Global DPA for Quadient Partners
PREAMBLE
This Data Processing Addendum (“DPA”) forms part of the agreement for the purchase or subscription to Quadient Solutions between the Parties (the “Agreement”), where Solution Partner’s Customer acts as a data controller (“Customer”), Partner acts as a data processor (“Data Processor”), and Quadient acts as subprocessor (“Subprocessor”, also called “Service Provider”). The Subprocessor(s) may be one or more Quadient group entities involved in the processing of the controller’s personal data for the performance of the subscribed Quadient Solution, as selected in Quadient’s ordering document (the “Order Form”). This DPA shall be effective as of the Effective Date. The list of Quadient Solutions is as follows:
a. Quadient Digital Platform
b. Quadient Inspire Flex
c. Quadient Inspire Evolve
d. Quadient Impress
e. Quadient AR
f. Quadient AP
g. iForms
Terms Not Defined Herein. Capitalized terms used but not defined in this DPA will have the respective meanings provided for in the General Terms and Conditions, Specific Terms and Conditions and Order Form signed by the Customer.
1. DEFINITIONS.
1.1. “Affiliate” means, as to a party, any other entity that directly or indirectly controls, is controlled by, or is under common control with such party. For the purpose of this definition “control” means direct or indirect ownership or control of more than 50% of the voting interests or the possession, directly or indirectly, of power to direct the management or policies of an entity.
1.2. “AI-enabled Processing” means Processing activities performed in connection with the Services that involve an Artificial Intelligence System, including machine learning, automated decision-making, or generative AI.
1.3. “Artificial Intelligence System” means a machine-based system designed to operate with varying levels of autonomy that may generate outputs such as predictions, recommendations, classifications, or content that can influence physical or virtual environments, as defined under applicable artificial intelligence laws and regulations, including the EU Artificial Intelligence Act where relevant.
1.4. “Customer Personal Data” means any Personal Data that Service Provider Processes on behalf of Customer and under the instructions of the Partner pursuant to the Agreement.
1.5. “Data Controller” means the Customer; the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and shall include a “controller” (General Data Protection Regulation (“GDPR”)), a “business” (California Consumer Privacy Act (“CCPA”)) or similar term as defined by Data Protection Laws.
1.6. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, as defined by Decision (EU) 2023/1795 of the European Commission, and the Swiss-U.S. Data Privacy Framework as defined by the Federal Act on Data Protection (FADP), SR 235.1 and the Decision of the Swiss Federal Council dated 14 August 2024.
1.7. “Data Processor” means Partner; a natural or legal person which Processes Personal Data on behalf of the Data Controller and shall include a “processor” (GDPR), “service provider” (CCPA) or similar term as defined by Data Protection Laws.
1.8. “Data Protection Laws” means the GDPR, the UK GDPR, the new Swiss Data Protection Act (nFADP) of 1 September 2023, the Australian Privacy Act 1988 (Cth), the Japanese Act on the Protection of Personal Information (“APPI”), the United States’ state and federal laws regarding data privacy, including the California Consumer Privacy Act and its implementing regulations (the “CCPA”), and the Federal Law on the Protection of Personal Data Held by Private Parties, enacted in the United States of Mexico, in each case as amended from time to time and only to the extent applicable to Service Provider’s Processing of Customer Personal Data under the Agreement.
1.9. “Data Subject” means the identified or identifiable person to whom Customer Personal Data relates.
1.10. “Effective Date” means the later of the date on which the Agreement becomes effective or the date on which Customer provides Customer Personal Data to Service Provider for Processing.
1.11. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.12. “Personal Data” means any information relating to an identified or identifiable natural person that is “personal data”, “personal information”, “personally identifiable information” or such similar term as defined under Data Protection Laws, including sensitive data or sensitive information or such similar term as defined under the Data Protection Laws.
1.13. “Personal Data Breach” means a data breach, as defined under Data Protection Laws, affecting Customer Personal Data to the extent caused by Service Provider’s breach of this DPA.
1.14. “Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.15. “Subprocessor” means Quadient, acting as a Data Processor engaged by Solution Partner.
1.16. “Subsequent Subprocessor” means any Subprocessor engaged by Service Provider as listed in Annex I.B.6.
1.17. “Supervisory Authority” means the regulatory body competent for supervising the compliance of Personal Data Processing operations with Data Protection Laws, other governmental, regulatory, enforcement and surveillance authorities, and courts or tribunals.
1.18. “UK GDPR” means the Data Protection Act 2018, as amended by regulations under the European Union (Withdrawal) Act 2018, and the UK General Data Protection Regulation.
2. GENERAL.
2.1. Roles. The parties acknowledge and agree that Service Provider acts as a Subprocessor in relation to any Customer Personal Data that Service Provider processes under the instruction of the Partner. The parties and their respective employees, contractors, and agents shall cooperate to ensure compliance with Data Protection Laws in the performance of their tasks with respect to this DPA.
2.2. Processing. Partner has engaged and hereby instructs Service Provider to Process Customer Personal Data to the extent necessary for the provision of Services and the performance of the Agreement. The subject matter, duration, nature, and purposes of the Processing and the types of Personal Data and categories of Data Subjects contemplated by this DPA are accurately described in Annex I.B.
2.3. Processing under CCPA. With respect to Customer Personal Data that is “personal information” for purposes of the CCPA, Service Provider shall not (i) sell (including exchanging for monetary or other valuable consideration) or share the personal information; (ii) retain, use, or disclose the personal information for any purpose other than for the business purposes specified in the Agreement, including performing the services, or as otherwise permitted by the CCPA; (iii) retain, use, or disclose the personal information outside of the direct business relationship between Service Provider and Customer; or (iv) except as otherwise permitted under the CCPA, combine the personal information that Service Provider receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a California resident. Service Provider certifies that it understands the restrictions set forth in this section with respect to Customer Personal Data that is “personal information” for purposes of the CCPA and will comply with them.
3. RESPONSIBILITIES AND OBLIGATIONS.
3.1. Service Provider. During the term of the Agreement and under the instructions of the Partner, Service Provider will:
a) Comply with all applicable Data Protection Laws in connection with its Processing of Customer Personal Data.
b) Process Customer Personal Data solely for the purpose of, and as necessary to carry out its obligations in accordance with, the Order Form and this DPA and as required by Data Protection Laws.
c) Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain the technical and organizational measures set forth in Annex II to ensure a level of security appropriate to the risks presented by the Processing and the nature of Customer Personal Data, provided that Service Provider may update or modify the security measures from time to time as long as such updates and modifications do not result in the degradation of the overall security.
d) To the extent Partner is a Processor as defined under the GDPR, make available to Partner on request during the term of the Agreement all information reasonably necessary to demonstrate Service Provider’s compliance with Article 28 of the GDPR and, to the extent Customer is a “controller” as defined under the GDPR, a “business” as defined under the CCPA, or a trustee under the APPI, allow for and contribute to audits, no more than once per year, with respect to the Processing by Service Provider of Customer Personal Data in order to ascertain compliance with this DPA; provided, however, that such audits shall occur only by one of the following means: (1) Service Provider supplying a summary copy of its audit report(s), prepared by independent third-party auditors and/or internal auditors, to Partner; (2) Service Provider providing written responses to reasonable requests for information made by Partner related to the Processing of Customer Personal Data, including responses to information security questionnaires that are necessary to confirm Service Provider’s compliance with this DPA; or (3) Partner instructing Service Provider to carry out an audit or inspection of agreed technical and organizational measures, the results of which Service Provider shall share with the Partner in a summary format. Partner shall provide reasonable advance written notice to Service Provider of any requested audit (and in any event no less than 30 days’ notice).
e) Where AI-enabled Processing materially supports automated decision-making or otherwise influences decisions affecting individuals, Service Provider may consider providing reasonable assistance to Partner (to the extent applicable and reasonably available) to enable Partner to meet relevant transparency, information, and human intervention obligations under the GDPR and applicable AI regulations.
f) To the extent permitted by law, promptly notify Partner of: (i) any legally binding request for disclosure of Customer Personal Data by a law enforcement authority; (ii) any request received in relation to Customer Personal Data directly from a Data Subject; and (iii) any complaint, communication or request relating to Partner’s obligations under applicable Data Protection Laws.
g) In the event Partner is required to provide information (including details of the services provided by Service Provider) to a competent Supervisory Authority, provide reasonable assistance to Partner, at Partner’s cost, by providing such information, to the extent that such information is in the possession of Service Provider.
h) Taking into account the nature of the Processing, implement or have available (with assistance from Customer and Partner as necessary), to the extent required under Data Protection Laws, appropriate mechanisms, where possible, to fulfill its obligations with respect to requests from Data Subjects seeking to exercise their rights under Data Protection Laws.
i) If Service Provider receives any requests from Data Subjects or applicable Supervisory Authorities relating to the Processing of Customer Personal Data, including requests from Data Subjects seeking to exercise their rights under Data Protection Laws, promptly redirect the request to Partner and not respond to such communication directly without Partner’s prior authorization, unless legally compelled to do so. For requests from Data Subjects located in Australia, inform Partner of the request to the extent permitted by applicable law, and endeavor to consult with Partner before responding or communicating directly with the Data Subject or applicable Supervisory Authorities in accordance with and to the extent permitted by applicable law (including, but not limited to, Data Protection Laws).
j) Notify Partner without undue delay of any Personal Data Breach and provide information relating to the Personal Data Breach as required by Data Protection Laws and as reasonably requested by Partner to meet its notification obligations under Data Protection Laws.
k) Upon termination of the Agreement and upon completion of Service Provider’s obligations in relation to the Processing of Customer Personal Data under this DPA, Service Provider shall either, as set forth in the Agreement, return, destroy, or render anonymous all or certain subsets of Customer Personal Data; provided, however, that if Service Provider determines that anonymization, return, or destruction of Customer Personal Data is not reasonably feasible, including because Service Provider is required by applicable law to retain any such Customer Personal Data, Service Provider shall notify Partner thereof and limit any further Processing to those purposes that make the anonymization, return or destruction infeasible. The requirements of this section shall survive termination or expiration of this DPA and shall be in force as long as any Customer Personal Data remain in the custody or control of Service Provider.
3.2. AI-enabled Processing (where applicable). Before introducing or materially modifying AI-enabled Processing in the Services, Service Provider should assess and document whether the relevant functionality may be subject to prohibited-use restrictions, transparency obligations, or high-risk requirements under applicable AI law, and should notify Partner where that classification may materially affect Customer’s compliance obligations. Where the Services involve AI-enabled Processing of Customer Personal Data, Service Provider shall ensure that:
a) AI-enabled Processing is performed solely to provide the Services and in accordance with the Agreement, this DPA, Partner’s documented instructions, and applicable law.
b) Service Provider implements safeguards proportionate to the nature, context and risk of the AI-enabled Processing, including human oversight where required, output validation, access controls, data minimisation, security controls, and ongoing monitoring for material errors, bias, discriminatory impact, unexpected behaviour, and misuse.
c) Service Provider maintains logs and records sufficient to support security investigations, incident response, compliance reviews, audit requests, and regulatory inquiries, and shall preserve relevant logs where an incident, complaint, regulatory inquiry, or suspected non-compliance occurs.
d) Customer Personal Data is not used to train, fine-tune, validate, test, improve, or develop any Artificial Intelligence System unless Partner has expressly authorised such use in writing and such use is permitted under applicable law.
e) Service Provider provides, upon Partner’s reasonable request, information necessary to support Partner’s compliance with applicable data protection and AI laws, including the EU Artificial Intelligence Act where relevant.
f) Service Provider promptly notifies Partner of any material AI-related incident, malfunction, security event, unauthorised training use, unexpected behaviour, or output issue that affects or is reasonably likely to affect Customer Personal Data, Data Subjects, or Partner’s compliance obligations.
3.3. Service Provider Personnel and Subsequent Subprocessors. Service Provider further agrees that during the Term of the Agreement it will:
a) Ensure that each Subsequent Subprocessor engaged to Process Customer Personal Data is made aware of Service Provider’s obligations under this DPA by entering into a written agreement with such Subsequent Subprocessor that imposes substantially the same obligations on such Subsequent Subprocessor as are imposed on Service Provider under this DPA. Service Provider acknowledges that any material failure by its Subsequent Subprocessors to comply with the terms of this DPA shall be deemed a breach of this DPA by Service Provider.
b) Ensure that such of its affiliates, employees, and agents who are authorized to Process Customer Personal Data are bound by contract, employment policies, or fiduciary or professional ethical obligations with respect to confidentiality and data security.
3.4. Partner.
a) Partner shall comply with its obligations under Data Protection Laws with respect to Customer Personal Data. Partner shall ensure that Customer will not use the Services in a manner that violates Data Protection Laws.
b) Partner in Australia will notify Service Provider without undue delay of any Personal Data Breach and provide information relating to the Personal Data Breach as required by Data Protection Laws and as reasonably requested by Service Provider to meet its notification obligations under Data Protection Laws.
c) Partner represents and warrants that it has a valid legal basis or lawful purpose for Processing Customer Personal Data under this DPA and for any transfer of Customer Personal Data to Service Provider. Partner shall immediately notify Service Provider if any change should occur in the legal bases or lawful purposes for the Processing or transfer of Customer Personal Data and shall immediately instruct Service Provider of any new or revised scope, duration, subject matter, nature, or purposes regarding the Processing of Customer Personal Data by Service Provider.
d) Partner shall ensure that Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquires Customer Personal Data. Partner shall ensure that Customer represents and warrants that it has all rights and necessary consents and that it has provided all necessary notices to Process Customer Personal Data and to transfer Customer Personal Data to Service Provider. Partner shall ensure that Customer obtains all necessary consents from Data Subjects.
e) Partner shall ensure that Customer is responsible for using the Services in a manner that complies with Data Protection Laws and for implementing appropriate technical and organizational measures with respect to its systems, networks, resources, personnel, and operations to ensure the privacy and security of Customer Personal Data and the transfer of Customer Personal Data to Service Provider.
f) To the extent permitted by law, Partner shall promptly inform Service Provider of any inquiry or complaint received from a Data Subject or a Supervisory Authority relating to the Processing of Customer Personal Data under this DPA.
g) Partner agrees and provides a general written authorization for Service Provider to engage its Affiliates as well as third-party Subsequent Subprocessors in the Processing of Customer Personal Data without Partner’s and Customer’s prior consent, provided that Service Provider notifies Partner of any new Subsequent Subprocessors within thirty (30) days, and enters into an agreement with the Subsequent Subprocessor containing data protection obligations that are as restrictive as the obligations under this DPA (to the extent applicable to the services provided by the Subsequent Subprocessor). Within ten (10) days of receiving a notification from Service Provider of any changes in its use of Subsequent Subprocessors during the term of the Agreement, Partner shall notify Service Provider of any objections to such additional or different Subprocessors. If Partner does not notify Service Provider of an objection within such ten (10) day period, Partner acknowledges and agrees that Service Provider may use the Subsequent Subprocessor(s) identified in the notice pursuant to the general authorization provided by Partner in this Section. If Partner does notify Service Provider of an objection, Service Provider shall work with Partner in good faith to take reasonable measures to address the Legitimate Reasons (as defined below) for the objections raised by Partner, and where such measures cannot be agreed within twenty (20) days from Service Provider’s receipt of the notice, Partner may by written notice to Service Provider terminate the Services which require the use of the proposed Subsequent Subprocessor. “Legitimate Reasons” shall be deemed given if there is an indication based on objective facts which reasonably support the assumption that the engagement of the new Subsequent Subprocessor would breach Data Protection Laws or this DPA. Partner acknowledges and agrees that Service Provider may engage such Subsequent Subprocessors as Service Provider determines are reasonably appropriate for the Processing of Customer Personal Data under the Agreement and the Standard Contractual Clauses. Partner hereby consents to the processing of Customer Personal Data by, and the disclosure and transfer of Customer Personal Data to, the Subprocessors listed in Annex I.B.
4. DATA TRANSFER.
4.1. Partner acknowledges and agrees that Customer Personal Data will be transferred outside of the European Union (“EU”), the European Economic Area (“EEA”) and Australia, including to the United States, and that Service Provider’s Subsequent Subprocessors may also transfer Customer Personal Data to other jurisdictions. Partner confirms that Customer hereby agrees to such transfers, and the parties agree to comply with the EU Standard Contractual Clauses (“SCCs”) and the UK/Swiss Addendum as described in Annex I.A. The SCCs shall apply with respect to transfers of Customer Personal Data regarding a resident of the EU or EEA, the UK Addendum shall apply with respect to transfers of Customer Personal Data regarding a resident of the United Kingdom, and the Swiss Addendum shall apply with respect to transfers of Customer Personal Data regarding a resident of Switzerland. The parties shall work together during the term of the Agreement (together with the relevant Subsequent Subprocessor) to ensure and maintain a legally approved mechanism to facilitate such data transfers, including working together to document the appropriateness of such mechanism in accordance with Data Protection Laws.
4.2. In the event the Service is covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism, as applicable, in accordance with the following order of precedence: (a) the Data Privacy Frameworks; (b) the applicable Standard Contractual Clauses; and, if neither of the preceding is applicable, (c) other alternative data Transfer Mechanisms permitted under Applicable Laws.
4.3. To the extent Service Provider processes Customer Personal Data originating from the EEA, the United Kingdom, or Switzerland, Service Provider declares that it is self-certified under the Data Privacy Frameworks and adheres to the Data Privacy Principles.
4.4. The applicable Standard Contractual Clauses and the UK or Swiss Addendum are available at the following link: Standard Contractual Clauses | Quadient.
5. MISCELLANEOUS
5.1. This Data Processing Addendum will be governed by the law of the jurisdiction where the Quadient Entity is based.
5.2. ANY CLAIMS BROUGHT UNDER THIS DPA WILL BE SUBJECT TO THE TERMS AND CONDITIONS OF THE AGREEMENT, INCLUDING THE EXCLUSIONS AND LIMITATIONS SET FORTH IN THE AGREEMENT, WHICH SHALL PREVAIL; PROVIDED, HOWEVER, THAT THE PARTIES HAVE NOT LIMITED THEIR LIABILITY UNDER THE AGREEMENT WITH RESPECT TO ANY DATA SUBJECT’S RIGHTS UNDER DATA PROTECTION LAWS WHERE SUCH LIMITATION WOULD BE PROHIBITED BY LAW.
5.3. In the event of a conflict between the Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and UK/Swiss Addendum and, accordingly, if and to the extent the SCCs and UK/Swiss Addendum conflict with any provision of this DPA, the SCCs and UK/Swiss Addendum shall prevail to the extent of such conflict.
5.4. All notices provided for in this DPA shall be sent to Service Provider and Partner at the addresses provided in the Agreement and in accordance with all requirements for service of notices set forth therein.
5.5. Government Disclosure Requests. Service Provider has implemented measures to regulate the disclosure of Customer Personal Data to a government entity. These measures require Service Provider to consider its obligations to comply with any order or demand and any legal obligations to protect Customer Personal Data. With regard to data of EU and UK/Swiss residents, Service Provider abides by the obligations set forth in the SCCs and the UK Addendum. Specifically, to the extent permitted by law, Service Provider will promptly notify Partner of the order or demand before Service Provider responds. If Service Provider is not permitted to provide notification to Partner, Service Provider will seek permission to notify Partner or ask the issuing court or government authority to seek the requested documents directly from Partner. Service Provider will challenge an order or demand when appropriate and valid legal grounds exist. If production is required to comply with a valid court order or demand, Service Provider will disclose the minimum amount of Customer Personal Data necessary to comply with such order or demand.
5.6. This DPA will terminate automatically upon the termination of the Agreement.
ANNEX I
A. LIST OF PARTIES DATA PROCESSING ADDENDUM INCLUDING SCCs WHERE APPLICABLE.
Partner
Name: Partner as defined in the Order Form
Address: as defined in the Order Form
Contact person’s name, position and contact details: as defined in the Order Form
Signature and accession date: by signing the Order Form, Partner accepts to be bound by the GTCs with all referenced documents including the standard contractual clauses as applicable.
DPO name: Data Protection Officer
DPO contact details: as defined in the Order Form
Role: Processor

Quadient
Name: Quadient as defined in the Order Form
Address: as defined in the Order Form
Contact person’s name, position and contact details: as defined in the Order Form
Signature and accession date: by signing the Order Form, Quadient accepts to be bound by the GTCs with all referenced documents including the standard contractual clauses as applicable.
DPO name: Data Protection Officer
DPO contact details: privacyteam@quadient.com
Role: Subprocessor
B. DESCRIPTION OF PROCESSING
1. Categories of data subjects whose personal data is processed:
| Subscription to | Categories of data subjects |
|---|---|
| Quadient Digital Platform | The extent of data sharing is determined and controlled by Customer in its sole discretion (but in accordance with Data Protection Laws), and may include, but is not limited to, Personal Data relating to the following categories of data subjects: a) employees including contingent workers, consultants, contractors; b) Customer and clients of each Customer, including prospects, institutional client and/or counterparty representatives; c) authorized signatories; d) professional advisers, agents, experts; e) third-party vendors; f) recipients of customer communication; g) for Switzerland, personal data includes legal entities. |
| Quadient Inspire Flex Cloud Services | |
| Quadient Inspire Evolve | |
| Quadient Impress | |
| Quadient AR | |
| Quadient AP | |
| iForms | |
2. Categories of personal data processed:
| Subscription to | Categories of personal data |
|---|---|
| Quadient Digital Platform | The extent of data sharing is determined and controlled by Customer in its sole discretion (but in accordance with Data Protection Laws), and may include, but is not limited to, the following categories of Personal Data: first and last name; addresses; email addresses; phone numbers; communication content; IP address and log history; User Data; financial data (bank account numbers, for Quadient AR, Quadient AP and iForms). |
| Quadient Inspire Flex Cloud Services | |
| Quadient Inspire Evolve | |
| Quadient Impress | |
| Quadient AR | |
| Quadient AP | |
| iForms | |
Sensitive data:
| Subscription to | Categories of sensitive personal data |
|---|---|
| Quadient Digital Platform | None |
| Quadient Inspire Flex Cloud Services | |
| Quadient Inspire Evolve | Partner needs to make sure that Customer informs Service Provider if any sensitive data as defined in Data Protection Laws will be processed in the Solutions, before such processing takes place. |
| Quadient Impress | |
| Quadient AR | |
| Quadient AP | |
| iForms | |
FREQUENCY. The transfer of personal data will occur with the following frequency: periodically during the term of the Subscription Agreement, depending on how Customer uses the Services.
3. Nature of processing:
| Subscription to | Nature of the processing |
|---|---|
| Quadient Digital Platform | Quadient (as subprocessor) will process Customer Personal Data for the purposes of providing Quadient’s Services, including collecting, storing, and safeguarding Controller’s personal data. |
| Quadient Inspire Flex Cloud Services | |
| Quadient Inspire Evolve | |
| Quadient Impress | |
| Quadient AR | |
| Quadient AP | |
| iForms | |
4. Purpose(s) for which the personal data is processed on behalf of the controller:
| Subscription to | Purpose(s) of the data transfer and further processing |
|---|---|
| Quadient Digital Platform | Login portal for Quadient Digital Solutions. |
| Quadient Inspire Flex Cloud Services | Performance of the subscribed Quadient Services as defined in the Order Form: customer communication and data quality services. |
| Quadient Inspire Evolve | |
| Quadient Impress | |
| Quadient AR | Import invoice-level data and contact data, store them encrypted, send reminders, and collect payment confirmations. Accounts receivable automation and management solution that imports invoice-level data and contact data. |
| Quadient AP | Accounts payable management solution for Customers, including enabling payment remittance communications between Customers and their vendors. |
| iForms | Use data to generate reports, minutes or other documents, transmit them to external integrators or send them to customers’ back-office systems. |
5. Duration of processing:
| Subscription to | Period for which the personal data will be retained |
|---|---|
| Quadient Digital Platform | See the General Terms and Conditions and Specific Terms and Conditions. |
| Quadient Inspire Flex Cloud Services | |
| Quadient Inspire Evolve | |
| Quadient Impress | |
| Quadient AR | |
| Quadient AP | |
| iForms | |
6. For processing by (subsequent) Subprocessors, also specify subject matter, nature and duration of the processing: for Quadient Digital Platform, Inspire, Impress, iForms, Quadient AR services and Quadient AP services, please refer to the following list: https://resources.quadient.com/m/161f452f7a8c8517/original/Quadient-Digital-subprocessors-list.pdf
C. COMPETENT SUPERVISORY AUTHORITY
France’s Commission Nationale de l’Informatique et des Libertés.
ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Notwithstanding any additional measures agreed to in the General Terms and Conditions and Specific Terms and Conditions, Quadient has implemented and will maintain for both Corporate and Customer Data (‘Data’) the following security measures, which in conjunction with the security commitments in this Data Processing Agreement (‘DPA’) (including the GDPR Terms), are Quadient’s only responsibility with respect to the security of that data.
Domain | Practices |
Organization of Information Security | Security Responsibility. Each Party shall appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures. Security Roles and Responsibilities. Each Party’s personnel with access to Data shall be subject to confidentiality obligations. Risk Management Program. Each Party shall perform a risk assessment before processing the Data or launching the corresponding service. Each Party shall retain its security documents pursuant to its retention requirements after they are no longer in effect. |
Asset Management | Asset Inventory. Each Party shall maintain an inventory of all assets on which Data is stored. Access to the inventories of such assets shall be restricted to personnel authorized in writing to have such access. Asset Handling. - Each Party shall classify Data to help identify it and to allow for access to it to be appropriately restricted. - Each Party shall impose restrictions on printing Data and shall have procedures for disposing of printed materials that contain Data. - Each Party’s personnel shall obtain internal authorization prior to storing Data on portable devices, remotely accessing Data, or processing Data outside its facilities. |
Human Resources Security | Security Training. Each Party shall inform its personnel about relevant security procedures and their respective roles. Each Party shall also inform its personnel of possible consequences of breaching the security rules and procedures. |
Physical and Environmental Security | Physical Access to Facilities. Each Party shall limit access to facilities where information systems that process Data are located to identified authorized individuals. Protection from Disruptions. Each Party shall use a variety of industry standard systems to protect against loss of Data due to power supply failure or line interference. Component Disposal. Data Processor shall use industry standard processes to delete Data when it is no longer needed. |
Communications and Operations Management | Operational Policy. Each Party shall maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Data. Data Recovery Procedures. - On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), Each Party shall maintain multiple backups of Data from which such data can be recovered. - Each Party shall store backups of Data and data recovery procedures in a different place from where the primary computer equipment processing the Data is located. - Each Party shall have specific procedures in place governing access to backups of Data. - Each Party shall log data restoration efforts, including the person responsible, the description of the restored Data and, where applicable, which Data (if any) had to be input manually in the data recovery process. Malicious Software. Each Party shall have anti-malware controls to help avoid malicious software gaining unauthorized access to Data, including malicious software originating from public networks. Data Beyond the Limits of the Information System. - Each Party shall encrypt Data that is transmitted over public networks. - Each Party shall restrict access to Data stored on media leaving its facilities. Event Logging. Each Party shall log access to and use of information systems containing Data, registering the access ID, time, authorization granted or denied, and relevant activity. AI Security Measures (where applicable). Where either Party uses an AI System in connection with the Agreement, that Party should implement and maintain controls proportionate to the relevant use case and legal risk, which may include: (i) an assessment of whether the use may fall within a prohibited practice, a high-risk AI system, or another regulated category under applicable AI law; (ii) appropriate human oversight measures; (iii) logging and recordkeeping sufficient to support compliance review and incident investigation; (iv) output validation measures proportionate to the impact of the use; (v) escalation procedures for AI-related incidents, errors, or security events; and (vi) user-facing disclosures where required by law. |
Access Control | Access Policy. Each Party shall maintain a record of security privileges of individuals having access to Data. Access Authorization. - Each Party shall maintain and update a record of personnel authorized to access its systems that contain Data. - Each Party shall deactivate authentication credentials that have not been used for a period of time not to exceed six months. - Each Party shall identify those personnel who may grant, alter or cancel authorized access to Data and resources. - Each Party shall ensure that individuals have separate identifiers/log-ins. Need to Know. - Technical support personnel are only permitted to have access to Data when needed. - Each Party shall restrict access to Data to only those individuals who require such access to perform their job function. Integrity and Confidentiality. - Each Party shall instruct its personnel to disable administrative sessions when leaving premises under its control or when computers are otherwise left unattended. - Each Party shall store passwords in a way that makes them unintelligible while they are in force. Authentication. - Each Party shall use industry standard practices to identify and authenticate users who attempt to access information systems. - Where authentication mechanisms are based on passwords, Each Party shall require that the passwords are renewed regularly. - Where authentication mechanisms are based on passwords, Each Party shall require the password to be at least eight characters long. - Each Party shall ensure that de-activated or expired identifiers are not granted to other individuals. - Each Party shall monitor repeated attempts to gain access to the information system using an invalid password. - Each Party shall maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed. - Each Party shall use industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage. Network Security. Each Party shall have controls to prevent individuals from assuming access rights they have not been assigned in order to gain access to Data they are not authorized to access. |
Information Security Incident Management | Incident Response Process. - Each Party shall maintain a record of security breaches with a description of the breach, the time period, the consequences of the breach, the source of the reporting, and the main mitigation and recovery actions. - For each breach that is a Security Incident, notification by Data Processor to Data Controller shall be made without undue delay. Service Monitoring. - Each Party’s operations personnel shall verify logs on a regular basis to propose remediation efforts if necessary. |
Business Continuity Management | - Data Processor shall maintain emergency and contingency plans for the facilities in which its information systems that process Data are located. - Data Processor’s redundant storage and its procedures for recovering data shall be designed to attempt to reconstruct Data in its original or last-replicated state from before the time it was lost or destroyed. |