Impendulo Limited Services Data Processing Agreement

Last updated August 23, 2022

This DPA is incorporated into the Contract between Impendulo Limited (“Impendulo” or “us” or “our”) and Customer. If a provision of this Impendulo Limited Services Data Processing Agreement (“DPA”) conflicts with a provision of the Contract, the provision of this DPA governs. Capitalised terms used and not otherwise defined in this DPA have the meanings provided in the Contract.

  1. Except as amended by this DPA, the Contract will remain in full force and effect.
  2. To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
  3. This DPA will automatically expire on the termination or expiration of the Contract.

Impendulo serves enterprises, public sector entities and other organisations (“Customer”) and protects Services Data in compliance with the terms of this DPA. Services Data means personal data relating to named or identifiable individuals that Customer’s authorised users (“Authorised Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).

  1. Control and Ownership.  Customer owns and controls all Services Data. Impendulo does not use Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Impendulo returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated, subject to applicable law.

  2. Security. Impendulo applies technical, administrative and organisational data security measures that meet or exceed the requirements described in Exhibit 1 (“Security”). Impendulo may update and modify Exhibit 1 from time to time, provided that Impendulo must not reduce the level of security provided thereunder, except with Customer’s consent or with 90 days prior written notice.

  3. Cooperation with Compliance Obligations.  At Customer’s reasonable request, Impendulo will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Impendulo, and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Impendulo in its role as service provider or that Customer specifically explains and assigns to Impendulo in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Impendulo’s products due to changes in law or technology, Impendulo shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.

  4. Submit to Audits. Impendulo submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers.

  5. Notify Breaches. Impendulo notifies Customer of unauthorised access to Services Data and other security breaches as required by applicable law.

  6. No Information Selling or Sharing for Cross‐Context Behavioral Advertising. Impendulo does not accept or disclose any Services Data as consideration for any payments, services, or other items of value. Impendulo does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Impendulo processes Services Data only for the business purposes specified in the written Contract. Impendulo does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with the Customer. Impendulo does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA.

  7. Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other countries as "personal data," Impendulo accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Impendulo:

    (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;

    (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

    (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);

    (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;

    (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)

    (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;

    (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

    (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

  8. Integration. This DPA is binding after a Contract has been signed between Impendulo and Customer, and Customer may collect a signed copy of this DPA here: https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhBvMM0PuUDwRJa-YKLWF7XDJmCadDe902vPStclybqCxZXhRh4FU8n6E8ZA6yRBZcc*. This DPA shall not create third party beneficiary rights. Impendulo does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.

  9. Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by the Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataPrivacy@avalara.com
Attn: Legal Department

Impendulo Limited
Lanchester House, 1st Floor, Trafalgar Place
Brighton BN1 4FU


EXHIBIT 1:

SECURITY

Impendulo commits to satisfying the IT security requirements listed below, in order to guarantee an adequate level of data protection and compliance with the applicable laws:

Rights to audit

  • Customer may inspect/audit the security processes and procedures implemented within the services provided, such as:

a) Incident Management Process

b) Business Continuity and Disaster Recovery (plans and tests)

Data Deletion and Disposal

Impendulo must ensure that:

  • upon Customer’s request, all Customer data is returned, or all or a portion of the Customer data in Impendulo’s possession is erased/destroyed
  • shredding of paper and portable media used to store Customer data is encouraged
  • multiple passes of software-based overwriting are performed on all media containing Customer data before they are disposed of

Generali Data Breach

Impendulo must ensure that:

  • an incident response plan with detailed procedures is defined to ensure an effective response to incidents involving Customer data
  • Customer data breaches are immediately reported. In case of a personal data breach, notification procedures for reporting the breach to Customer are in place, following Articles 33 and 34 GDPR
  • Impendulo collaborates with Customer on the incident investigation, if necessary

Access Control and Authentication

Impendulo must ensure that:

  • an access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing and deleting user accounts
  • the use of common user accounts is avoided. In cases where this is necessary, it must be ensured that all users of the common account have the same roles and responsibilities
  • an authentication mechanism is in place, allowing access to the IT system (based on the access control policy and system). As a minimum, a username/password combination must be used. Passwords must respect a certain (configurable) level of complexity
  • the access control system has the ability to detect and not allow the usage of passwords that don’t respect a certain (configurable) level of complexity
  • a specific password policy is defined and documented. The policy must include at least password length, complexity, validity period, as well as number of acceptable unsuccessful login attempts
  • user passwords must be stored in a “hashed” form
  • device authentication is used to guarantee that the processing of data is performed only through specific resources in the network
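The access control bullets above can be read as a small, testable specification: a configurable password policy (length, character classes, failed-attempt threshold), rejection of passwords that fail it, and storage of credentials only in hashed form. The following Python is an added illustration written for this page, not Impendulo's own code; every name in it (`PasswordPolicy`, `AccountStore`, the PBKDF2 parameters) is an assumption chosen for the example.

```python
"""Illustrative password policy + hashed credential store (added example, not Impendulo's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed PBKDF2 work factor; a deployment would tune this to its hardware.
PBKDF2_ITERATIONS = 600_000


@dataclass(frozen=True)
class PasswordPolicy:
    """Configurable complexity rules, as the Exhibit requires them to be documented."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_failed_attempts: int = 5


def check_complexity(password: str, policy: PasswordPolicy) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """In-memory account store enforcing the policy on creation and lockout on login."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self._users: Dict[str, dict] = {}

    def create_user(self, username: str, password: str) -> None:
        problems = check_complexity(password, self.policy)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self._users[username] = {"hash": hash_password(password), "failed": 0, "locked": False}

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            hash_password(password)  # burn equal work so unknown users are not distinguishable by timing
            return False
        if record["locked"]:
            return False
        if verify_password(password, record["hash"]):
            record["failed"] = 0
            return True
        record["failed"] += 1
        if record["failed"] >= self.policy.max_failed_attempts:
            record["locked"] = True  # threshold from the documented policy
        return False

    def is_locked(self, username: str) -> bool:
        return self._users[username]["locked"]


if __name__ == "__main__":
    store = AccountStore(PasswordPolicy(min_length=12, max_failed_attempts=3))
    store.create_user("alice", "Correct-Horse-9")  # constructed sample credential
    print("login ok:", store.authenticate("alice", "Correct-Horse-9"))
```

The lockout counter and the "locked" flag stand in for the audit trail the Exhibit expects; a real deployment would also log each failed attempt with a timestamp so the incident response procedures in the Data Breach section have something to work from.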

Workstation security

Impendulo must ensure that:

  • users are not able to deactivate or bypass security settings
  • anti-virus applications and detection signatures are configured on a weekly basis
  • users do not have privileges to install or deactivate unauthorised software applications
  • the system enforces session time-outs when the user has not been active for a certain period
  • critical security updates released by the operating system developer are regularly installed
  • transferring critical data from workstations to external storage devices (e.g. USB, DVD, external hard drives) is not allowed
  • workstations used for the processing of critical data are preferably not connected to the Internet, unless security measures are in place to prevent unauthorised processing, copying, transfer or storage of Customer data
  • in case of Customer critical data processing, full disk software encryption is enabled on the workstation operating system drives

Mobile and Portable Devices

Impendulo must ensure that:

  • mobile and portable device management procedures are defined and documented establishing clear rules for their proper use
  • specific roles and responsibilities regarding mobile and portable device management are clearly defined
  • the organisation is able to remotely erase Customer data (related to its processing operation) on a mobile device that has been compromised
  • mobile devices are physically protected against theft when not in use

Training

Impendulo must ensure that:

  • staff have an understanding of Customer data protection threats and concerns relating to the service and to the relevant information risk management policies
  • all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of Customer data must also be properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns
  • the organisation has structured and regular training programmes for staff, including specific programmes introducing newcomers to data protection matters
  • a training plan with defined goals and objectives is prepared and executed on a regular basis

Physical Security

Impendulo must ensure that:

  • the physical perimeter of the infrastructure is not accessible to unauthorised personnel
  • clear identification, through appropriate means (e.g. ID badges), is established for all personnel and visitors accessing the premises of the organisation, as appropriate
  • secure zones are defined and protected by appropriate entry controls. A physical log book or electronic audit trail of all access is securely maintained and monitored
  • intruder detection systems are installed in all security zones
  • physical barriers, where applicable, are built to prevent unauthorised physical access
  • vacant secure areas are physically locked and periodically reviewed
  • an automatic fire suppression system, a closed-control dedicated air conditioning system and an uninterruptible power supply (UPS) are implemented in the server room
  • external party support service personnel are granted only restricted access to secure areas