This DPA is for illustrative purposes only. To request an executable version of this DPA,
please email admin@alphagold.africa
Alpha Gold Africa Proprietary Limited Data Processing Addendum
Controller (Business) to Processor (Service Provider)
This Alpha Gold Africa Proprietary Limited Data Processing Addendum (this “DPA”), including its two exhibits, is entered into by and between Alpha Gold Africa Proprietary Limited (“Alpha Gold”) and __________________ (“Customer”) (each, a “Party” and collectively, the “Parties”). This DPA reflects the Parties’ agreement with respect to the terms governing the Processing of Personal Data under the Terms of Service (the “Agreement”). This DPA hereby supplements and amends the Agreement and shall be effective immediately upon signing, as indicated by the date under the Parties’ signatures (the “Effective Date”).
The term of this DPA shall follow the term of the Agreement.
Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
THIS DPA INCLUDES:
- Further details of the Processing (Exhibit A).
- Jurisdiction Specific Terms (Exhibit B).
RECITALS
- WHEREAS, the Parties entered into the Agreement and have retained the power to alter, amend, revoke, or terminate the Agreement as provided in the Agreement;
- WHEREAS, the Parties now wish to amend the Agreement to ensure that Personal Data (as defined below) transferred between the Parties is Processed in compliance with applicable data protection principles and legal requirements.
- NOW, THEREFORE, in consideration of the mutual agreements set forth in this DPA, the Parties agree as follows:
1. Definitions
1.1. | Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect. |
1.2. | For the purpose of interpreting this DPA, the following terms shall have the meanings set out below: |
(a) | “Agreement” means Terms of Service, which govern the provision of Services to Customer, as such terms may be updated by Alpha Gold from time to time. |
(b) | “Applicable Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including laws of the Republic of South Africa, the European Union (or any member state thereof) and the laws of any other country, province, or state to which the Processing of the Personal Data is subject; |
(c) | “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; |
(d) | “Contracted Processor” means any third party appointed by or on behalf of Alpha Gold to Process Personal Data on behalf of Customer in connection with the Agreement; |
(e) | “Customer” means the party that has entered into this DPA with Alpha Gold as indicated in the opening paragraph of this DPA; |
(f) | “POPIA” or “Protection of Personal Information Act, 2013” means the Protection of Personal Information Act, 2013, as enacted by the South African Parliament. The commencement date of POPIA was 1 July 2020 and the one-year grace period to comply ended on 30 June 2021. |
(g) | “Personal Data” means any information relating to an identified or identifiable* natural person (a “Data Subject”) Processed by Alpha Gold on behalf of the Customer pursuant to or in connection with the Agreement. *An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
(h) | “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data which Alpha Gold Processes on behalf of the Customer in connection with the Agreement; |
(i) | “Personal Data Recipient” means Alpha Gold, a Contracted Processor, or both collectively; |
(j) | “Processing” (or any cognate terms) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
(k) | “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller; |
(l) | “Services” means the services and other activities carried out by or on behalf of Alpha Gold for the Customer pursuant to the Agreement. |
2. Relationship with the Agreement
2.1. | The parties agree that this DPA shall replace any existing DPA the Parties may have previously entered into in connection with the Services. |
2.2. | Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict. |
2.3. | Any claims brought under or in connection with this DPA shall be subject to the terms and conditions (including but not limited to, the exclusions and limitations) set forth in the Agreement. |
2.4. | Any claims against Alpha Gold or its affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Alpha Gold in relation to the Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any Applicable Laws shall count toward and reduce Alpha Gold’s liability under the Agreement as if it were liability to the Customer under the Agreement, to the fullest extent permitted under the applicable laws. |
2.5. | No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. |
2.6. | This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Laws. |
3. Applicability
3.1. | This DPA applies where and only to the extent that Alpha Gold Processes Personal Data that is subject to Applicable Laws on behalf of Customer as Processor in the course of providing Services pursuant to the Agreement. |
3.2. | If Alpha Gold determines the purposes and means of Processing with respect to Personal Data, Alpha Gold shall be a Controller with respect to such Processing operations and shall act in accordance with the Alpha Gold Privacy Policy and Applicable Laws. |
3.3. | This DPA will apply to the Processing of all Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor. |
4. Processing and Disclosing of Personal Data
4.1. | In the context of this DPA and its appendices, with regard to the Processing of Personal Data, 1) when Customer acts as a Controller, Alpha Gold acts as a Processor; and 2) when Customer acts as a Processor, Alpha Gold acts as a Sub-Processor. For the avoidance of doubt, both situations fall within the scope of and are covered by this DPA. |
4.2. | Alpha Gold shall: |
(a) | comply with all Applicable Laws in the Processing of Personal Data; |
(b) | not Process Personal Data other than on Customer’s relevant documented instructions (including with regard to international transfers of Personal Data), unless such Processing is required by Applicable Laws to which the relevant Personal Data Recipient is subject, in which case Alpha Gold shall to the extent permitted by Applicable Laws, inform Customer of that legal requirement before the respective act of Processing of that Personal Data; |
(c) | only conduct transfers of Personal Data in compliance with all applicable conditions, as laid down in Applicable Laws; |
(d) | not retain, delete, or otherwise Process Personal Data contrary to or in the absence of the direct instructions of the Customer, provided, however, that the Customer expressly and irrevocably authorizes such retention, deletion, or other Processing if and to the extent required or allowed by Applicable Laws; and |
(e) | immediately inform the Customer in the event that, in Alpha Gold’s opinion, a Processing instruction given by the Customer may infringe Applicable Laws. |
4.3. | The Customer shall provide all information which is applicable to the Customer, as provided in Exhibit A, attached hereto, and incorporated by reference, and keep all such information complete and up to date. |
4.4. | The Customer instructs Alpha Gold (and authorises Alpha Gold to instruct each Contracted Processor) to Process Personal Data, and in particular, transfer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement and this DPA. |
4.5. | The Customer represents and warrants that it has all necessary rights to provide the Personal Data to Alpha Gold for the purpose of Processing such data within the scope of this DPA and the Agreement. Within the scope of the Agreement and in its use of the Services, the Customer shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to Alpha Gold and the Processing of Personal Data. |
5. Alpha Gold Personnel
5.1. | Alpha Gold shall take reasonable steps to ensure the reliability of any of its employees, agents, or contractors who may have access to Personal Data. |
5.2. | Alpha Gold shall ensure that access to Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfil the documented Processing instructions given to Alpha Gold by the Customer or to comply with Applicable Laws. |
5.3. | Alpha Gold shall ensure that all such individuals are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality. |
6. Security of Processing
6.1. | Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, Alpha Gold shall, with regard to Personal Data, implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to that risk, as well as assist the Customer with regard to ensuring compliance with the Customer’s obligations pursuant to the Applicable Laws. |
6.2. | In assessing the appropriate level of security, Alpha Gold shall take account, in particular, of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches. |
6.3. | The Customer is responsible for reviewing the information made available by Alpha Gold relating to data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations under Applicable Laws. The Customer acknowledges that the security measures are subject to technical progress and development and that Alpha Gold may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. |
6.4. | Notwithstanding the above, the Customer agrees that, except as provided by this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of the Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Services. |
7. Subprocessing
7.1. | The Customer authorises Alpha Gold to appoint (and permit each Contracted Processor appointed in accordance with this Section 6 to appoint) Contracted Processors in accordance with this Section 6 and any possible further restrictions, as set out in the Agreement, as the case may be. |
7.2. | Alpha Gold may continue to use those Contracted Processors already engaged by Alpha Gold as of the date of this DPA, subject to Alpha Gold meeting the obligations set out in Section 6.4. |
7.3. | Alpha Gold shall provide Customer prior written notice of the appointment of any new Contracted Processor by updating the list of Alpha Gold Contracted Processors. Customer may object in writing to Alpha Gold’s appointment of any Contracted Processor within five (5) calendar days of posting such notice of that Contracted Processor’s appointment, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss Customer’s concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination) as a remedy. |
7.4. | With respect to each Contracted Processor, Alpha Gold shall: |
(a) | carry out adequate due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Personal Data required by this DPA, the Agreement, and Applicable Laws before the Contracted Processor first Processes Personal Data or, where applicable, in accordance with Section 6.2; and |
(b) | ensure that the arrangement between Alpha Gold and the prospective Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Personal Data as those set out in this DPA, and that such terms meet the requirements of Applicable Laws. |
8. Rights of the Data Subjects
8.1. | Taking into account the nature of the Processing, Alpha Gold shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise rights of the Data Subjects under Applicable Laws. |
8.2. | With regard to the rights of the Data Subjects within the scope of this Section 7, Alpha Gold shall: |
(a) | promptly notify Customer if any Personal Data Recipient receives a request from a Data Subject under any Applicable Law with respect to Personal Data; |
(b) | ensure that the Personal Data Recipient does not respond to that request, except on the documented instructions of Customer, or as required by Applicable Laws to which the Personal Data Recipient is subject, in which case Alpha Gold shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before the Personal Data Recipient responds to the request. |
8.3. | The Customer agrees to pay Alpha Gold, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Customer exercising its rights under this Section 8 or the Standard Contractual Clauses. |
9. Personal Data Breach
9.1. | Alpha Gold shall notify the Customer without undue delay upon Alpha Gold becoming aware of a Personal Data Breach affecting Personal Data under Alpha Gold’s direct control or upon Alpha Gold being notified of a Personal Data Breach affecting Personal Data under the direct control of a Contracted Processor, providing the Customer with sufficient information to allow the Customer to meet any applicable obligations pursuant to the Applicable Laws, such as to report to the supervisory authorities or any other competent authorities, or inform the Data Subjects of the Personal Data Breach. |
9.2. | Alpha Gold shall cooperate with Customer and take all reasonable commercial steps to assist Customer in the investigation, mitigation, and remediation of each such Personal Data Breach. |
9.3. | Alpha Gold’s notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by Alpha Gold of any fault or liability with respect to the Personal Data Breach. |
10. Data Protection Impact Assessment and Prior Consultation
10.1. | Alpha Gold shall provide Customer with relevant information and documentation, such as, if available, an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with supervisory authorities when the Customer reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Applicable Laws but in each such case solely with regard to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the respective Personal Data Recipient. |
11. Deletion or Return of Personal Data
11.1. | Alpha Gold shall provide the Customer with the technical means, consistent with the way the Services are provided, to request the deletion of Personal Data upon the request of the Customer unless Applicable Laws require storage of any such Personal Data. |
11.2. | Alpha Gold shall promptly, following the date of cessation of Services involving the Processing of Personal Data, at the choice of the Customer delete or return all Personal Data to the Customer as well as delete existing copies, unless Applicable Laws require storage of any such Personal Data. |
12. Security Reports and Audits
12.1. | Customer acknowledges that Alpha Gold is regularly audited against PCI standards by independent third-party auditors and internal auditors. Upon request, Alpha Gold shall supply (on a confidential basis) a summary copy of its audit report(s) to Customer, so that Customer can verify Alpha Gold’s compliance with the audit standards against which it has been assessed, and this DPA. |
12.2. | Alpha Gold shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Alpha Gold’s compliance with this DPA. |
13. Audit Rights
13.1. | Where the Customer is entitled to and desires to review Alpha Gold’s compliance with the Applicable Laws, the Customer may request, and Alpha Gold will provide (subject to obligations of confidentiality) relevant documentation, or any relevant audit report Alpha Gold might have been issued, as elaborated in Section 12. If the Customer, after having reviewed such audit report(s), still reasonably deems that it requires additional information, Alpha Gold shall further reasonably assist and make available to the Customer, upon a written request and subject to obligations of confidentiality, all other information (excluding legal advice) and/or documentation necessary to demonstrate compliance with this DPA, and the obligations pursuant to the Applicable Laws of the POPIA, and shall allow for and contribute to audits, including remote inspections of the Services, by the Customer or an auditor mandated by the Customer with regard to the Processing of the Personal Data by the Contracted Processors. Alpha Gold shall provide the assistance described in this Section 13.1, insofar as, in Alpha Gold’s reasonable opinion, such audits, and the specific requests of the Customer, do not interfere with Alpha Gold’s business operations or cause Alpha Gold to breach any legal or contractual obligation to which it is subject. |
13.2. | The Customer agrees to pay Alpha Gold, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Customer exercising its rights under this Section 13 or clause 5(f) of the Standard Contractual Clauses. |
14. Jurisdiction Specific Terms
14.1. | To the extent Alpha Gold processes Personal Data originating from, or protected by, Applicable Laws in one of the jurisdictions listed in Exhibit B, then the terms specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this DPA. |
14.2. | Alpha Gold may update Exhibit B from time to time, to reflect changes in or additions to Applicable Laws to which Alpha Gold is subject. If Alpha Gold updates Exhibit B, it will provide the updated Exhibit B to the Customer. If the Customer does not object to the updated Exhibit B within 14 days of receipt, the Customer will be deemed to have consented to the updated Exhibit B. |
14.3. | In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence. |
15. No Selling of Personal Data
15.1. | Alpha Gold acknowledges and confirms that it does not receive any Personal Data as consideration for any services or other items that Alpha Gold provides to the Customer. The Customer retains all rights and interests in Personal Data. The Customer agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Alpha Gold to qualify as selling Personal Data under Applicable Laws. |
16. Indemnification
16.1. | The Customer agrees to indemnify and hold harmless Alpha Gold and its officers, directors, employees, agents, affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which Alpha Gold may sustain as a consequence of the breach by the Customer of its obligations pursuant to the Applicable Laws, where this DPA is not in full force and effect. |
17. General Terms
17.1. | This DPA supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this DPA, including any prior data processing addenda entered into between Alpha Gold and the Customer. |
17.2. | All clauses of the Agreement that are not explicitly amended or supplemented by the clauses of this DPA, and as long as this does not contradict compulsory requirements of Applicable Laws under this DPA, remain in full force and effect and shall apply. |
17.3. | In the event of any conflict between the Agreement (including any annexes and appendices thereto) and this DPA, the provisions of this DPA shall control. |
17.4. | Should any provision of this DPA be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the DPA will continue in effect. |
17.5. | If Alpha Gold makes a determination that it can no longer meet any of its obligations in accordance with this DPA, it shall promptly notify the Customer of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate. |
17.6. | If you are accepting the terms of this DPA on behalf of an entity, you represent and warrant to Alpha Gold that you have the authority to bind that entity and its affiliates, where applicable, to the terms and conditions of this DPA. |
18. Data Protection Officer
18.1. | The identity and contact information of the Data Protection Officer of Alpha Gold is: Alpha Gold Africa Proprietary Limited, Ratanga Road, Century City, Cape Town, Western Cape, 7441, South Africa, admin@alphagold.africa |
[ SIGNATURE PAGE TO THE ALPHA GOLD DATA PROCESSING ADDENDUM FOLLOWS ]
Each Party is signing this DPA on the date stated below that Party’s signature.
Alpha Gold Africa Proprietary Limited
Signature
Name
Title
Date
[Customer Full Legal Name]
Signature
Name
Title
Date
Exhibit A
1. Further details of the Processing, in addition to the ones laid down in the Agreement and this DPA, include:
1.1. | The subject matter of the Processing of Personal Data is: |
(a) | The subject matter of the Processing of Personal Data pertains to the provision of Services, as requested by the Customer. |
1.2. | The duration of the Processing of Personal Data is: |
(a) | Personal Data will be Processed for the duration of the Agreement, subject to Section 5 of this DPA. |
1.3. | The nature and purpose of the Processing of Personal Data is: |
(a) | Personal Data will be Processed for purposes of providing the Services set out and otherwise agreed to in the Agreement and any applicable Order. The nature of such Processing is related to these purposes and is elaborated on in this DPA and the Agreement. |
1.4. | The categories of Personal Data to be Processed are: |
(a) | Biographical information, such as first and last name; |
(b) | Contact information, such as an email address; |
(c) | Professional information; |
(d) | Email messages and attachments; |
(e) | Personal Data such as navigational data; and |
(f) | Any other type of Personal Data captured through custom fields. |
1.5. | The categories of Data Subjects to whom the Personal Data relates are: |
(a) | Any individual accessing and/or using the Service through the Customer’s account (“Users”); and any individual: (i) whose information is stored on or collected via the Services, or (ii) to whom Users send emails or otherwise engage or communicate with via the Services within the scope of the Agreement and this DPA, such as customers, business partners, or recipients of emails. |
1.6. | Description of the technical and organisational security measures implemented by Alpha Gold: |
a. Access Control
i. Preventing Unauthorized Product Access
Outsourced Processing: Alpha Gold hosts its Service with outsourced cloud infrastructure providers. Additionally, Alpha Gold maintains contractual relationships with Contracted Processors in order to provide the Services in accordance with our DPA. Alpha Gold relies on contractual agreements, privacy policies, and Contracted Processors’ compliance programs in order to protect Personal Data Processed or stored by these Contracted Processors.
Physical and environmental security: Alpha Gold hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: Alpha Gold implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public Personal Data.
Authorization: Personal Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorisation model in each of Alpha Gold’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customisation options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
ii. Preventing Unauthorized Product Use
Alpha Gold implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Network scanning: Alpha Gold contracts with third-party vulnerability scanners to regularly review the Services for common vulnerabilities and to maintain PCI compliance.
Penetration testing: Alpha Gold maintains relationships with industry recognised penetration testing service providers for annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii. Limitations of Privilege & Authorization Requirements
Product access: A subset of Alpha Gold’s employees have access to the products and to Personal Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective Customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.
b. Transmission Control
In-transit: Alpha Gold makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Alpha Gold’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Alpha Gold stores user passwords following policies that follow industry standard practices for security.
c. Input Control
Detection: Alpha Gold designed its infrastructure to log extensive information about system behaviour, traffic received, system authentication, and other application requests. Alpha Gold personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Alpha Gold maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Alpha Gold will take appropriate steps to minimise product and Customer damage or unauthorised disclosure.
Communication: If Alpha Gold becomes aware of unlawful access to Personal Data stored within its products, Alpha Gold will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Alpha Gold is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Alpha Gold deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Alpha Gold selects, which may include via email or telephone.
d. Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Personal Data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Alpha Gold’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Alpha Gold operations in maintaining and updating the product applications and backend while limiting downtime.
Exhibit B
Jurisdiction Specific Terms
1. Transfers of EU Personal Data
1.1. | “Privacy Shield” (as used in this Section) means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017, respectively. |
1.2. | “Restricted Transfer of Personal Data” (as used in this Section) means any transfer of Personal Data (including data storage in foreign servers) that would be prohibited by the GDPR in the absence of the execution of the Standard Contractual Clauses (as defined below) or another lawful data transfer mechanism; |
1.3. | “Standard Contractual Clauses” (as used in this Section) means the contractual clauses adopted by Decision of the European Commission (Commission Decision C(2010)593) for the purpose of adducing adequate protection of Personal Data transferred from a Controller to a Processor established in a third country, where the legislation in such third country has not been deemed to provide an adequate level of data protection. |
1.4. | With regard to any Restricted Transfer of EU Personal Data from the Customer to Alpha Gold within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence: |
(a) | Alpha Gold’s EU-U.S. and Swiss-U.S. Privacy Shield Framework self-certifications (if any); |
(b) | the Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR); or |
(c) | any other lawful basis, as laid down in the GDPR, as the case may be. |
1.5. | This DPA hereby incorporates by reference the Standard Contractual Clauses (updated from time to time to reflect the latest version promulgated by the European Commission) for the Customer (as “data exporter”) to Alpha Gold Contractual Clauses would reflect the information as contained in Exhibit A to this DPA. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto, and including the “Illustrative Indemnification Clause” as an operative clause). |
1.6. | In cases where the Standard Contractual Clauses apply, and there is a conflict between the terms of the DPA and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control. |
2. California
2.1. | “Applicable Laws” (as used in the DPA) includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (“CCPA”) as may be amended from time to time. |
2.2. | “Business Purpose” (as used in this Section) shall have the same meaning as in the CCPA; |
2.3. | “Commercial Purpose” (as used in this Section) shall have the same meaning as in the CCPA; |
2.4. | “Controller” (as used in the DPA) includes “Business” as defined under the CCPA. |
2.5. | “Data Subject” (as used in the DPA) includes “Consumer” as defined under the CCPA. |
2.6. | “Personal Data” (as used in the DPA) includes “Personal Information” as defined under the CCPA. |
2.7. | “Personal Data Breach” (as used in the DPA) includes “Breach of the Security of the System” as defined under the CCPA. |
2.8. | “Processor” (as used in the DPA) includes “Service Provider” as defined under the CCPA. |
2.9. | The Customer discloses Personal Data to Alpha Gold solely for: (i) valid Business Purposes; and (ii) to enable Alpha Gold to perform the Services under the Agreement. |
2.10. | Alpha Gold shall not: (i) sell Personal Data; (ii) retain, use or disclose Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by the CCPA; nor (iii) retain, use, or disclose Personal Data except where permitted under the Agreement between the Customer and Alpha Gold. Alpha Gold certifies that it understands these restrictions and will comply with them. |
3. United Kingdom
3.1. | “Applicable Laws” (as used in the DPA) includes the Data Protection Act 2018. |
4. South Africa
4.1. | “Applicable Laws” (as used in the DPA) includes the Protection of Personal Information Act, 2013. |