Data Processing Addendum
1 Application of this addendum
1.1 This data processing addendum (addendum) forms part of the agreement (as defined below) and sets out the parties' agreement in relation to the processing of personal data in accordance with applicable data protection laws.
1.2 This addendum was last updated on 11 December 2023.
2 Interpretation
2.1 Unless the context requires otherwise:
a. capitalised terms used, but not defined, in this addendum will have the meanings given to them in applicable data protection laws (or, if not defined in applicable data protection laws, the agreement);
b. the rules of interpretation set out in the agreement apply to this addendum; and
c. references to paragraphs are references to the paragraphs in this addendum.
2.2 In this addendum:
Agreement means the agreement between SGL and the customer that references this addendum
Applicable data protection laws means any applicable data protection or privacy laws of any country, including, if applicable, EU/UK data protection laws, the NZ Privacy Act and the CCPA
CCPA means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., and its implementing regulations
Data subject has the meaning given in EU/UK data protection laws and includes an individual as defined in the NZ Privacy Act, a consumer as defined in the CCPA and any other identified or identifiable natural person to whom any information relates
EU/UK data protection laws means all laws and regulations, including laws and regulations of the European Union, its member states and the United Kingdom, that apply to the processing of data under the agreement, including (where applicable) the GDPR and the equivalent laws of the United Kingdom
GDPR means the European Union General Data Protection Regulation 2016/679
Instruction means the instructions set out in paragraph 3.4 or agreed under paragraph 3.5
NZ Privacy Act means the New Zealand Privacy Act 2020
Personal data means all data which is personal data, personally identifiable information or personal information under applicable data protection laws (as applicable under those laws)
Processing means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Process has a consistent meaning
Sub-processor means any person appointed by SGL or on SGL's behalf to process personal data on the customer's behalf in connection with the agreement.
3 Processing of personal data
3.1 With respect to the processing of personal data under the agreement:
a. for the purposes of EU/UK data protection laws:
i. the customer acts as the data controller; and
ii. SGL acts as the data processor;
b. SGL is acting as the customer's agent for the purposes of the NZ Privacy Act;
c. SGL is the customer's service provider for the purposes of the CCPA; and
d. subject to paragraph 6, SGL may engage the sub-processors listed in appendix 2.
3.2 SGL will comply with all applicable data protection laws that apply to its processing of personal data on the customer's behalf, including, if applicable, all EU/UK data protection laws that apply to data processors.
3.3 The customer must, when using the SaaS service, comply with all applicable data protection laws that apply to the customer's processing of personal data, including, if applicable, all EU/UK data protection laws that apply to data controllers.
3.4 The customer instructs SGL to process personal data and in particular, subject to paragraph 6, transfer personal data to any country or territory:
a. as reasonably necessary to provide the services in accordance with the agreement;
b. as initiated through the use of the SaaS service by the customer, or its authorised users and invited users; and
c. to comply with any further instruction from the customer (including by email or through SGL's support channels) that is consistent with the agreement and this addendum.
3.5 This addendum and the agreement are the customer's complete and final instructions for the processing of personal data as at the time the agreement takes effect. Any additional or alternate instructions must be agreed between the parties separately in writing.
3.6 SGL will not process personal data other than on the customer's instruction unless required by any law to which SGL is subject, in which case SGL will to the extent permitted by applicable law inform the customer of that legal requirement before SGL processes that personal data.
3.7 As required by Article 28(3) of the GDPR (and, if applicable, equivalent requirements of other applicable data protection laws), the nature and purpose of the processing, the types of personal data and categories of data subjects processed under this addendum are set out in appendix 1. SGL may amend appendix 1 from time to time on written notice to the customer as SGL reasonably considers necessary to meet the requirements of the GDPR (and applicable equivalent requirements of other applicable data protection laws).
3.8 The duration of processing is limited to the duration of the agreement. SGL's obligations in relation to processing will continue until the personal data has been properly deleted or returned to the customer in accordance with paragraph 11.
3.9 The customer is solely responsible for ensuring that the customer's instructions comply with applicable data protection laws. It is also the customer's responsibility to enter into data processing agreements with other relevant data controllers in order to allow SGL and its sub-processors to process personal data in accordance with this addendum.
3.10 If, in SGL's reasonable opinion, an instruction infringes applicable data protection laws, SGL will notify the customer as soon as reasonably practicable.
4 Data subject requests
4.1 To the extent permitted by law, SGL will notify the customer promptly if SGL receives a request from a data subject to exercise the data subject's rights under applicable data protection laws relating to any personal data (data subject request).
4.2 Taking into account the nature of the processing, SGL will assist the customer by implementing appropriate technical and organisational measures, to the extent possible, to fulfil the customer's obligation to respond to a data subject request under applicable data protection laws.
4.3 To the extent the customer does not have the ability to address a data subject request, SGL will, on the customer's written request, provide reasonable assistance in accordance with applicable data protection laws to facilitate that data subject request. The customer will reimburse SGL for the costs arising from this assistance.
4.4 SGL will not respond to a data subject request except on the customer's written request or if required by applicable law.
5 Provider personnel
SGL will:
a. take reasonable steps to ensure the reliability of any of its personnel engaged in the processing of personal data;
b. ensure that access to personal data is limited to its personnel who require that access as strictly necessary for the purposes of exercising its rights and performing its obligations under the agreement;
c. ensure that its personnel engaged in processing personal data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
d. ensure that its personnel engaged in processing personal data are informed of the confidential nature of the personal data and receive appropriate training on their responsibilities.
6 Sub-processors
6.1 The customer acknowledges and agrees that SGL may engage its affiliates as sub-processors, and SGL and its affiliates respectively may engage third party sub-processors in connection with the provision of the service.
6.2 SGL has entered into (and will, for any new sub-processor, enter into) written agreements with each sub-processor containing data protection obligations which offer at least the same level of protection for personal data as set out in this addendum and that meet the requirements of Article 28(3) of the GDPR (to the extent applicable) and/or equivalent requirements of other applicable data protection laws, as applicable to the nature of the services provided by that sub-processor.
6.3 The customer may request copies of SGL's written agreements with sub-processors (which may be redacted to remove confidential information not relevant to this addendum).
6.4 A list of current sub-processors for the services as at the start date is set out in appendix 2. SGL may update the list of sub-processors from time to time and, subject to paragraph 6.5, SGL will give at least 30 days' written notice of any new sub-processor. If the customer does not object to any such new sub-processor in accordance with paragraph 6.5, the customer is deemed to have agreed to the new sub-processor.
6.5 SGL may engage sub-processors as needed to serve as an emergency replacement to maintain and support the services. Emergency replacement means a sudden replacement of a sub-processor where a change is outside SGL's reasonable control. In this case, SGL will inform the customer of the replacement sub-processor as soon as reasonably practicable.
6.6 The customer may reasonably object to SGL's use of a new sub-processor by notifying SGL promptly in writing within 10 business days after receipt of SGL's notice in accordance with paragraph 6.4. Such notice will explain the reasonable grounds for the objection. In the event the customer objects to a new sub-processor:
a. SGL will use commercially reasonable efforts to make available to the customer a change in the services, or recommend a commercially reasonable change to the customer's configuration or use of the services, to avoid the processing of personal data by the objected-to new sub-processor without unreasonably burdening the customer; or
b. if SGL is unable to make available such change under paragraph 6.6(a) above, within a reasonable period of time, which will not exceed 30 days, either party may terminate without penalty the statements of work to which the new sub-processor relates or if not possible, terminate the agreement and its right to access and use the SaaS service.
6.7 SGL is liable for the acts and omissions of its sub-processors to the same extent it would be liable if performing the services of each sub-processor directly under the terms of this addendum, except as otherwise set out in this addendum.
7 Security
SGL will maintain technical and organisational measures to protect the confidentiality, integrity and security of personal data (including protection against unauthorised or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, personal data), and to manage data security incidents affecting personal data, in accordance with appendix 3.
8 Security breach management
8.1 SGL will comply with all applicable laws requiring notification to the customer of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed by SGL or its sub-processors of which SGL becomes aware (breach incident).
8.2 SGL will make reasonable efforts to identify the cause of that breach incident, notify the customer in a timely manner to allow the customer to meet its obligations to report a breach incident, and take steps SGL considers necessary and reasonable to remediate the cause of the breach incident, to the extent remediation is within SGL's reasonable control.
9 Audit and compliance
Upon the customer's written request, SGL will, at the customer's cost, submit to the customer's audits and inspections, and provide the customer all information necessary, to demonstrate that both parties are complying with their respective obligations under applicable data protection laws (including SGL's respective obligations under Article 28 of the GDPR).
10 Data protection impact assessment
Upon the customer's written request, SGL will, at the customer's cost, provide the customer with reasonable assistance needed to fulfil the customer's obligations under the GDPR to carry out a data protection impact assessment relating to the customer's use of the service, to the extent the customer does not otherwise have access to the relevant information.
11 Return and deletion of personal data
11.1 Subject to paragraphs 11.2 and 11.3, following termination of the agreement, SGL will delete all personal data within a reasonable period from termination of the agreement.
11.2 Subject to paragraph 11.3, the customer may submit a written request to SGL within 10 business days of the termination of the agreement requiring SGL, within 20 business days of the customer's written request, to:
a. return a complete copy of all personal data by secure file transfer in a common format; and
b. delete all other copies of personal data processed by SGL or any sub-processor.
11.3 SGL, or each sub-processor, may retain personal data to the extent that it is required by applicable laws, provided that SGL ensures the confidentiality of all such personal data and ensures that such personal data is only processed as necessary for the purposes required under applicable laws requiring its processing and for no other purpose.
11.4 If SGL cannot delete all personal data due to technical reasons, it will inform the customer as soon as reasonably practicable and will take reasonably necessary steps to:
a. come as close as possible to a complete and permanent deletion of the personal data;
b. fully and effectively anonymise the remaining data; and
c. make the remaining personal data which is not deleted or effectively anonymised unavailable for future processing.
12 Changes in data protection laws
12.1 SGL may, from time to time and on at least 30 days' written notice to the customer, make any variations to this addendum which SGL considers (acting reasonably) are required as a result of any change in, or decision of a competent authority under, applicable data protection law, to allow transfers and processing of personal data to continue without breach of applicable data protection law.
12.2 If the customer objects to any variation under paragraph 12.1, the customer may, despite anything to the contrary in the agreement, terminate the agreement and its right to access and use the service without penalty on written notice, provided the customer's notice of termination is received by SGL before the effective date of SGL's notice. If the customer does not terminate the agreement and its right to access and use the service in accordance with this paragraph, the customer is deemed to have agreed to the variation.
13 Limitation of liability
The liability of each party to the other party under or in connection with this addendum is subject to the limitations and exclusions set out in the agreement, and any reference in the agreement to the liability of a party means the aggregate liability of that party under the agreement and this addendum together.
14 General
If any provision of this addendum is, or becomes, unenforceable, illegal or invalid for any reason, the relevant provision is deemed to be varied to the extent necessary to remedy the unenforceability, illegality or invalidity. If variation is not possible, the provision must be treated as severed from this addendum without affecting any other provisions of this addendum.
Appendix 1: Details of processing
Nature and purpose of processing
SGL will process personal data as necessary to provide the services in accordance with the agreement, as further specified in SGL's documentation, and as further instructed by the customer and the customer's authorised users and invited users.
Duration of processing
Subject to paragraph 11 of this addendum, SGL will process personal data for the duration of the agreement, unless otherwise agreed upon in writing.
Categories of data subjects
The customer may submit personal data to the SaaS service, the extent of which is determined and controlled by the customer in its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subjects:
- insured persons
- administrative users
- service providers
- sales partners
Type of data
The customer may submit personal data to the SaaS service, the extent of which is determined and controlled by the customer in its sole discretion, and which may include, but is not limited to, the following categories of personal data:
- contact details
- information about dependents
- information about beneficiaries
- financial information
- information about insured articles
Appendix 2: List of sub-processors
- Microsoft Azure - application hosting in the customer's geographic location or in the location agreed by SGL and the customer under the agreement.
Appendix 3: Technical and organisational security measures
As set out at https://www.sentro.co/data-protection-and-security, as that page may be updated from time to time.
Document reference: SSLI-523168997-567\1.0