Data Processing Agreement
This Data Processing Agreement (“DP Agreement”) is between Customer and Saviynt and is incorporated into and made a part of the Agreement. Customer and Saviynt are referred to herein as “Parties” and individually as a “Party”.
- DEFINITIONS
Unless otherwise defined below, all capitalized terms have the same meaning given to them in the Agreement and/or schedules thereto.
- “Data Controller” or “Controller” means the entity, which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- “Data Processor” or “Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws” means any law relating to the processing, privacy, and use of Personal Data, including, without limitation (i) the Privacy and Electronic Communications (EC Directive) Regulations 2003 and (ii) the EU General Data Protection Regulation 2016/679 (“GDPR”), as well as any subsequent or replacing laws, directives or regulations and any judicial or administrative interpretation of such laws, directives or regulations.
- “Data Subject” means the person to whom Personal Data relates.
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available in any form, merging, linking as well as blocking, erasure or destruction of Personal Data.
- “Sub-Processor” means any natural or legal person, public authority, agency or other body which processes personal data on behalf of Processor (including any Affiliate of Processor).
- PROCESSING PERSONAL DATA
- Scope and Role of the Parties. The subject matter of the Processing is limited to Personal Data within the scope of applicable law. The duration of the Processing shall be for the duration of the provision of Professional Services and Subscription Services under the Agreement (collectively the “Services”). The nature and purpose of the Processing shall be to provide the Services pursuant to the Agreements. The types of Personal Data processed by the Services are those submitted by Customer to the Services. The categories of Data Subjects are Customer’s representatives and end users, including employees, subcontractors, collaborators and customers. For purposes of the Agreement and this DP Agreement, (i) Customer is the Data Controller and (ii) with respect to Personal Data for which Customer is the Data Controller, Saviynt is the Data Processor Processing such Personal Data on Customer’s behalf.
- Nature and purpose, types, and categories of Personal Data. The nature and purpose, types and categories of Personal Data to be processed under this DP Agreement may include, but may not be limited to, those contained in the table below.
| Item | Description |
| --- | --- |
| Nature of Processing | Provisioning and reconciling access/privileges from connected systems based on defined business processes (joiner, mover, leaver) |
| Purpose of Processing | Provide unified view of identity information across various systems and applications; meet regulatory compliance needs and reduce risk associated with excessive user access; timely removal of access when user leaves the organization |
| Type of Personal Data | Personal data would include: First Name, Last Name, Email Address, Location |
| Categories of Data Subjects | Staff including employees, contractors, temporary and casual workers |
| Special Categories of Data (if any) | Not Applicable |

- Confidentiality and Compliance with Laws. Data Processor shall treat Personal Data as confidential and shall only Process Personal Data in accordance with the Customer’s instructions. Data Processor shall also comply with Data Protection Laws: (i) applicable to Customer in its role as a Data Controller; and (ii) applicable to Saviynt in its role as a Data Processor.
- DATA PROCESSOR PERSONNEL
- Screening of Data Processor Personnel. Data Processor shall take reasonable steps to screen its personnel who may have access to Personal Data and shall require such personnel to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data. All Data Processor personnel that handle Personal Data on behalf of the Customer must sign confidentiality agreements or otherwise commit or be subject to an appropriate statutory or other legal obligation of confidentiality with Data Processor. Such confidentiality obligations shall survive termination of employment.
- Use of Data Processor Personnel. Data Processor shall process the Personal Data only (a) as needed to provide the Services, (b) in accordance with Customer’s documented instructions (including any instructions regarding data transfers to third countries) and (c) as needed to comply with applicable law, with respect to the region in which the Personal Data originates. Data Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that any natural person acting under the authority of the Data Processor who has access to Personal Data does not process it except on Customer’s instructions, unless required to do so by applicable law.
- SUB-PROCESSORS
- Use of Sub-Processors. Data Processor may engage Sub-Processors, with Customer’s prior written consent, to Process Personal Data on its behalf only (a) as needed to provide the Services, (b) in accordance with Data Processor’s documented instructions (including any instructions regarding data transfers to third countries) and (c) as needed to comply with the requirements of the law that governs Sub-Processor in its performance. Data Processor shall ensure that any Sub-Processor being used has entered into a written agreement requiring compliance with terms and data protection obligations no less protective than those provided for in this DP Agreement. Data Processor shall be liable for the acts and omissions of any Sub-Processor to the same extent as if the acts and omissions were performed by the Data Processor.
- Notification of Sub-Processors. Data Processor shall give Customer prior written notice of the appointment of any Sub-Processor including, if requested, full details of the Processing to be undertaken by the Sub-Processor. Data Processor may remove, replace or appoint suitable and reliable further Sub-Processors in its sole discretion. Data Processor shall, on written request, make available to Customer a list of all Sub-Processors being used in the Processing.
- INTERNATIONAL DATA TRANSFERS
To provide the Services as described in this DP Agreement, Data Processor and its Sub-Processors, if any, will only access Personal Data from (i) countries in the European Economic Area and (ii) countries formally recognized by the European Commission as providing an adequate level of data protection. Accordingly, Data Processor and its Sub-Processors, if any, may not transfer or export any Personal Data under the Agreement or this DP Agreement unless (i) such transfer or export complies with applicable law with respect to the region in which the Personal Data originates; and (ii) if necessary for such compliance, Data Processor enters into an appropriate data transfer agreement with Customer.
- GOVERNMENT ACCESS REQUESTS
- Process for Notification. Unless prohibited by applicable law or a legally-binding request of law enforcement, Data Processor shall promptly notify Customer of any request by a government agency or law enforcement authority for access to or seizure of Personal Data and provide reasonable assistance to Customer if Customer wishes to respond to the request. Data Processor shall not respond to such communication directly without Customer’s prior authorization unless legally compelled to do so.
- SECURITY
- Security of Processing. Data Processor shall implement and maintain appropriate technical and organizational measures in such a manner that its Processing of Personal Data will meet the requirements of applicable law, ensure the protection of the rights of the data subjects, and ensure a level of security appropriate to the risk, including as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account shall be taken of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
- Personal Data Breach Notification. Upon becoming aware of a Personal Data Breach, Processor shall promptly (not more than seventy-two (72) hours after becoming aware of a Personal Data Breach) notify Customer of any Personal Data Breach affecting the Personal Data that Data Processor maintains on the Customer’s behalf. The notice will include (i) the date or estimated date of the incident; (ii) the date Data Processor discovered the breach; (iii) a description of the breach; (iv) the number of Data Subjects affected; (v) the types of Personal Data involved; and (vi) the likely consequences of the Personal Data Breach and the investigative and mitigation measures taken or proposed to be taken to address it. Data Processor will cooperate with and update Customer as necessary, including any related data breach reporting obligations required by law.
- Public Disclosure of Personal Data Breach. The content and provision of any notification, public/regulatory communication or press release concerning the Personal Data Breach shall be solely at Customer’s discretion, except as otherwise required by applicable law.
- COOPERATION
Data Processor will, upon reasonable notice, cooperate with requests by Customer to facilitate the Processing of Personal Data and to ensure Customer’s compliance with its obligations under the Data Protection Laws, including by way of example: (i) maintaining and providing Customer with a complete, accurate, and up-to-date written record of categories of Processing activities carried out on behalf of Customer; (ii) providing reasonable assistance to Customer in carrying out a privacy impact assessment; and (iii) providing reasonable assistance to Customer in consulting a supervisory authority in relation to privacy impact assessments. To the extent that Customer is subject to and involved in an investigation by a governmental authority or litigation arising out of or related to a Personal Data Breach under this DP Agreement, Data Processor will provide full cooperation to Customer in responding to such event.
- AUDITS
- Maintenance of Records and Certifications. Data Processor shall maintain records in accordance with ISO 27001 or similar Information Security Management System (“ISMS”) standards and applicable law. Upon request, Data Processor shall provide copies of these records, including relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by Customer to verify Data Processor’s compliance with this DP Agreement.
- RETURN AND DELETION OF PERSONAL DATA
Upon termination or expiration and in accordance with the Agreement or DP Agreement, Data Processor shall, at Customer’s option, delete or return all Personal Data to Customer, and delete existing copies except where it is required to retain copies under applicable law, in which case Processor will isolate and protect that Personal Data from any further Processing except to the extent required by applicable law.
- LIABILITY AS A RESULT OF A PERSONAL DATA BREACH
- Limitation of Liability. The Parties agree that in the event that the Customer suffers damage(s) as a result of a Personal Data Breach by the Data Processor or a Sub-Processor, Customer is entitled to receive compensation from the Data Processor for the damages suffered related to Covered Costs, subject to the limitations set forth in Section 10 of the Agreement.
- Covered Costs. For purposes of Section 11.1, covered costs shall include the following: (i) costs to notify individuals whose Personal Data was lost or compromised; (ii) costs to establish and operate a call center to receive calls from affected individuals; (iii) costs to provide credit monitoring (or similar data protection services) and credit restoration services to individuals whose Personal Data was lost or compromised; (iv) costs associated with third party claims arising from the Personal Data Breach or loss of Personal Data, including damages, litigation costs and settlement costs; and (v) any investigation, enforcement or similar miscellaneous costs.
- GENERAL PROVISIONS
- Termination. The term of this DP Agreement will survive so long as Data Processor or its Sub-Processors Process Personal Data and end simultaneously and automatically with the termination of the Agreement.
- Modification. This DP Agreement may not be modified except by a subsequent written instrument signed by both Parties.
- Conflict. In the event of a conflict between the provisions of this DP Agreement and the Agreement, the provisions of the agreement will prevail with regard to the Parties’ data protection guidelines.
- Section Headings. The section headings contained in this DP Agreement are for reference purposes only and shall not in any way affect the meaning or interpretation of this DP Agreement.
- Severability. If any part of this DP Agreement is held unenforceable, the validity of all remaining parts will remain in full force and effect.