EisnerAmper Vendor Data Protection Addendum
This Data Protection Addendum (“Addendum”) supplements the Master Services Agreement or similar contractual arrangement (“Agreement”) by and between Eisner Advisory Group LLC, EisnerAmper LLP and/or any of their subsidiaries as provided for under the Agreement (collectively, as applicable “EA”) and the vendor identified in the applicable Agreement (“Vendor”), with an Effective Date as stipulated in the Agreement.
WHEREAS, “EisnerAmper" is the brand name under which EisnerAmper LLP and Eisner Advisory Group LLC provide professional services. EisnerAmper LLP and Eisner Advisory Group LLC are independently owned firms that practice in an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. EisnerAmper LLP is a licensed CPA firm that provides attest services, and Eisner Advisory Group LLC and its subsidiary entities provide tax and business consulting services to clients and provide staff and other administrative resources to EisnerAmper LLP. Eisner Advisory Group LLC and its subsidiary entities are not licensed CPA firms.
WHEREAS, the parties wish to include provisions for the requirements of applicable data protection laws, which may include the European Union’s General Data Protection Regulation (the GDPR); the United Kingdom's General Data Protection Regulation (the UK GDPR) and the UK Data Protection Act of 2018; the Cayman Islands’ Data Protection Act (2021 Revision) and the Data Protection Regulations, 2018 (SL 17 of 2019) (Cayman DPA); the comprehensive privacy laws in the U.S. states of California, Colorado, Connecticut, Montana, Oregon, Tennessee, Texas, Utah, and Virginia (collectively, “U.S. State Privacy Laws”); and any other applicable law, regulation, or other legal requirements protecting a data subject’s privacy with respect to the processing of personal information, to the extent the Agreement is subject thereto.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set out below shall be added as an Addendum to the Agreement.
The terms set out in this Addendum will take effect from the date of execution of the Agreement and in the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall supersede the Agreement.
NOW, THEREFORE, in consideration of the mutual covenants, and for continuing to perform the Services, the Parties agree as follows.
1. Definitions.
- “Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of personal information across national borders, as may be permitted under applicable data protection laws, including the EU-US Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, or the standard contractual clauses adopted by the European Commission for the transfer of personal information to third countries pursuant to the GDPR or the international data transfer agreement adopted by the UK Information Commissioner’s Office pursuant to the UK GDPR.
- “Data Controller” means the entity which alone or jointly with others determines the purposes and means of the processing of personal information.
- “Data Processor” means an entity that processes Personal Data on behalf of the Data Controller.
- “Personal Data” means information collected, accessed, received, or created pursuant to the Agreement relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity.
- “Security Incident” means any of the following: (i) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure and acquisition of, or access to, Personal Data transmitted, stored, or otherwise processed; (ii) a security vulnerability or event that carries a material risk of compromising the confidentiality, integrity, or security of Personal Data or a system that contains Personal Data; or (iii) a violation of applicable data protection laws relating to the processing of Personal Data under this Agreement.
- “Sell” (and its conjugates, including without limitation, “selling,” “sale,” and “sold,”) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal information to a third party for monetary or other valuable consideration.
- “Share” (and its conjugates, including without limitation, “sharing” and “shared”) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal information to a third party for cross-context behavioral advertising or targeted advertising, whether or not for monetary or other valuable consideration.
- Unless specifically defined in this Addendum, any terms defined in an applicable data protection law, such as “consumer,” “sensitive personal information,” “profiling,” “cross-context behavioral advertising,” “targeted advertising,” or “third party” have the meaning given to that term or a materially similar term in that law solely to the extent that the relevant personal information is covered by that law, regardless of whether such terms are capitalized or not in this Addendum.
2. Data Protection.
- Both parties will comply with all applicable requirements of the data protection laws and the Vendor shall not by any act or omission cause EA or EA’s customer for whom the Vendor provides services under the Agreement (“Customer”) to be in breach of any data protection laws. This clause 2(a) is in addition to, and does not relieve, remove or replace, a party's obligations under the data protection laws.
- The parties acknowledge that EA’s Customer is a data controller. EA may be an independent data controller or a data processor to EA’s Customer under the applicable data protection laws, and Vendor is a data processor to EA (or a sub-Processor to EA’s Customer where EA acts as a data processor).
- Schedule 1 sets out the scope, nature and purpose of processing by the Vendor, the duration of the processing and the types of Personal Data and categories of Data Subject.
- Vendor acknowledges that EA is disclosing or making available Personal Data to Vendor only for the limited and specified purposes and services set forth in the Agreement (“Services”).
3. Vendor Obligations. Without prejudice to the generality of clause 2(a), the Vendor shall comply with the following in relation to any Personal Data processed in connection with the performance by the Vendor of its obligations under the Agreement where applicable.
- Vendor shall process Personal Data only on the written instructions of the Customer (as communicated in writing to the Vendor by EA) unless the Vendor is required by applicable law to process that Personal Data in some other way.
- To the extent required by U.S. State Privacy Laws, Vendor will not (i) process Personal Data for Vendor’s own commercial purposes that are outside the Services; (ii) process Personal Data for any purpose outside the direct business relationship between the parties; (iii) combine personal information collected from different sources in a way that is inconsistent with its role as a Data Processor under the U.S. State Privacy Laws; nor (iv) Sell or Share Personal Data belonging to EA or EA’s Customer. Vendor certifies that it understands the restrictions contained in this clause and will comply with them.
- Vendor shall immediately inform EA if the Vendor is requested to take any action which may infringe applicable Data Protection Law.
- Vendor shall at all times implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents.
- Vendor shall ensure that access to Personal Data is limited to the authorized persons who need to access it to supply the Services and that all personnel who have access to and/or process Personal Data are under an appropriate statutory or contractual duty of confidentiality.
- Vendor shall provide regular training in security and data protection to any personnel who have access to and/or process Personal Data.
- Vendor shall reasonably cooperate with EA with respect to any data protection impact assessments or prior consultations that may be required under applicable data protection laws.
- Vendor agrees to retain Personal Data received from EA or created on behalf of EA for only so long as necessary to conduct the Services or as may otherwise be required under applicable laws. On termination of the Agreement or earlier upon request by EA, Vendor shall delete or return (as determined by EA in its sole discretion) Personal Data and copies thereof to EA immediately unless required by applicable law to store the Personal Data. Vendor shall promptly notify EA of any inability to return or destroy Personal Data and any Personal Data retained as required by law shall remain subject to the requirements of this Addendum, which shall survive termination of the Agreement with respect to such data.
- Vendor shall maintain a complete, accurate and up-to-date record of all categories of processing activities carried out on behalf of EA and make copies available to EA promptly on request.
- Vendor shall promptly notify EA if it determines that it can no longer meet its obligations under this Addendum or applicable data protection laws.
4. Data Subject Requests.
- At no cost to EA, Vendor shall record and refer to EA all requests and communications received from data subjects or any regulatory authority which relate (or which may relate) to any Personal Data promptly (and in any event within 3 days of receipt) and shall not respond to any such requests and communications without EA’s express written approval and strictly in accordance with EA’s instructions, unless and to the extent required by law.
- Regardless of the source of the data subject request (whether received by Vendor, EA, or EA’s Customer), Vendor shall follow reasonable instructions by EA in responding to or fulfilling the data subject request (including, but not limited to, deleting or providing Personal Data held by Vendor under this Agreement) at no cost to EA.
5. Security Incidents.
- Vendor shall promptly (and in any event within 6 hours) notify EA if it suspects or becomes aware of any suspected, actual or threatened occurrence of any Security Incident in respect of any Personal Data. Such notification shall contain sufficient information for EA to assess the Security Incident and make any required notifications under applicable data protection laws. EA will decide on the basis of all available information and applicable data protection laws whether to make notifications to data subjects or regulatory authorities.
- Vendor shall provide reasonable assistance and cooperate as instructed by EA to investigate and resolve the Security Incident, including to halt the root cause of the Security Incident to the extent it is ongoing. Vendor will take reasonable remedial actions as required by applicable data protection laws or as the Parties mutually agree is warranted.
- Vendor shall not disclose, without EA’s prior written approval, any information related to the involvement of EA or any Personal Data subject to this Agreement in a suspected Security Incident to any third party other than a person hired to investigate/mitigate such Security Incident and bound by confidentiality and non-disclosure obligations, except as required by applicable data protection laws.
- To the extent a Security Incident is due to the negligence or willful misconduct of Vendor or approved contractor pursuant to section 8 below, Vendor shall, at Vendor’s cost, comply with EA’s reasonable instructions to remediate the incident, including but not limited to taking actions under applicable data protection laws; making notification to government authorities; and providing support, notifications, credit monitoring or similar services to affected data subjects.
6. Legally Required Disclosures. In the event Vendor receives a request from a regulatory authority or is otherwise legally required for a purpose unrelated to the Services to disclose Personal Data to any non-affiliated persons, Vendor shall, unless legally prohibited, inform EA of the request or legal requirement and give it a reasonable opportunity to object to or challenge the disclosure.
7. Notice at Collection. If the Services require the Vendor to collect Personal Data directly from data subjects on EA’s behalf and to the extent required by applicable data protection laws, EA will provide Vendor a notice at collection that complies with applicable data protection laws that Vendor shall make available to such data subjects at or before collection of such information and in a manner and format consistent with applicable data protection laws. Vendor will not modify or alter such notice without EA's written consent.
8. Inspections, Audits, and Oversight.
- Upon the reasonable request of EA and no less than thirty (30) days’ advance notice, Vendor shall promptly make available to EA (at Vendor’s cost) and allow EA to inspect any information necessary to demonstrate the Vendor’s and EA’s compliance with their respective obligations under this Addendum and the data protection laws.
- Vendor shall permit EA to take reasonable and appropriate steps to ensure that Vendor uses Personal Data in a manner consistent with EA’s obligations under the applicable data protection laws. These steps may include, without limitation, manual reviews and automated scans of Vendor's information systems, internal or third-party assessments, audits during normal business hours and on reasonable notice, or other technical and operational testing at least once every 12 months. Each Party shall bear its own expenses in relation to such audit or inspection.
- Vendor shall comply with EA’s right, upon notice, to take reasonable and appropriate steps to stop and remediate the use of Personal Data that is unauthorized under applicable Data Protection Law or this Addendum.
9. Subcontractors. Vendor may further subcontract certain processing activities subject to this Agreement to non-affiliated persons only after obtaining prior specific written authorization for each sub-Processor from EA (where EA acts as a controller) or the Customer (where EA acts as a Processor). Before executing this Addendum, Vendor shall provide EA with a copy of proposed subcontractors for processing Personal Data under this Agreement and represent that any subcontractor used must agree in writing to meet substantially similar obligations as Vendor under this Addendum. Vendor shall remain liable for any processing by its subcontractors to the same extent as if those services were provided by Vendor. EA reserves the right to impose additional conditions on subcontractors to comply with applicable data protection laws.
10. International Data Transfers.
- The Vendor may not transfer Personal Data outside of the jurisdiction where the Vendor received the Personal Data without EA’s prior written consent in each instance. Where EA permits such transfer, Vendor shall implement Appropriate Safeguards and agree to comply with any other requirements (such as obtaining consent or ensuring an appropriate legal basis for the transfer) in accordance with applicable data protection laws.
- To the extent that EA initiates a transfer of Personal Data to Vendor or directs Vendor to transfer Personal Data from the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland to a country that has not received an adequacy decision under applicable data protection laws, the Parties agree to cooperate in good faith to implement Appropriate Safeguards for such transfers in accordance with applicable data protection laws. Where the transfer is from the EEA, the UK, or Switzerland to the United States of America, the Parties acknowledge that EA is an active participant in the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, which requirements govern such transfer. Specifically, with respect to these transfers, Vendor agrees to:
- (i) transfer such data only for limited and specified purposes;
- (ii) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles (the “Principles”);
- (iii) take reasonable and appropriate steps to ensure that Vendor effectively processes the personal information transferred in a manner consistent with EA’s obligations under the Principles;
- (iv) notify EA if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
- (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- (vi) permit EA to provide a summary or a representative copy of this Addendum and any other privacy terms (if applicable) to the U.S. Department of Commerce upon request.
11. Indemnification. In addition to any indemnification obligations set forth in the Agreement and notwithstanding any limitation of liabilities clauses in the Agreement, the Sub-Processor shall indemnify and keep EA indemnified against:
- all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to data subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a regulatory authority) arising out of or in connection with any Security Incident or breach by the Vendor of any of its obligations under this Addendum; and
- all amounts paid or payable by EA to a third party which would not have been paid or payable if the Vendor’s Security Incident or breach of this Addendum had not occurred.
12. General.
- The Vendor shall perform all of its obligations under this Addendum at no cost to EA.
- Failure to comply with any provision of this Addendum shall constitute a material breach of the Agreement.
- EA may, at any time on not less than 30 days’ notice, revise this Addendum by replacing it with or adding any applicable standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Addendum).
Schedule 1
Processing, Personal Data and Data Subjects
Processing of Personal Data by the Vendor under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of data subject set out in this Schedule 1.
1. Processing by Vendor
- Subject-matter of processing
The subject matter of the data collection and processing under this Addendum is the Customer’s Personal Data processed by the Vendor pursuant to the services provided to EA under the Agreement.
- Nature and purpose of processing
The Vendor will collect and process Personal Data for the purposes of providing the services to EA in accordance with the Agreement.
- Duration of the processing
The duration of the contract and processing under the Agreement is determined by EA and the Customer and as set forth in the Agreement.
2. Types of personal data
Data relating to data subjects of the Customer (including the Customer’s personnel and customers) collected and processed by the Vendor in order to provide services to EA under the Agreement, including but not limited to the following:
- First and last name
- Mailing address
- Social security number
- Bank account information
3. Categories of data subject
- Individuals for whom EA prepares tax returns
- Employees, shareholders or investors of EA Customers to which EA provides tax, audit, accounting or advisory services
- Client employees, managers, administrators, shareholders and investors, advisors and representatives
- Client’s third party business relations