PrinciplesUs Data Processing Addendum

Last updated January 22, 2024


This PrinciplesUs Data Processing Addendum (“DPA”) reflects the parties’ agreement with respect to Processing of Your Data by us. We Process Your Data on behalf of you in connection with providing the PrinciplesUs products or services purchased by you under the PrinciplesUs Service Terms (also referred to in this DPA as the “Service Terms”) as described in Schedule 1 (Scope of Processing).

This DPA is supplemental to, and forms an integral part of, the Service Terms between PRIOS and Subscriber.

In the event of any inconsistency or conflict between this DPA and the Service Terms, this DPA will govern, supersede, and prevail.

In the event of any change to or new Applicable Law, PRIOS shall have the right, upon written notice to Subscriber, to make changes to this DPA as it reasonably determines to be necessary or appropriate to address the requirements of such Applicable Law. Such changes shall become effective thirty (30) days after written notice unless PRIOS receives a written response from Subscriber prior to such effective date setting forth Subscriber’s objection to the changes and the specific bases for such objection (collectively, an “Objection”).

The term of this DPA will follow the term of the Service Terms.  All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Service Terms.

Subscriber and PRIOS agree as follows:

1. Subscriber Instructions.

Subscriber instructs PRIOS to Process (defined below) Your Data as necessary to provide PrinciplesUs products or services and as otherwise authorized or permitted under this DPA and the Service Terms, including as specified in Schedule 1 (Scope of Processing).  Additionally, Subscriber authorizes PRIOS to Process information that cannot reasonably be linked to or associated with Subscriber or any data subject (“Deidentified Data”) to improve PrinciplesUs products or services. PRIOS will (a) take reasonable measures to ensure the Deidentified Data cannot be associated with a data subject and (b) publicly commit to maintain and use Deidentified Data in deidentified form and not attempt to reidentify Deidentified Data except to assess the sufficiency of the deidentification process. This DPA, the Service Terms, and any instructions provided by Subscriber through configuration tools made available by PRIOS constitute Subscriber’s documented instructions regarding PRIOS’s Processing of Your Data.  Additional instructions provided by Subscriber (if any) require prior written agreement by Subscriber and PRIOS. As between Subscriber and PRIOS, all  of Your Data is the sole and exclusive property of Subscriber.

2. Subscriber Role and Responsibilities.

With respect to Your Data, Subscriber is a controller and/or business as each of those terms are defined under Applicable Law. Subscriber will comply with the obligations applicable to it under Applicable Law with respect to the Processing of Your Data. Subscriber will have sole responsibility for the legality of Your Data and the means by which Subscriber acquired Your Data and ensure that Subscriber has provided all notices, obtained all consents and has all necessary rights to provide Your Data to PRIOS for PRIOS to Process in accordance with this DPA. Subscriber is responsible for responding to requests from data subjects to exercise rights under Applicable Law regarding Your Data (each, a “Data Subject Request”). Subscriber will inform PRIOS of any Data Subject Request that PRIOS must comply with and provide the information necessary for PRIOS to comply with the request.

3. PRIOS Role and Responsibilities.

With respect to Your Data, PRIOS is a processor and/or service provider as each of those terms is defined under Applicable Law. “Process” or “Processing” means any operation or set of operations which is performed on Your Data, whether or not by automated means, such as the access, collection, use, storage, disclosure, dissemination, combination, recording, organization, structuring, adaptation, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure and/or destruction of Your Data. As a part of providing PrinciplesUs products or services:

(a) PRIOS will:

(i) Process Your Data solely: (A) in a manner consistent with documented instructions provided by Subscriber as specified in Section 1, including with regard to transfer of Your Data to a third country; and (B) as required by all data protection and privacy laws, rules, and regulations applicable to PrinciplesUs, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), and the California Consumer Privacy Act (“CCPA”) (collectively, “Applicable Law”);

(ii) to the extent permitted by Applicable Law, amend, correct, or erase Your Data at Subscriber’s written request and provide a means for Subscriber to update and make accurate Your Data Processed by PRIOS;

(iii) to the extent permitted by Applicable Law, notify Subscriber of any third party request (whether a Data Subject Request or otherwise) to (A) restrict the Processing of Your Data; (B) port Your Data to a third party; or (C) access, rectify, or erase Your Data. PRIOS will use commercially reasonable efforts to assist Subscriber, at Subscriber’s reasonable written request, in complying with Subscriber’s obligations under Applicable Law to respond to requests or complaints directed to Subscriber with respect to Your Data Processed by PRIOS, to the extent that Subscriber does not have access to such Your Data through Subscriber’s use of PrinciplesUs;

(iv) taking into account the nature of the Processing and the information available to PRIOS and at the written request of Subscriber, reasonably cooperate and assist Subscriber in conducting a data protection impact assessment and ensuring Subscriber’s other compliance with Applicable Law;

(v) ensure that PRIOS personnel Processing Your Data are subject to obligations of confidentiality; and

(vi) keep all Your Data compartmentalized or otherwise logically distinct from other information of PRIOS or its personnel, suppliers, customers or other third parties.

(b) Without limiting the instructions under Section 1, PRIOS will not:

(i) Process Your Data for any purpose other than the specific purpose of providing PrinciplesUs products or services, including any Processing of Your Data for any commercial purpose other than providing PrinciplesUs products or services;

(ii) Process any Your Data outside the direct business relationship between Subscriber and PRIOS;

(iii) sell or share (as defined by Applicable Law) Your Data;

(iv) combine Your Data with Personal Information Company receives from individuals or other customers, except as permitted by Applicable Law; or

(v) except as otherwise provided in this DPA with respect to Subprocessors, disclose Your Data to any other entity without first, except to the extent prohibited by Applicable Law, notifying Subscriber of the anticipated disclosure (so as to provide Subscriber the opportunity to oppose the disclosure and obtain a protective order or seek other relief); or obtaining Subscriber’s prior consent to the disclosure.

PRIOS will use commercially reasonable efforts to inform Subscriber if PRIOS becomes aware or reasonably suspects that Subscriber’s instructions regarding the Processing of Your Data may breach any Applicable Law. Notwithstanding the foregoing, Subscriber acknowledges and agrees that such notification will not constitute a general obligation on the part of PRIOS to monitor or interpret the laws applicable to Subscriber and such notification will not constitute legal advice to Subscriber.

4. Subprocessors.

PRIOS will not engage another processor to Process Your Data on behalf of Subscriber for the purpose of fulfilling PRIOS’ obligations with respect to the provision of PrinciplesUs under the Service Terms (a “Subprocessor”) without authorization from Subscriber. Subscriber hereby provides its general written authorization for and specifically consents to PRIOS’ engagement of the Subprocessors listed at https://principlesus.com/principlesus-list-of-subprocessors/ or its successor URL. PRIOS will notify Subscriber of the appointment of any new Subprocessors by updating the list available at such URL and sending Subscriber an email concerning such updates at least thirty (30) days prior to engaging a new Subprocessor. Subscriber may object to new Subprocessors within ten (10) business days of such notice by sending an email to support@principles.com. If Subscriber objects to the new Subprocessors, PRIOS and Subscriber will cooperate in good faith to resolve Subscriber’s objection. If the parties are unable to resolve Subscriber’s objection within ten (10) days, then either party may terminate the Service Terms only with respect to those aspects of PrinciplesUs products or services that PRIOS indicates cannot be provided without the objected-to Subprocessor. We will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of us by this DPA. PRIOS will remain liable to you for the performance of any Subprocessors.

5. Data Transfers.

5.1 Overview. If Your Data that originates in the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland is transferred by Subscriber to PRIOS for Processing in a country not subject to an adequacy decision in accordance with Applicable Law (“Data Transfer”), the parties will conduct such Data Transfer in accordance with this Section 5. Any Data Transfer will be conducted pursuant to the SCCs, as defined below, which are incorporated into the DPA by this reference. If an alternative transfer mechanism for legitimizing Data Transfers (an “Alternative Mechanism”) becomes available during the term of this DPA, and PRIOS notifies Subscriber that Data Transfers can be conducted in compliance with Applicable Law pursuant to the Alternative Mechanism, the parties will rely on the Alternative Mechanism to legitimize Data Transfers instead of the provisions that follow.

5.2 Transfers Subject to the UK GDPR. For any of Your Data subject to the UK GDPR, defined below, the Data Transfer will be conducted pursuant to the UK IDTA, defined below, which is hereby incorporated by reference. The information needed to complete the tables to the UK IDTA is provided in the Schedules to this DPA.

5.3 Transfers Subject to Swiss Data Protection Law. For any of Your Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), any Data Transfers will be conducted pursuant to the SCCs, defined below, with the following modifications:

(a) the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP;

(b) references in the SCCs Module 2 to a “Member State” or “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence; and

(c) references to “GDPR” in the SCCs will be understood as references to the FADP.

5.4 Details for the Standard Contractual Clauses and UK Addendum. The parties agree to comply with the general clauses with Module Two (Controller-to-Processor) of the SCCs, defined below (which are deemed executed as of the effective date of this DPA), with Subscriber as the “Data Exporter” or “Exporter” and PRIOS as the “Data Importer” or “Importer”.

“SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The parties make the following choices for implementing the SCCs:

(a) the option under Section I, Clause 7 shall not apply;

(b) the parties select option 2 in Section II, Clause 9 and agree on ten (10) business days as the notice period for additions or replacements of new Subprocessors;

(c) the optional language in Section II, Clause 11(a) is omitted;

(d) the parties select option 2 of Section II, Clause 17 and specify governing law as the law of Ireland;

(e) for Section II, Clause 18(b), disputes will be resolved in the courts of Ireland;

(f) details in Schedule 1 of this DPA will be used to complete Annex I of the SCCs Module II and Tables 1, 3 and 4 of the UK Addendum;

(g) details of Section 6 and Schedule 2 of this DPA will be used to complete Annex II of the SCCs Module 2 and Table 3 of the UK Addendum;

(h) details in Section 4 of this DPA will be used to complete Annex III of the SCCs Module 2 and Table 3 of the UK Addendum; and

(i) any audits required under the SCCs Module 2 will be conducted pursuant to Section 7 of this DPA.

“UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.

6. Security Safeguards.

PRIOS will implement and maintain appropriate technical and organizational measures consistent with industry standards designed to protect the confidentiality, integrity, and availability of Your Data, protect Your Data against Security Breach (defined below), and provide the level of protection required by Applicable Law in accordance with Schedule 2 (Security Measures), which may be amended without reducing the level of security provided.

7. Audits.

Taking into account the nature of Processing and the information available to PRIOS, PRIOS will use commercially reasonable efforts to assist Subscriber in Subscriber’s efforts to comply with Subscriber’s obligations to secure Your Data by providing the information and assistance described in this Section 7. Subject to the foregoing, PRIOS will make available to Subscriber information necessary to demonstrate compliance with its obligations in this DPA. Any such information, including but not limited to Audit Information, will be deemed the Confidential Information of PRIOS under the Service Terms. Where required by Applicable Law, and no more than once per calendar year, at Subscriber’s reasonable request and with advance written notice, PRIOS will make available to Subscriber records and information demonstrating its compliance with this DPA (“Audit Information”) and allow an independent third party, agreed to by the parties, to conduct an audit to verify such compliance on behalf of Subscriber. Subscriber acknowledges and agrees that Subscriber will exercise its audit rights under this DPA by instructing PRIOS to comply with the audit measures described in this Section. Upon written request and no more than once per calendar year, PRIOS will use commercially reasonable efforts to provide (on a confidential basis) a summary copy of our penetration testing report(s) to Subscriber as well as written responses (on a confidential basis) to reasonable requests for Audit Information.

8. Security Breach.

If PRIOS becomes aware of any actual Security Breach (defined below), PRIOS will take commercially reasonable efforts to, without undue delay: (a) notify Subscriber of the Security Breach and any third-party legal processes relating to the Security Breach; and (b) help Subscriber investigate, remediate, and take any action required under Applicable Law regarding the Security Breach. “Security Breach” means a breach of security leading to any unlawful or accidental loss, destruction, alteration, or unauthorized Processing of Your Data under PRIOS’s possession or control, that is notifiable under Applicable Law. The obligations in this Section do not apply to incidents that are caused by Subscriber or Subscriber’s personnel or users or to unsuccessful attempts or activities that do not compromise the security of Your Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. PRIOS’s obligation to notify a Security Breach under this Section is not and will not be construed as an acknowledgement by PRIOS of any fault or liability of PRIOS with respect to such Security Breach.

9. Return or Destruction of Personal Information.

Upon written request by Subscriber or when PRIOS no longer is required to Process Your Data to fulfill its obligations under the Service Terms, PRIOS will return all Your Data to Subscriber or destroy all Your Data and all copies thereof, except to the extent that PRIOS is required under Applicable Law to keep a copy of Your Data for a specified period of time. The certification of deletion contemplated by Section 8.5 of the SCCs will be provided on Subscriber’s written request.

10. Limitation of Liability.

Each party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the ‘Limitation of Liability’ section of the Service Terms and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Service Terms (including this DPA).  In no event shall either party’s liability be limited with respect to any individual’s data protection rights under Applicable Law.

Schedule 1

Scope of Processing

A. List of Parties

Data exporter:

Name: The Subscriber, as defined in the Service Terms (on behalf of itself and Permitted Affiliates)

Address: The Subscriber’s address, as set out in the order form when subscribing for PrinciplesUs

Contact person’s name, position and contact details: The Subscriber’s contact details, as set out in the order form when subscribing for PrinciplesUs and/or as set out in the Subscriber’s PrinciplesUs Account

Activities relevant to the data transferred under these Clauses: Processing of Your Data in connection with Subscriber’s use of PrinciplesUs under the Service Terms

Role: Controller

Data importer:

Name: PRIOS, LLC

Address: 25 Ford Road, Westport, MA, 06880, USA

Contact person’s name, position and contact details: Wm. Lee Goss, PRIOS, LLC Chief Financial Officer, 25 Ford Road, Westport, MA, 06880, USA, lee.goss@principles.com

Activities relevant to the data transferred under these Clauses: Processing of Your Data in connection with Subscriber’s use of PrinciplesUs under the Service Terms

Role: Processor

B. Description of Transfer

Categories of Data Subjects whose Your Data is Transferred

You may submit Your Data in the course of using PrinciplesUs, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Your Data relating to the following categories of Data Subjects:  you and your Users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.

Categories of Personal Information Transferred

You may submit Personal Information to PrinciplesUs, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Information:

  1. First and last names
  2. Email address
  3. IP address
  4. Qualitative data entered into PrinciplesUs, and in particular: questions, answers, and feedback exchanged by Data Subjects in the course of using PrinciplesUs.

Special Categories of Data Transferred and Applied Restrictions or Safeguards

PrinciplesUs is not designed for special categories of data.  PRIOS does not anticipate that Subscriber will submit special categories of data to PrinciplesUs. To the extent that such data is submitted to PrinciplesUs, it is determined and controlled by Subscriber in Subscriber’s sole capacity.

Frequency of the Transfer

Continuous

Subject-Matter and Duration of Processing

PRIOS Processes Your Data if and when provided by Subscriber in the course of providing PrinciplesUs products or services in accordance with the Service Terms (including this DPA). Specifically, Your Data may be subject to the following Processing activities among others:

1. Storage and other Processing necessary to provide, maintain and improve PrinciplesUs provided to you; and/or

2. Disclosure in accordance with the Service Terms (including this DPA) and/or as compelled by applicable laws.

Period for Which Your Data Will be Retained

Subject to this DPA, Your Data will be retained for the period needed for the duration of Service Terms, unless otherwise agreed in writing.

C. Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either (i) where Subscriber is established in an EU Member State, the supervisory authority responsible for ensuring Subscriber’s compliance with the GDPR; (ii) where Subscriber is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Subscriber’s representative is established; or (iii) where Subscriber is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. In relation to Your Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).

Schedule 2

Security Measures

We currently observe the Security Measures described in this Schedule 2.  All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Service Terms.

a) Access Control

i)  Preventing Unauthorized Access

  • Outsourced processing: We host PrinciplesUs with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide PrinciplesUs in accordance with this DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
  • Physical and environmental security: We host PrinciplesUs infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
  • Authentication: We implement a uniform password policy for PrinciplesUs. Subscribers and their Users who interact with PrinciplesUs via the user interface must authenticate before accessing non-public data.
  • Authorization: Your Data is stored in multi-tenant storage systems accessible to Subscribers via only application user interfaces and application programming interfaces. Subscribers are not allowed direct access to the underlying application infrastructure. The authorization model in PrinciplesUs is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the User’s permissions against the attributes associated with each data set.
  • Application Programming Interface (API) access: PrinciplesUs’ APIs may be accessed through OAuth authorization.

ii)  Preventing Unauthorized Use

We implement industry standard access controls and detection capabilities for the internal networks that support PrinciplesUs.

  • Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
  • Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
  • Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.
  • Penetration testing: We maintain relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

iii)  Limitations of Privilege & Authorization Requirements

  • Services access: A subset of our employees have access to PrinciplesUs and Your Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through requests for access, which must be approved by both our CEO and CFO. Employees are also granted access by role. Employee roles are reviewed at least once annually.
  • Background checks: All PRIOS, LLC employees undergo a third-party background check, in accordance with and as permitted by the applicable laws. All PRIOS, LLC employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

  • In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of our login interfaces. Our HTTPS implementation uses industry standard algorithms and certificates.
  • At-rest: We store user passwords in accordance with industry standard security practices. We have implemented technologies to ensure that stored data are encrypted at rest.

c) Input Control

  • Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
  • Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Subscriber damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Service Terms.

d) Availability Control

  • Infrastructure availability: Our infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
  • Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Subscriber data are backed up to multiple durable data stores and replicated across multiple availability zones.
  • Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
  • Our products are designed to ensure redundancy and seamless failover. The server instances that support PrinciplesUs are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating PrinciplesUs’ applications and backend while limiting downtime.