California Consumer Privacy Act - Data Privacy Annexure

 

This Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Jio Haptik Technologies Limited (“Company”) on behalf of Client in connection with the Services under the Jio Haptik Technologies Limited Terms and Conditions between Company and the Client (the “Agreement”).

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an executed amendment to the Agreement as the case maybe. The terms and conditions of the Data Processing Agreement apply where the CCPA applies to Client or to Jio Haptik Technologies Limited (Company) or to any of their respective Affiliates.

Company shall periodically update the terms of this DPA. Company shall keep the Client notified of amends if any via email.

The term of this DPA shall follow the Terms of the Agreement. Headings, word or phrases not otherwise defined herein shall have the meaning as set forth in the Agreement.

 

Definitions:

  • California Personal Information” means Personal Data in relation to which Client is a Business under the CCPA.

  • “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

  • “Business”, “Sell” and “Service Provider” shall have the meanings given to them in the CCPA.

  • “Business Entity”, “Client” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

  • “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, and the CCPA; in each case, as amended, repealed, consolidated or replaced from time to time.

  • “Data Subject” means the individual to whom Personal Data relates.

  • “European Data” means Personal Data, the Processing of which, is subject to European Data Protection Laws.

  • “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

  • “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Client Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

  • “Data Breach” means a breach of security or a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Jio Haptik Technologies Limited and/or its Sub-Processors in connection with the provision of the Services.

  • “Personal Data Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

  • “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

  • “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Business Entity.

 

1. Security Best Practices

  • The Company should provide a secure environment for Confidential Information and any hardware and software, including servers, network, and data components, to be supported as part of its performance under this Agreement and will at all times, remain aligned with industry standards (i) applicable security and privacy laws and regulations, (ii) applicable privacy and security rules imposed by industry groups, (iii) Privacy & IT Security Best Practices (as defined by ISO 27001), and (iv) all applicable security requirements, obligations, specifications, and event reporting procedures as required in any applicable exhibit or schedule hereof.

2. Security Management

  • Company will develop, implement, maintain, and enforce a written information privacy and security program ("Security Program") that (i) complies with security best practices, (ii) includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Client Data and (iii) is appropriate to the nature, size and complexity of Company’s business operations and the Client Data involved.

  • Company will notify Client of details regarding any material changes to its Security Program that may adversely affect the privacy and security of any Client Data.

  • Company’s support team will provide Client with the contact information of one or more Company representatives who will be available to discuss any privacy and security concerns (e.g., discovered vulnerability, exposed risk, reported concern) with Client and to communicate the level of risk associated with such concerns and any remediation thereof.

3. Personnel Security

  • Prior to assigning any of its Personnel to positions in which they will, or Company reasonably expects them to, have access to Client Data. Company will conduct or verify background checks on such Personnel, except where expressly prohibited by law. For the purposes of this Exhibit, "Personnel" means Company’s employees, independent contractors, and subcontractors that have access to Personal Data.

  • Company Personnel will, upon hiring, and at least annually thereafter, participate in privacy and security awareness training. This training will cover, at a minimum, Company’s privacy and security policies, including acceptable use, password protection, data classification, Breach reporting, the repercussions of violations, and brief overviews of Applicable Laws and Regulations.

  • Company must maintain a security process to conduct appropriate due diligence prior to utilizing subcontractors to provide any of the Services. The due diligence processm shall provide for the identification and resolution of significant security issues prior to engaging a subcontractor, written information security requirements that require subcontractor to adhere to Company's key information security policies and standards within all contracts, and for the identification and resolution of any security issues during the term of the Agreement.

4. Physical Security.

  • The physical security processes in this section apply to all facilities at which Client Data is accessed, processed, stored, transferred, or maintained, including any floor space where Services are performed in which Personnel have access to Client Data, and servers or other equipment that process or store Client Data (the "Secure Area").

  • Secure Area: Client Data will only reside within a Secure Area. Company using Cloud Services will leverage AWS and Azure’s Data Center’s will restrict access to and will control and monitor any Secure Area and will maintain physical security controls at the Secure Area, on a 24-hours-per-day, 7-days-per-week basis ("24/7"). Company will revoke any Personnel's logical access to Secure Areas within forty-eight (48) hours of the cessation of such Company Personnel's need to access buildings, system(s) or application(s).

5. Logical Security.

  • The logical security processes in this section apply to all Company’s systems or Company’s agents' or its assigns' systems and supporting networks used to provide the services on which Client Data is accessed, processed, stored, transferred, or maintained.

  • Company must employ access control mechanisms that:

  • prevent unauthorized access to Client Data;

  • limit access to Personnel with a business need to know;

  • follow principle of least privilege allowing access to only the information and resources that are necessary under the terms of the Agreement; and

  • have the capability of detecting, logging, and reporting access to the system or network or attempts to breach security of the system or network.

  • All Personnel must have an individual account that authenticates that individual's access to Client Data. Access controls and passwords must be configured in accordance with industry standards and best practices. Passwords will be hashed with industry standard algorithms per the Storage, Handling and Disposal Section, below.

6. Telecommunication and Network Security.

  • Company will deploy reasonably appropriate firewall technology in the operation of Company’s sites. Traffic between Company and Client will be protected and authenticated by industry standard cryptographic technologies. Specifically, firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for all IPsec standards and certificates, support for strong encryption and hashing, ICMP and SNMP based monitoring and anti-spoofing.

  • At a minimum, Company will review firewall rule sets annually to ensure that legacy rules are removed, and active rules are configured correctly.

  • Company will deploy intrusion detection or preferably prevention systems (IDS/IPS) in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.

  • Company will deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a maximum period of 90 days.

7. Malicious Code Protection.

  • Company should have current anti-virus software configured to run real-time scanning of machines and a full system scan on a regularly scheduled interval every seven (7) calendar days.

  • Company should scan incoming and outgoing content for malicious code on all gateways to public networks, including, but not limited to, email and proxy servers.

  • Company should quarantine or remove files that have been identified as infected and will log the event.

8. Data Loss Prevention.

  • Company will have policies, procedures, and technical controls in place to prevent data loss.

9. Systems Development and Maintenance.

  • Documentation: Company will maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Client Data.

    ▫️ Vulnerability Management and Application Security Assessments. Company will run internal and external network vulnerability scans as per internal schedule and after any material change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Vulnerabilities identified and rated as critical/high risk by Company will be remediated as per risk and SLA.

      -  For all Internet-facing applications that collect, transmit or display Client Data, Company agrees to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities; CWE/SANS Top 25 vulnerabilities) annually or for all major releases, whichever occurs first. The scope of the security assessment will primarily focus on application security, including, but not limited to, a static code analysis or penetration test of the application, as well as a code review. At a minimum, it will cover the OWASP Top 10 vulnerabilities (https://www.owasp.org).

      -  Company may utilize a qualified third party to conduct the application security assessments. Company may conduct the security assessment review themselves, provided that Company’s Personnel performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Company. Vulnerabilities identified and rated as critical/high risk by Company will be remediated within as per risk and SLA.

  • Source code review: Company will have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all applications that store or process Client Data.

  • Patch Management: Standard Patch Management Policy and Procedures are set up in the company as per (ISMS) ISO 27001 and it is part of Company’s InfoSec Management System.

10. Storage, Handling, and Disposal

  • Data Segregation: Company will physically or logically separate and segregate Client Data from its other Client’s data.

  •  Electronic Form Data. Company will utilize Industry Standard Encryption Algorithms and Key Strengths to encrypt the following:

     -  All Client Data that is in electronic form while in transit over all public wired networks (e.g., Internet) and all wireless networks;           and

     -  All Client Data stored in databases, in file systems, and on various forms of online and offline media (DASD, tape, etc.)

  • Key Management. Industry Standard Cryptography Policy and Key Management Policy is set up and implemented as per (ISMS) ISO 27001 and it is part of Company’s InfoSec Management System.


I. Unless explicitly stated otherwise in this agreement, the Client shall be responsible to ensure that relevant consents as per applicable laws and regulations have been obtained from the individuals/ data subjects and recorded and the correctness and accuracy of such Personal Information and the Company shall have no liability towards the Client or the Users arising as a result of the collection, correctness, accuracy and processing of any such Personal Data.

II. The Client shall be responsible to maintain records of all consent acceptance and refusal for seven years. The Client shall also be responsible to provide details of consent acceptance and/ or refusal within 15 calendar days of the Company’s written request for the same. The Client will be liable to pay for any damages that the Company incurs due to inaccurate and/ or insufficient consent records.

III. The Company will use the Personal Data only on the directions of the Client. The Company will not use Personal Data collected on behalf of the Client, received from the Client or its personnel or otherwise processed on behalf of the Client for any purpose other than as necessary to perform services under this Agreement.

IV. Parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of this Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

V. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of storing, controlling and/ or processing personal data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parties shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

VI. The Parties will ensure that they are in compliance with all applicable laws while handling any personal information and shall execute such agreements as may be necessary to ensure compliance with applicable laws.

VII. The Company shall not under any circumstances, be liable for any damage, destruction, unauthorized access or loss of Personal Data.

VIII. The subject-matter and duration of the processing:

  • The chatbot is built to disseminate information about Client products and services and generate leads for the Client. These details are collected so that the prospect can be contacted via call and/or email by the Client. The Company shall retain Personal Data for a maximum duration of 7 years.


IX. The transfer nature and purpose of the processing:

  • Leads generated from the bots will be shared with the Client. The Client may reach out to the leads over other channels like call and/or email for conversions and sale.
  • For bots that do not generate leads, Personal Data may be collected to respond to queries of data subjects when they utilize bots on the Client’s website.
  • Additionally, some data may be downloaded on dedicated endpoint asset of Company for analytics and research purpose. This downloaded data is deleted within 15 business days from the endpoint to maintain compliance.


X. Categories of Personal Data:

  • Details collected by the data subject may include but not be limited to be name, social security number, unique citizen identifier, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
  • This will depend on the type of use-cases and services which are availed by the Business Entity.


XI. The obligations and rights of the Business Entity:

  • The Business Entity (Client) is responsible to securely store and maintain privacy for subject data and Personal Data.

  • For client availing Agent Chat functionality, the Business Entity (Client) has access to the Company’s portal for accessing chat transcripts. Controls over information security for Personal Data in chat transcripts must be implemented.

  • Access to Analytics Dashboard will be provided by the Company. Business Entity (Client) should ensure appropriate safeguards for limiting and securing access.

  • It is the responsibility of the Business Entity (Client) to implement any and all security measures for protection of Personal Data received from the Company.


XII. The obligations and rights of the Processor/Service Provider:

  • Company (processor/service provider) will store Personal Data securely and limit access to this data through permissions.

  • Company (processor/service provider) is responsible to securely share Personal Data to the Client (controller).

  • Company (processor/service provider) will inform the Client (Business Entity) in case of a data breach of Personal Data collected for that respective Client.


XIII. Breach Notification and Response Procedures

  • Company will maintain incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of, Security Breaches. Upon discovering or otherwise becoming aware a Breach, Company will take all reasonable measures to mitigate the harmful effects of the Breach. Company will also notify Client of the Breach as soon as practicable, but in no event later than 24 hours after the Breach. Notice to Client will include: (i) the identification of the Client Data which has been or Company reasonably believes has been used, accessed, acquired or disclosed during the incident; (ii) a description of what happened, including the date and time of the incident and the date and time of discovery of the incident, if known; (iii) the scope of the incident, including a description of the type of Client Data involved in the incident; (iv) a description of Company response to the incident, including steps Company has taken to mitigate the harm caused by the incident; and (v) other information as Client may reasonably request and is reasonably applicable.

  • Company will retain all data related to known and reported Breaches or investigations until Company reasonably determines that the data is no longer needed. Upon Client’s request, Company will permit Client or its third-party auditor to review and verify relevant video surveillance records, access logs and data pertaining to any Breach investigation. Upon conclusion of investigative, corrective, and remedial actions with respect to a Breach, Company will prepare and deliver to Client a final report that describes in detail: (i) the extent of the Breach; (ii) the Client Data disclosed, destroyed, or otherwise compromised or altered; (iii) all supporting evidence, including, but not limited to, system, network, and application logs; (iv) all corrective and remedial actions completed; and (v) all efforts taken to mitigate the risks of further Breaches.


XIV. Rights of data subjects:

  • Right to opt-out of sale of personal information.

  • Right to Access (Disclosure) of personal information.

  • Right of Data Portability.

  • Right to Deletion / Erasure (The Right to be Forgotten).

  • Right to Restrict Processing.

  • Right to Equal Service

The parties are responsible for assisting each other to the extent this is relevant and necessary for both parties to comply with their obligations to the data subjects.

The Client hereby acknowledges and confirms that the Company is originated in India, and the workforce is primarily situated therein, in light of the same the data shared under this Agreement may get transferred or stored in India, as per the data localization during the course of the Agreement, however only in order to provide the Services to the Client.


XV. Data Subject Requests

  • The Services provides Client with several categories of personal data that Client may use to retrieve, correct, delete, or restrict Personal Data, which Client may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).

  • Upon termination of the Agreement i.e. from the date of termination Haptik will not divulge or use any and all data or non personally identifiable information of the Client. Further, within a period of 30 days from the date of termination of this Agreement, Haptik will destroy and, in case of electronic embodiments, permanently erase all tangible material embodying the data or non personally identifiable information of the Client in its possession or under its control.

  • To the extent that Client is unable to independently address a Data Subject Request through the Services, then upon Client’s written request Company shall provide commercially reasonable assistance to Client to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement.

  • If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Company, Company will promptly inform Client and will advise the Data Subject to submit their request to Client. Client shall be responsible for responding to any such Data Subject Requests or communications involving Personal Data.


XVI. Responsibilities of the parties:

  • The parties agree that Company (Jio Haptik Technologies Limited) will process the Personal Data as a Service Provider strictly for the purpose of performing the Services under the Agreement. Company (Jio Haptik Technologies Limited) shall not (a) Sell Personal data; or (b) retain, use, or disclose Personal data for any purpose other than for the Business Purpose or as otherwise permitted by the CCPA.


XVII. Additional Provisions for California Personal Information

  • This Section (Provisions for California Personal Information) shall apply only to the extent that Client is a Business under the CCPA (California).

  • Roles of the Parties: When processing California Personal Information in accordance with Client Instructions, the parties acknowledge and agree that Company is a Service Provider for the purposes of the CCPA.

  • Additional Applicable Data Protection Legislation: The Company shall at all times adhere to the applicable Data Protection Laws including but not limited to GDPR, CCPA, PDP Act (Singapore) for the purpose of processing activities under this document.

Last updated on: 1st March 2022