Services Data is data that resides on DSI, customer or third-party systems to which DSI is provided access to perform services (including Cloud environments as well as test, development and production environments that may be accessed to perform DSI consulting and support services). DSI treats services data according to the terms of this policy, and treats services data as confidential in accordance with the terms of your order for services.
In contrast, having contracted with DSI for Cloud or other services, the customer provides DSI access to its production, development or test environment, which may include personal information about its employees, customers, partners or suppliers (collectively "end users").
Services data may be accessed and used to perform services under your order for support, consulting, Cloud or other services and to confirm your compliance with the terms of your order. This may include testing and applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; and resolving bugs and other issues you have reported to DSI. Any copies of services data created for these purposes are only maintained for time periods relevant to those purposes.
DSI may be required to retain or provide access to services data to comply with legally mandated reporting, disclosure or other legal process requirements.
DSI does not use services data except as stated above or in your order. DSI may process services data, but does not control your collection or use practices for services data. If you provide any services data to DSI, you are responsible for providing any notices and/or obtaining any consents necessary for DSI to access, use, retain and transfer services data as specified in this policy and your order.
DSI is committed to the security of your services data, and has in place physical, administrative and technical measures designed to prevent unauthorized access to that information. DSI employees are required to maintain the confidentiality of services data. Employees' obligations include written confidentiality agreements, and compliance with company policies concerning protection of confidential information.
DSI promptly evaluates and responds to incidents that create suspicions of unauthorized handling of services data. DSI’s Management and General Counsel are informed of such incidents and, depending on the nature of the activity, define escalation paths and response teams to address the incidents. If DSI determines that your services data has been misappropriated (including by an employee of DSI) or otherwise wrongly acquired by a third party, DSI will promptly report such misappropriation or acquisition to you.
If you believe your services data has been used in a way that is not consistent with this policy, or if you have further questions related to this policy, please contact DSI’s General Counsel. Written inquiries may be addressed to General Counsel, DSI, 1201 Walnut Street, Ste. 1100, Kansas City, Missouri 64106, United States of America.
DSI reserves the right to change this policy. DSI will provide notification of the material changes to this Policy through the DSI’s Web sites at least thirty (30) business days prior to the change taking effect.
This agreement (the “Data Processing Agreement”) applies to DSI’s Processing of Personal Data provided to DSI by Customer as part of DSI’s provision of Cloud Services (“Cloud Services”), as further specified in (i) the applicable DSI master agreement and (ii) the DSI Cloud Ordering Document between Customer and DSI, and all documents, addenda, schedules and exhibits incorporated therein (collectively the “Agreement”) by and between the Customer entity and DSI subsidiary listed in the order for Cloud Services.
This Data Processing Agreement is subject to the terms of the Agreement and is incorporated into the Agreement. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and the terms of this Data Processing Agreement, the relevant terms of this Data Processing Agreement shall take precedence. This Data Processing Agreement shall be effective for the Services Period of any DSI Cloud order placed under the Agreement.
“Customer” or “you” means the Customer that has executed the order for Cloud Services.
“DSI” or “Processor” means the DSI or DSI subsidiary as listed in the order for Cloud Services.
“DSI Affiliates” mean the subsidiaries of Data Systems International, Inc. that may assist in the performance of the Cloud Services.
“Personal Data” means any information relating to an identified or identifiable natural person that Customer or its end users provide to DSI as part of the Cloud Services; an identified or identifiable natural person (a “data subject”) is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
“Process” or “Processing” means any operation or set of operations which is performed by DSI as part of the Cloud Services upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Subprocessor” means a third party subcontractor engaged by DSI which, as part of the subcontractor’s role of delivering the Cloud Services, will Process Personal Data of the Customer.
Other terms have the definitions provided for them in the Agreement or as otherwise specified below.
In order to execute the Agreement, and in particular to perform the Cloud Services on behalf of Customer, Customer authorizes and requests that DSI Process the following Personal Data:
Categories of Personal Data: Personal Data may include, among other information, personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, social security details and business contact details; financial details; and goods and services provided.
Categories of Data Subjects: Data subjects may include Customer’s representatives and end users, such as employees, job applicants, contractors, collaborators, partners, and customers of the Customer. Data subjects also may include individuals attempting to communicate or transfer Personal Data to users of the Cloud Services.
DSI will Process Personal Data solely for the provision of the Cloud Services, and will not otherwise (i) Process or use Personal Data for purposes other than those set forth in the Agreement or as instructed by Customer, or (ii) disclose such Personal Data to third parties other than DSI Affiliates or Subprocessors for the aforementioned purposes or as required by law.
During the Services Period of any order for Cloud Services, Customer may provide instructions to DSI in addition to those specified in the Agreement with regard to processing of Personal Data. DSI will comply with all such instructions without additional charge to the extent necessary for DSI to comply with laws applicable to DSI as a data processor in the performance of the Cloud Services; the parties will negotiate in good faith with respect to any other change in the Cloud Services and/or fees resulting from such instructions.
The control of Personal Data remains with Customer, and as between Customer and DSI, Customer will at all times remain the data controller for the purposes of the Cloud Services, the Agreement, and this Data Processing Agreement. Customer is responsible for compliance with its obligations as data controller under data protection laws, in particular for justification of any transmission of Personal Data to DSI (including providing any required notices and obtaining any required consents), and for its decisions and actions concerning the Processing and use of the data.
DSI will grant Customer electronic access to Customer’s Cloud Services environment that holds Personal Data to permit Customer to delete, release, correct or block access to specific Personal Data or, if that is not practicable and to the extent permitted by applicable law, follow Customer’s detailed written instructions to delete, release, correct or block access to Personal Data held in Customer’s Cloud Services environment. Customer agrees to pay DSI’s reasonable fees associated with the performance of any such deletion, release, correction or blocking of access to Personal Data. DSI will pass on to the Customer any requests of an individual data subject to delete, release, correct or block Personal Data Processed under the Agreement.
DSI treats all Personal Data in a manner consistent with the requirements of the Agreement and this Data Processing Agreement in all locations globally. DSI’s information policies, standards and governance practices are managed on a global basis. With respect to Personal Data stored by DSI in data centers in the EEA or in countries that have been subject to an adequacy (or equivalent) finding by the European Commission pursuant to Articles 25 and 26 of the Directive (“Adequacy Finding”), DSI manages compliance by the Subprocessors as follows. For Subprocessors, DSI or the DSI Affiliates have entered into contracts with Subprocessors that provide that the Subprocessor will undertake data protection and confidentiality obligations consistent with the Safe Harbor Principles.
Some or all of DSI’s obligations under the Agreement may be performed by Subprocessors to assist in the provision of the Cloud Services. DSI maintains a list of Subprocessors that may Process the Personal Data of DSI’s Cloud Service customers and will provide a copy of that list to Customer upon request.
All Subprocessors are required to abide by substantially the same obligations as DSI under this Data Processing Agreement as applicable to their performance of the Cloud Services. Customer may request, to receive copies of the relevant terms of DSI’s agreement with Subprocessors that may Process Personal Data, unless the agreement contains confidential information, in which case DSI may provide a redacted version of the agreement. DSI remains responsible at all times for compliance with the terms of the Agreement and this Data Processing Agreement by DSI Affiliates and Subprocessors.
Customer consents to DSI’s use of DSI Affiliates and Subprocessors in the performance of the Cloud Services in accordance with the terms of Articles VII and VIII above.
When Processing Personal Data on behalf of Customer in connection with the Cloud Services, DSI and/or Subprocessors have implemented and will maintain appropriate technical and organizational security measures for the Processing of such data, including the measures specified in this Section to the extent applicable to the DSI’s Processing of Personal Data. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.
Customer may audit DSI’s compliance with the terms of the Agreement and this Data Processing Agreement up to once per year. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and DSI and must execute a written confidentiality agreement acceptable to DSI before conducting the audit.
To request an audit, Customer must submit a detailed audit plan at least two weeks in advance of the proposed audit date to DSI describing the proposed scope, duration, and start date of the audit. DSI will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise DSI security, privacy, employment or other relevant policies). DSI will work cooperatively with Customer to agree on a final audit plan.
The audit must be conducted during regular business hours at the applicable facility, subject to DSI policies, and may not unreasonably interfere with DSI business activities. DSI will make reasonable efforts to provide requested information to the auditor.
Customer will provide DSI a copy of any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of the Agreement and this Data Processing Agreement. The audit reports are Confidential Information of the parties under the terms of the Agreement.
Any audits are at the Customer's expense. Any request for DSI to provide assistance with an audit is considered a separate service if such audit assistance requires the use of different or additional resources. DSI will seek the Customer's written approval and agreement to pay any related fees before performing such audit assistance.
DSI evaluates and responds to incidents that create suspicion of unauthorized access to or handling of Personal Data (“Incident”) and, depending on the nature of the activity, defines escalation paths and response teams to address those Incidents. DSI will work with Customer, with internal DSI lines of business, with the appropriate technical teams and, where necessary, with outside law enforcement to respond to the Incident. The goal of the Incident response will be to restore the confidentiality, integrity, and availability of the Cloud Services environment, and to establish root causes and remediation steps.
DSI operations staff is instructed on responding to Incidents where handling of Personal Data may have been unauthorized, including prompt and reasonable reporting to DSI’s legal department, escalation procedures, and chain of custody practices to secure relevant evidence.
For purposes of this section, “Security Breach” means the misappropriation of Personal Data located on DSI systems or the Subprocessor’s Cloud Services environment that compromises the security, confidentiality or integrity of such information. DSI will inform Customer within five business days if DSI determines that Personal Data has been subject to a Security Breach (including by a DSI employee) or any other circumstance in which Customer is required to provide a notification under applicable law, unless otherwise required by law.
DSI will promptly investigate the Security Breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, DSI will provide Customer with a description of the Security Breach, the type of data that was the subject of the breach, and other information Customer may reasonably request concerning the affected persons. The parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected persons and/or the relevant data protection authorities.
Following termination of the Cloud Services, DSI will return or otherwise make available for retrieval Customer’s Personal Data then available in the Customer’s Cloud Services environment. Following return of the data, or as otherwise specified in the Agreement, DSI will promptly delete or otherwise render inaccessible all copies of Personal Data from the production Cloud Services environment, except as may be required by law.
Except as otherwise required by law, DSI will promptly notify Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority (“Demand”) that it receives and which relates to the Personal Data DSI is Processing on Customer’s behalf. At Customer’s request, DSI will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner. Customer acknowledges that DSI has no responsibility to interact directly with the entity making the Demand.
DSI and/or its Subprocessor may (i) compile statistical and other information related to the performance, operation and use of the Cloud Services, and (ii) use data from the Cloud Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (clauses i and ii are collectively referred to as “Service Analyses”). DSI may make Service Analyses publicly available; however, Service Analyses will not incorporate Customer’s Content or Confidential Information in a form that could identify or serve to identify Customer or any data subject, and Service Analyses do not constitute Personal Data. DSI retains all intellectual property rights in Service Analyses.
DSI reserves the right to change this Agreement. DSI will provide notification of the material changes to this Agreement through the DSI’s Web sites at least thirty (30) business days prior to the change taking effect.