Last updated August 26, 2024
This Data Processing Addendum (“DPA“) is entered into between BeHome247, Inc. (“BeHome 247”) and the customer identified on an Order Form (“Customer”) whose written or electronic agreement with BeHome247 incorporates this DPA (“Agreement”). This DPA forms part of the Agreement, and applies to Customer’s access and use of the Platform and/or other Devices that supply BeHome247 with Customer Data for processing via the Platform (collectively, “Services”). By entering into an Order Form or an Agreement referencing this DPA, the parties enter into this DPA on behalf of themselves and, to the extent required under applicable Data Protection Laws, in the name and on behalf of their Affiliates, and this DPA shall be effective on the effective date of the Agreement (“Effective Date“).
1. Definitions.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
“Affiliate” has the meaning set forth in the Agreement.
“Customer Data” has the meaning given in the Agreement.
“Customer Personal Data” means any Customer Data that is Personal Data.
Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the processing of Personal Data under the Agreement in any relevant jurisdiction, including, where applicable, EU Data Protection Law, in Switzerland, the Switzerland Federal Act on Data Protection (“FADP”) and the revised FADP (“revFADP”), and in the UK, the UK Data Protection Act of 2018 and the United Kingdom General Data Protection Regulation (“UK GDPR”), and any legislation and/or regulation implementing or made pursuant to the foregoing, or which amends, replaces, re-enacts or consolidates any of them.
“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“EU Data Protection Law” means Directive 2002/58/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data, and Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR“).
“EEA” means, for the purposes of this DPA, the European Economic Area and/or its member states, United Kingdom and/or Switzerland.
“Model Clauses” means, with respect to regulated processing transfers originating in the European Union, the Standard Contractual Clauses for Processors as approved by the European Commission and set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in the forms set out at: (1) for regulated processing transfers originating in the EU, the clauses incorporated by reference in Annex D, and (2) for regulated processing transfers originating from the UK, the Standard Data Protection Clauses as approved by the Information Commisioners Office under S119A(1) UK Data Protection Act 2018, incorporated by reference in Annex D, or (3) other applicable Model Clauses as the parties may agree upon, acting in good faith, based on the parties respective roles and type of transfer.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” has the meaning given to it under the Data Protection Laws and “process“, “processes” and “processed” will be interpreted accordingly.
“Purposes” shall mean the data processing purposes described and defined in Section 3.4 of this DPA.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, but does not include any Unsuccessful Security Incident.
“Sub-processor” means any Data Processor engaged by BeHome247 or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or BeHome247’s Affiliates.
“Unsuccessful Security Incident” means an unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
2. Scope and Applicability of this DPA
2.1. This DPA applies where and only to the extent that BeHome247 Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement. This DPA does not apply to the extent that Customer, Renters, Guests, or Users provide personal data to the manufacturer, seller, or provider of Third-Party Products or Services in order to establish, use, receive, or manage services provided by such third parties, or to the extent that the Devices collect and process such personal data in the performance of services contracted by Customer, Guests, Renters, or Users from the Third-Party Products and Services suppliers, even if the Devices were purchased by Customer from BeHome247.
2.2. Notwithstanding expiry or termination of the Agreement, this DPA and the Model Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Customer Personal Data by BeHome247 as described in this DPA.
3. Roles and Scope of Processing
3.1. Role of the Parties. As between BeHome247 and Customer, Customer is either a Data Controller or a Data Processor of Customer Personal Data, and BeHome247 is only a Data Processor of Customer Personal Data acting on behalf of Customer.
3.2. Customer Processing of Personal Data. Customer agrees that: (i) it will comply with its obligations under Data Protection Laws in respect of its processing of Personal Data, including any obligations specific to its role as a Data Processor or Data Controller (where Data Protection Laws recognise such concept); (ii) it has provided all notices and obtained all consents, permissions and rights necessary under Data Protection Laws for BeHome247 to lawfully process Personal Data for the Purposes; and (iii) it shall ensure its processing instructions are lawful and that the processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. If Customer is itself a Data Processor acting on behalf of a third-party Data Controller, Customer warrants to BeHome247 that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of BeHome247 as another Data Processor, have been authorized by the relevant Data Controller.
3.3. Customer Instructions. BeHome247 will process Customer Personal Data only for the Purposes and in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement (including this DPA), and Customer’s selected configurations of the Services, sets out the Customer’s complete and final instructions to BeHome247 in relation to the processing of Customer Personal Data. Additional processing outside the scope of these instructions (if any) will require prior written agreement between Customer and BeHome247.
3.4. Details of Data Processing
(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
(b) Duration: As between BeHome247 and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms or the period of retention of the Customer Personal Data, whichever is shorter.
(c) Purpose: Customer Personal Data may be processed by BeHome247 solely for the following purposes: (i) the provision, maintenance and improvement of the Services to the Customer as further described in the Agreement and the performance of BeHome247’s obligations or the exercise of express rights under the Agreement (including this DPA) or as otherwise agreed by the parties, (ii) as necessary for BeHome247 to comply with law or governmental order consistent with Data Protection Laws; and (iii) processing initiated by Guests, Renters, or Users in their use of the Services (the “Purposes”).
(d) Nature of the processing: BeHome247 provides the Services as described in the Agreement, which process Customer Personal Data and per the instructions of the Customer in accordance with the terms of this DPA (including Exhibit A) and the Agreement.
(e) Categories of data subjects: Customer Personal Data submitted to the Services may consist of Customer Personal Data provided: (a) for Guests or Renters to communicate with Customer via the Platform pertaining to the Property as part of the rental or hospitality relationship established among such parties (including, but not limited to, registration or check-in/check-out at a Property, maintenance or facilities communications, or requests to Property owners or managers or service personnel registered as Users ), (b) for Users to communicate via the Platform with Customers, other Users, or with Guests or Renters in the fulfillment of obligations owed to Guests or Renters, (c) through Devices including but not limited to smart alarm event information, thermostat use information, security camera images and logs, and other such Device data to the extent shared via an integration with the Platform, and (d) for business communications between Customer and BeHome247 pertaining to the Services and/or the Agreement.
(f) Types of Personal Data: Customer may submit Customer Personal Data to the Services, which may include, but is not limited to, the following types of information:
- (i) Contact information of Guests or Renters, or contact information of suppliers, service providers, and its or employees or contractors (name, address, title, contact details).
- (ii) Name, email address, or other Customer Personal Data contained in BeHome 247 systems, emails, websites, or processed via the Services by Customer.
- (iii) Image files collected by Devices connected to the Services.
- (iv) Device sensor monitoring data, including information on notifications retained in the Platform.
- (v) Personal Data in documents uploaded by Customer to the Platform
3.5. Access or Use. BeHome247 will not sell Customer Personal Data; and will not access or use Customer Personal Data, except as necessary for the Purposes, or as necessary to comply with the law or binding order of a governmental body.
4. Subprocessing
4.1. Authorized Sub-processors. Subject to Section 9 (Changes to Sub-Processors), Customer agrees that BeHome247 may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by BeHome247 and authorized by Customer are listed in Annex B
4.2. Sub-processor Obligations. BeHome247 will: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause BeHome247 to breach any of its obligations under this DPA. To the extent required under Data Protection Laws, and unless otherwise noted on the Model Clauses applicable between BeHome247 and Customer, BeHome247 will provide written notice to Customer of its intent to use a new Sub-processor at least thirty (30) days prior to providing such Sub-processor with access to the Customer Personal Data, and if Customer provides written notice to BeHome247 (email [email protected]) within such thirty (30) day period that Customer objects to the use of such Sub-processor on grounds related to Data Protection Laws, and BeHome247 is unable to provide the Services without the use of the Sub-processor, then (a) BeHome247 will not provide the Customer Personal Data to the Sub-Processor and (b) BeHome247 or Customer may terminate or suspend the provision of Services.
5. Security
5.1. Security Measures. BeHome247 shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with BeHome247’s security standards described in the attached Annex C (“Security Measures“). For purposes of the Model Clauses, the Security Measures constitute the agreed-to description of the data safeguards to be used by BeHome247 in connection with all Processing subject to the Model Clauses.
5.2. Updates to Security Measures. Customer is responsible for reviewing the information made available by BeHome247 relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that BeHome247 may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services subscribed to by Customer.
5.3. Confidentiality of processing. BeHome247 shall ensure that any person who is authorized by BeHome247 to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.4. No Assessment of Customer Data by BeHome247. Customer acknowledges that BeHome247 will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents.
6. Security Reports and Audits
6.1. Customer acknowledges that BeHome247 may be audited by independent third-party auditors and/or internal auditors against the standards specified in the Security Measures. Upon request, and if available, BeHome247 shall supply (on a confidential basis) a summary copy of its then-current audit report(s) (“Report“) to Customer, so that Customer can verify BeHome247’s compliance with this DPA and the Security Measures. Notwithstanding the foregoing, Customer may disclose a Report as allowed under the applicable confidentiality section of the Agreement, including where requested or required by data protection authorities having jurisdiction over Customer even if not legally required (“Data Protection Authority Request”), provided, however, that Customer shall, unless legally prohibited, give BeHome247 prior written notice of the Data Protection Authority Request such that BeHome247 can attempt to secure confidential treatment for the Report. If Customer is not legally permitted to give BeHome247 prior notice, Customer agrees to use reasonable efforts to secure confidential treatment for the Report and further agrees to not remove or obscure any “confidential”, “proprietary”, or similar markings from the Report.
6.2. BeHome247 shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires that are necessary to confirm BeHome247’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year, except that this right may also be exercised if Customer is expressly requested or required to provide this information to a data protection authority, or if BeHome247 has experienced a Security Incident, or where otherwise required under Data Protection Laws.
7. International Transfers
7.1. BeHome247 hosts Customer Data in the United States or such other regions noted on the Order Form, if different, provided, however, that BeHome247 may process Customer Data anywhere in the world where BeHome247, its Affiliates, or its Sub-processors maintain data processing operations. BeHome247 will at all times provide appropriate safeguards for the Customer Personal Data wherever it is processed, in accordance with the requirements of Data Protection Laws.
7.2. Customer authorizes the transfer of the personal data to BeHome247 and Sub-processors located outside the EEA where such transfer is required in connection with the provision of Services and/or is necessary in the normal course of business. To the extent that Customer Personal Data is to be transferred from the EEA to a country not designated by the European Commission, ICO or Swiss Federal Data Protection Authority as providing an adequate level of protection for Personal Data, the parties agree to rely on the applicable Model Clauses to provide adequate protection for any Customer Personal Data. Customer and BeHome247 shall enter into the Model Clauses in accordance with Annex D. For onward transfers from BeHome247 to relevant Sub-processors, Customer consents to such onward transfers provided that BeHome247 and relevant Sub-processors enter into a written agreement which imposes materially the same obligations on the Sub-processors as are imposed on BeHome247 under the Model Clauses. As may be legally required, Customer shall execute this DPA, including the applicable referenced Model Clause form, and transmit a copy to BeHome247 at the email address provided on the template, which will become effective as of the date countersigned by Customer.
8. Co-operation
8.1. If a law enforcement agency sends BeHome247 a demand for Customer Personal Data (e.g., a subpoena or court order), BeHome247 will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, BeHome247 may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then BeHome247 will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent BeHome247 is legally permitted to do so.
8.2. Data Deletion on Termination. BeHome247 shall delete Customer Personal Data and other Customer Data upon termination or expiration of the Agreement in accordance with the provisions of the Agreement, unless required sooner by BeHome247 data retention guidelines. BeHome247 shall not be required to delete Customer Personal Data to the extent (i) BeHome247 is required by applicable law or order of a governmental or regulatory body to retain some or all of the Customer Personal Data; and/or (ii), Customer Personal Data has been archived on back-up systems, which Customer Personal Data BeHome247 shall remain subject to the terms of the Agreement and this DPA for the period of retention. In addition, BeHome247 has no responsibility for the retention or deletion of Customer Personal Data in any Device, it being understood and agreed that Customer, and not BeHome247, is responsible for all data management of any Personal Data contained in a Device or any Third-Party Products or Services used by Customer which may access such Device.
8.3. Security Incident Response. Upon confirming a Security Incident, BeHome247 shall: (i) notify Customer without undue delay, and in any event, such notification shall, where feasible, occur no later than 72 hours from BeHome247 confirming the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) BeHome247 shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. BeHome247’s notification of or response to a Security Incident under this Section 9.3 (Security Incident Response) will not be construed as an acknowledgment by BeHome247 of any fault or liability with respect to the Security Incident.
9. Changes to Sub-processors.
9.1. BeHome247 shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (by email, posting to the BeHome247 website, or other means in the normal course of BeHome247 business ) if it adds or removes Sub-processors at least thirty (30) days’ prior to allowing such Sub-processor to process Customer Personal Data.
9.2. Customer may object in writing to BeHome247’s appointment of a new Sub-processor within (14) days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If BeHome247 cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution by providing the Services without the Sub-processor or an agreed alternate as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement (including this DPA).
10. Cooperation
10.1. To the extent that Customer is unable to access the relevant Customer Personal Data within the Services using controls or tools provided by BeHome247 via the Services (such as the administrative features of the Services), taking into account the nature of the Processing, BeHome247 shall (at Customer’s request and expense) provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. In the event that any request from individuals or applicable data protection authorities is made directly to BeHome247 where such request identifies Customer, BeHome247 shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so, and instead, after being notified by BeHome247, Customer shall respond. If BeHome247 is required to respond to such a request, BeHome247 will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so
10.2. Customer acknowledges that BeHome247 is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each Data Processor and/or Data Controller on behalf of which BeHome247 is acting and, where applicable, of such Data Processor’s or Data Controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to BeHome247 via the Services or other means provided by BeHome247, and will ensure that all information provided is kept accurate and up-to-date.
10.3. To the extent BeHome247 is required under EU Data Protection Law, BeHome247 shall (at Customer’s request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law
10.4. BeHome247 will inform Customer if it believes a Customer instruction infringes or it can no longer comply with its obligations under applicable Data Protection Laws and this DPA
11. Relationship with the Agreement.
The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit (including the Model Clauses (as applicable)) the parties may have previously entered into in connection with the Services. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s Affiliates under this DPA shall be subject to the limitations on liability set out in the Agreement. Without limiting either of the parties’ obligations under the Agreement, Customer agrees that any regulatory penalties incurred by BeHome247 in relation to the Customer Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce BeHome247’s liability under the Agreement as if it were liability to the Customer under the Agreement. Any claims against BeHome247 or its Affiliates under this DPA shall only be brought by the Customer entity that is a party to the Agreement against the BeHome247 entity that is a party to the Agreement. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Annex A
Parties, Description Of Processing
A. LIST OF PARTIES
1. Data exporter(s):
Name: see the Customer name on the Order Form referencing the Agreement.
Address: see the Customer address on the signature page of the Order Form referencing the Agreement.
Contact person’s name, position, and contact details: see applicable contact information on the Order Form referencing the Agreement
Activities relevant to the data transferred under these Clauses:
- Please see Section 3.4 (Details of Data Processing) of DPA for a description of the data subjects, categories of data, special categories of data and processing operations.
Role: [X] controller [X] processor
2. Data importer(s):
Name: BeHome247 Inc.
Address: 303 West Wall Street, Suite 2400, Midland, TX 79701
Contact person’s name, position and contact details: [email protected]
Activities relevant to the data transferred under these Clauses:
- Please see Section 3.4 (Details of Data Processing) of DPA.
Role: [X] controller [X] processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Please see Section 3.4 (Details of Data Processing) of DPA.
Categories of personal data transferred
- Please see Section 3.4 (Details of Data Processing) of DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous
Nature of the processing
- BeHome247’s Services are used to enable Customer to manage Properties and Guests or Renters accessing and using the Platform to manage them.
Purpose(s) of the data transfer and further processing
- For delivery of the Services under the Agreement and as described in nature of processing.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Please see section 3.4 of the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Subprocessors are used for data importers hosting infrastructure and as further described in Annex B. Duration of processing is in accord with section 3.4 of DPA
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
- Please see clause 13 of EU Standard Contractual Clauses.
Annex B
BeHome247 uses its Affiliates and a range of third party Sub-processors to assist it in providing the Services (as described in the Agreement). These Sub-processors as of the Effective Date of this DPA are set out below. BeHome247 will provide written notice of changes via email, the BeHome247 website or other means in the normal course of business.
Subprocessor | Location Country | Website | Purpose |
Adobe | US | https://www.adobe.com | Infrastructure |
Amazon Web Services | US | aws.amazon.com | Cloud hosting provider |
Barefoot Technology | US | https://www.barefoot.com/ | Vacation Rental property management |
GoDaddy | US | https://www.godaddy.com | URL management |
US | www.Google.com | Search and tools | |
Graphhopper | US | https://www.graphhopper.com/ | API Management |
HomeAway | US | www.vrbo.com | Vacation Rental property management |
HubSpot | US | https://hubspot.com | CRM |
OKTA | US | https://www.okta.com/ | Identity management |
Rackspace | US | https://www.rackspace.com/ | Cloud management |
Ring Central | US | www.ringcentral.com | Video and voice |
Streamline VRS | US | https://www.streamlinevrs.com/ | Vacation Rental property management |
Track | US | https://tnsinc.com/hospitality-hub/track-pms | Vacation Rental property management |
Wowza Media Systems | US | https://www.wowza.com/ | Video management |
ZenDesk | US | https://www.zendesk.com | Customer support |
Annex C
BeHome247 Information Security Policy
This BeHome247 Information Security Policy (“Security Policy”) defines the technical controls and security configurations that BeHome247 uses in connection with the hosting and provision of the Services that process Customer Data (as each term is defined in the Agreement). BeHome247 implements a documented security program under which BeHome247 maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Services and Customer Data (the “Security Program”), including, but not limited to, as set forth below. BeHome247 regularly tests and evaluates its Security Program and may review and update its Security Program as well as this Security Policy, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.
Without limiting the foregoing, BeHome247 will:
1. Maintain an Information Security program that includes policies and information on the organizational structure and responsibilities of the Information Security team in the following areas; Mobile Device Security; Remote Access; Personnel Security; Asset Management; Data Classification & Handling; Access Control; Encryption; Physical and Environmental Security; Security Operations; Procurement & Vendor Management; Secure Development; Incident Management & Response; Business Continuity & Disaster Recovery; and Compliance
2. Verify that its personnel are trained to handle and obligated to maintain the confidentiality of any Customer Data in its possession
3. Verify that its agents and subcontractors that assist BeHome247 in performing its obligations under the Agreement maintain security practices consistent with this DPA;
4. Conduct routine risk assessments to identify, document, and remediate material internal and external risks;
Establish and enforce written procedures and technical controls enforcing role-based access control principles to control access to systems, networks, services, and facilities;
6. Implement and maintain minimum password requirements that will allow for unique user identification;
7. Maintain disaster recovery plans and allow for the recovery of services in the event that BeHome247’s services experience a significant interruption or impairment of operations;
8. Implement and conduct routine security awareness training for BeHome247 personnel;
9. Implement anti-malware software on any systems that Process Customer Data;
10. Commensurate with the nature and sensitivity of the Customer Data, encrypt Customer Data in transit across public networks or outside of BeHome247’s physical or logical controls and encrypted at rest when stored on any device or storage that is under BeHome247’s control (but excluding Devices, which BeHome247 does not control) using industry standard encryption tools;
11. Collect system, application, and user level logs on an ongoing basis for any BeHome247-managed network or system Processing Customer Data and retain such logs for at least one year;
12. Maintain or enter into agreements with parties that maintain appropriate physical security controls in place for any processing facilities that are used for Processing Customer Data, including without limitation and where applicable, appropriate perimeter security designed to protect against unauthorized access, damage or interference;
13. Evaluate and adjust its security program on an ongoing basis; and
14. Take reasonable steps to destroy Customer Data as provided under the Agreement, upon Customer request, by (i) shredding; (ii) permanently erasing and deleting; (iii) degaussing; or (iv) otherwise modifying Customer Data to make it unreadable, indecipherable, and irretrievable.
Annex D
Standard Contractual Clauses
1. EU Standard Contractual Clauses:
For data transfers from the EEA to locations outside the EEA or the UK, the 2021 EU Standard Contractual Clauses will apply in the following manner. Where the applicable sections of the Standard Contractual Clauses require the data exporter and the data importer to select a module Customer has selected the following:
1.1 Applicable SCC Module (check as applicable): [ ] Module 2 (C2P) [ ] Module 3 ( P2P)
1.1.1. Module Two of the Standard Contractual Clauses (Transfer controller to processor) shall apply where BeHome247, as data importer, is acting as Customer’s Data Processor; and
1.1.2. Module Three of the Standard Contractual Clauses (Transfer processor to processor) shall apply where Customer is acting as a processor, and BeHome247, as data importer, is acting as Customer’s data sub- Processor;
1.2. Clause 7, the optional docking clause will not apply
1.3. Clause 9(a), Option 2 (“General Written Authorisation”) will apply. The notification, authorization, and applicable time period will be as set forth in Sections 4.1, 4.2 of the DPA.
1.4. Clause 11: the Parties do not select the independent dispute resolution option.
1.5. Clause 17, Option 1 will apply. These Standard Contractual Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The parties agree that this shall be the law of the Republic of Ireland .
1.6. Clause 18(b), disputes will be resolved before the courts of Ireland.
2. UK Standard Contractual Clauses:
For data transfers from the United Kingdom, the applicable Model Clauses shall be the UK International Data Transfer Agreement, or the UK International Data Transfer Addendum (altogether, the “UK SCCs”) as applicable. For data transfers subject to the UK SCCs, Annex A and Annex B of this DPA shall apply as Annexes 1A, 1B. and Annex II respectively of the UK SCCs. For personal data subject to the privacy laws of the UK, references to the GDPR in the Addendum will be deemed to be references to the the UK GDPR and Data Protection Act 2018, and, to the extent possible, Modules and optional clauses shall apply as set forth above in Sections 1.1, 1.2 “EU Standard Contractual Clauses.”
3. UK Standard Contractual Clauses- Applicability
The UK SCCs will apply in the following manner:
3.1. Table 2:
3.1.1. Exporter Status: Customer, as exporter is a controller
3.1.2. Importer Status: BeHome247, as importer is a processor
3.2. Table 3, list of Sub-processors: see Annex B
3.3. Table 4: both the Importer and the exporter may end the UK SCCs in accordance with the terms of the UK SCCs.
3.4. In the event both the EU Standard Contractual Clauses and the UK SCC’s apply, then the UK International Data Transfer Addendum shall apply.
3.5. Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK SCCs and any other terms in this Addendum, or the Agreement, the provisions of the EU Standard Contractual Clauses or UK SCCs as applicable, will prevail.
3.6. Jurisdiction. With regard to personal data subject to the data privacy laws of the UK, this Annex D and the UK SCCs are governed by the laws of England and Wales, and any dispute arising under the UK SCCs will be resolved by the courts of England and Wales.
4. Conflict
To the extent that there is any conflict between the terms of the DPA and the Model Clauses, the relevant term(s) of the applicable Model Clauses will control.