InsureMO DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) supplements and forms part of the InsureMO Subscription General Terms and Conditions available at https://insuremo.com/en/insuremo-gtc/, as updated from time to time between Client and InsureMO, or other agreement(s) between Client and InsureMO governing Client’s use of the Services (the “Agreement”).

 

This DPA is an agreement between you and the entity you represent (“Client”) and the InsureMO contracting entity under the Agreement (“InsureMO”). This DPA reflects the Parties’ agreement with regard to the Processing of Client Data (as defined below) by InsureMO on behalf of Client in order to provide the Services pursuant to the Agreement.

1. Definitions

All capitalized terms shall follow the definition under the Agreement unless otherwise defined specifically in this DPA as below:

 

Client Data means the Personal Data that is uploaded to the Services under Client’s InsureMO accounts, or otherwise provided by, or on behalf of Client to InsureMO through the Use of the Services.

Controller means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

Data Protection Laws mean all legislations and regulations applicable to the Processing of Client Data under the Agreement, including GDPR (EU General Data Protection Regulation 2016/679) and other data protection legislations, as applicable.

Process or Processing means any operation or set of operations performed on Client Data, including collection, storage, use, access, disclosure, erasure, destruction, and reading.

Processor means the entity which Processes Personal Data on behalf of the Controller.

Security Incident means a breach of InsureMO’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.

Sub-processor means the entity engaged by Processor to provide Processing activities on Personal Data on behalf of Controller.

Supervisory Authority means an independent public authority or national body responsible for monitoring the application of the applicable Data Protection Laws.

2. Data Processing.

2.1 Scope and Roles. This DPA applies when Client Data is Processed by InsureMO as a Processor on behalf of Client as a Controller in order to provide Services pursuant to the Agreement.

For clarity, this DPA applies only to the Processing of Personal Data in environments controlled by InsureMO and InsureMO’s Sub-processors. For the avoidance of doubt, this includes Personal Data sent to InsureMO through the Use of the Services but does not include Personal Data that remains on Client’s premises or in any of Client’s selected third party operating environments.

2.2. Processing Details

2.2.1 Subject matter. The subject matter of the data processing under this DPA is Client Data.

2.2.2 Duration of the Processing. The duration of the Processing of Client Data under this DPA corresponds to the duration of the Services unless otherwise agreed by the Parties in writing.

2.2.3 Purpose and Nature of the Processing. InsureMO will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Client in its Use of the Services. The nature of the Processing is the performance of the Services pursuant to the Agreement.

2.2.4 Type of Personal Data. Personal Data uploaded to the Services under Client’s InsureMO accounts or otherwise provided by Client to InsureMO.

2.2.5 Categories of Data Subjects. The Data Subjects could include Client’s customers, employees, suppliers and End Users.

2.3 Compliance with Law. Each party will comply with all Data Protection Laws applicable to and binding on it in the performance of this DPA. Client agrees that it shall comply with its obligations as a Controller under Data Protection Laws. Client will not use the Services in a way that would violate Data Protection Laws.

3. Client Instructions.

The Parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding InsureMO’s Processing of Client Data (“Documented Instructions”). InsureMO will Process Client Data only in accordance with Documented Instructions from Client, unless otherwise required by Data Protection Laws. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between InsureMO and Client, including agreement on any additional fees payable by Client to InsureMO for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if InsureMO declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

4. Confidentiality Commitment.

InsureMO will take reasonable steps to ensure that its personnel engaged in the Processing of Client Data (i) will Process such data only on Documented Instructions from Client, and (ii) will be obligated to maintain the confidentiality and security of such data. InsureMO imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

5. Security of Data Processing.

5.1 InsureMO has implemented and will maintain appropriate technical and organizational measures, as set out in Annex 1 (“Security Measures”), for protection of the security, confidentiality and integrity of Client Data.

5.2 InsureMO regularly monitors compliance with the Security Measures. Client acknowledges that the Security Measures are subject to technical progress and development and that InsureMO may update or modify the Security Measures from time to time provided that such updates and modifications will not materially decrease the overall security of the Services. InsureMO will, at Client’s request, make available to Client corresponding information reasonably requested by Client regarding InsureMO security practices and policies.

6. Sub-processing.

6.1 General Authorization. Client acknowledges and agrees that InsureMO may appoint its Affiliates, Amazon Web Services and Microsoft Azure as Sub-processors to provide Processing activities on Client Data on behalf of Client.

6.2 InsureMO shall not engage a Sub-processor to carry out specific Processing activities which fall outside the general authorization granted above without Client’s prior written authorization and, where such other Sub-processor is so engaged, InsureMO shall ensure that the same contractual obligations set out in this DPA be imposed on that Sub-processor.

6.3 InsureMO is responsible for its Sub-processors’ compliance with InsureMO’s obligations in this DPA.

6.4 The Parties agree that if copies of InsureMO’s agreements with a Sub-processor must be sent by InsureMO to Client as required by Data Protection Laws, such copies will be provided only upon reasonable request by Client and all commercial information and provisions unrelated to this DPA will be redacted beforehand.

7. Security Incident Notification.

7.1 InsureMO will (i) notify Client of a Security Incident without undue delay after becoming aware of the Security Incident, and (ii) take reasonable steps to mitigate any adverse effects resulting from the Security Incident.

7.2 Notification(s) of Security Incidents will be delivered to Client by any means InsureMO selects, including via email. It is Client’s sole responsibility to ensure Client maintains accurate contact information with InsureMO for each applicable Service.

7.3 Client is solely responsible for complying with its third-party notification obligations related to any Security Incident as required under Data Protection Laws.

7.4 InsureMO shall make reasonable efforts to assist Client in fulfilling Client’s obligation, as required under Data Protection Laws, to notify the relevant Supervisory Authority and Data Subjects about such Security Incident.

8. Audit.

Subject to Client’s commitment in confidentiality, InsureMO shall allow for, and contribute to, audits conducted by Client or another auditor designated by Client, who shall not be a direct competitor of InsureMO, including inspections to the extent required by Data Protection Laws, during InsureMO’s normal business hours without interference to InsureMO’s daily operations, in accordance with the following procedures:

8.1 InsureMO will provide Client or its designated auditor with the most recent certifications and/or summary audit report(s), which InsureMO has procured to regularly test, assess and evaluate the effectiveness of the security measures.

8.2 If further information is needed by Client to comply with its own or other Controllers audit obligations or a competent Supervisory Authority’s request, Client shall inform InsureMO in writing to enable InsureMO to provide such information or to grant access to it.

8.3 To the extent that it is not possible to satisfy Client’s audit rights as stipulated in Data Protection Laws or as required by a competent Supervisory Authority unless by way of onsite visit in InsureMO’s premise or facilities, InsureMO shall allow the onsite visit provided that Client gives InsureMO reasonable prior written notice of such onsite visit and such onsite visit shall be conducted on a Working Day during normal business hours mutually selected by the Parties to reduce any risk to InsureMO’s other clients, and only in a manner that causes minimal disruption to InsureMO’s business.

9. Transfers of Client Data.

Client Data relating to the Services of the Agreement will be stored in a location as agreed with the Client. InsureMO will not transfer Client Data to other locations/countries. In the event of a documented instruction from Client on international transfer of Client Data for purposes of performance of the Agreement or for InsureMO to provide the Services initiated by Client, Client shall ensure its instructions will not breach the requirements under Data Protection Laws, and each Party will ensure such transfer is made in compliance with the requirements of Data Protection Laws.

10. InsureMO Assistance.

10.1 InsureMO will assist Client, when reasonably requested by Client, by technical and organizational measures for the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in compliance with Client’s obligations relating to the security of Processing, the notification to Supervisory Authorities and/or communication of a Security Incident to Data Subjects, as and when required by Data Protection Laws, taking into account the nature of the Processing and the information available to InsureMO, subject to reasonable additional charges as mutually agreed by the Parties in advance for the efforts incurred based on the then-current charging standard of InsureMO. If Client does not agree to the quote of InsureMO, the Parties agree to reasonably cooperate to find a feasible solution.

10.2 Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to InsureMO, InsureMO will assist Client in complying with Client’s obligations in respect of data protection impact assessments and prior consultation with the responsible Supervisory Authority as and when required by the Data Protection Laws, by providing the necessary information reasonably requested by Client.

11. Termination of the DPA.

This DPA will continue in force and effect until the expiry or termination of the Agreement.

12. Deletion or Return of Client Data.

Upon termination of the Agreement, InsureMO will, subject to the terms and conditions of the Agreement or otherwise agreed with the Client, delete or return Client Data in its possessions, unless otherwise required by applicable laws.

13. Limitation of Liability.

EACH PARTY’S AND ALL OF ITS AFFILIATES’ TOTAL AND AGGREGATE LIABILITIES ARISING OUT OF OR IN CONNECTION WITH THIS DPA, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, ARE SUBJECT TO THE LIMITATION OF LIABILITY SET OUT IN THE AGREEMENT.

14. Miscellaneous.

14.1 In the event and to the extent of a conflict between the Agreement and this DPA, the terms of this DPA will prevail.

14.2 InsureMO has a Data Security Committee that includes a Data Protection Officer responsible for overseeing data protection and security measures. The Data Security Committee may be contacted at security-committee@InsureMO.com.

ANNEX 1 – Security Measures

InsureMO has implemented and will maintain for Client Data the following Security Measures, which are in conjunction with the security commitments in this DPA, and the following are InsureMO’s only responsibility with respect to the security of Client Data.

Category	Practices
Asset Management	Assets Security. InsureMO identifies and manages data assets, and implements appropriate operating procedures to manage such assets according to the characteristics of different types of assets.
Access Control	Access Control Policy. InsureMO has set up a set of access control policies which standardizes user management, password management and system configuration, to ensure proper authority control. User Access Management. InsureMO implements a formal user access provisioning process to assign or revoke access rights for all user types to each system. InsureMO ensures that only relevant personnel can obtain appropriate access to their duties, and forms a list of user access and implements regular review of it. InsureMO also adjusts and cancels the employee’s user access right when the employee leaves post or departs from the company.
Cryptography	Cryptographic Controls. InsureMO has formulated regulations on the management of using cryptographic control, including identification of the protection level based on risk assessment and considering the type, intensity and quality of encryption algorithm. Cryptographic Management. InsureMO has formulated regulations on the cryptographic management so as to the whole process from the application, use, custody to destruction of key is under secure control.
Physical and Environmental Security Control	Secure Areas. InsureMO specifies the boundaries of secure areas and takes appropriate control measures, such as physical isolation, access control systems, video surveillance, etc. Equipment and Facilities Security. InsureMO ensures all kinds of equipment and facilities are placed in the appropriate area and appropriate protective measures are taken to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Operational Security Control	Operating Procedures. InsureMO has established necessary management, operating responsibilities and procedures for all data processing facilities. InsureMO controls the changes of data processing facilities and systems, and all system activities are under documented specification. InsureMO also implements a clear allocation of responsibilities in accordance with the basic requirements of secure operations to reduce risks due to negligence or misuse of the system. Individuals unauthorized or unmonitored shall not be able to access, modify or use system. Planning and Management of Capacity. InsureMO ensures that each controlled information system   is able to identify capacity requirements so as to guarantee timely assessment and improvement of the availability and efficiency when necessary. Separation of Development, Testing and Operational Environments. InsureMO identifies the separation level among the operation, testing and developing environment of the controlled information system to prevent overstepping or unauthorized operations. Protection from Malware. InsureMO has established effective computer virus prevention, detection and killing mechanism, implements the detection and protection control to prevent malware, and improves employees’ sense of prevention. Backup. InsureMO implements backup procedures and implements effective test on the backup data. Audit Logging and Logging Protection. InsureMO has established logging management regulations to prevent logging storage facilities from unauthorized tempering and operational problems. Important audit loggings are archived, including details such as user ID, date, time and key events, as well as system configuration, special access rights, the use of system utilities and applications. Control of Operational Software. InsureMO implements management procedures on software installations, and designates special personnel who have the skills that meet the requirements of daily software installation to install software on operating systems according the procedures. Clock Synchronization. InsureMO synchronizes the clocks to ensure the accuracy of the system loggings. Technical Vulnerability Control. InsureMO timely obtains the technical vulnerability information of controlled information systems to assess the protection of this kind of technical vulnerability and take appropriate control measures. Information Systems Audit Control. InsureMO implements information systems audit strictly in accordance with relevant audit procedures and policies. InsureMO makes detailed planning and assesses the risks associated with information systems audit when doing the audits.
Communications Security Control	Network Security Management. InsureMO implements network security management, divides the network secure areas, monitors and manages the network equipment and activities, develops network security policies and operating procedures, and protects the network information and supporting facilities. Information Processing Procedures. InsureMO has established a management procedure that handles, processes, stores and classifies information consistent with its communications, and dispose and mark all the media according to the classification standard.
System Security Control	Prevention of Data Disclosure. InsureMO limits the risk of data disclosure, regularly assesses the external communications security of data, conceals and adjusts the communication behavior of the system to reduce the possibility that third parties will infer information from these actions. InsureMO also regularly monitors the activities of individuals and system as well as the use of resources in computer systems under the existing laws and regulations. System Security Testing. InsureMO implements security testing on information system regularly and take a comprehensive testing before the information system gets online. System Acceptance Testing. The requirements and principles of the acceptance of new system will be clearly defined, formed into documents and through testing before the construction of new information system. The upgrade of new system and the update of new version will be operated online as a product only after formal testing and acceptance.
Security Incident Control	Policy on Information Security Incident. InsureMO has established the monitoring, reporting, warning, disposal, rectification mechanism of information security incident. InsureMO maintains a record of security incident, and knowledge gained from analyzing and resolving such incidents will be used to reduce the likelihood or impact of future incidents.
Business Continuity Control	Business Continuity Management. InsureMO has established the mechanism of identifying potential hazards that could lead to interruptions of business, as well as the possibility and impact of such interruptions and the security consequences due to the interruptions. InsureMO has formulated continual planning and implements emergency drills to ensure timely recovery upon interruptions or failure in critical business processes and to guarantee the availability of information.