing, Vendor must, at Blockstack’s choice, delete or return all Personal Data and must delete all remaining copies within ninety (90) days after confirmation of Blockstack’s choice. This DPA is terminated upon Vendor’s deletion of all remaining copies of Personal Data in accordance with this Section.
4. European Data Processing Terms
4.1. Roles. Blockstack is a Controller and appoints Vendor as a Processor on behalf of Blockstack.
4.2. Subprocessing. Vendor must obtain Blockstack’s specific prior written authorization to engage Subprocessors. Blockstack hereby authorizes Vendor to engage the Subprocessors listed in Appendix 0. Vendor must inform Blockstack at least thirty (30) days prior to any intended change of Subprocessor. Vendor must obtain sufficient guarantees from all Subprocessors that they will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of European Data Protection Law and this DPA. Vendor must enter into a written agreement with all Subprocessors which imposes the same obligations on the Subprocessors as this DPA imposes on Vendor. Vendor must provide a copy of Vendor’s agreements with Subprocessors to Blockstack upon request. Vendor may redact commercially sensitive information before providing such agreements to Blockstack. If any Subprocessor fails to fulfil its obligations under European Data Protection Law, this DPA, or the agreements between Vendor and Subprocessor, Vendor will be fully liable to Blockstack for the performance of such obligations.
4.3. International Data Transfers. Vendor must obtain Blockstack’s specific written authorization prior to transferring, or authorizing the transfer of, Personal Data from Europe to a country outside of Europe, including any onward transfer from one country outside of Europe to another country outside of Europe. Blockstack hereby authorizes Vendor to perform such transfers: to any country subject to a valid adequacy decision of the EU Commission; to the extent authorized by Supervisory Authorities on the basis of an organization’s binding corporate rules; to an organization in the United States to the extent covered by that organization’s active Privacy Shield certification; and to any data importer who has acceded to the standard contractual clauses between Blockstack and Vendor under Section 4.4. Vendor must inform Blockstack at least thirty (30) days prior to any intended change to a transfer under this Section, including the recipient, the country, and the legal instrument relied upon to comply with European Data Protection Law. All authorizations of transfers under this Section are expressly conditioned upon Vendor’s ongoing compliance with the requirements of European Data Protection Law applicable to such transfers. If such compliance is affected by circumstances outside of Vendor’s control, including circumstances affecting the validity of an applicable legal instrument, Blockstack and Vendor will work together in good faith to reasonably resolve such non-compliance.
4.4. Standard Contractual Clauses. By signing this DPA, Blockstack and Vendor conclude the standard contractual clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18), which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Blockstack; the “data importer” is Vendor; the governing law in Clause 9 and Clause 11.3 is the law of the European member state in which Blockstack is established; Appendices 1 and 2 are Appendices 1 and 2 to this DPA, respectively; and the optional indemnification clause is struck.
4.5. Third-Party Inquiries. Unless prohibited by European law, Vendor must inform Blockstack without undue delay if Vendor: receives a request, complaint or other inquiry regarding the Processing of Personal Data from a Data Subject or Supervisory Authority; receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body; is subject to a legal obligation that requires Vendor to Process Personal Data in contravention of Blockstack’s instructions; or is otherwise unable to comply with European Data Protection Law or this DPA. Unless prohibited by European law, Vendor must obtain Blockstack’s written authorization before responding to, or complying with, any requests, orders, or legal obligations referred to in this Section.
4.6. Accountability. Vendor warrants that it possesses the expert knowledge, reliability and resources, and has implemented appropriate technical and organizational measures to meet the requirements of European Data Protection Law, including for the security of Processing. Vendor must inform Blockstack without undue delay if Vendor believes that an instruction of Blockstack violates European Data Protection Law, in which case Vendor may suspend the Processing until Blockstack has modified or confirmed the lawfulness of the instructions in writing.
4.7. Internal Records. Vendor must maintain records of all Processing of Personal Data, including at a minimum the categories of information required under European Data Protection Law, and must provide a copy of such records to Blockstack upon request.
4.8. Audits. Vendor must make available to Blockstack all information necessary to demonstrate compliance with the obligations of European Data Protection Law and this DPA and allow for and contribute to audits, including inspections, conducted by a Supervisory Authority, Blockstack or another auditor mandated by Blockstack. Blockstack and Vendor each bear their own costs related to an audit. If an audit determines that Vendor violated European Data Protection Law or this DPA, then Vendor bears all costs related to the audit.
4.9. Liability and Indemnification. Vendor is fully liable to Blockstack for any infringements of European Data Protection Law or this DPA by Vendor or Vendor’s Processors. Where Blockstack has paid damages or fines, Blockstack is entitled to claim back from Vendor that part of the compensation, damages or fines, corresponding to Vendor’s part of responsibility for the damages or fines. Vendor must indemnify Blockstack, its affiliates, directors, officers and personnel against all claims by third parties and resulting liabilities, losses, damages, costs and expenses (including reasonable external legal costs, administrative fines and other penalties) suffered or incurred by any of them, whether in contract, tort (including negligence) or otherwise arising out of or in connection with any infringement by Vendor or Vendor’s Processors of this DPA or its obligations under European Data Protection Law.
5. Applicable Law and Jurisdiction. This DPA is governed by the laws of the State of New York. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the federal and state courts of New York, New York.
6. Modification of this DPA. This DPA may only be modified by a written amendment signed by both Blockstack and Vendor.
7. Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Blockstack
Name: Xxxxx Xxxxxx
Title: Head of Legal & Finance
Address:
Signature:
Date: May 8, 2019

CoinList Services, LLC
Name:
Title:
Address:
Signature:
Date: May 8, 2019
APPENDIX 0
SUBPROCESSORS
Blockstack authorizes Vendor to engage the following Subprocessors:
# | Name | Description
APPENDIX 1
DESCRIPTION OF THE PROCESSING
1. Data Subjects
The Personal Data Processed concern the following categories of Data Subjects (please specify):
# | Category | Description
2. Categories of Personal Data
The Personal Data Processed concern the following categories of data (please specify):
# | Category | Description
3. Sensitive Data
The Personal Data Processed concern the following special categories of data (please specify):
# | Category | Description
4. Processing operations
The Personal Data will be subject to the following basic Processing activities (please specify):
# | Operation | Description
APPENDIX 2
SECURITY MEASURES
Vendor and Data Importer will, at a minimum, implement the following types of security measures:
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include:
· Establishing security areas, restriction of access paths;
· Establishing access authorizations for employees and third parties;
· Access control system (ID reader, magnetic card, chip card);
· Key management, card-keys procedures;
· Door locking (electric door openers etc.);
· Security staff, janitors;
· Surveillance facilities, video/CCTV monitor, alarm system; and
· Securing decentralized data processing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
· User identification and authentication procedures;
· ID/password security procedures (special characters, minimum length, change of password);
· Automatic blocking (e.g. password or timeout);
· Monitoring of break-in attempts and automatic turn-off of the user ID after several erroneous password attempts;
· Creation of one master record per user, user-master data procedures per data processing environment; and
· Encryption of archived data media.
3. Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:
· Internal policies and procedures;
· Control authorization schemes;
· Differentiated access rights (profiles, roles, transactions and objects);
· Monitoring and logging of accesses;
· Disciplinary action against employees who access Personal Data without authorization;
· Reports of access;
· Access procedure;
· Change procedure;
· Deletion procedure; and
· Encryption.
4. Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:
· Encryption/tunneling;
· Logging; and
· Transport security.
5. Entry control
Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
· Logging and reporting systems; and
· Audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include:
· Unambiguous wording of the contract;
· Formal commissioning (request form); and
· Criteria for selecting the Processor.
7. Availability control
Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include:
· Backup procedures;
· Mirroring of hard disks (e.g. RAID technology);
· Uninterruptible power supply (UPS);
· Remote storage;
· Anti-virus/firewall systems; and
· Disaster recovery plan.
8. Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include:
· Separation of databases;
· “Internal client” concept / limitation of use;
· Segregation of functions (production/testing); and
· Procedures for storage, amendment, deletion, transmission of data for different purposes.