This Data Processing Agreement (“DPA”) is supplemental to and forms part of the Master Service Agreement, Terms of Service or other agreement (the “Agreement”) between Client and Tenex Security, Inc. dba TENEX.AI (“TENEX.AI”) governing TENEX.AI’s provision of Services to Client. The parties acknowledge that TENEX.AI, and where applicable its subcontractors, may process Personal Data in connection with the services provided by TENEX.AI. This DPA ensures that adequate safeguards are in place for such Personal Data as required by Data Law.
1. Definitions
Capitalized terms have the meaning set forth below or as defined within this DPA.
- “Data Law” means all privacy laws and regulations applicable to Personal Data processed under this DPA and the Agreement, including without limitation: the Data Protection Directive 95/46/EC (as superseded), the GDPR, the Privacy and Electronic Communications Directive 2002/58/EC, the UK Data Protection Act 2018, the California Consumer Privacy Act of 2018 (as amended) (“CCPA”), and all national legislation implementing or supplementing the foregoing.
- “GDPR” means Regulation (EU) 2016/679.
- “Personal Data” means all data defined as personal data (or equivalent) under Data Law that is provided by Client to TENEX.AI, or that is accessed, stored, or otherwise processed by TENEX.AI or its subcontractors in providing the Services.
- “Processing,” “Data Controller,” “Data Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given in the applicable Data Law.
2. Data Processing
Client is the Data Controller and TENEX.AI is the Data Processor. Each party shall comply with applicable Data Law. TENEX.AI shall process Personal Data only in accordance with the Agreement and Client’s written instructions. TENEX.AI and its subcontractors shall not access, transfer, or process Personal Data outside the country of origin except as otherwise agreed to by the parties in writing.
For California residents’ Personal Data, TENEX.AI shall comply with the CCPA. Specifically:
– TENEX.AI acts solely as a “service provider” (as defined in the CCPA).
– TENEX.AI will not “sell” Personal Data.
– TENEX.AI certifies it will not retain, use, or disclose Personal Data (1) for any purpose other than performing the Services under the Agreement; or (2) outside the direct business relationship between Client and TENEX.AI.
3. Security
TENEX.AI represents and warrants that it will maintain appropriate technical and organizational safeguards against unauthorized or unlawful Processing, and against accidental loss, destruction, or damage of Personal Data. TENEX.AI shall maintain a comprehensive written security program and provide reasonable assistance to Client, including with respect to: (1) data protection impact assessments, (2) notifications to Supervisory Authorities or Data Subjects following a Security Incident, and (3) Client’s security obligations under Data Law.
TENEX.AI shall ensure audit trails are enabled and active for systems handling Personal Data, and that only securely configured, corporate-owned devices are used. Safeguards include, at minimum:
– Single geolocation for storage;
– SOC 2 Type II certification;
– Encryption of data at rest and in transit per NIST standards;
– Data destruction consistent with NIST standards;
– Physical and logical separation of Personal Data;
– Back-up and data-loss prevention software;
– Patch management, malware prevention, backups, and secure configurations;
– Multi-factor authentication for access to Personal Data;
– Record retention and business continuity planning;
– Least-privilege access controls; and
– Prohibition on use of mobile devices or removable media to store or process Personal Data.
4. Certifications
TENEX.AI shall engage independent external auditors to verify its security measures at least annually, using SOC 2 Trust Services Principles (or comparable standards). TENEX.AI shall also engage a certified independent third party to conduct annual penetration testing, with remediation of any identified vulnerabilities.
5. Audit Rights
TENEX.AI shall provide reasonable cooperation and assistance to Client and/or its auditors to meet Data Law obligations. Upon request, TENEX.AI shall provide an audit report not older than twelve (12) months by an independent external auditor demonstrating compliance with recognized standards (e.g., SOC 2), and additional information reasonably related to its data processing activities. Client may audit TENEX.AI no more than once annually, except in the event of a Security Incident, in which case additional audits may be conducted. TENEX.AI shall cooperate fully with such audits.
6. Deletion
Within thirty (30) days after termination or expiration of the Agreement (or sooner upon Client’s request), TENEX.AI shall delete all Personal Data (including copies), in accordance with industry best practices, and shall promptly provide certification of deletion upon request.
7. Breach Notification
TENEX.AI shall maintain incident response procedures and shall notify Client promptly, and no later than forty-eight (48) hours after becoming aware, of any actual destruction, loss, alteration, disclosure of, or access to Personal Data (“Security Incident”). TENEX.AI shall take reasonable steps to mitigate harm, cooperate with Client in the investigation, and remediate the incident.
TENEX.AI will provide notice to Client, to the extent possible, that includes: a brief description of what happened, including the date of the potential unauthorized access, acquisition, use or disclosure of the Personal Data and its discovery; the identity of each individual whose personal data has been, or is, after reasonable diligence and inquiry, believed to have been, accessed, acquired, used, or disclosed in connection with an unauthorized use or disclosure of Personal Data; a description of the Personal Data accessed, acquired, used, or disclosed; and any other available information that may be useful or necessary for sending the notifications required by the Client or any applicable law, rule or regulation to those potentially affected. Updates to the information listed above, to the extent they become available until conclusion of the reasonable inquiry, shall be provided to the Client.
Immediately following any unauthorized or unlawful Personal Data processing or such breach, TENEX.AI will investigate the matter. TENEX.AI will reasonably co-operate with the Client, including by: (a) assisting with any investigation, (b) making available relevant records, logs, files, data reporting, and other materials required to comply with the privacy and data protection requirements or as otherwise reasonably required by the Client, and (c) taking all such measures and actions as are necessary to remedy or mitigate the effects of the breach and will keep the Client informed of all material developments in connection with the breach.
8. Data Subject Requests
TENEX.AI shall promptly notify Client if it receives a request from a Data Subject. TENEX.AI shall not respond except to confirm the request relates to Client, and shall provide reasonable assistance to Client in responding, upon request.
9. Limitation of Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement.
10. General
In the event of conflict between the Agreement and this DPA, this DPA shall prevail. Any liability arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. If any provision is deemed unenforceable, it shall be severed without affecting the remainder. This DPA is governed by the law specified in the Agreement.

