Last Updated: Sept 14, 2023
This Data Processing Addendum and its schedules (“DPA”) between the party identified as the “Customer” in the SaaS agreement (defined below) and Forethought Technologies, Inc. (“Forethought”) forms part of and is subject to the software as a service agreement found at https://forethought.ai/saas-agreement/ or other superseding written or electronic agreement incorporating this DPA governing the Customer’s access and use of the Services (“SaaS agreement”). This DPA applies where and to the extent that Forethought is acting as a processor processing Personal Data on behalf of Customer under the SaaS agreement. The parties intend this DPA to be an extension of the SaaS agreement that will outline certain requirements for the processing of Personal Data. All capitalized terms not defined in this DPA shall have the meanings set forth in the SaaS agreement.
Customer enters into this DPA (including the Standard Contractual Clauses and UK Addendum, where applicable) on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Forethought. For the purposes of this DPA only, and except where otherwise indicated, the term “Customer” shall include Customer and such Affiliates.
The parties agree as follows:
a. “Affiliate” means any entity that is directly or indirectly controlled by, controlling or under common control with a party. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
b. “Data Protection Legislation” means the data protection and privacy laws of Europe applicable to the Personal Data in question, including where applicable: (i) General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as saved into UK law by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively referred to for these purposes as the “UK Data Protection Legislation”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (iv) the e-Privacy Directive (Directive 2002/58/EC); (v) any applicable national data protection laws made under or pursuant to or that apply in conjunction with (i), (ii), (iii) and/or (iv) (in each case, as superseded, amended or replaced from time to time).
c. “Europe” means, for the purposes of this DPA, the member states of the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”).
d. “Personal Data” means any Customer Content that is protected as “personal data”, “personally identifiable information” or “personal information” under Data Protection Legislation and that is processed on behalf of Customer in the course of providing the Services, as more particularly described in Schedule A of this DPA (as applicable).
e. “controller”, “processor”, “subprocessor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organizational measures” shall be interpreted in accordance with the GDPR, or other applicable Data Protection Legislation.
f. “Restricted Transfer” means a transfer (directly or via onward transfer) of Personal Data that is subject to Data Protection Legislation to a country outside Europe which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
g. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Forethought under this DPA. “Security Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
h. “Services” means the services provided by Forethought to Customer under the SaaS agreement.
i. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
j. “Subprocessor” means any third party that has access to the Personal Data and which is engaged by Forethought to assist in fulfilling its obligations to provide the Services. Subprocessors may include Forethought Affiliates but shall exclude any Forethought employee, contractor or consultant.
k. “UK Addendum” means the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018, as may be amended and replaced from time to time.
2. Scope. This DPA applies to the extent Forethought processes Personal Data subject to Data Protection Legislation as a processor. The parties agree that, as between the parties, Customer is the controller and Forethought is the processor in relation to Personal Data that Forethought processes on behalf of Customer in the course of providing the Services, as more particularly described in Schedule A of this DPA.
3. Redaction. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. As part of the provision of the Services, upon receiving the Customer Content from Customer, Forethought makes its best efforts to automatically redact and delete all or part of the Personal Data. Redaction reduces or eliminates the Personal Data processed by Forethought and its Subprocessors. Customer as the controller is responsible for confirming whether the redaction process facilitated by Forethought effectively reduces or eliminates the compliance risk based on the Personal Data Customer shares with Forethought. Forethought provides no warranty as to the accuracy and effectiveness of the redaction process.
4. Data Protection. To the extent Forethought processes Personal Data as a processor, Forethought shall adhere to the following requirements:
a. Processing Instructions. Forethought will process the Personal Data in accordance with the Customer’s lawful written instructions. Customer instructs Forethought to process Personal Data for the purposes described in Schedule A, unless obligated to do otherwise by applicable law. The nature and purposes of the processing shall be limited to that necessary to carry out such instructions, and not for Forethought’s own purposes, or for any other purposes except as required by law. If Forethought is required by law to process the Personal Data for any other purpose, Forethought will inform Customer of such requirement prior to the processing unless prohibited by law from doing so. Customer shall ensure its instructions are lawful and that the processing of the Personal Data in accordance with such instructions will not violate Data Protection Legislation. Forethought will notify Customer if, in Forethought’s reasonable opinion, an instruction for the processing of Personal Data given by Customer infringes applicable Data Protection Legislation and Forethought shall not be required to comply with such instruction.
b. Security Measures. Forethought will implement and maintain appropriate technical and organizational measures designed to protect the Personal Data against Security Breaches and preserve the security and confidentiality of Personal Data. Such measures shall include, at a minimum, those measures described in Schedule B (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Forethought may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
c. Subprocessors. Forethought may engage Subprocessors to process the Personal Data on Customer’s behalf and Customer hereby provides Forethought a general upfront authorization to engage Subprocessors in order to provide the Services, including the Sub-processors listed at: https://forethought.ai/data-subprocessors/. Forethought will not engage new Subprocessors without giving Customer prior notice and a reasonable opportunity to object in good faith on data protection grounds, which, if not exercised in writing within 30 days of receipt of such notice, shall be deemed to constitute an approval of such engagement. If Customer objects in writing within the time period, the parties shall discuss Customer concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Forethought will, at its sole discretion, either (i) not appoint the Subprocessor; or (ii) permit Customer to suspend or terminate the affected Services in accordance with the termination provisions in the SaaS agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Forethought shall: (i) ensure Subprocessors are bound by a written agreement, including data protection and security measures, no less protective of Personal Data than this DPA; and (ii) Forethought shall be liable for any breach of this DPA caused by an act, error or omission of its Sub-processors to the extent Forethought would have been liable had such breach been caused by Forethought.
d. Confidentiality. Forethought will take reasonable steps to ensure the reliability and competence of any Forethought personnel who have access to Personal Data. Forethought will ensure that all Forethought personnel required to access the Personal Data are subject to a duty of confidentiality (whether contractual or statutory) and that they only process Personal Data in accordance with this DPA.
e. Data Subject Rights. Forethought will, taking into account the nature of the processing, provide Customer with reasonable assistance (including by appropriate technical and organizational means, in so far as this is possible) to enable Customer to respond to: (i) any requests by data subjects to exercise their rights with respect to Personal Data (to the extent that Customer is unable to independently access, delete or retrieve the relevant Personal Data within the Services); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data (collectively “Correspondence”). In the event the Correspondence is made directly to Forethought, and where the Customer is identified or identifiable from the Correspondence, Forethought shall promptly notify Customer and shall not, unless legally compelled to do so, respond directly to the Correspondence except to refer the requestor to Customer to allow Customer to respond as appropriate.
f. Cooperation. Forethought shall provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under applicable Data Protection Legislation, including to conduct data protection impact assessments and consult with supervisory authorities with respect to Forethought’s processing of Personal Data. Forethought shall comply with the foregoing by: (i) complying with Section 3 (i) (Audit Rights); (ii) providing the information contained in the SaaS agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer’s expense.
g. Deletion. At the end of the Services, or upon Customer’s request, Forethought will securely destroy or return (at Customer’s election) the Personal Data to Customer. In the event that no election is made by Customer in accordance with this Section 4.g, Forethought will delete all Personal Data. This requirement shall not apply to the extent that Forethought (i) has redacted and deleted the Personal Data in accordance with Section 3 above, (ii) is required by applicable law to retain some or all of the Personal Data, or (iii) in relation to Personal Data archived on back-up systems, which data Forethought shall securely isolate and protect from any further processing (to the extent permitted by applicable law).
h. International Transfers. Where the processing of Personal Data involves the transfer of Personal Data from Customer to Forethought and such transfer is a Restricted Transfer and Data Protection Legislation requires that appropriate safeguards are put in place, such transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and form an integral part of this DPA, as follows:
1. In relation to transfers of Personal Data subject to the GDPR, the SCCs shall apply, completed as follows: (i) Forethought shall be the “data importer” and Customer shall be the “data exporter”; (ii) the Module Two terms shall apply where Customer is a controller and the Module Three terms shall apply where Customer is a processor acting on behalf of third party controllers; (iii) in Clause 7, the optional docking clause shall apply; (iv) in Clause 9, Option 2 shall apply and the time period for notice of changes to Subprocessors shall be as agreed under Section 3.c (Subprocessors) of this DPA; (v) in Clause 11, the optional language shall be deleted; (vi) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the laws of the Republic of Ireland; (vii) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; (viii) Annex I and Annex II of the SCCs shall be deemed completed with the information set out in Schedule A and Schedule B of this DPA respectively.
2. In relation to transfers of Personal Data that are protected by UK Data Protection Legislation, the SCCs: (i) shall apply as completed in accordance with paragraph 3.h.1 above; and (ii) shall be deemed amended as specified by the UK Addendum attached as Schedule C, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
3. In relation to transfers of Personal Data subject to the Swiss DPA, Forethought agrees to process such Personal Data in compliance with the SCCs, which are incorporated herein in full by reference and form an integral part of this DPA with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union” and “Member State” shall be replaced with references to “Switzerland”; (iv) Clause 13(a) and Part C of Annex II shall not be used and the “competent supervisory authority” shall be the Swiss Federal Data Protection Information Commissioner; (v) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vi) in Clause 17, the SCCs shall be governed by the laws of Switzerland; and (vii) in Clause 18(b), disputes shall be resolved before the courts of Switzerland.
4. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the SaaS agreement (including this DPA), the SCCs shall prevail to the extent of such conflict. The terms of the SCCs shall not apply where and to the extent that Forethought adopts an alternative data export mechanism that is recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (“Alternative Transfer Mechanism”). The Alternative Transfer Mechanism shall automatically apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Legislation applicable to Europe and extends to territories to which Personal Data is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism (as applicable).
i. Audit Rights. Forethought shall provide written responses to all reasonable requests made by Customer for information relating to Forethought’s processing of Personal Data, including responses to information and security audit questionnaires submitted to it by Customer and that are necessary to confirm Forethought’s compliance with this DPA, provided that Customer shall not exercise this right more than once per calendar year or when Customer is expressly requested or required to provide this information to a data protection authority. While it is the parties’ intention to ordinarily rely on the written responses described above to verify Forethought’s compliance with this DPA and Data Protection Legislation, following a confirmed Security Breach or where a data protection authority requires it, Customer may provide Forethought with thirty (30) days’ prior written notice requesting that a third party conduct an audit of Forethought’s facilities, equipment, documents and electronic data relating to the processing of Personal Data under the SaaS agreement (“Audit”), provided that: (a) the Audit shall be conducted at Customer’s expense; (b) the parties shall mutually agree upon the scope, timing and duration of the Audit; and (c) the Audit shall not unreasonably impact Forethought’s regular operations. Customer acknowledges that any written responses or Audit shall be subject to the confidentiality provisions of the SaaS agreement.
j. Security Breach Notification. If Forethought becomes aware of a Security Breach it shall, without undue delay (and at least within 72 hours upon awareness), notify Customer and take such measures as Forethought may deem necessary and reasonable to remediate the Security Breach. Forethought shall provide Customer with timely information about the nature of the Security Breach as soon as such information becomes known or available to Forethought and provide reasonable co-operation and assistance to enable Customer to comply with its obligations under Data Protection Legislation.
5. Aggregated Data. Forethought may use Customer Content and data related to the use of the Services by Customer that (i) does not specifically identify Customer, Users or third parties, and (ii) is combined with the data of other customers, users or additional data sources (“Aggregated Data”) for the following purposes: (a) maintaining, analyzing and improving the Services, including the algorithms underlying the Services, (b) complying with legal or contractual requirements, (c) analyzing and mitigating security risks such as vulnerabilities or networking issues, and (d) developing, distributing and publishing measures and reports of the Services.
6. Customer Responsibilities. Customer is responsible for determining whether the Services are appropriate for the storage and processing of Personal Data under Data Protection Legislation. Customer further agrees that: (a) it will comply with its obligations under Data Protection Legislation and its contractual obligations with Forethought regarding its use of the Services and the processing of Personal Data; (b) it has provided notice and obtained all consents, permissions and rights necessary for Forethought and its Subprocessors to lawfully process Personal Data for the purposes contemplated by the SaaS agreement (including this DPA); and (c) it will notify Forethought if it is unable to comply with its obligations described in (a) above or if its processing instructions will cause Forethought or its Subprocessors to be in breach of Data Protection Legislation. For clarity, Forethought is not responsible for compliance with any Data Protection Legislation applicable to Customer or Customer’s industry that is not generally applicable to Forethought as a service provider.
7. Modifications. Notwithstanding anything else to the contrary in the SaaS agreement and without prejudice to Sections 4.a, Forethought may periodically make modifications to this DPA where necessary to (i) comply with a request or order by a supervisory authority or other government or regulatory entity; (ii) as may be required to comply with Data Protection Legislation; or (iii) implement or adhere to new standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be permitted under Data Protection Legislation. Unless otherwise specified by Forethought, these changes will become effective for Customer upon posting of the modified DPA (see “Last Updated” date above). Forethought will use reasonable efforts to notify Customer of the changes through Customer’s account, email, or other means. In any event, continued use of the Services will constitute Customer’s acceptance of the version of the DPA in effect.
8. Limitation of liability. Any claim or remedy Customer or its Affiliates may have against Forethought, its employees, agents and Subprocessors, arising under or in connection with this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the SaaS agreement. Accordingly, any reference in the SaaS agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the SaaS agreement and this DPA together.
9. Conflicts. Except for the changes made by this DPA, the SaaS agreement remains unchanged and in full force and effect. In the event of a conflict between the SaaS agreement and this DPA, this DPA shall control with respect to any terms that relate to the parties’ processing of Personal Data.
10. Permitted Disclosures. Each party acknowledges that the other party may disclose the Standard Contractual Clauses, this DPA and any privacy related provisions in the SaaS agreement to any European or US regulator upon request.
11. Severability. The provisions of this DPA are severable. If any phrase, clause or provision or Annex (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA or the remainder of the SaaS agreement shall remain in full force and effect.
12. Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the SaaS agreement, unless required otherwise by Data Protection Legislation or the Standard Contractual Clauses.
DESCRIPTION OF THE PROCESSING ACTIVITIES / TRANSFER
(A) List of Parties:
|Data Exporter||Data Importer|
|Name: the party identified as the “Customer” in the SaaS agreement and this DPA||Name: Forethought Technologies, Inc. (“Forethought”)|
|Address: As set out in the SaaS agreement||Address: 345 California Street, Suite 3600, San Francisco, CA 94104, USA|
|Contact Person’s Name, position and contact details: As set out in the SaaS agreement||Contact Person’s Name, position and contact details: [email protected]|
|Activities relevant to the transfer: See (B) below||Activities relevant to the transfer: See (B) below|
|Role: Controller / Processor||Role: Processor|
(B) Description of Processing / Transfer
|Categories of Data Subjects|
|The personal data transferred concern the following categories of data subjects||Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects: · Employees of Customer · Current and potential customers of Customer · Third parties who email Customer · Visitors of websites operated by Customer · Any other data subjects whose data may be processed from time to time pursuant to the SaaS agreement and this DPA.|
|Purposes of the transfer(s)|
|The transfer is made for the following purposes:||Processing (a) to perform any steps necessary for the performance of the SaaS agreement; (b) to provide the Services in accordance with the SaaS agreement; (c) initiated by users in their use of the Services; (d) to comply with other reasonable instructions provided by Customer that are consistent with the terms of the SaaS agreement and this DPA; and (e) to comply with any legal obligations under applicable law, including Data Protection Legislation.|
|Categories of Personal Data|
|The personal data transferred concern the following categories of data:||The types of Personal Data processed by Forethought are determined and controlled by Customer in its sole discretion and may include, but are not limited to the following categories of Personal Data: · Contact data (such as name, title, email address, telephone number, mailing address) · Account credentials (such as username and password) and ticket/case number · IP address and other online identifiers such as website page view data, click data and social media information · Communications and ticket/case data (any Personal Data processed by Forethought in connection with the Services and which could constitute any type of Personal Data included in chats, messages and/or emails, or ticket trends) · Sentiment and intent (based on responses to and engagement with communications) · Any other Personal Data included by data subjects in their communications to Customer, submitted to the Services or collected by Forethought as part of providing the Services|
|Frequency of the transfer|
|Whether continuous or one-off.||Continuous.|
|Sensitive data (if appropriate)|
|The personal data transferred concern the following categories of special / sensitive Personal Data:||Forethought does not knowingly process (and Customer and data subjects shall not submit) any sensitive data or any special categories of data (as defined under Data Protection Legislation).|
|Duration of processing:||The duration of the data processing under this DPA is until the termination of the SaaS agreement in accordance with its terms plus the period from the expiry of the SaaS agreement until deletion of the personal data by Forethought in accordance with the terms of the SaaS agreement.|
|Nature and Subject Matter of the Processing:||Personal Data transferred will be processed in accordance with the SaaS agreement (including this DPA) and may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain and improve the Service (as applicable); and/or (ii) disclosures in accordance with the SaaS agreement or this DPA and/or as compelled by applicable laws.|
|Retention period (or, if not possible to determine, the criteria used to determine that period):||The duration of the SaaS agreement plus the period from the expiry of the SaaS agreement until deletion of the personal data by Forethought in accordance with the SaaS agreement and DPA.|
(C): Competent supervisory authority
The data exporter’s competent supervisory authority shall be determined in accordance with the GDPR. With respect to personal data regulated by the UK Data Protection Legislation, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”).
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Forethought implements the following technical and organizational measures (including any relevant certifications) found at: forethought.ai/security-policy/ to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons:
This Schedule C forms part of this DPA and applies in accordance with Section 3.h.2 of the DPA.
|Start Date||The date of the SaaS agreement.|
|Parties’ details||Name: The party identified as the “Customer” in the SaaS agreement and this DPA Address: As set out in the SaaS agreement Contact person’s name, position and contact details: As set out in the SaaS agreement||Name: Forethought Technologies, Inc. (“Forethought”) Address: 345 California Street, Suite 600, San Francisco, CA 94104, USA Contact person’s name, position and contact details: [email protected]|
|Addendum SCCs||The Approved SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the approved SCCs brought into effect for the purposes of this Addendum: See Section 3.h.2 of the DPA.|
|Appendix Information||See Schedule A|
|Ending this Addendum when the Approved Addendum changes||Neither Party|
|Mandatory Clauses||Part 2: Mandatory Clauses of the UK Addendum, as it is revised under Section 18 of those Mandatory Clauses.|