DATA PROCESSING ADDENDUM (DPA)
Ensuring compliance through our Data Processing Agreement (DPA), tailored to meet global standards. Custom DPAs can be drafted for individual firms or matters.
PLATINUM IDS: DATA PROCESSING ADDENDUM
By using Platinum Intelligent Data Solutions (Platinum IDS) products or services, you automatically agree to this Data Processing Addendum (DPA). This DPA outlines your rights as a customer of Platinum IDS and ensures that Platinum IDS, its vendors, facilities, and subprocessors will adhere to the specified standards of behavior, performance, and reporting. By continuing to use our services, you acknowledge and accept the terms and conditions outlined in this DPA.
THE DPA
This Cloud Data Processing Addendum is provided by Platinum IDS (Platinum Intelligent Data Solutions). This Cloud Data Processing Addendum, including its appendices (“Addendum”), is incorporated into the Agreement(s) under which Google has agreed to provide Google Cloud Platform, Google Workspace, or Cloud Identity (each as defined below), as applicable (the “Services”), to Platinum Intelligent Data Solutions (“Customer”).
COMMENCEMENT
This Addendum will be effective and replace any terms previously applicable to the processing of Customer Data, including any Data Processing and Security Terms or Data Processing Amendment, from the Addendum Effective Date (as defined below).
DEFINITIONS
2.1 Capitalized terms used but not defined in this Addendum have the meaning given to them in the Agreement:
- Account means Customer’s Google Cloud Platform account, Google Workspace account or Cloud Identity account, as applicable, associated with Platinum Intelligent Data Solutions.
- Addendum Effective Date means the date on which Customer accepted, or the parties otherwise agreed to, this Addendum.
- Customer Data means: (a) data provided by or on behalf of Platinum Intelligent Data Solutions or its End Users via Google Cloud Platform under the Account; or (b) data submitted, stored, sent or received by or on behalf of Platinum Intelligent Data Solutions or its End Users via Google Workspace or Cloud Identity under the Account.
- Customer Personal Data means the personal data contained within the Customer Data, including any special categories of personal data defined under European Data Protection Law.
- Data Incident means a breach of Google’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Google.
- Instructions has the meaning given in Section 5.2.1 (Compliance with Customer’s Instructions).
- Notification Email Address means the email address(es) designated by Platinum Intelligent Data Solutions in the Admin Console or Order Form to receive certain notifications from Google. Customer is responsible for using the Admin Console to ensure that its Notification Email Address remains current and valid.
- Security Documentation means all documents and information made available by Google under Section 7.5.1 (Reviews of Security Documentation).
- Security Measures has the meaning given in Section 7.1.1 (Google’s Security Measures).
- Subprocessor means a third party authorized as another processor under this Addendum to have logical access to and process Customer Data in order to provide parts of the Services and TSS.
- Term means the period from the Addendum Effective Date until the end of Google’s provision of the Services to Platinum Intelligent Data Solutions, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Google may continue providing the Services for transitional purposes.
2.2 The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this Addendum have the meanings given in the GDPR irrespective of whether European Data Protection Law or Non-European Data Protection Law applies.
CUSTOMIZED CLOUD DATA PROCESSING ADDENDUM (CUSTOMERS) FOR PLATINUM INTELLIGENT DATA SOLUTIONS
DURATION
Regardless of whether the applicable Agreement has terminated or expired, this Addendum will remain in effect until, and automatically expire when, Google deletes all Platinum Intelligent Data Solutions Customer Data as described in this Addendum.
SCOPE OF DATA PROTECTION LAW
4.1 Application of European Law. The parties acknowledge that European Data Protection Law will apply to the processing of Platinum Intelligent Data Solutions Customer Personal Data if, for example:
- a. the processing is carried out in the context of the activities of an establishment of Platinum Intelligent Data Solutions in the territory of the EEA or the UK; and/or
- b. the Platinum Intelligent Data Solutions Customer Personal Data is personal data relating to data subjects who are in the EEA or the UK and the processing relates to the offering to them of goods or services in the EEA or the UK, or the monitoring of their behavior in the EEA or the UK.
DATA DELETION
6.1 Deletion by Platinum Intelligent Data Solutions. Google will enable Platinum Intelligent Data Solutions to delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Platinum Intelligent Data Solutions uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Platinum Intelligent Data Solutions, this use will constitute an Instruction to Google to delete the relevant Customer Data from Google’s systems in accordance with applicable law. Google will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage.
6.2 Return or Deletion When Term Ends. If Platinum Intelligent Data Solutions wishes to retain any Customer Data after the end of the Term, it may instruct Google in accordance with Section 9.1 (Access; Rectification; Restricted Processing; Portability) to return that data during the Term. Subject to Section 6.3 (Deferred Deletion Instruction), Platinum Intelligent Data Solutions instructs Google to delete all remaining Customer Data (including existing copies) from Google’s systems at the end of the Term in accordance with applicable law. After a recovery period of up to 30 days from that date, Google will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage.
6.3 Deferred Deletion Instruction. To the extent any Customer Data covered by the deletion instruction described in Section 6.2 (Return or Deletion When Term Ends) is also processed, when the applicable Term under Section 6.2 expires, in relation to an Agreement with a continuing Term, such deletion instruction will take effect with respect to such Customer Data only when the continuing Term expires. For clarity, this Addendum will continue to apply to such Customer Data until its deletion by Google.
DATA SECURITY
7.1 Security Measures, Controls and Assistance.
Platinum Intelligent Data Solutions (“Platinum IDS”) will implement and maintain technical, organizational, and physical measures to protect Customer Data in accordance with industry standards. These Security Measures include encryption, confidentiality, integrity, availability, resilience, and regular testing of effectiveness. Platinum IDS may update these Security Measures, provided they don’t result in a material reduction of security for the Services.
7.1.2 Access and Compliance. Platinum IDS will ensure that only authorized employees, contractors, and Subprocessors access Customer Data as necessary and maintain confidentiality obligations.
7.1.3 Additional Security Controls. Platinum IDS will provide Additional Security Controls to help customers secure their data and access information about securing, accessing, and using Customer Data.
7.1.4 Platinum IDS’s Security Assistance. Platinum IDS will assist customers in ensuring compliance with GDPR Articles 32 to 34 by implementing and maintaining Security Measures, making Additional Security Controls available, handling Data Incidents, providing Security Documentation, and offering additional reasonable cooperation and assistance upon request.
7.2 Data Incidents.
7.2.1 Incident Notification. Platinum IDS will promptly notify the customer of any Data Incident and take reasonable steps to minimize harm and secure Customer Data.
7.2.2 Details of Data Incident. Notifications will include information on the nature of the incident, measures taken, recommended customer actions, and a contact point for further information.
7.2.3 Delivery of Notification. Notifications will be sent to the designated email address.
7.2.4 No Assessment of Customer Data by Platinum IDS. Platinum IDS has no obligation to assess Customer Data for specific legal requirements.
7.2.5 No Acknowledgement of Fault by Platinum IDS. Notifications or responses to Data Incidents don’t imply fault or liability by Platinum IDS.
7.3 Customer’s Security Responsibilities and Assessment.
7.3.1 Customer’s Security Responsibilities. Customers are responsible for their use of the Services, securing their authentication credentials, systems, and devices, and backing up their data.
7.3.2 Customer’s Security Assessment. Customers agree that Platinum IDS’s Services, Security Measures, Additional Security Controls, and commitments provide a level of security appropriate to the risk to Customer Data.
7.4 Compliance Certifications and SOC Reports. Platinum IDS will maintain infrastructure-relevant Compliance Certifications and SOC Reports to evaluate the continued effectiveness of Security Measures and to respond to client requests for them.
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation. Platinum IDS will make Compliance Certifications and SOC Reports available for customer review.
7.5.2 Customer’s Audit Rights. Platinum IDS will allow customers to conduct audits to verify compliance with obligations under this Addendum, providing necessary information and assistance.
7.5.3 Additional Business Terms for Reviews and Audits. Platinum IDS and the customer will agree in advance on the details of any audits, including fees for audits conducted by customer-appointed auditors.
IMPACT ASSESSMENTS AND CONSULTATIONS
Platinum IDS will assist customers in ensuring compliance with GDPR Articles 35 and 36 by providing Additional Security Controls, Security Q
ACCESS, DATA SUBJECT RIGHTS, AND DATA EXPORT
9.1 Platinum IDS will provide the Customer with the ability to access, rectify, and restrict the processing of their data during the term of the agreement, including data deletion and export functionalities.
9.2 Data Subject Requests
9.2.1 Platinum IDS will redirect data subject requests to the Customer when receiving data subject requests related to Customer Personal Data. The Customer is responsible for responding to such requests using the provided functionalities.
9.2.2 Platinum IDS will assist the Customer in fulfilling their obligations under the GDPR regarding data subject requests, providing additional security controls, and offering reasonable cooperation and assistance if needed.
DATA TRANSFERS
10.1 Platinum IDS may process Customer Data in any country where Platinum IDS or its Subprocessors maintain facilities, subject to data location commitments.
10.2 If European Data Protection Law applies to Customer Personal Data transfers, Platinum IDS will inform the Customer of the relevant transfer solution and ensure compliance with it.
10.3 Non-EMEA Customers must certify if European Data Protection Law applies to their processing of Customer Personal Data and identify their competent Supervisory Authority.
10.4 Platinum IDS will provide relevant information about Restricted European Transfers, Additional Security Controls, and other supplementary measures to protect Customer Personal Data.
10.5 Customers may terminate the agreement if they conclude that the transfer solutions do not provide appropriate safeguards for their Personal Data.
10.6 Data Center locations are available on demand, provided as a list to the requestor.
SUBPROCESSORS
11.1 Customer authorizes the engagement of Subprocessors as disclosed in Section 11.2 and consents to the engagement of New Subprocessors.
11.2 Subprocessor information is available on demand. Platinum IDS does not regularly use Subprocessors. It is our goal to inform the client if a subcontractor’s services are required to complete the goals.
11.3 Platinum IDS will ensure that Subprocessors comply with the same data protection obligations as Platinum IDS.
11.4 Customers will be notified of any New Subprocessors and may object to their engagement by terminating the agreement.
CLOUD DATA PROTECTION TEAM AND PROCESSING RECORDS
12.1 Platinum IDS’s Cloud Data Protection Team will provide assistance with Customer queries related to the processing of Customer Data and can be contacted through the provided links.
12.2 Platinum IDS will maintain appropriate documentation of its processing activities as required by the GDPR.
12.3 Platinum IDS will redirect any controller requests related to Customer Personal Data to the Customer.
SUBPROCESSORS
14.1 Authorized Subprocessors. Customer agrees that Platinum IDS may engage third-party subprocessors to process Customer Personal Data in connection with the provision of the Services and TSS. Platinum IDS will enter into a written agreement with each subprocessor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those set forth in this Addendum, to the extent applicable to the nature of the services provided by the subprocessor.
14.2 Subprocessor List. Upon Customer’s written request, Platinum IDS will provide a list of current subprocessors used for the processing of Customer Personal Data, as well as a mechanism for Customer to receive notice of any updates to the subprocessor list.
14.3 Objection to Subprocessors. If Customer has a reasonable basis to object to Platinum IDS’s use of a new subprocessor, Customer shall notify Platinum IDS in writing within ten (10) business days after receipt of notice of the new subprocessor. In the event of a valid objection, Platinum IDS will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Customer Personal Data by the objected-to subprocessor. If neither party can provide a solution within a reasonable timeframe, Customer may terminate the affected Services by providing written notice to Platinum IDS.
AUDITS AND CERTIFICATIONS
15.1 Audits. Platinum IDS will maintain appropriate audit logs and related information necessary to demonstrate its compliance with this Addendum. Upon Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Platinum IDS will make available to Customer (or Customer’s independent, third-party auditor) the relevant audit logs and related information to verify Platinum IDS’s compliance with this Addendum.
15.2 Certifications. Platinum IDS will maintain any relevant certifications and audits (such as ISO 27001, SOC 2, and others) as may be required by applicable data protection laws or as otherwise agreed between the parties.
MISCELLANEOUS
16.1 Severability. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability will not affect the other provisions of this Addendum, which will remain in full force and effect.
16.2 No Waiver. No failure or delay by a party in exercising any right or remedy provided under this Addendum or by law will constitute a waiver of that or any other right or remedy, nor will it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under this Addendum or by law will preclude or restrict the further exercise of that or any other right or remedy.
16.3 Governing Law and Jurisdiction. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by applicable European Data Protection Law.
DATA
- (a) Data Storage, Isolation, and Logging. Platinum Intelligent Data Solutions (Platinum IDS) utilizes Google-owned servers to store data in a multi-tenant environment. Unless instructed otherwise, Customer Data is replicated across multiple geographically dispersed data centers. Platinum IDS ensures logical isolation of Customer Data and separates each End User’s data from others. Customer has control over specific data sharing policies and can choose to use logging functionality provided through the Services.
- (b) Decommissioned Disks and Disk Erase Policy. Platinum IDS follows a Disk Erase Policy for Decommissioned Disks, subjecting them to a series of data destruction processes before being reused or destroyed. The process is verified by at least two independent validators, and erase results are logged. If a Decommissioned Disk cannot be erased due to hardware failure, it is securely stored until it can be destroyed. Regular audits are conducted to monitor compliance with the Disk Erase Policy.
PERSONNEL SECURITY
Platinum IDS personnel follow company guidelines on confidentiality, business ethics, appropriate usage, and professional standards. Reasonably appropriate background checks are conducted in accordance with applicable laws and regulations. Personnel must sign a confidentiality agreement and acknowledge the company’s confidentiality and privacy policies. They receive security training, and those handling Customer Data must meet additional requirements appropriate to their role. Platinum IDS personnel will not process Customer Data without authorization.
SUBPROCESSOR SECURITY
Before engaging Subprocessors, Platinum IDS conducts an audit of their security and privacy practices to ensure an appropriate level of security and privacy concerning access to data and the scope of services they provide. Upon assessing the risks presented by the Subprocessor and subject to the requirements in Section 11.3 (Requirements for Subprocessor Engagement) of this Addendum, the Subprocessor must enter into appropriate security, confidentiality, and privacy contract terms.