
EU General Data Protection Regulation - Data Privacy Annexure


This Jio Haptik Technologies Limited (Company) Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Jio Haptik Technologies Limited (Company) on behalf of Customer in connection with the Services under the Jio Haptik Technologies Limited (Company) Master Service Agreement (including any Professional Services Statement of Work) between Jio Haptik Technologies Limited (Company) and Customer (the “Agreement”).

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement or in an executed amendment to the Agreement. The terms and conditions of the Data Processing Agreement apply where the EU GDPR applies to Customer or to Jio Haptik Technologies Limited (Company) or to any of their respective Affiliates.

We periodically update the terms of this DPA. Jio Haptik Technologies Limited (Company) will let you know when we do via email.

The term of this DPA shall follow the Term of the Agreement. Words or phrases not otherwise defined herein shall have the meaning as set forth in the Master Service Agreement.

Definitions:

  • “California Personal Information” means Personal Data in relation to which Customer is a Business under the CCPA.

  • “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

  • “Business”, “Sell” and “Service Provider” shall have the meanings given to them in the CCPA. 

  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

  • “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, and the CCPA; in each case as amended, repealed, consolidated or replaced from time to time. 

  • “Data Subject” means the individual to whom Personal Data relates.

  • “European Data” means Personal Data, the Processing of which, is subject to European Data Protection Laws.

  • “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

  • “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Jio Haptik Technologies Limited and/or its Sub-Processors in connection with the provision of the Services. “Personal Data Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

  • “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

  • “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

  • “Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, in the form set out at Annex 3.

  • “Sub-Processor” means any Processor engaged by Jio Haptik Technologies Limited or its Affiliates to assist in fulfilling Jio Haptik Technologies Limited’s obligations with respect to the provision of the Services under the Agreement.  Sub-Processors may include third parties or Jio Haptik Technologies Limited Affiliates but shall exclude any Jio Haptik Technologies Limited employee or consultant.

1. Security Best Practices.

  • The Company should provide a secure environment for Confidential Information and any hardware and software, including servers, network and data components, to be supported as part of its performance under this Agreement and will at all times, remain at the higher of (i) applicable security and privacy laws and regulations, (ii) applicable privacy and security rules imposed by industry groups, (iii) Privacy & IT Security Best Practices (as defined by ISO 27001), and (iv) all security requirements, obligations, specifications and event reporting procedures as required in any applicable exhibit or schedule hereof.

2. Security Management. 

  • Company will develop, implement, maintain, and enforce a written information privacy and security program ("Security Program") that (i) complies with security best practices, (ii) includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data and (iii) is appropriate to the nature, size and complexity of Company’s business operations and the Customer Data involved.

  • Company will notify Client of details regarding any material changes to its Security Program that may adversely affect the privacy and security of any Client and Customer Data.

  • Company will designate a senior employee to be responsible for overseeing and carrying out its Security Program and for communicating with Client on information security matters. Upon Client’s request, Company’s Security Officer will provide Client with the contact information of one or more Company representatives who will be available to discuss any privacy and security concerns (e.g., discovered vulnerability, exposed risk, reported concern) with Client and to communicate the level of risk associated with such concerns and any remediation thereof.

3. Personnel Security.

  • Prior to assigning any of its Personnel to positions in which they will, or Company reasonably expects them to, have access to Customer Data, Company will conduct or verify background checks on such Personnel, except where expressly prohibited by law. For the purposes of this Exhibit, "Personnel" means Company’s employees, independent contractors, and subcontractors that have access to Personal Data.

  • Company Personnel will, upon hiring, and at least annually thereafter, participate in privacy and security awareness training. This training will cover, at a minimum, Company’s privacy and security policies, including acceptable use, password protection, data classification, Breach reporting, the repercussions of violations, and brief overviews of Applicable Laws and Regulations.

  • Company must maintain a security process to conduct appropriate due diligence prior to utilizing subcontractors to provide any of the Services. Company will assess the security capabilities of any such subcontractors on an annual basis to ensure subcontractor's ability to comply with this Exhibit and the terms of the Agreement. The due diligence process will provide for the identification and resolution of significant security issues prior to engaging a subcontractor, written information security requirements that require subcontractor to adhere to Company's key information security policies and standards within all contracts, and for the identification and resolution of any security issues during the term of the Agreement.

4. Physical Security.

  • The physical security processes in this section apply to all facilities at which Customer/Client Data is accessed, processed, stored, transferred, or maintained, including any floor space where Services are performed in which Personnel have access to Customer/Client Data, and servers or other equipment that process or store Customer/Client Data (the "Secure Area").
  • Secure Area: Customer/Client Data will only reside within a Secure Area. Company will restrict access to and will control and monitor any Secure Area and will maintain physical security controls at the Secure Area, on a 24-hours-per-day, 7-days-per-week basis ("24/7"). Company will revoke any Personnel's access to Secure Areas within twenty-four (48) hours of the cessation of such Company Personnel's need to access buildings, system(s) or application(s).

5. Logical Security.

  • The logical security processes in this section apply to all Company’s systems or Company’s agents' or its assigns' systems and supporting networks used to provide the services on which Customer/Client Data is accessed, processed, stored, transferred, or maintained.
  • Company must employ access control mechanisms that: 
    • prevent unauthorized access to Customer/Client Data;

    • limit access to Personnel with a business need to know;

    • follow principle of least privilege allowing access to only the information and resources that are necessary under the terms of the Agreement; and

    • have the capability of detecting, logging, and reporting access to the system or network or attempts to breach security of the system or network.

  • All Personnel must have an individual account that authenticates that individual's access to Customer/Client Data. Access controls and passwords must be configured in accordance with industry standards and best practices. Passwords will be hashed with industry standard algorithms per the Storage, Handling and Disposal Section, below.

6. Telecommunication and Network Security.

  • Company will deploy reasonably appropriate firewall technology in the operation of Company’s sites. Traffic between Company and Client will be protected and authenticated by industry standard cryptographic technologies. Specifically, firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for all IPsec standards and certificates, support for strong encryption and hashing, ICMP and SNMP based monitoring and anti-spoofing.

  • At a minimum, Company will review firewall rule sets annually to ensure that legacy rules are removed, and active rules are configured correctly.

  • Company will deploy intrusion detection or preferably prevention systems (IDS/IPS) in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.

  • Company will deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a maximum period of 180 days.

7. Malicious Code Protection.

  • All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server. Virus definitions must be updated within twenty-four (24) hours of release by the anti-virus software vendor. Company will configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Company’s or Client’s computing environment.

  • Company will have current anti-virus software configured to run real-time scanning of machines and a full system scan on a regularly scheduled interval not to exceed seven (7) calendar days.

  • Company will scan incoming and outgoing content for malicious code on all gateways to public networks, including, but not limited to, email and proxy servers.

  • Company will quarantine or remove files that have been identified as infected and will log the event.

8. Data Loss Prevention.

  • Company will have policies, procedures, and technical controls in place to prevent data loss.

9. Systems Development and Maintenance.

  • Documentation: Company will maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Customer/Client Data.

  • Vulnerability Management and Application Security Assessments. Company will run internal and external network vulnerability scans at least quarterly and after any material change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Vulnerabilities identified and rated as critical/high risk by Company will be remediated within ninety (90) days of discovery. 

    • For all Internet-facing applications that collect, transmit or display Customer Data, Company agrees to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities; CWE/SANS Top 25 vulnerabilities) annually or for all major releases, whichever occurs first. The scope of the security assessment will primarily focus on application security, including, but not limited to, a static code analysis or penetration test of the application, as well as a code review. At a minimum, it will cover the OWASP Top 10 vulnerabilities (https://www.owasp.org).

    • Company may utilize a qualified third party to conduct the application security assessments. Company may conduct the security assessment review themselves, provided that Company’s Personnel performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Company. Vulnerabilities identified and rated as critical/high risk by Company will be remediated within ninety (90) days of discovery.

  • Source code review: Company will have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all applications that store or process Customer Data.

  • Patch Management: Company will patch all workstations and servers with all current operating system, database and application patches deployed in Company’s computing environment according to a schedule predicated on the criticality of the patch. Company will perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed six weeks from the date of release.

10. Storage, Handling, and Disposal.

  • Data Segregation: Company will physically or logically separate and segregate Customer Data from its other Client’s data.

  • Electronic Form Data. Company will utilize Industry Standard Encryption Algorithms and Key Strengths to encrypt the following: 

    • All Customer Data that is in electronic form while in transit over all public wired networks (e.g., Internet) and all wireless networks; and

    • All Customer Data stored in databases, in file systems, and on various forms of online and offline media (DASD, tape, etc.)

  • Key Management. Where encryption is utilized, Company will maintain a key management process that meets the following minimum requirements: 

    • At least one key custodian must be officially designated.

    • Key custodians must ensure that all keys used in a storage encryption solution are secured and managed properly to support the security of the solution.

    • Key management must be planned to include secure key generation, use, storage and revocation.

    • Key management practices must support the recovery of encrypted data if a key is inadvertently disclosed, destroyed or becomes unavailable.

    • Key custodians must ensure that access to encryption keys is properly restricted to approved administrators. Private keys must not be stored on the same media and/or virtual instance as the data they protect.

    • Authentication must be required in order to gain access to keys.

    • Keys will be rotated annually and must be replaced before they expire.

  • Physical Form Data. Company will only store Customer Data in physical form in a Secure Area, and Company will establish and operate a document control system to record and track the transfer of all Customer Data that is in physical form both (i) between and within Company facilities, and (ii) via any external shipment. Such a control system will include, at minimum, a description of the specific records being transferred (e.g., customer or employee records, etc.), as well as the parties who are preparing, shipping, receiving, and processing such materials.

 I. Unless explicitly stated otherwise in this agreement, the Client shall be responsible to ensure that relevant consents as per applicable laws and regulations have been obtained from the individuals/ data subjects and recorded and the correctness and accuracy of such Personal Information and the Company shall have no liability towards the Client or the Users arising as a result of the collection, correctness, accuracy and processing of any such Personal Data. 


 II. The Client shall be responsible to maintain records of all consent acceptance and refusal for seven (7) years. The Client shall also be responsible to provide details of consent acceptance and/ or refusal within 15 calendar days of the Company’s written request for the same. The Client will be liable to pay for any damages that the Company incurs due to inaccurate and/ or insufficient consent records.


 III. The Company will use the Personal Data only on the directions of the Client. The Company will not use Personal Data collected on behalf of the Client, received from the Client or its personnel or otherwise processed on behalf of the Client for any purpose other than as necessary to perform services under this Agreement.


 IV. Parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of this Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


 V. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of storing, controlling and/ or processing personal data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parties shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.


 VI. The Parties will ensure that they are in compliance with all applicable laws while handling any personal information and shall execute such agreements as may be necessary to ensure compliance with applicable laws. 


 VII. The Company shall not under any circumstances, be liable for any damage, destruction, unauthorized access, or loss of Personal Data.  


 VIII. The subject-matter and duration of the processing:

  • The chatbot is built to disseminate information about Client products and services and generate leads for the Client. These details are collected so that the prospect can be contacted via call and/or email by the Client. The Company shall retain Personal Data for a maximum duration of 7 years.

IX. The transfer nature and purpose of the processing:

  • Leads generated from the bots will be shared with the Client. The Client may reach out to the leads over other channels like call and/or email for conversions and sale.

  • For bots that do not generate leads, Personal Data may be collected to respond to queries of data subjects when they utilize bots on the Client’s website.

  • Additionally, some data may be downloaded on dedicated endpoint asset of Company for analytics and research purpose. This downloaded data is deleted within 15 business days from the endpoint to maintain compliance.

 X. Categories of personal data:

  • Details collected from the data subject may include, but are not limited to, name, email address, telephone number, address, job titles, device ID, IP address, location data, education information, identification numbers, order information, transactional information, Company name and purpose of visit on Client’s website. Additional details may be requested to provide services mentioned as part of Client agreements and to comply with laws and regulations.

 XI. The obligations and rights of the Controller:

  • The Controller (Client) is responsible to securely store and maintain privacy for subject data and Personal Data.
  • For customers availing Agent Chat functionality, the Controller (Client) has access to the Company’s portal for accessing chat transcripts. Controls over information security for Personal Data in chat transcripts must be implemented.
  • Access to Analytics Dashboard will be provided by the Company. Controller (Client) should ensure appropriate safeguards for limiting and securing access.
  • It is the responsibility of the Controller (Client) to implement any and all security measures for protection of Personal Data received from the Company.

 XII. The obligations and rights of the processor:

  • Company (processor) will store Personal Data securely and limit access to this data through permissions.
  • Company (processor) is responsible to securely share Personal Data to the Client (Controller).
  • Company (processor) will inform the Client (Controller) in case of a data breach of Personal Data collected for that respective Client.

 XIII. Breach Notification and Response Procedures:

  • Company will maintain an incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of, Security Breaches. Upon discovering or otherwise becoming aware of a Breach, Company will take all reasonable measures to mitigate the harmful effects of the Breach. Company will also notify Client and Customer (users) of the Breach as soon as practicable, but in no event later than 72 hours after the Breach. Notice to Customer (user) will include: (i) the identification of the Customer Data which has been or Company reasonably believes has been used, accessed, acquired or disclosed during the incident; (ii) a description of what happened, including the date and time of the incident and the date and time of discovery of the incident, if known; (iii) the scope of the incident, including a description of the type of Customer Data involved in the incident; (iv) a description of Company’s response to the incident, including steps Company has taken to mitigate the harm caused by the incident; and (v) other information as Customer may reasonably request and is reasonably applicable. Company agrees to cover the costs of any such notification, including reimbursing Client and Customer for any reasonable costs.

  • Company will retain all data related to known and reported Breaches or investigations until Company reasonably determines that the data is no longer needed. Upon Client’s request, Company will permit Client or its third-party auditor to review and verify relevant video surveillance records, access logs and data pertaining to any Breach investigation. Upon conclusion of investigative, corrective, and remedial actions with respect to a Breach, Company will prepare and deliver to Client a final report that describes in detail: (i) the extent of the Breach; (ii) the Customer/Client Data disclosed, destroyed, or otherwise compromised or altered; (iii) all supporting evidence, including, but not limited to, system, network, and application logs; (iv) all corrective and remedial actions completed; and (v) all efforts taken to mitigate the risks of further Breaches.

 XIV. Rights of data subjects:

The Parties are responsible for ensuring the rights of data subjects in accordance with the following.

  • Right Of Access by The Data Subject 
  • Right To Rectification
  • Right To Erasure (The Right to Be Forgotten)
  • Right To Restriction of Processing
  • Notification Obligation Regarding Rectification or Erasure Of Personal Data Or Restriction Of Processing Or Breach
  • Right To Data Portability 
  • Right To Object to Processing

The parties are responsible for assisting each other to the extent this is relevant and necessary for both parties to comply with their obligations to the data subjects.


 XV. Data Subject Requests:

  • The Services provide Client with several categories of personal data that Client may use to retrieve, correct, delete, or restrict Personal Data, which Client may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).
  • To the extent that Client is unable to independently address a Data Subject Request through the Services, then upon Client’s written request Company shall provide assistance to Client to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. 
  • If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Jio Haptik, Jio Haptik will promptly inform Client and will advise the Data Subject to submit their request to Customer. Customer shall be responsible for responding to any such Data Subject Requests or communications involving Personal Data.

 XVI. Responsibilities of the parties:

  • The parties agree that Company (Jio Haptik Technologies Limited) will process EU Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement. Company (Jio Haptik Technologies Limited) shall not (a) Sell EU Personal Information; or (b) retain, use, or disclose EU Personal Information for any purpose other than for the Business Purpose or as otherwise permitted by the GDPR without explicit consent from the customer or data subject.

 XVII. Additional Provisions for European Data:

  • This Section (Additional Provisions for European Data) shall apply only with respect to European Data.
  • Roles of the Parties. When Processing European Data in accordance with Customer’s Instructions, the parties acknowledge and agree that Client is the Controller of European Data and Jio Haptik Technologies Limited is the Processor.
  • Transfer Mechanisms for Data Transfers.
    • Jio Haptik Technologies Limited shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Law, or to a recipient that has executed appropriate standard contractual clauses adopted or approved by the European Commission.
    • Client acknowledges that in connection with the performance of the Services, Jio Haptik Technologies Limited, is a recipient of European Data in India. The parties agree that Jio Haptik Technologies Limited makes available the transfer mechanisms listed below:
     • (a) Standard Contractual Clauses: Jio Haptik Technologies Limited agrees to abide by and process European Data in compliance with the Standard Contractual Clauses. If and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

 XVIII. Additional Applicable Data Protection Laws:

  • Company will adhere to all Applicable Data Protection Laws, such as, but not limited to, General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), Singapore’s Personal Data Protection Act, and all future Applicable Data Protection Laws. 
  • To the extent that the European Union (“EU”) General Data Protection Regulation (“GDPR”) applies to the Subscription Services or Customer Data, for example where the Subscription Services are being provided to Authorized Users located in the EU, or where Customer is seeking to provide the personal data of EU individuals to Company, then the following applies:
 i. for the purposes of the GDPR, Company is a processor, as that term is defined in the GDPR.


 Last updated on: 29th June 2022