DATA PROTECTION ADDENDUM
This Data Protection Addendum (“Addendum”) supplements the terms and conditions in the Master Agreement and is incorporated therein. In the event of a conflict between this Addendum, and any other agreement between the parties on the issues set forth herein, this Addendum shall control.
1. DEFINITIONS
1.1. Terms not defined herein have the meanings set forth in the Master Agreement. The following words in this Addendum have the following meanings:
1.2. “Authorized User” means an individual permitted by Customer who may include either or a Customer’s employee and/or contractor, to access and use the Platform on behalf of the Customer, pursuant the execution of the Master Agreement.
1.3. “Customer Data” means any Personal Data related to any Authorized User or identifiable natural person that is transferred, processed, or stored by Globalization Partners on behalf of Customer for the use of the Platform by the Customer.
1.4. “Data Protection Laws” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, but not limited to, GDPR, UK GDPR, US privacy laws (including state and federal laws) and Singapore’s Personal Data Protection Act
1.5. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
1.6. “EEA” means the European Economic Area.
1.7. “EOR Services” means the employer of records services to be provided by Globalization Partners to Customer in accordance with the Master Agreement.
1.8. “Master Agreement” means the agreement executed between Customer and Globalization Partners.
1.9. “Platform” means Globalization Partners’ proprietary software , including without limitation, the software, the mobile version, any software contained therein, and any data made available through the use of either Globalization Partners’ proprietary software or the third party services, including their updates, upgrades, platform as a service, documentation, a description of which is set out at https://www.globalization-partners.com/goglobal/
1.10. "Controller" "Data Subject", "Personal Data", “Data Breach”, "Processor", and "Process/Processing" and/or any other similar terms and concepts shall have the meanings as defined in Data Protection Laws.
2. RELATIONSHIP OF PARTIES AND ROLES
2.1. Roles of the Parties and Details of Processing. Globalization Partners shall process Personal Data as an independent Controller when Globalization Partners provides EOR Services. In no event will the Parties Process Personal Data under this Addendum as joint Controllers. Where Globalization Partners operates as an independent Controller, Globalization Partners shall comply with its Controller obligations under Data Protection Laws when Processing Personal Data and shall Process the Personal Data as described in Globalization Partners’ Privacy Policy available at https://www.globalization-partners.com/privacy-policy/. Customer shall comply with its obligations under Data Protection Laws when Processing Personal Data as a Controller. To the extent Globalization Partners acts as Processor while Processing Customer Data, such Processing shall be carried out in accordance with Section 3 (“Processing of Personal Data”) below.
2.2. Responsibilities and Acknowledgements. Each Party may process Personal Data under this Addendum with respect to Personal Data as independent data Controllers. The Parties agree to comply with their respective obligations and to process any Personal Data fairly and lawfully in compliance with this Addendum and all Data Protection Laws applicable to such Party’s Personal Data Processing operations. Each Party shall ensure that its Processing of Personal Data is limited to the purpose of the EOR Services being provided by Globalization Partners and is based on a legal ground for lawful processing. The Parties will assist each other in complying with their respective obligations under Data Protection Laws, including, but not limited to, assisting each other if a Data Breach occurs, responding to Data Subjects and/or regulators’ requests.
3. PROCESSING OF PERSONAL DATA
3.1. Scope. The use of the Platform by the Customer and the Customer management relationship may entail the Processing of Customer Data by Globalization Partners as a Processor on behalf of Customer.
3.2. Instructions. Globalization Partners will process Customer Data in accordance with Customer’s documented instructions. Customer agrees that this Addendum, the Master Agreement, and Annex I attached hereunder, comprise Customer’s complete instructions to Globalization Partners regarding the Processing of Customer Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. Globalization Partners is not responsible for determining if Customer’s instructions are compliant with applicable law. However, if Globalization Partners is of the opinion that a Customer instruction infringes applicable Data Protection Laws, Globalization Partners shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.
3.3. Details of Processing. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Customer Data and data subjects are as specified in Annex I attached hereto.
3.4. Compliance. Customer and Globalization Partners agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available, any Customer Data to Globalization Partners. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for Globalization Partners to Process Customer Data as directed by Customer.
3.5. Subprocessors. Customer authorizes Globalization Partners to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the Globalization Partners group of companies. Globalization Partners may continue to use those Subprocessors already engaged by Globalization Partners as of the date of this Addendum, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, Globalization Partners shall be liable to the Customer for the performance of the Subprocessor’s obligations. Globalization Partners shall notify Customer of any changes to its list of Subprocessors. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and Globalization Partners cannot reasonably accommodate Customer’s objection, the parties will discuss Customer’s concerns in good faith with a view to resolving the matter.
3.6. Technical and organizational security measures. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data within the Platform, Globalization Partners shall implement appropriate technical and organizational security measures to ensure security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data. Globalization Partners will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.
3.7. Confidentiality. Globalization Partners shall ensure that persons authorized to access the Customer Data (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and (ii) access the Customer Data only upon documented instructions from Globalization Partners, unless required to do so by applicable law.
3.8. Personal Data Breach. Globalization Partners will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach.
3.9. International Transfers. Globalization Partners is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers, Globalization Partners shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Agreement. Where Globalization transfers Customer Data to countries outside the EEA (which are not subject to an adequacy decision under Privacy Laws), Globalization Partners shall execute and comply with its obligations under the Module EU Commission’s Standard Contractual Clauses (annexed to EU Commission Decision 2021/914/EU of 4 June 2021) (the “EU SCCs”), which shall be entered into and incorporated into this Addendum by this reference and completed as follows:
- Module 2 (Controller to Processor) will apply where Customer is a Controller of Personal Data and Globalization Partners is a Processor of Personal Data;
- in Clause 7, the optional docking clause will apply;
- in Clause 11, the optional language will not apply;
- in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Agreement;
- in Clause 17, Option 1 will apply, EU SCCs will be governed by Irish Law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Addendum;
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Addendum; and
- Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this Addendum.
Nothing in the interpretations in this Section 3.9 is intended to conflict with either Party’s rights or responsibilities under the EU SCCs and, in the event of any such conflict, the EU SCCs shall prevail.
3.10. Deletion of Personal Data. Upon termination of the Services (for any reason) and if requested by Customer in writing, Globalization Partners shall, as soon as reasonably practicable, return or delete the Customer Data stored in the Platform unless applicable law requires storage of the Customer Data for a longer period. For such retention the provisions of this Addendum shall continue to apply to such Customer Data.
3.11. Data Subject Requests. Globalization Partners shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. Globalization Partners will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the Platform.
3.12. Third party requests. If Globalization Partners receives any requests from third parties or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which Globalization Partners is subject relating to the Processing of Customer Data under the Agreement, Globalization Partners will promptly redirect the request to the Customer. Globalization Partners will not respond to such requests without Customer’s prior authorization unless legally compelled to do so. Globalization Partners will, unless legally prohibited from doing so, inform the Customer in advance of making any disclosure of Customer Data and will reasonably co-operate with Customer to limit the scope of such disclosure to what is legally required.
3.13. Data Protection Impact Assessment and Prior Consultation. To the extent required by Data Protection Laws, Globalization Partners shall provide reasonable assistance to Customer to carry out a data protection impact assessment in relation to the Processing of Customer Data undertaken by Globalization Partners and/or any required prior consultation(s) with supervisory authorities. Globalization Partners reserves the right to charge Customer a reasonable fee for the provision of such assistance.
3.14. Demonstrating Compliance. Globalization Partners regularly conducts external audits on organization’s security, availability, processing integrity, confidentiality and privacy controls and will provide Customer with a copy of the most recent summary audit report or certification upon written request. If the Customer prefers to conduct its own audit in addition to the provided third party certifications or reports, such audit shall be conducted: i) no more than once per each 12 (twelve) months period; ii) during normal business hours and without disrupting Globalization Partners’ day-to-day business; iii) with thirty (30) days prior written notice; iv) at the Customer’s sole expense (including Globalization Partner’s time spent assisting the Customer during the audit based on the daily rate of a security manager); v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or processing activities contemplated and be specific to the actual requirement; vi) based upon mutually agreed in advance date, subject to reasonable postponement by Customer upon Globalization Partners’ reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the forgoing, no audit right is granted after termination of the Master Agreement, except for legal obligations that will have to be demonstrated by the Customer. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR Services agency, a related organization or consultant.
Annex I
Data Processing Description
| Parties | Controller / Data Exporter: Customer Processor / Data Importer: Globalization Partners entity executing the Master Agreement. |
| Processing Activities | Globalization Partners will process Customer Data in its provision of the Platform as a service to the Customer. |
| Duration of the Processing | Globalization Partners will Process Customer Data for the duration of the Master Agreement and on a continuous basis. |
| Nature and Purpose of Processing | Customer may transfer Customer Data to Globalization Partners, the extent of which is determined and controlled by the Customer in its sole discretion. Globalization Partners will Process Customer Data as necessary for the purposes of providing the Platform as a service to the Customer in accordance with the Master Agreement. |
| Categories of Data Subjects | The Customer Data concern Authorized Users of the Platform who may include Customer’s employees and/or contractors, in addition to individuals whose Personal Data is supplied by Authorized Users of the Platform. |
| Types of Personal Data | The Customer Data transferred may include the following categories of data:
|
| Special Categories of Data (if appropriate) | N/A |
| Retention | Customer Data will be retained at least as long as any applicable legally mandated minimum retention period, that is consistent with applicable statutes of limitations and meets good business practices. |
| Competent Supervisory Authority | The Irish Data Protection Commission |
| Transfers to Subprocessors | For transfers to processors, the subject matter, nature and duration of the processing are the same as above defined. |
| Globalization Partners Privacy contact details | privacy@globalization-partners.com Attn: Global Privacy Office. |
Annex II
Technical And Organisational Measures
Globalization Partners has been certified and attested to confirm compliance with SOC 2 standards, by independent auditors. Service Organization Controls (SOC) reports demonstrate our commitment to securing Customer Data. Globalization Partners’ security program is designed to:
- Protect the confidentiality, integrity, and availability of Customer Data in Globalization Partners’ possession or to which Globalization Partners has access;
- Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Data;
- Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Customer Data;
- Protect against accidental loss or destruction of, or damage to, Customer Data; and
- Safeguard information as set forth in any regulations by which Globalization Partners may be regulated.
The following describes the functions, processes, controls, systems, procedures and measures which Globalization Partners has taken to ensure the security of the Processing of Customer Data:
1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION
a) Privacy by Design and Default:
Globalization Partners takes the requirements of Article 25 GDPR into account in the conception and development phase of product development. Processes and functionalities are set up in such a way that the data protection principles such as legality, transparency, purpose limitation, data minimization, etc. as well as the security of processing are considered at an early stage.
b) Encryption of Personal Data:
Ensuring that personal data are only stored in the system in a way that does not allow third parties to identify the data subject.
- Database and storage encryption:
On all databases used by Globalization Partners an encryption "at rest" according to the state of the art is used so that the data from the database can only be read after proper authentication on the respective database system. - Encryption of mobile data media:
The use of mobile data carriers for storing customer data is not permitted. - Encryption of data carriers on laptops:
Appropriate state-of-the-art hard disk encryption is installed on all employees' laptops. - Encrypted exchange of information and files:
In principle, the exchange of information and files is directly encrypted via a special application. If personal data or confidential information must be transferred to servers which cannot be sent via TLS-encrypted HTTPS uploads, these will be transferred using Secure File Transfer Protocol (SFTP), encrypted envelope service or another encrypted mechanism according to the state of the Art. - E-Mail Encryption:
In principle, all e-mails sent by employees of Globalization Partners are encrypted with TLS. Exceptions may be if the receiving mail server does not support TLS. The Customer shall ensure that the corresponding mail servers used within the scope of the order support TLS encryption
c) Admission Control
Admission controls are intended and put in place in order to prevent the use and processing of data which is protected by data protection laws by unauthorized persons.
- Use of authentication methods
Access to personal data is always via encrypted protocols: SSH, SSL/ TLS, HTTPS or comparable protocols. Authentication procedure for IT system: Multifactor authentication log-in to IT system. - Automatic blocking in case of inactivity
Laptops used by Globalization Partners employees locked with password or PIN protection when not in use by the user. In addition, an automatic screen lock with password protection is set up after 15 minutes of inactivity. - Use of anti-virus software
Laptops used by Globalization Partners employees are equipped with state-of-the-art anti-virus software that is kept up to date on all operational or business IT systems. As a matter of principle, no computers may be operated without resident virus protection unless other equivalent state-of-the-art security measures have been taken or there is no risk. Default security settings must not be deactivated or circumvented. - "Clean Desk Policy"
Employees of Globalization Partners are instructed not print out or locally store personal data of data subjects, not to leave work materials in a location where they may be viewed by third parties, and to store all work materials properly. Documents which Globalization Partners is required by law to hold in hard copy are stored in locked cabinets.
d) Access Controls Within the Platform
Access controls ensure that persons authorized to use a processing system have access only to the personal data covered by their access authorization.
- Roles and Authorization
- Roles and Authorization Platform – Customer Access Customer users can view and edit customer account information.
- Roles and Authorization Platform – Professional Access Professional users can view and edit their own professional information. Professionals can also gain Customer access role upon requirement + approval
- Roles and Authorization Platform – Internal Access
Internal access users have varied roles. They have varied access to create, view, edit, and approve the following:
- Customer information
- Billing information
- Partner information
- Professional personnel records information
e) Firewall as a Service
Globalization Partners uses use an external firewall as a service that allows it to grant or block access to websites to make sure systems can’t access malicious content and to restrict access to inappropriate content.
f) Record of Log-In to the Platform
Globalization Partners maintains a record of all login activity.
g) Separability
Ensuring that personal data collected for different purposes can be processed separately and are separated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.
- Separation of development, test and operating environments
Data from the operating environment may only be transferred to test or development environments if it has been made completely anonymous before transfer. The transfer of the anonymized data must be encrypted or via a trustworthy network. - Separation in networks
Globalization Partners separates its networks according to tasks. The following networks are used permanently: operating environment ("Production"), test environment ("Staging", “Sandbox”), development environment (“Dev”) office IT staff. In addition to these networks, further separate networks are created as required, e.g., for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated either physically or by means of virtual networks.
i) Availability control
Globalization Partners takes the following steps to ensure that personal data is protected against accidental destruction or loss.
- Data protection procedures/ backups
To ensure adequate availability Globalization Partners implements daily snapshots of its database with replication to a different region. Measures are also taken to ensure employees with job-based need to review data are granted access only to replica datasets. - Geo-redundancy with regard to server infrastructure of productive data and backups
- IT incident management ("Incident Response Management")
There is a concept and documented procedures for handling incidents and safety- relevant events. This includes the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security- relevant events and the definition of corresponding responsibilities and reporting channels in the event of a violation of the protection of personal data within the framework of the legal requirements.
2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION
Globalization Partners has put in place the following organizational measures to ensure the organization operates in a manner that meets data privacy and protection requirements.
a) Organizational Instructions
Globalization Partners has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. Documentation includes how to identify and manage data privacy issues, best practices for ensuring privacy compliance, and policies for addressing privacy incidents.
b) Commitment to confidentiality and data protection
Globalization Partners has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. All employees and contractors are bound in writing to confidentiality and data protection as well as other relevant laws. All employees receive privacy & security training. Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes. The employees and contractors of Globalization Partners are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.
c) Data protection training
All employees receive privacy & security training which remains available for review at any time in Globalization Partners training platform.
d) Physical Access Controls
Globalization Partners has the following physical controls in place to deny unauthorized persons access to IT systems equipment used for processing.
- Electronic door protection
The entrance doors to the premises of Globalization Partners offices are always locked and electronically secured. The doors are opened via a personal electronic transponder. - Controlled distribution of keys
A central, documented allocation of keys to the employees of Globalization Partners takes place. These electronic transponders/keys could be deactivated centrally by each office manager or the People Resources department. - Supervision and accompaniment of external persons
External service providers and other third parties may only be granted access to the premises via prior authorization or when accompanied by an employee of Globalization Partners. Globalization Partners applies its written Visitor’s Policy when visitors are invited to the premises. - Securing of premises with increased need for protection
Premises or cabinets with increased protection requirements, such as legal offices and certain Operations locations, are equipped with locking cabinets and drawers. Cabinets and drawers where legal documents, contracts, and confidential documentation are held are to be locked at all times except when they are in use. - Closed doors and windows
Employees are organizationally instructed to keep windows and doors closed or locked outside office hours.
e) Recoverability
Globalization Partners ensures that systems in use can be restored in the event of physical or technical failure.
- Regular tests of the data recovery ("Restore-Tests")
Regular full restore tests are carried out to ensure recoverability in the event of an emergency/disaster. - Emergency plan ("Disaster Recovery Concept")
There is a concept for the treatment of emergencies/disasters and a corresponding emergency plan. Globalization Partners ensures the recovery of all systems on the basis of the data backups / backups, usually within 48 hours. - Review and evaluation measures
Presentation of the procedures for regular review, assessment and evaluation of the effectiveness of the technical and organizational measures.
f) Privacy Team
The organization has a Global Data Privacy Office tasked with planning, implementing, evaluating and adapt measures in the field of data protection.
g) Risk Management
There is a process for analyzing, evaluating, and allocating risks and for deriving measures on the basis of these risks.
3) INDEPENDENT REVIEW OF INFORMATION SECURITY
a) Performance of audits
Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes.
b) Review of compliance with security policies and standards
Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is checked regularly. Where possible, these checks are carried out on a random and unexpected basis.
c) Verification of compliance with technical specifications
Regular automated and manual vulnerability scans are performed by the IT department or other qualified personnel to verify the security of the applications and infrastructure, as well as the regular development of the product. Detailed penetration tests are carried out by an external service provider to specifically examine the applications and infrastructure for vulnerabilities.
d) Processing on instruction
The employees of Globalization Partners are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.
e) Careful supplier selection
Globalization Partners adheres to its Supplier Prequalification Process when selecting vendors and suppliers who may encounter protected data. This process includes feedback from the Finance and Legal/Privacy Departments and incorporates risk assessment, security prequalification and documentation certification steps. Suppliers who will process protected data will be required to demonstrate their adherence to applicable data privacy laws, including Article 28 GDPR for covered data.
Annex III
List of Subprocessors
| Globalization Partners subsidiaries | Providing the Platform and Customer relationship management |
| Acumatica | Financial Services |
| Amazon Web Service | Hosting – Cloud Services Provider |
| Microsoft Azure | Hosting – Cloud Services Provider |
| Atlassian | Business Process Support for services management |
| Conga | Contracts Management |
| DocuSign | Document Management |
| Gong | Telecommunications Services |
| iCertis | Contracts Management |
| Salesforce.com | Business Process Support for Customer Relationship management (CRM) |
| Zendesk | Helpdesk inquiries for customer support |