Data Processing
Addendum

effective June 2022

HOW TO EXECUTE THIS DPA

  1. This DPA consists of two parts: the main body of the DPA, and Schedules 1 – 4.
  2. This DPA has been pre-signed on behalf of Treno. Schedule 2 has been pre-signed by Treno, Inc. as the data importer.
  3. To complete this DPA, Customer must:
    1. Complete the information in the signature box of this DPA and sign this DPA.
    2. Send the signed DPA to Treno by email to [email protected].

Except as otherwise expressly provided in the Agreement, this DPA will become legally binding upon receipt by Treno of the validly completed DPA at the above email address. For the avoidance of doubt, signature of this DPA shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2. Where Customer wishes to separately execute the Standard Contractual Clauses and its Appendix, Customer should also complete the information as the data exporter and sign Schedule 2.

SCHEDULE 1

TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS

For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and Treno is the data importer and the parties agree to the following. If and to the extent an Authorized Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to ‘Customer’ in this Schedule include such Authorized Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.

1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

1.1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses are set out in Schedule 2.

1.2. Docking clause. The option under clause 7 shall not apply.

1.3. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Treno for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data include onward transfers to a third party located outside Europe for the purpose of the performance of the Services

1.4. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Treno to Customer only upon Customer’s written request.

1.5. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 4.3 of this DPA.

1.6. General authorization for use of Subprocessors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Treno has Customer’s general authorization to engage Subprocessors in accordance with section 7 of this DPA. Treno shall make available to Customer the current list of Subprocessors in accordance with section 7 of this DPA. Where Treno enters into the EU P-to-P Transfer Clauses with a Subprocessor in connection with the provision of the Services, Customer hereby grants Treno and Treno’s Affiliates authority to provide a general authorization on Controller’s behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors.

1.7. Notification of New Subprocessors and Objection Right for new Subprocessors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Treno may engage new Subprocessors as described in section 7 of this DPA. Treno shall inform Customer of any changes to Subprocessors following the procedure provided for in section 7 of this DPA.

1.8. Complaints – Redress. Treno shall inform Customer if it receives a Data Subject Request with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. Treno shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.

1.9. Liability. Treno‘s liability under clause 12(b) shall be limited to any damage caused by its Processing where Treno has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.

1.10. Supervision. Clause 13 shall apply as follows:

1.10.1.  Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance  by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

1.10.2. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

1.10.3. Where Customer is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner’s Office shall act as competent supervisory authority.

1.10.4. Where Customer is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.

1.11. Notification of Government Access Requests. For the purposes of clause 15(1)(a), Treno shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.

1.12. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.

1.13. Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.

1.14. Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Applicable Data Protection Laws of the United Kingdom (“UK Data Protection Laws”) or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.

1.15. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

2. ADDITIONAL TERMS FOR THE EU P-TO-P TRANSFER CLAUSES

For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree the following.

2.1.  Instructions and notifications. For the purposes 8.1(a), Customer hereby informs Treno that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to Treno for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from Treno to the relevant Controller where appropriate.

2.2. Security of Processing. For the purposes of clause 8.6(c) and (d), Treno shall provide notification of a personal data breach concerning Personal Data Processed by Treno to Customer.

2.3. Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to Treno by Customer. If Treno receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.

2.4. Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, Treno shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed), but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.

SCHEDULE 2

DESCRIPTION OF PERSONAL DATA PROCESSING

This Schedule forms part of the Standard Contractual Clauses and must be completed and signed by the parties. As evidenced by the signature of each party’s authorized representative below, the data Processing activities carried out by Treno under the Agreement may be described as follows:

1. Subject Matter. The parties acknowledge and agree that the subject matter of the Processing is data importer’s provision of the Services to data exporter as fully described in this DPA and/or the Agreement.

2. Duration. The duration of the Processing of Customer Personal Data is for the Term or until the disposal of all Personal Data, whichever is later.

3. Nature and Purpose.
The nature and purpose of the Processing of Personal Data is for data importer’s provision of the Services to data exporter.

4. Data Categories.  Categories of personal data are identification and contact data (for example, name, address, title, contact details), employment details (for example, employer, job title, geographic location and area of responsibility), and IT information (for example, IP addresses, usage data, cookies data, device specific information, connection data and location data) of the data subjects.

5. Special Data Categories. Data exporter is prohibited from providing data importer with sensitive personal information (such as financial, medical or other sensitive personal information such as government IDs, passport numbers or social security numbers), and data importer has no obligation to comply with the DPA with respect to such data.

6. Data Subjects. The employees of data exporter.

SCHEDULE 3

CALIFORNIA SCHEDULE 

1. For purposes of this Schedule 2, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.

2. It is the parties’ intent that with respect to any personal information, Treno is a service provider.  Treno shall (i) not “sell” (as defined in the CCPA) personal information; and (ii) not retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing personal information for a commercial purpose (as defined in the CCPA) other than providing the Services.  For the avoidance of doubt, the foregoing prohibits Treno from retaining, using or disclosing personal information outside of the direct business relationship between Treno and Customer.  Treno hereby certifies that it understands the obligations under this section 2 and shall comply with them.

3. The parties acknowledge that Treno’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Treno’s provision of the Services and the business relationship between the parties.

SCHEDULE 4

Security Measures

1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Treno’s information security program.

2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Treno’s organization, monitoring and maintaining compliance with the Treno’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3. Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).

4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Treno’s passwords that are assigned to its employees:  (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Treno’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.

6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.

7. Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to:  (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Treno’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Treno’s possession.

9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Treno’s technology and information assets.

10. Incident management procedures design to allow Treno to investigate, respond to, mitigate and notify of events related to the Treno’s technology and information assets.

11. Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

12. Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.