Published: June 25, 2024
This Data Processing Addendum (“DPA”) is made by and between Transcend, Inc. (“Transcend”), and Client, pursuant to the Transcend Services Agreement entered into between the parties (“Agreement”) and is effective at signing of such Agreement.
This DPA forms part of the Agreement and sets out the terms that apply when Client Personal Data is processed by Transcend as a Processor or Service Provider under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws. Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
1. Definitions. For the purposes of this DPA:
a. "Data Protection Laws" means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Client Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”). For the avoidance of doubt, if Transcend’s Processing activities involving Client Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
b. “Data Subject,” "Processor," "Service Provider," "Controller," and "Business" shall be defined as provided in applicable Data Protection Laws.
c. "EU SCCs" means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
d. "Client Personal Data" includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, that is processed by Transcend in connection with providing Services under the Agreement, and such terms shall have the same meaning as defined by applicable Data Protection Laws. For purposes of this Agreement, Client Personal Data does not include any “personal data,” “personal information,” or “personally identifiable information” that Transcend processes as a data controller outside the scope of the Agreement.
e. "Process" and "Processing" mean any operation or set of operations performed on Client Personal Data or on sets of Client Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f. "Security Breach" means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data on Transcend's systems or under Transcend's control.
2. Scope and Purposes of Processing
a. The scope, nature, purposes, and duration of the processing, the types of Client Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement for the Parties to provide such details under Data Protection Law.
b. Transcend will Process Client Personal Data solely: (1) to fulfill its obligations to Client under the Agreement, including this DPA; (2) on Client’s behalf pursuant to Client’s instructions; and (3) in compliance with Data Protection Laws, and will provide the same level of privacy protection as required by such applicable Data Protection laws. Transcend will not “sell” Client Personal Data (as such term in quotation marks is defined in applicable Data Protection Laws), “share” or Process Client Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Client Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Client. Transcend will not attempt to link, identify, or otherwise create a relationship between Client Personal Data and non-personal data or any other data without the express authorization of Client.
c. Client will ensure that: (1) all such notices have been given, and all such authorizations have been obtained, as required under applicable Data Protection Law, for Transcend to process Client Personal Data as contemplated by the Agreement and this DPA; (2) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including applicable Data Protection Law; and (3) it has, and will continue to have, the right to transfer, or provide access to, Client Personal Data to Transcend for Processing in accordance with the terms of the Agreement and this DPA.
3. Transcend's Personal Data Processing Requirements
Transcend will:
a. Ensure that the persons it authorizes to Process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Taking into account the nature of the processing, assist Client by implementing appropriate technical and organizational measures to ensure that Client may at any time respond to request(s) from Data Subjects exercising their rights under Data Protection Laws where Transcend Processes Client Personal Data subject to such request on Client's behalf. In the event that Transcend receives a Data Subject request related to Client Personal Data that Transcend Processes on Client's behalf, Transcend will promptly, and in any event within five (5) business days, transfer such request to the Client. For the avoidance of doubt, Transcend's obligations under this Section 5(b) apply only to the Client Personal Data that Transcend Processes as a Processor or Service Provider, as applicable, to Client, and not to the tools or features of the Services that allow Client to manage its own data subject requests pursuant to the Agreement.
c. Promptly notify Client of (i) any third-party complaints regarding the Processing of Client Personal Data; or (ii) any government requests for access to or information about Transcend’s Processing of Client Personal Data on Client’s behalf, unless prohibited by Data Protection Laws. Transcend will provide Client with reasonable cooperation and assistance in relation to any such request. If Transcend is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Client, Transcend shall inform Client that it can no longer comply with Client’s instructions under this DPA without providing more details and await Client’s further instructions. Transcend shall use all available and reasonable legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.
d. Provide reasonable assistance to and cooperation with Client for Client’s performance of a data protection impact assessment of Processing or proposed Processing of Client Personal Data, when required by applicable Data Protection Laws, and at Client’s reasonable expense.
e. Provide reasonable assistance to and cooperation with Client for Client’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Client Personal Data, including complying with any obligation applicable to Transcend under Data Protection Laws to consult with a regulatory authority in relation to Transcend’s Processing or proposed Processing of Client Personal Data.
f. Comply with any applicable restrictions under applicable Data Protection Laws on combining Client Personal Data with personal data received from, or on behalf of, another person or persons.
g. Promptly notify Client if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; or (ii) in its opinion, an instruction from Client infringes applicable Data Protection Laws.
h. Transcend certifies that it understands its obligations under this DPA (including without limitation the restrictions under Sections 2 and 3) and that it will comply with them.
4. Data Security
Transcend will implement appropriate administrative, technical, physical, and organizational measures to protect Client Personal Data. These measures shall at a minimum comply with applicable law and include the measures identified in Schedule A, Annex II. Client acknowledges that Transcend’s security measures are subject to technical progress and development and that Transcend may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Client.
5. Security Breach
Transcend will notify Client without undue delay (within seventy-two (72) hours) of becoming aware of a Security Breach and will assist Client in Client’s compliance with its Security Breach-related obligations, including without limitation, by:
a. Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Client Personal Data was involved; and
b. Providing Client with the following information, to the extent known:
i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Client Personal Data records concerned;
ii. The likely consequences of the Security Breach; and
iii. Measures taken or proposed to be taken by Transcend to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Subprocessors
a. Client acknowledges and agrees that Transcend may use Transcend affiliates and other subprocessors (as defined in applicable Data Protection Law) to Process Client Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where Transcend subcontracts any of its rights or obligations concerning Client Personal Data, including to any affiliate, Transcend will take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Client Personal Data consistent with applicable Data Protection Laws.
b. Transcend’s current list of subprocessors is provided in Schedule B. Transcend will maintain an up-to-date list of its subprocessors, and it will provide Client with five (5) days’ prior notice of any new subprocessor added to the list along with relevant information regarding such subprocessor. In the event Client has a commercially reasonable objection to a new subprocessor, Transcend will use commercially reasonable efforts to make available to Client a change in the services to avoid Processing of Client Personal Data by the objected-to subprocessor without unreasonably burdening the Client. Either party may, in its sole discretion, and upon reasonable advance notice to the other party, terminate the Agreement in the event that Transcend is not able to provide a reasonable change to cure Client’s subprocessor objection.
7. Data Transfers
a. Transcend will not engage in any cross-border Processing of Client Personal Data, or transmit, directly or indirectly, any Client Personal Data to any country outside of the country from which such Client Personal Data was collected, without complying with applicable Data Protection Laws. Where Transcend engages in an onward transfer of Client Personal Data, Transcend shall ensure that a lawful data transfer mechanism is in place prior to transferring Client Personal Data from one country to another.
b. To the extent legally required, by signing this DPA, Client and Transcend are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
1. Module 2 of the EU SCCs applies to transfers of Client Personal Data from Client (as a controller) to Transcend (as a processor);
2. Clause 7 (the optional docking clause) is included;
3. Under Clause 9 (Use of subprocessors), the Parties select Option 2 (General written authorization) and the use of subprocessors shall be as provided in Section 6 of the DPA;
4. Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
5. Under Clause 17 (Governing law), the law of the Member State in which Client is established shall apply, provided such Member State law allows for third-party beneficiary rights; otherwise, the laws of Ireland shall govern.
6. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
7. Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A;
8. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;
9. Annex II (Technical and organizational measures) is completed with Schedule A, Annex II of this DPA; and
10. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9, but Transcend's list of current subprocessors can be found in Schedule B.
c. With respect to Client Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK SCCs”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall have the meanings given in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: (a) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer; (b) the Key Contacts shall be the contacts set forth in Schedule A; (c) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (d) either Party may end this DPA as set out in Section 19 of the UK SCCs; (e) by entering into this DPA, the Parties are deemed to be signing the UK SCCs, including their Mandatory Clauses, and this DPA shall be read and interpreted in light of the provisions in the Mandatory Clauses; and (f) the laws of England and Wales shall apply and this DPA shall be enforceable by the competent supervisory authorities and courts located in England and Wales.
d. For transfers of Client Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
8. Audits
To the extent required by applicable Data Protection Law, Transcend shall make available all information necessary for Client to confirm Transcend’s compliance with this DPA and applicable Data Protection Law. If Client has a reasonable basis to conclude that such information provided by Transcend is not satisfactory to confirm such compliance, Client may, at Client’s sole expense, upon thirty (30) days’ prior notice, conduct an audit during normal business hours and in a manner that does not disrupt Transcend's business of those Transcend systems and records relevant to Transcend’s Processing of Client Personal Data on Client’s behalf. Client shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (1) required by instruction of a Supervisory Authority; or (2) following a Security Breach.
9. Return or Destruction of Client Personal Data
Upon termination or expiry of the Agreement, Transcend will (at Client’s election and written request) delete all Client Personal Data in its possession or control as soon as reasonably practicable and within a maximum period of sixty (60) days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Transcend is required by applicable law to retain some or all of the Client Personal Data, or to Client Personal Data it has archived on back-up systems, which Client Personal Data Transcend will securely isolate and protect from any further processing, except to the extent required by applicable law. Absent a Client request for deletion in accordance with this provision, Transcend will delete Client Personal Data in accordance with its standard data retention policies.
10. Miscellaneous Provisions
a. Notwithstanding anything else to the contrary in the Agreement, and upon reasonable advance notice to Client, Transcend reserves the right to make modifications to this DPA as may be required to comply with applicable Data Protection Law, implement amended standard contractual clauses laid down by the European Commission or United Kingdom, or follow the instructions of a relevant supervisory authority. Client shall promptly notify Transcend if it does not agree to a modification, in which case Transcend may terminate this DPA and the Agreement with two (2) weeks' prior written notice, whereby in the case of an objection not based on non-compliance of the modifications with applicable Data Protection Law, Transcend shall remain entitled to claim its agreed remuneration until the term end.
b. This DPA shall, by default, be concluded between Transcend and Client as well as any subsidiary of Client or a holding company of Client or any other subsidiary of that holding company ("Client Affiliate"), directly or indirectly, bound by the Agreement. Client warrants that, with respect to Client Affiliates directly or indirectly, bound by the Agreement, it is duly authorized to conclude this DPA for and on behalf of any such Client Affiliates, and that, upon executing this DPA, each Client Affiliate shall be bound by the terms of this DPA as if they were Client. Where Client may not be duly authorized to conclude the DPA for and on behalf of a Client Affiliate, Client warrants that such Client Affiliate will submit to Transcend without delay a signed copy of this DPA. Client shall provide all the information necessary to complete Schedule 1 as to itself and Client Affiliates. The Parties agree that any notice or communication sent by Transcend to Client shall satisfy any obligation to send such notice or communication to a Client Affiliate.
c. If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail. In the event of a conflict between this DPA and the EU SCCs or UK SCCs, the terms of the EU SCCs or UK SCCs, as relevant, will control.
d. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.
Schedule A
Annex I
A. List of Parties
Data exporter(s): The exporter (Controller) is Client and Client’s contact details and signature (including, if relevant, any electronic signature or acceptance) are as provided in the Agreement.
Data importer(s): The importer (Processor) is Transcend, Inc. and Transcend’s signature is as provided in the Agreement. Client may direct any questions about this DPA to:
Name: Brandon Wiebe
Position: General Counsel, Head of Privacy
Contact details: privacy@transcend.io
B. Description of Transfer
Categories of data subjects whose personal data is transferred: Client's End Users, Authorized Users, employees, and individuals authorized by Client to access Client's Transcend account.
Categories of personal data transferred: Any Client Personal Data that is Processed by Transcend in connection with the Agreement and the DPA, depending on the version of the Services chosen by Client.
Examples of categories of Personal Data Transcend may Process include: email addresses; IP addresses; records of consents and opt outs made on Client's website and/or online service; Personal Data relating to any Client information technology systems and programs; Personal Data submitted by employees or contractors employed by Client in connection with their use of the Services; and any other Personal Data made available to Transcend by Client as part of the Services (including data automatically collected by tracking technologies on Client's website and/or online service, and any user identifiers submitted to Transcend by Client).
If Client uses Transcend's on-premises security gateway version of the Services ("Sombra"), the scope of Personal Data collected will be narrower given that Sombra is an on-premises solution that utilizes end-to-end encryption technology.
Sensitive data transferred (if applicable): N/A, and we discourage Clients from providing any sensitive data to us in connection with our provision of the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis as needed to provide the Services to Client for the term of the Agreement.
Nature of the processing: Data Processing for the performance of the Services under the Agreement.
Purpose(s) of the data transfer and further processing: The purpose of the data transfer is for Transcend to provide its services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same subject matter, nature, and duration as provided herein by Transcend.
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13: The data exporter’s competent supervisory authority will be determined in accordance with applicable Data Protection Law, and where possible, will be the data protection authorities in Germany.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Transcend has obtained SOC 2 Type II certification. The following provides more information regarding the technical and organizational measures to protect Client Data:
1. Technical and Organizational Security Measure: Measures of pseudonymisation and encryption of personal data
a. Evidence of Technical and Organizational Security Measures: All data and communication within Transcend is protected at rest using AES 256-bit encryption, and in transit using Transport Layer Security (TLS) encryption 1.2 or higher.
2. Technical and Organizational Security Measure: Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
a. Evidence of Technical and Organizational Security Measures: Transcend maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting periodic risk assessments of systems and networks that process Client Data; (c) monitoring for security incidents and maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities; (d) a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Client Data; (e) penetration testing performed by a qualified third party on an annual basis; and (f) having resources responsible for information security efforts.
3. Technical and Organizational Security Measure: Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
a. Evidence of Technical and Organizational Security Measures: Transcend's backup policy is based on ISO-27001 standards. Transcend services are replicated to ensure high availability, redundancy, and failure tolerance. Transcend performs at least daily backups for recovery purposes. Backups are encrypted and tested at least annually.
4. Technical and Organizational Security Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
a. Evidence of Technical and Organizational Security Measures: Transcend’s systems are annually subjected to a wide range of different penetration tests and external audits. The company practices security by design principles by incorporating threat modeling into the design phase for all key features.
Any changes to the code base require additional testing and review prior to migrating to the production environment. Security tooling is integrated into Transcend’s code pipeline, which incorporates a number of checks for application security vulnerabilities, such as static code analysis and dependency checking. In addition, members of the security team regularly perform manual application security testing on key components.
5. Technical and Organizational Security Measure: Measures for user identification and authorisation
a. Evidence of Technical and Organizational Security Measures: Transcend systems are managed through an SSO provider which enforces MFA. Transcend observes the principles of “least privilege” and “role-based access,” meaning access to data and systems is limited to what is necessary in order to fulfill an employee's current job responsibilities. Transcend utilizes segregation of duties to reduce the risk of unauthorized or unintentional modification or misuse of systems or data. Systems require user authentication, and user access (including privileged access) is reviewed quarterly or when changes to personnel occur.
6. Technical and Organizational Security Measure: Measures for the protection of data during transmission
a. Evidence of Technical and Organizational Security Measures: All data and communication within Transcend is protected in transit using Transport Layer Security (TLS) encryption 1.2 or higher.
7. Technical and Organizational Security Measure: Measures for the protection of data during storage
a. Evidence of Technical and Organizational Security Measures: All data and communication within Transcend is protected at rest using AES 256-bit encryption. By default, Client Data is stored and processed within a secure cloud environment hosted on AWS.
8. Technical and Organizational Security Measure: Measures for ensuring physical security of locations at which personal data are processed
a. Evidence of Technical and Organizational Security Measures: Transcend utilizes Amazon Web Services (AWS) for hosting. AWS is a leader in infrastructure security, and maintains multiple security and compliance certifications including ISO 27001, SOC 1, SOC 2, and SSAE16.
In addition, all Transcend offices and spaces have a physical security program that manages visitors, building entrances, closed circuit televisions, and overall office security. All employees, contractors, and visitors are required to wear an identification badge.
9. Technical and Organizational Security Measure: Measures for ensuring events logging
a. Evidence of Technical and Organizational Security Measures: All key actions performed within Transcend, such as logins, data writes and configuration changes, are attributable to particular users, and are captured with user information, date and time stamps in the audit logs. Logging data is centralized where it is made available for authorized individuals to monitor and take action in the event of an incident.
10. Technical and Organizational Security Measure: Measures for ensuring system configuration, including default configuration
a. Evidence of Technical and Organizational Security Measures: Transcend systems are built leveraging baseline configurations which are hardened in accordance with industry best practices such as the Center for Internet Security (CIS) benchmarks.
11. Technical and Organizational Security Measure: Measures for internal IT and IT security governance and management
a. Evidence of Technical and Organizational Security Measures: Transcend’s IT services are automated and compartmentalized to limit the security risk of any single component of the system. Transcend practices a Zero Trust policy. This means multiple security attributes are assigned to each Transcend team member and user account, and multi-factor authentication is required in order to access any of the company’s IT services. A final layer of security is provided by the NIST Security Risk Management Framework, in which each security risk is assessed according to a set of internal benchmarks, with significant decisions requiring confirmation from Transcend’s senior executive team.
12. Technical and Organizational Security Measure: Measures for certification/assurance of processes and products
a. Evidence of Technical and Organizational Security Measures: Transcend’s dedicated security and privacy programs are externally audited annually. The company maintains an International Organization for Standardization (ISO) 27001 certification. All Transcend’s operations comply with the General Data Protection Regulation (GDPR). In addition, Transcend aligns its security program and capabilities with the Cloud Computing Compliance Controls Catalogue (C5), National Cyber Security Centre (NCSC) Cloud Security Principles, and National Institute of Standards and Technology (NIST) Cloud Computing Standards.
13. Technical and Organizational Security Measure: Measures for ensuring data minimisation
a. Evidence of Technical and Organizational Security Measures: Transcend only collects information that is necessary in order to provide the Services outlined in the Agreement. Our employees are directed to access only the minimum amount of information necessary to perform the task at hand.
14. Technical and Organizational Security Measure: Measures for ensuring data quality
a. Evidence of Technical and Organizational Security Measures: Transcend maintains logging details that include any changes to sensitive configuration settings and files. At minimum, log entries include date, timestamp, action performed, and the user ID or the device ID of the action performed. Logs are protected from change.
15. Technical and Organizational Security Measure: Measures for ensuring limited data retention
a. Evidence of Technical and Organizational Security Measures: Transcend will retain information for the period necessary to provide the Services and for a period of time thereafter in backups, unless a longer retention period is required or permitted by law, or where the Agreement requires or permits specific retention or deletion periods.
16. Technical and Organizational Security Measure: Measures for ensuring accountability
a. Evidence of Technical and Organizational Security Measures: Transcend has established a comprehensive GDPR compliance program and is committed to partnering with Clients and vendors on compliance efforts. Specifically, Transcend has taken the following steps to align its practices with GDPR: (i) all employees are required to complete annual GDPR training and security training, (ii) policies and contracts are in place with our partners and vendors to comply with GDPR, (iii) we have enhanced security practices and procedures, (iv) we have implemented tools to produce data maps, (v) we have created robust internal privacy and security documentation, and (vi) we have implemented tools and procedures to respond to data subject access requests.
17. Technical and Organizational Security Measure: Measures for allowing data portability and ensuring erasure
a. Evidence of Technical and Organizational Security Measures: Transcend provides a mechanism for individuals to exercise their privacy rights in accordance with applicable law. Individuals may request that Transcend delete their data or provide a copy of their data here.
18. Technical and Organizational Security Measure: Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Client.
a. Evidence of Technical and Organizational Security Measures: When Transcend engages a subprocessor under this DPA, Transcend and the subprocessor enter into an agreement with data protection obligations substantially similar to those contained in this DPA. Each subprocessor must ensure that Transcend is able to meet its obligations to Clients. In addition to implementing technical and organizational measures to protect Client Data, the subprocessors must (a) notify Transcend in the event of a Security Incident, (b) delete Client Personal Data when instructed by Transcend in accordance with Client’s instructions to Transcend; (c) not engage additional subprocessors without Transcend’s authorization; (d) not change the location where Client Personal Data is processed; and (e) not process Client Personal Data in a manner which conflicts with Client’s instructions to Transcend.
Schedule B - Transcend Subprocessors
Transcend maintains a list of Sub-Processors (including details of the processing each performs or will perform), at the following URL: https://docs.transcend.io/docs/transcends-subprocessors
Transcend imposes data protection terms on any Sub-Processor it appoints that protect the Client Personal Data to a reasonably similar standard provided for by this DPA.