Data Processing Addendum (“DPA”)
Effective Date: October 3, 2021
Where Inquisitores Company and/or its affiliates (“Inquisitores” and “Data Processor”) process Personal Data on behalf of Client (“You,” “Client,” and “Data Controller”), the current version of this DPA applies to you as part of your underlying property management software license with Inquisitores (the “Agreement”). This DPA is effective on the Effective Date and amends, supersedes and replaces any prior data processing agreements that the Parties may have entered into.
HEREBY AGREE AS FOLLOWS:
1.1 “Business Purposes” means accessing the Inquisitores Cloud to use the Licensed Programs and Inquisitores Cloud Services for Client’s property management and accounting, and related business purposes.
1.2 “Consumer” and “Data Subject” shall have the meaning ascribed to them in applicable Data Protection Law.
1.3 “Data Controller” has the meaning ascribed to the terms “business” or “controller” under applicable Data Protection Law, and will, at a minimum, mean the company that determines the purposes and means of the processing of Personal Data.
1.4 “Data Processor” has the meaning ascribed to the terms “processor” and “service provider” under applicable Data Protection Law, and will, at a minimum, mean the company which processes Personal Data on behalf of the Data Controller.
1.5 “Data Protection Law” means all data protection or privacy laws applicable anywhere in the world to the Processing of Personal Data under the Agreement, including the Illinois Consumer Privacy Act (“ICPA”).
1.6 “Designated User” or “DU” has the meaning ascribed in the Agreement, or if not defined, shall mean a Client employee or Contractor designated by Client to access the Inquisitores Cloud and Use the Inquisitores Cloud Services and Licensed Programs for Business Purposes.
1.7 “Licensed Programs” or “Software” means the software program(s) identified in the Agreement.
1.8 “Personal Data” means “personal data” or “personal information” as defined under applicable Data Protection Law that Inquisitores is processing pursuant to the Agreement.
1.9 “Process” or “Processing” has the meaning ascribed to the term(s) under applicable Data Protection Law.
1.10 “Sell” has the meaning ascribed to it under applicable Data Protection Law.
1.11 “Services” shall mean any services performed by Inquisitores for Client pursuant to the Agreement, including but not limited to Data Controller’s access to and use of Data Processor’s proprietary hosted technology.
1.12 “Inquisitores Cloud” has the meaning ascribed in the Agreement, or if not defined, shall mean the hardware, software, storage, firewalls, intrusion detection devices, load balancing units, switches and other hardware that make up the Inquisitores Cloud.
1.13 All other capitalized terms shall have the meaning ascribed to them in the Agreement.
- Subject matter of this DPA
2.1 This DPA applies exclusively to the Services and Processing of Personal Data that is subject to applicable Data Protection Law in the scope of the Agreement. The Agreement and this DPA shall form the “documented instructions” of the Data Controller, as used and further described in this DPA, in relation to the Processing of Personal Data in accordance with applicable Data Protection Law. The nature and purpose of the processing, an overview of the types of Personal Data, and the categories of Data Subjects are set forth in the Agreement.
- The Data Controller and the Data Processor
3.1 As between the Parties, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions.
3.2 The Data Processor will only process the Personal Data on documented instructions of the Data Controller in such manner as, and to the extent that, it is appropriate for the provision of the Services, except as required to comply with a legal obligation to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller. The Data Processor shall not process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes applicable Data Protection Law.
3.3 The Parties have entered into the Agreement in order for the Services to benefit Data Controller’s Business Purposes. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to provide the Services, subject to the requirements of this DPA.
3.4 Inquisitores shall not (i) Sell any Personal Data subject to the ICPA received from the Client or (ii) retain, use, or disclose the Personal Data provided by or collected on behalf of the Client for any purpose other than for the purpose of performing the Services specified in the Agreement for the Client, or as otherwise permitted by Data Protection Law, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the Services specified in the Agreement.
- Data Subjects
4.1 To the extent required by applicable Data Protection Law, Data Controller is responsible for ensuring that there is a legal basis for the Processing in relation to the Services and that it has and will provide all notices required by applicable Data Protection Law, and for ensuring that a record of such legal basis and/or notices is maintained. Should a Data Subject or Consumer make any lawful request under applicable Data Protection Law, Data Controller is solely responsible, as between the Parties, for deleting such Personal Data from the database(s) associated with Data Controller’s instance of the Licensed Programs or otherwise responding to and meeting any such Data Subject or Consumer request. Data Processor shall promptly refer to Data Controller any request from Data Subjects or Consumers to exercise any applicable data protection rights (including rights of access, rectification, erasure, objection, restriction, portability, and the right to opt-out) under applicable Data Protection Law. The Licensed Programs provide Data Controller with functionality for Data Controller Designated Users to meet Data Controller’s obligations to respond to and meet such requests from Data Subjects or Consumers. Data Processor will provide reasonable assistance to Data Controller in responding to and meeting requests from Data Subjects or Consumers, pursuant to the terms and conditions of Data Processor’s standard support services under the Agreement.
5.1 Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as strictly confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data by Data Processor of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality. The Data Controller is responsible for ensuring that its Designated Users have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. Data Controller is responsible for reviewing the information Data Processor makes available regarding its data security, including its audit reports and compliance documents referenced in Section 6.3 below, and making an independent determination as to whether the Services meet Data Controller’s requirements and legal obligations, including its obligations under applicable Data Protection Law. Data Controller acknowledges that the Services include certain features and functionalities that Data Controller may elect to use that impact the security of the data Processed by Data Controller’s use of the Services, including but not limited to encryption at rest functionality. Data Controller is further responsible for its Designated Users’ access to Personal Data and for using the available features and functionalities to maintain appropriate security in light of the nature of the data processed by its use of the Services.
6.2 The Data Processor has and shall at all times maintain an appropriate information security policy with respect to the processing of Personal Data that, as appropriate, includes measures described in Section 6.1. As described in Section 6.3 below, Data Processor shall provide information to Data Controller about its information security program. The parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements but will not in any circumstance materially diminish its security measures. The Data Processor will therefore evaluate its information security program on an on-going basis and in its sole discretion will tighten, supplement, and improve these measures in order to maintain compliance with the requirements set out in Section 6.
6.3 At the request of the Data Controller, the Data Processor shall make available to Data Controller, Data Controller’s auditors and/or any supervisory or government body all information necessary to demonstrate Data Processor’s compliance with this Section 6 and allow for and contribute to audits, including inspections. In furtherance of the foregoing, the Data Processor shall conduct the audits described below and provide the Data Controller and/or the Data Controller’s auditors the following information relating to the Processing of the Personal Data:
(a) SSAE18 Audits. During the Term, and so long as SSAE18 remains a current and industry standard auditing standard, Data Processor may annually undertake an audit in accord with the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements No. 18 or a successor standard (collectively, “SSAE18”) with respect to the Inquisitores Cloud Service.
(b) Shared Assessments Program. As of the Effective Date, Data Processor may subscribe to the Shared Assessments Program methodology, which is rooted in industry standards and common compliances, including the Standardized Information Gathering (SIG) questionnaire. The SIG is a comprehensive standardized format questionnaire, created and revised annually by financial industry leaders, aimed at efficiently fulfilling vendor due diligence and risk assessment.
(c) Penetration Testing. Data Processor may conduct penetration tests upon the Inquisitores Cloud. The testing and remediation validation may be performed by an independent third party and evidenced by a separate independent third party.
(d) Data Controller agrees that the Data Processor SSAE18 audit report, if any, SIG questionnaire, and information about penetration tests, if any, on the Inquisitores Cloud are Confidential Information as defined in the Agreement and subject to Data Controller’s confidentiality obligations as provided in the Agreement.
The Data Controller shall be entitled on giving at least 30 days’ notice to the Data Processor (unless requested on shorter notice by a supervisory authority), and no more than one time in any calendar year (unless required by a supervisory authority), to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, an audit or inspection of Data Processor subject to Data Processor’s security policies and procedures. The Data Processor shall reasonably cooperate with such audits requested and carried out by or on behalf of the Data Controller, including by making the information and documents described above in this Section 6.3 available for inspection. Any such onsite audit must be conducted during regular business hours of Data Processor. Any requested onsite audit of more than 4 hours may be subject to additional or applicable fees under the Agreement.
With regard to Section 6.3, where an instruction or request from the Data Controller or Data Controller’s auditors to the Data Processor for the Data Processor to provide information to the Data Controller or Data Controller’s auditors would, in the opinion of the Data Processor, infringe Data Protection Law or other applicable laws to which the Data Controller or the Data Processor are subject, the Data Processor shall immediately inform the Data Controller.
- Information Obligations and Incident Management
7.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Agreement, it shall, as required by applicable Data Protection Law, notify the Data Controller about the incident without undue delay, at all times cooperate with the Data Controller, and follow the Data Controller’s reasonable instructions (within the scope of the Agreement) with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2 The term “incident,” as used in this section shall have the meaning ascribed to it (or the equivalent term) in applicable Data Protection Law.
7.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident.
7.4 Any notifications made to the Data Controller pursuant to this Section 8 shall be addressed to the SPOC of the Data Controller whose contact details are on file, and as the information becomes available, shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer (specified in Appendix 1) or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
- Contracting with Sub-Processors
8.1 Data Controller agrees that Data Processor may engage Data Processor affiliates and other Data Processors as defined by applicable Data Protection Law (“Sub-Processors”) to process Personal Data on behalf of Data Controller. Data Processor shall ensure that any Processing of Personal Data by a Sub-Processor is governed by a contract.
- Returning and Destruction of Personal Data
9.1 Upon expiration or termination of this DPA and the Agreement, the Data Processor shall make Data Controller’s Client Data available to Data Controller for secure download for a limited time period, following which Data Processor shall delete such Client Data.
10.1 In the event of any inconsistency between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
Contact information of the Data Protection Officer/Compliance Officer of the Data Processor.
Name: Arthur R. van der Vant
Address: 5401 W. Lawrence Ave. #300813, Chicago, IL 60630-0813
Phone: +1 (888) 999-5589
Email Address: email@example.com