FabricLake Data Processing Addendum
Definitions:
- “Anonymous Data” refers to Personal Data processed to the point where it can no longer be linked to an identifiable natural person.
- “CCPA Personal Information” pertains to the “personal information” as defined in the CCPA, which FabricLake processes on behalf of the Customer and/or the Customer’s Affiliates within the scope of FabricLake’s Service.
- “Customer Data” retains the meaning specified in the Agreement.
- “Data Protection Laws” encompass various regulations, including GDPR, E-Privacy Directive, UK GDPR, CCPA, CPRA, Virginia Consumer Data Protection Act, Colorado Privacy Act, and FTC guidance.
- “Data Subject” refers to individuals governed by GDPR, UK GDPR, CCPA, and other Data Protection Laws.
- “GDPR Personal Data” denotes “personal data” as defined in GDPR and UK GDPR, which FabricLake processes for the Customer and/or the Customer’s Affiliates within the context of FabricLake’s Service.
- “Personal Data” covers information concerning a Data Subject, subject to Data Protection Laws, processed by FabricLake on behalf of the Customer, excluding Anonymous Data. It encompasses both GDPR Personal Data and CCPA Personal Information.
- “Personal Data Breach” signifies a confirmed security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data during transmission, storage, or processing.
- “Service” maintains the meaning established in the Agreement.
- “EU Standard Contractual Clauses” refers to the standard contractual clauses provided by the European Commission for the cross-border transfer of Personal Information to non-European Union countries.
- “Sub-Processor” denotes any third party appointed by or on behalf of FabricLake to process Personal Data as part of the Service.
- “Third Countries” are nations not recognized by Data Protection Laws as providing adequate protection for Personal Information.
- “UK Data Protection Laws” encompasses laws related to data protection, personal data processing, privacy, and electronic communications in the UK, including the UK GDPR and the Data Protection Act 2018.
Processing of Personal Data:
Both parties will adhere to their respective obligations under Data Protection Laws concerning the processing of Personal Data. FabricLake will process Personal Data solely according to Customer’s instructions, provided that Customer’s instructions comply with applicable laws and do not breach Data Protection Laws. Customer holds responsibility for the means of acquiring Personal Data and the accuracy, quality, and legality of the data provided to FabricLake.
FabricLake will process Personal Data to provide and support the Service, as documented in the Agreement and any other written instructions issued by Customer, as long as those instructions align with the Agreement’s terms.
The subject matter of data processing under this DPA is the provision of the Service by FabricLake. The nature and purpose of the processing, the types of Personal Data processed, and the categories of Data Subjects involved are outlined in Schedule 1 of this DPA.
For the purpose of this DPA, Customer is designated as the “controller” or “business,” and FabricLake is the “processor” or “service provider” of Personal Data as defined in Data Protection Laws.
Authorized Employees:
FabricLake will only disclose Customer Data to Authorized Employees who require access to Personal Data to fulfill their obligations under this Addendum or the Agreement. FabricLake will ensure the reliability and appropriate training of Authorized Employees and have them sign confidentiality agreements. Access to Customer Data will be limited to Authorized Employees.
Authorized Sub-Processors:
Customer consents to FabricLake engaging Affiliates and Sub-processors, as listed on the Sub-Processor Page (https://www.reciprocity.com/subprocessors/), which may be updated periodically. These Affiliates and Sub-processors may, in turn, engage third-party Sub-processors to handle Personal Data on FabricLake’s behalf. This Addendum serves as general written authorization for FabricLake to engage Sub-processors as necessary to perform the Service.
Upon adding a new Sub-Processor, FabricLake will notify Customer at least thirty (30) days in advance. Customer may object to a new Sub-Processor’s engagement within ten (10) days of being informed of it. If Customer reasonably objects and FabricLake cannot provide a reasonable alternative in a reasonable time, Customer’s sole remedy will be to terminate the Addendum.
If Customer does not object to a new Sub-Processor within ten (10) days of notice, that Sub-Processor will be deemed Authorized.
FabricLake will enter into written agreements with Authorized Sub-Processors imposing data protection obligations comparable to those placed on FabricLake under this Addendum.
Security of Personal Data:
FabricLake will maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data. In case of a Personal Data Breach, FabricLake will promptly notify Customer and take necessary steps to mitigate the breach.
Requirements for GDPR Personal Data:
This section applies only to the processing of GDPR Personal Data by FabricLake.
- FabricLake may transfer GDPR Personal Data outside the EEA, UK, or Switzerland if necessary to provide the Service. Adequate safeguards will be in place for such transfers.
- FabricLake may engage Sub-Processors, following the process outlined in Section 4 (Authorized Sub-Processors).
- For transfers of GDPR Personal Data, applicable Standard Contractual Clauses will be employed.
Requirements for CCPA:
This section applies solely to the processing of CCPA Personal Information by FabricLake.
- FabricLake will not retain, use, or disclose CCPA Personal Information for purposes other than providing the Service.
- FabricLake will not Sell or Share CCPA Personal Information.
- FabricLake will not combine CCPA Personal Information with Personal Data from other sources or interactions.
Rights of Data Subjects:
FabricLake will notify Customer of Data Subject Requests and assist, to the extent permitted by law, in responding to such requests.
Actions and Access Requests:
FabricLake will maintain records to demonstrate compliance with this Addendum for at least two (2) years after the Agreement’s termination. Customer has the right to review these records upon reasonable notice.
Upon Customer’s request, FabricLake will provide certifications or reports demonstrating compliance with data security standards. Customer may also conduct audits with FabricLake’s cooperation, subject to prior notice.
Return or Deletion of Customer Data:
After the Agreement’s termination, FabricLake will return or delete Customer Data, unless further storage is required by law. If return or destruction is impractical or prohibited, FabricLake will block further processing and protect the data.
Affiliates:
Customer acts as the central contact for its Affiliates regarding Data Protection Laws. Claims related to Data Protection Laws under this DPA will be brought by Customer.
Limitation of Liability:
The total liability of Customer and FabricLake Inc., as outlined in the Agreement, is the sole remedy for any issues arising from this Addendum.
End of Data Processing Addendum