Data Sharing Addendum
last updated: October 2024
This Data Sharing Addendum (“DSA”) is incorporated into and forms part of the Trulioo Services Agreement or other current written or electronic agreement, as well as any other related Order Forms (collectively the “Agreement”) between the entity identified as the “Customer” in the Agreement and Trulioo Information Services Inc. (“Trulioo”). All capitalized terms not defined in this DSA shall have the meanings set forth in the Agreement.
This DSA regulates the processing of Data subject to Data Protection Laws for the Controller Services provided under the Agreement. Any issues not regulated by this DSA shall be governed by the Agreement. By signing the Agreement, Customer hereby accepts this DSA on behalf of itself and in the name and on behalf of its Affiliates, if and to the extent Trulioo processes Customer Data, provided that such Affiliates have not signed their own separate agreement with Trulioo (“Authorized Affiliates”). For the purpose of this DSA only, and except where the context otherwise requires, the term “Customer” will include Customer and Authorized Affiliates.
The parties agree as follows:
1. Definition
“Controller Services” means any Services identified as “Controller Services” in an Order Form and/or Service Specific Terms.
“Customer Data” means any data (including Personal Data) that Customer provides or otherwise makes available to Trulioo through the Controller Services.
“Data” means any Personal Data that is provided or made available by a party to the other party under the Agreement in connection with the provision or use (as applicable) of the Controller Services, as described in Annex I.
“Data Protection Laws” means all worldwide data protection and privacy laws and regulations applicable to a party and the personal data in question, including where applicable European Data Protection Laws and US Data Protection Laws.
“Europe” means, for the purposes of this DSA, the European Economic Area, the United Kingdom and Switzerland.
“European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with (i) or (ii); (iv) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK Privacy Law”); and (v) the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances (“Swiss FDPA”); in each case as may be amended or superseded from time to time.
“Personal Data” means information which is protected as “personal data”, “personally identifiable information” or “personal information” under any applicable Data Protection Laws. For the avoidance of doubt, with respect to US Data Protection Laws, “Personal Data” does not include de-identified data, or publicly available information as such terms are defined in applicable Data Protection Laws.
“Processing Purposes” means the processing of Data for the purpose(s) described in Section 3 (Processing Purposes) of this DSA.
“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where UK Privacy Law applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss FDPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner; in each case whether such transfer is direct or via onward transfer.
“Standard Contractual Clauses” or “SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Trulioo Data” means any data (including Personal Data) that Trulioo provides or otherwise makes available to Customer through or in connection with the Controller Services. Trulioo Data may include but is not limited to information from publicly available sources, third-party data providers, and/or information derived or generated from analysing Customer Data.
“Trulioo Privacy Policy” means the Trulioo Services Privacy Policy available at https://www.trulioo.com/privacy.
“Trulioo Security Annex” means the Trulioo Security Annex available at https://www.trulioo.com/security-annex.
“US Data Protection Laws” means the California Consumer Privacy Act of 2018, as amended by the California Consumer Privacy Rights Act of 2020 (together, the “CCPA”), Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Florida Digital Bill of Rights, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, in each case including any further amendments and implementing regulations that become effective on or after the effective date of this DSA.
The terms “controller,” “data subject,” “personal data,” “processor” and “processing,” shall have the meanings given to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given to them in the EU GDPR will apply.
2. Relationship of the Parties. The parties acknowledge that they are each independent controllers with respect to the Data processed under this DSA and accordingly, each party shall be individually and separately responsible for fulfilling all obligations that apply to it under Data Protection Laws. Each party shall process Data received from the other party strictly for the Processing Purposes (or as otherwise agreed in writing by the parties) or as otherwise permitted under Data Protection Laws. In no event shall the parties be deemed joint controllers.
3. Processing Purposes.
3.1 The parties acknowledge and agree that: (a) Customer shall be permitted to use the Trulioo Data shared pursuant to this DSA (including Personal Data) in accordance with and for the purposes more particularly described in the Agreement (including this DSA); and (b) Trulioo shall be permitted to use the Customer Data shared pursuant to this DSA (including Personal Data) for the purposes of providing and improving the Controller Services in accordance with the Agreement (including this DSA).
3.2 Customer acknowledges and agrees that Trulioo will process Customer Data in accordance with the Trulioo Services Privacy Policy for as long as reasonably necessary for the purposes of providing and improving the Controller Services, which may include Trulioo and its third party data providers applying machine learning techniques to help better identify patterns in the Customer Data to improve the machine learning algorithms and data models essential to the continued provision of the Controller Services. Customer further acknowledges and agrees that, in connection with such purposes, Customer Data may be commingled with other customers’ data; provided, that (a) Customer Data shall not itself be made available to any other customer, and (b) Customer and any underlying individuals will never be identified or identifiable to the extent the Customer Data contributes to the Results provided to other customers of the Controller Services.
3.3 Compliance with Law. Each party shall be individually and separately responsible for complying with the obligations that apply to it under Data Protection Laws. Each party disclosing Data to the other party represents and warrants to the receiving party that it is lawfully entitled to process, and has provided all required notices and obtained all necessary consents and other permissions from the relevant data subjects (or has another valid lawful basis) to: (i) share such Data with the receiving party in accordance with the Agreement; and (ii) enable the receiving party to lawfully process such Data for the Processing Purposes or as otherwise agreed by the parties in writing. Customer shall be solely responsible for ensuring that Customer’s use of the Controller Services (and all Data provided or received in connection with the Controller Services) does not violate any laws (including Data Protection Laws).
4. Customer Obligations
4.1 Prior to accessing, using, sharing or otherwise processing any Data for the Processing Purposes, Customer will ensure that it: (a) prominently posts on the Customer Properties a readily accessible and legally sufficient privacy notice that includes accurate disclosures concerning the collection and processing of Data for the Processing Purposes; and (b) provides a legally sufficient mechanism for data subjects to “opt out” of uses of their Personal Data for the Processing Purposes to the extent required by Data Protection Laws. Without prejudice to the foregoing, such notice shall at a minimum include: (i) a description of the types of Data collected by Trulioo (or its data providers) for the Processing Purposes; and (ii) disclose the identity of Trulioo as a controller of the Data. The Trulioo Services Privacy Policy, its explanation of the Data Trulioo collects and how the Controller Services use it, may assist the Customer in complying with the notification obligations under this DSA. The parties will provide reasonable assistance and reasonably cooperate with each other to assist with each party’s compliance with Data Protection Laws and this Section 4.1.
4.2 Customer will conduct reasonable due diligence into any complaint Customer receives relating to the use of Data for the Processing Purposes, such as any decisions made based on the Trulioo Data provided to Customer in connection with the Controller Services. Customer will take appropriate action in response to such complaints (including by promptly providing feedback to Trulioo through the Controller Services) if Customer determines that such action is needed to correct any decision made based on the provision of the Controller Services to Customer.
4.3 To the extent Customer makes any automated decisions in connection with its use of the Controller Services, Customer acknowledges that it is solely responsible for such decisions, including (as applicable) notifying individuals of any automated decisions, obtaining consent and implementing suitable safeguards to ensure individuals are able to contest such decisions, express their point of view or obtain human review.
5. Trulioo Commitments. Trulioo will maintain a readily accessible privacy notice on its website (i.e. the Trulioo Service Privacy Policy) that includes accurate disclosures concerning its data practices that complies with Data Protection Laws, including disclosures concerning Trulioo’s collection, use, processing and sharing of Data for the Processing Purposes.
6. Third Party Requests. Each party (the “Responding Party”) will respond reasonably, promptly and in accordance with the Responding Party’s obligations under Data Protection Laws, to any correspondence, inquiry or complaint from any data subject, consumer, regulator or other third party (“Correspondence”), concerning its processing of Data shared under this DSA and the other party will co-operate as reasonably requested by Responding Party to enable Responding Party to respond to such Correspondence. The Responding Party will be entitled to take action with respect to specific Data in its control or possession in response to such Correspondence or as otherwise required by Data Protection Laws; provided that in the event either party receives any Correspondence related to the processing of Data by the other party, it will promptly inform the other party giving full details of the same, and the parties will cooperate reasonably and in good faith in order to respond to such Correspondence in accordance with any requirements under applicable Data Protection Laws. Subject to the foregoing obligations of notice and cooperation, where any Correspondence made directly to Trulioo concerns a request by a data subject to exercise their data protection rights in relation to the Customer’s processing of Data under this DSA (including where Data resides in the Customer’s account), Customer shall be solely responsible for responding to the data subject in accordance with Data Protection Laws.
7. Cooperation. Each party will reasonably cooperate with the other in any activities contemplated by the Controller Services and to enable each party to comply with its respective obligations under applicable Data Protection Laws. Without limiting the foregoing, in the event of a change in Data Protection Laws or a determination by a supervisory authority or competent court affecting the data processing undertaken under this DSA, the parties shall work together in good faith to make any amendments to this DSA as are reasonably necessary to ensure continued compliance with Data Protection Laws.
8. Security & Security Incidents. Each party shall implement and maintain appropriate technical and organisational measures designed to protect the security and integrity of Data it receives in the course of the Services, including protection against a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”) and that, at a minimum comply with Data Protection Laws and Annex II to this DSA. Each party receiving Data shall ensure the persons authorized to process such Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Upon becoming aware of a Security Incident, each party shall inform the other party without undue delay and shall provide all such timely information and cooperation as the other party reasonably requires in order to comply with its obligations under Data Protection Laws (or in relation to Trulioo, its commitments under the relevant contract with a customer) and the affected party shall further take all such measures as are necessary to remedy or mitigate the effects of the Security Incident and shall keep the other party informed of all developments in connection with the Security Incident, to the extent it relates to the Data received by the affected party under the Agreement.
9. International Transfers
9.1 Each party shall take all such measures as are necessary to ensure that the processing or transfer (directly or via onward transfer) of the Data in or to a territory other than the territory in which the Data was first collected is in compliance with Data Protection Laws.
9.2 The parties agree that where the transfer of Data from the disclosing party (as “data exporter”) to the receiving party (as “data importer”) is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the SCCs, modified by the UK Addendum as required for Restricted Transfers subject to UK Privacy Law, each of which shall be deemed incorporated herein in full by reference and shall form an integral part of this DSA. For the purposes of the foregoing, the parties agree that:
(a) each recipient of Data shall be the “data importer” and the other party shall be the “data exporter”;
(b) Module One (controller to controller) will apply;
(c) in Clause 7, the optional docking clause will apply;
(d) in Clause 11, the optional language will not apply;
(e) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland, England and Wales or Switzerland (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer);
(f) in Clause 18(b), disputes shall be resolved before the courts of Ireland, England and Wales or Switzerland (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer); and
(g) Annexes I and II of the SCCs and Tables 1 and 3 of Part 1 of the UK Addendum (as applicable) shall be deemed completed with the information set out in Annexes I and II of this DSA and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
9.3 It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs, and accordingly if and to the extent the SCCs conflict with any provision of the Agreement (including this DSA) the SCCs shall prevail to the extent of such conflict.
9.4 The parties acknowledge that Trulioo is located in Canada and Canada has been recognized as providing an adequate level of data protection by the European Commission (such adequacy decision is available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002). However, where and to the extent the transfer of Data from Customer to Trulioo is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the SCCs in accordance with this Section 10 (International Transfers).
10. Subcontracting. Each party may, at its election, appoint one or more third party processors or service providers to process the Data it receives from the other party on its behalf, provided that such processors: (a) agree in writing to process the Data in accordance with the instructing party’s documented instructions; (b) implement appropriate technical and organisational security measures to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Data Protection Law.
11. Audit. Each party agrees upon request from the other party to respond to questions and all reasonable requests for information in connection with its processing activities to the extent necessary to demonstrate its compliance with this DSA. If such an audit identifies any default by a party or there are reasonable grounds to suspect a default then, without prejudice to any other rights or remedies available, the defaulting party shall take all necessary steps to comply with its obligations.
12. Additional provisions for CCPA
12.1 Roles. This Section shall only apply with respect to Data processed in connection with the Controller Services subject to the CCPA (“CCPA Personal Information”). When processing CCPA Personal Information, the parties acknowledge and agree that Customer is a Business and Trulioo is a Service Provider for the purposes of the CCPA. For the purpose of this Section, “Business”, “Business Purpose”, “Commercial Purpose”, “Consumer,” “Personal Information”, “Process,” “Sell”, “Service Provider”, and “Share” have the meanings given to them in the CCPA.
12.2 Responsibilities. The parties agree that all CCPA Personal Information is processed by Trulioo on behalf of Customer for one or more Business Purpose(s) and its use or sharing by Customer with Trulioo is necessary to perform such Business Purpose(s). For the purposes of this DSA, Trulioo is Processing the CCPA Personal Information for the Business Purpose(s) of: (a) providing the Controller Services to Customer, and (b) to help Customer resist malicious, deceptive, fraudulent or illegal actions (the “Purpose”).
12.3 Trulioo will: (a) only Process CCPA Personal Information under the Agreement for the limited and specific Purpose, and at all times in compliance with applicable portions of the CCPA, and shall provide the same level of privacy protection as is required by the CCPA; (b) assist Customer in responding to any request from a Consumer to exercise rights under the CCPA; (c) notify Customer without undue delay if Trulioo makes a determination that it can no longer meet its obligations under the CCPA and Customer shall have the right to take reasonable and appropriate steps to help ensure that Trulioo uses the CCPA Personal Information in a manner consistent with Customer’s obligations under the CCPA and stop and remediate any unauthorized use of the CCPA Personal Information; and (d) require that each employee or other person processing CCPA Personal Information is subject to a duty of confidentiality with respect to such CCPA Personal Information.
12.4 To the extent required by the CCPA and, in each case, except as otherwise permitted by the CCPA, Trulioo is prohibited from: (a) Selling the CCPA Personal Information; (b) Sharing the CCPA Personal Information for cross-contextual behavioural advertising purposes; (c) retaining, using or disclosing the CCPA Personal Information for any purpose other than for the Purposes; (d) retaining, using, or disclosing the CCPA Personal Information outside of the direct business relationship between Trulioo and Customer; and (e) combining the CCPA Personal Information with any Personal Information that may be collected from Trulioo’s separate interactions with the individual(s) to whom the CCPA Personal Information relates or from any other sources, except to perform a Purpose or as otherwise permitted by law.
13. General. In the event of any conflict, ambiguity or inconsistency between the terms of the Agreement and the terms of this DSA, the terms of this DSA shall prevail as they relate to the subject matter of this DSA. The DSA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
Annex I
Description of Data Processing / Transfer
I.A. List of Parties
Data Exporter | Data Importer |
---|---|
Name: The entity that is disclosing Data to the other party, which shall be Trulioo (for the Trulioo Data described in I.B. below) or the Customer (for the Customer Data described in Annex I.B. below). | Name: The entity that is disclosing Data to the other party, which shall be Trulioo (for the Trulioo Data described in I.B. below) or the Customer (for the Customer Data described in Annex I.B. below). |
Address: Trulioo: 400 – #114 E. 4th Avenue, Vancouver, BC V5T 1G2, Canada; Customer: The address for the Customer specified in the Agreement. | Address: Trulioo: 400 – #114 E. 4th Avenue, Vancouver, BC V5T 1G2, Canada; Customer: The address for the Customer specified in the Agreement. |
Contact Person’s Name, position and contact details: Trulioo: 400 – #114 E. 4th Avenue, Vancouver, BC V5T 1G2, Canada; [email protected] Customer: As set out in the Agreement and this DSA. | Contact Person’s Name, position and contact details: Trulioo: 400 – #114 E. 4th Avenue, Vancouver, BC V5T 1G2, Canada; [email protected] Customer: As set out in the Agreement and this DSA. |
Activities relevant to the transfer: See Annex I.B. below. | Activities relevant to the transfer: See Annex I.B. below. |
Signature and date: This Annex I shall automatically be deemed executed when the Agreement (incorporating this DSA) is executed by the parties. | Signature and date: This Annex I shall automatically be deemed executed when the Agreement (incorporating this DSA) is executed by the parties. |
Role: Controller | Role: Controller |
I.B. Description of Processing / Transfer
(a) Customer Data
EU SCC Module: | Module One (C2C) |
Categories of Data Subjects: | Data subjects include individuals whose Personal Data is included in Data shared by the Customer (i.e., individuals who are the subject of a query submitted to the Services (including consumers/ end users of a Customer’s services)). |
Categories of Personal Data: | The categories of Personal Data will depend on the specific Controller Services, but may include: • name; • contact details (e.g. email address, residential address and telephone number); • date of birth; • government ID number (e.g. passport, driving license, national ID number); • IP address; and • any other category of Personal Data submitted by Customer to Trulioo in connection with the Controller Services. |
Sensitive data transferred and safeguards: | N/A |
Frequency: | Continuous |
Nature of the processing: | Personal Data about individuals will be processed for the Processing Purposes. |
Purpose(s): | The Personal Data is processed for the Processing Purposes set out in Section 3 of the DSA. |
Retention: | Trulioo shall retain Personal Data for as long as necessary for the Processing Purposes or as otherwise permitted by Data Protection Laws. |
(b) Trulioo Data
EU SCC Module: | Module One (C2C) |
Categories of Data Subjects: | Data subjects include individuals whose Personal Data is included in Data shared by the Customer (i.e., individuals who are the subject of a query submitted to the Services (including consumers/ end users of a Customer’s services)). |
Categories of Personal Data: | The categories of Personal Data will depend on the specific Controller Services, but may include: • Personal Data included in the results for the Customer of the algorithmic modelling and analysis of Customer Data, using machine learning techniques, which results may include fraud and risk signals (for example, the number of times a data element has been queried or seen in a particular time period, and a risk score); • any other category of Personal Data provided by Trulioo to Customer in connection with the Controller Services. |
Sensitive data transferred and safeguards: | N/A |
Frequency: | Continuous |
Nature of the processing: | Personal Data about individuals will be processed for the Processing Purposes. |
Purpose(s): | The Personal Data is processed for the Processing Purposes set out in Section 3 of the DSA. |
Retention: | Customer shall retain Personal Data for as long as necessary for the Processing Purposes or as otherwise permitted by Data Protection Laws. |
I.C. Competent supervisory authority
Irish Data Protection Commissioner, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer).
Annex II
Technical and Organizational Security Measures
Data Importer will implement and maintain an information security program that: (i) complies with the minimum security requirements described in this Annex; (ii) is consistent with industry standard practices taking into consideration the sensitivity of the relevant Data and the nature and scope of the Services (including any Delivery Method) provided; (iii) includes reasonable and appropriate administrative, technical and physical safeguards designed to protect Data; and (iv) complies with Data Protection Laws.
The Data Importer shall apply the minimum requirements specified in this Annex in conjunction with any other general security requirements agreed with Data Exporter (such as any further security requirements as are identified in any pre or post contract security assessment).
- Information security policy: Data Importer will implement and maintain a written information security policy consistent with established industry standards that specifies the security standards it will apply to protect the Data it Processes in accordance with the Agreement. The information security policy will:
  - mandate the use of appropriate technical and organisational security measures in the Data Importer’s organisation to protect Data against Security Incidents. It will include processes to identify Security Incidents and further describe the measures to be taken in the event of an actual or suspected Security Incident;
  - as appropriate, include the pseudonymisation and encryption of Data;
  - include the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - include the ability to restore the availability and access to Data in a timely manner in the event of a physical or technical incident; and
  - include a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Background Checks: To the extent legally permissible and practicable in the applicable jurisdiction, Data Importer will conduct pre-employment or pre-engagement screening on employees and contractors who will have access to Data.
- Employee and Contractor Confidentiality: Data Importer will require Data Importer employees and contractors to execute a confidentiality agreement as a condition of employment or engagement and to follow policies on the protection of customer data, confidential information, and information security procedures.
- Information Security and Privacy Training: Data Importer will conduct mandatory trainings for Data Importer employees and contractors, at least annually, on ethics, privacy and information security awareness. These trainings are reviewed and updated annually.
- Code of Conduct: Data Importer maintains a Code of Conduct and disciplinary process that is used when Data Importer employees or contractors violate Data Importer security or privacy policies.
- Information security officer: The Data Importer will appoint a duly skilled employee with responsibility for ensuring the security of Data processed by the Data Importer in its organisation and for reviewing, maintaining and updating the Data Importer’s information security policy.
- Physical security: Data Importer will ensure that access to data processing facilities will be restricted to duly authorised personnel, employees and contractors by use of keys, fingerprint readers, or other electronic security measures.
- Firewall and anti-virus: Data Importer will implement appropriate firewall, anti-virus, anti-spyware and other anti-malware software and technologies on all networks and systems it uses to process Data. Data Importer will update its firewall, anti-virus, anti-spyware and other anti-malware software and technologies on a regular basis to ensure that they protect against then-current virus, spyware and other malware threats.
- Encryption: Data Importer will encrypt Data in-transit and at rest as appropriate.
- Deletion: Where Data Importer is Trulioo, Data Importer will ensure that any Customer Data is completely destroyed by the use of cross-cut shredding machines (or other equally effective destructive method) such that the data is no longer readable or usable for any purpose.
- Backups of Data: Data Importer will maintain an industry standard backup system and backup of Data designed to facilitate timely recovery in the event of a service interruption.
- Disaster Recovery and Business Continuity Plans: Data Importer will (i) maintain disaster recovery and business continuity plans aligned with Business Continuity Standard ISO22301 or equivalent; (ii) operate a business continuity risk assessment to proactively identify any risks that could cause a business interruption; (iii) ensure that the scope of the business continuity plan encompasses all locations, personnel and information systems used to process the Data; (iv) ensure that the business continuity plan is tested at least annually and shall supply upon written request evidence demonstrating that the tests have been performed (including the date and whether the test was successful).
- Portable media: Any devices, discs and other electronic storage media containing Data must be destroyed once no longer needed in a manner which makes access to the Data stored on them impossible. They must not be disclosed to any party not authorized to process Data unless the data previously stored on those media has been irretrievably destroyed.
- Access controls: Data Importer will implement technical access controls that restrict access to Data it processes to duly authorised employees and contractors only. Data Importer will also implement data access traceability measures. Duly authorised employees and contractors will be permitted to access Data only to the extent necessary for the performance by Data Importer of its obligations under the Agreement. The Data Importer will identify and appoint a system administrator with overall responsibility for granting, changing or voiding data access privileges to its data processing systems.
- Usernames / passwords: Data Importer will ensure that access to Data will be controlled through access privileges (described above), usernames and confidential passwords. No two employees or contractors may share or use the same username. Employees and contractors will be required to change their passwords on a regular basis and at least once every six months. All employee passwords must be at least eight characters, including a minimum of one uppercase letter and one numeral.
- Data Entry Controls: Data Importer will maintain data entry control measures designed to ensure Data Importer can check and establish whether and by whom the Data has been input into data processing systems, modified, or removed.