Data Processing Addendum
Forma DATA PROCESSING ADDENDUM
BY EXECUTING AN ORDER FORM AND/OR STATEMENT OF WORK THAT REFERENCES THIS DATA PROCESSING ADDENDUM (“DPA” OR “ADDENDUM”, TOGETHER WITH Forma’s MASTER TERMS AND CONDITIONS, THIS “AGREEMENT”), YOU AGREE YOU HAVE READ AND ARE BOUND BY THE TERMS OF THIS DPA, WHICH IS INCORPORATED IN AND FORMS A PART OF THE AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THIS AGREEMENT, IN WHICH CASE THE TERM “CUSTOMER” WILL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS AGREEMENT, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE Forma PLATFORM. IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THE AGREEMENT AND THIS DPA, THE TERMS OF THE DPA WILL APPLY.
This DPA is made as of the Effective Date of the Agreement between Twic, Inc. DBA Forma, a Delaware corporation with a place of business at 47000 Warm Springs Blvd, Suite 1-170, Fremont, CA 94539 (“Forma”), and the Customer identified in the applicable Order Form (“Customer”).
HOW THIS DPA APPLIES
Forma provides services to Customer under the Agreement. Pursuant to the Agreement, Forma may from time to time process Personal Data (as defined below) for which Customer may be a “Controller” or “Business” as defined by Applicable Data Protection Law (defined below), including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the retained version of the GDPR as it forms part of the law of England by virtue of the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”), and the California Consumer Privacy Act as amended by the California Privacy Rights Act. When processing such Personal Data, Forma may be a “Processor” or “Service Provider” as defined by Applicable Data Protection Law.
TERMS
- Definitions. All capitalized words not defined below will have the meaning set forth in the Agreement.
- “Applicable Data Protection Law” means privacy and data protection laws, regulations, and binding decisions by a Supervisory Authority or other applicable governmental entity applicable to Customer or Forma, respectively.
- “DPA Effective Date” means the Effective Date of the Agreement.
- “Personal Data” means all data which is defined as ‘personal data,’ ‘personal information,’ or ‘sensitive data’ as described under Applicable Data Protection Law, and which is provided by the Customer to Forma and is accessed, stored, or otherwise Processed by Forma pursuant to the Agreement.
- “Processing”, “Controller,” “Data Subject,” “Supervisory Authority,” and “Processor” have the same meaning set forth in the GDPR.
- “Standard Contractual Clauses” mean the standard data protection clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “Security Practices Summary” means summary documentation of Forma’s security practices (including without limitation third-party security attestations and certifications, as applicable) that Forma makes generally available to its customers, as may be updated by Forma from time to time. A copy of the Security Practices Summary, current as of the DPA Effective Date, is incorporated into Appendix 2 to this DPA.
- “Subprocessor” means a third party sub-contractor Forma may retain from time to time that Processes Personal Data to provide services to Forma necessary for Forma to perform its obligations under the Agreement.
- Role of Parties. Customer will at all times act as the “Controller” or “Business” as defined by Applicable Data Protection Law, and Forma will at all times act as the “Processor” or “Service Provider” as defined by Applicable Data Protection Law.
- Processing of Personal Data. With respect to the processing of Personal Data as detailed in Appendix 1:
- Forma will process Personal Data only in accordance with Applicable Data Protection Law and upon documented instructions from Customer, including as set forth in the Agreement and this DPA, unless otherwise required by applicable law to which Forma is subject; in such a case, Forma will inform Customer of the relevant legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Unless otherwise permitted by Applicable Data Protection Law, Forma will not retain, use, or disclose Personal Data: (a) outside of the direct business relationship between Forma and Customer; (b) for any other purpose than the business purposes specified in the Agreement; or (c) for any commercial purpose other than the business purposes specified in the Agreement.
- Forma will not sell Personal Data or share Personal Data for cross-context behavioural advertising purposes.
- Forma will implement and maintain appropriate technical and organizational measures to ensure a level of security for Personal Data consistent with Applicable Data Protection Law, such measures to be described in the Security Practices Summary, as may be updated from time to time; provided, however, that Forma will not materially degrade the level of security in effect as of the DPA Effective Date.
- Forma will ensure that those of Forma’s personnel who process Personal Data have a “need-to-know” such Personal Data in order to fulfill Forma’s obligations under the Agreement and are subject to confidentiality obligations to use and protect such Personal Data as required under the Agreement and this DPA.
- Forma will promptly notify Customer upon Forma’s or its Subprocessors’ receipt of any request, dispute or claim directly from a Data Subject (including, without limitation, requests related to the exercise of that Data Subject’s rights under Applicable Data Privacy Law with respect to Personal Data), and not respond to such request, dispute or claim unless and until Customer provides written consent to such response to Forma. Forma will provide reasonable assistance to Customer, upon Customer’s request, to enable Customer to respond to Data Subject requests, disputes or claims.
- Forma will notify Customer without undue delay (and in no case later than is required under Applicable Data Protection Law) if Forma or its Subprocessors reasonably suspect or know of any accidental or unlawful destruction or accidental loss, alteration, or unauthorized disclosure or access of Personal Data (a “Data Breach”), and, taking into account the nature of Forma’s processing and the information available to Forma, provide reasonable assistance to Customer with respect to any Data Breach (including without limitation cooperating with Customer with respect to notification of Supervisory Authorities and communicating to Data Subjects regarding a Data Breach).
- Forma will provide reasonable assistance to Customer where processing performed by Forma is relevant to a data protection impact assessment or prior consultation with a Supervisory Authority.
- To the extent Forma engages any Subprocessors, Forma will abide by the terms set forth in subsections 4.2.1 – 4.2.3 below.
- Forma will promptly notify Customer upon Forma’s or its Subprocessors’ receipt of any request for disclosure of Personal Data from a Supervisory Authority, government entity or court of law of a competent jurisdiction, or pursuant to a subpoena (unless otherwise prohibited by law).
- Forma will promptly notify Customer upon Forma’s or its Subprocessors’ determination that they can no longer meet their obligations under Applicable Data Protection Law, and their obligations to provide the level of protection to Personal Data required under the Agreement and this DPA.
- Upon notice by Customer, where Customer has reasonably determined Forma is no longer processing data in accordance with the Agreement and this DPA, Forma will, and grant Customer the right to, take reasonable and appropriate steps to stop and remediate such unauthorized processing.
- Forma will grant Customer the right to take reasonable and appropriate steps to ensure that Forma uses the Personal Data pursuant to the Agreement, including in a manner consistent with Customer’s obligations under Applicable Data Protection Law. Specifically, Customer may request to review Forma records directly relating to its use of Personal Data pursuant to the Agreement, provided that: (a) Customer must provide reasonable advance notice (of no less than 30 days) to Forma of any such requested review; (b) Customer may make such request no more than once annually; (c) in advance of Customer’s review, the Parties shall mutually agree upon the scope, timing, and duration of the review; (d) to the extent Customer will access any of Forma’s confidential and/or proprietary information in the review, Customer shall be bound by confidentiality obligations set forth in the Agreement or other terms reasonably specified by Forma to protect the confidentiality of such information; and (e) the review shall be conducted at Customer’s expense.
- At the choice of Customer, Forma will delete or return all Personal Data to Customer after the end of Forma’s provision of services and delete existing copies unless applicable law requires storage of the Personal Data.
- Standard Contractual Clauses
- To the extent that the processing of Personal Data under this Agreement involves transfers of Personal Data out of the EEA from Customer to Forma in the United States, Forma and the Customer enter into and agree to be bound by the provisions of Module 2 of the Standard Contractual Clauses, incorporated herein by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Forma; the optional docking clause in Clause 7 is not implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as twenty (20) days; the optional redress clause in Clause 11(a) is struck; Clause 13(a) paragraph 1 is implemented; Clause 17 option 2 is implemented and the governing law is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; Annex 1 and 2 to Module 2 of the Standard Contractual Clauses are Appendix 1 and 2 to this Addendum respectively.
- To the extent an adequate transfer safeguard is required under the UK GDPR for the transfer of Personal Data by Customer from the United Kingdom to Forma in the United States, Customer and Forma enter into and agree to be bound by the provisions of Module 2 of the Standard Contractual Clauses, as incorporated herein by reference and completed as set out in Section 4.1, with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0 (“UK Addendum”), also incorporated herein by reference and completed as follows: the start date in Table 1 is the Effective Date of the Agreement; the Parties’ details in Table 1 are as set forth above in this DPA; the key contacts of each Party in Table 1 are as set forth in Section A of Appendix 1 herein; in Table 2, the first box (stating “the version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information”) is selected and the effective date of the Agreement is inserted; in Table 3, the list of Parties, description of transfer, and technical and organizational measures are as set forth in Appendix 1 and 2 hereto; and in Table 4, the “Importer” and “Exporter” boxes are selected. In the event the UK Addendum applies, the Parties agree that their execution of the Agreement shall also constitute their execution of the UK Addendum. Pursuant to Clause 9(a) of the Standard Contractual Clauses:
- Customer acknowledges and agrees that Forma may retain Subprocessors for the purposes of providing services under the Agreement, and hereby provides general authorization to the use of Subprocessors as described herein. In addition, Customer hereby provides general authorization to the use of those Subprocessors engaged by Forma as of the DPA Effective Date.
- Upon written request from Customer (not more than once annually, unless required by a Supervisory Authority), Forma will provide to Customer a list of its then-current Subprocessors (the “Subprocessor List”). Forma shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) days in advance. Customer will have ten (10) days after receipt of the Subprocessor List to provide written notice to Forma of any objections Customer has with respect to one or more Subprocessors. Forma will have a commercially reasonable time after the receipt of any such objection to either (i) provide clarification to Customer regarding the Subprocessor’s processing activities, security profile, and compliance with Applicable Data Protection Law, and thereafter receive Customer’s authorization to use such Subprocessor (such authorization not to be unreasonably withheld) or (ii) make reasonable changes to Forma’s processing in order to accommodate the objection, and gain Customer’s approval of such changes. If Forma is unable to comply with (i) or (ii), Customer may terminate any services provided by Forma to Customer that involve processing by objected-to Subprocessors.
- Forma will enter into a written contract with each Subprocessor which imposes on such Subprocessor terms no less protective of Personal Data than those imposed on Forma in this DPA. Forma agrees to be liable for the acts and omissions of its Subprocessors to the same extent as Forma would be if performing the services of its Subprocessors under the terms of the Agreement.
- Pursuant to Clause 9(c) of the Standard Contractual Clauses:
- Customer agrees that the copies of the Subprocessor agreements may be provided only upon reasonable request, and only once annually (unless requested by a Supervisory Authority).
- Customer agrees that such copies may be provided in summary form or, upon reasonable request from Customer, in a form with all commercial information and clauses unrelated to data privacy and security redacted by Forma.
- Pursuant to Clause 8.9 of the Standard Contractual Clauses, an “audit” as described therein will be carried out as follows:
- Upon written request by Customer, and subject to the confidentiality obligations of the Agreement, Forma will make available to Customer the security information Forma generally makes available to its customers.
- In the event an on-site review is required by a Supervisory Authority or is otherwise reasonably requested by Customer, Customer and Forma will mutually agree upon the scope, timing, and duration of such on-site review. On-site audits will be carried out at Customer’s expense.
- Miscellaneous
- This DPA shall remain in full force and effect until the earlier of:
- the expiration or termination of the Agreement;
- the mutual agreement of the parties to terminate.
- In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will apply to the extent the Standard Contractual Clauses are relevant to Forma’s processing of Personal Data.
APPENDIX 1
- LIST OF PARTIES
- Data exporter(s): The legal entity that has executed the Standard Contractual Clauses as the data exporter, which is identified as the Customer in the Order Form. The Order Form is incorporated by reference herein, including without limitation the following Customer Information, as listed in the Order Form:
- Name: Customer Name, as set forth in the Order Form
Address: Customer Address, as set forth in the Order Form
Contact person’s name, position and contact details: As set forth in the Order Form
Activities relevant to the data transferred under these Clauses: Data exporter may submit, for processing by Data importer, Personal Data of its employees, agents, contractors and/or advisors who wish to use Forma’s platform and services for administering and participating in employee benefits programs.
Signature and date: As set forth in the Order Form
Role (controller/processor): Controller
- Data importer(s): The legal entity that has executed the Standard Contractual Clauses as the data importer (also referred to herein as Forma).
- Name: Twic Inc. DBA Forma
Address: 47000 Warm Springs Blvd, Suite 1-170, Fremont, CA 94539
Contact person’s name, position and contact details: Max Hsieh, CTO, max@joinforma.com
Activities relevant to the data transferred under these Clauses: Forma is a provider of software and related services, and which from time to time processes Personal Data upon the instruction of the data exporter in accordance with the terms of the Agreement.
Signature and date: As set forth in the Order Form
Role (controller/processor): Processor
- DESCRIPTION OF TRANSFER
- Categories of data subjects whose personal data is transferred
- Data exporter may submit Personal Data to the data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Data exporter’s assigned users of the Forma software and services
- Data exporter’s employees, agents, contractors or advisors (who are natural persons)
- Categories of personal data transferred
- The personal data transferred concern the following categories of data (please specify):
- From data subjects at customers that participate in post-tax benefits programs, the data importer collects names, email addresses, work location, department, and other work related information such as title and employment status. In addition, from data subjects at customers that participate in pre-tax benefits programs, the data importer will also collect date of birth, mailing address, benefits election data, including information related to data subjects’ participation in post-tax benefits programs as controlled and selected by the data exporter such as gym memberships and home office equipment reimbursements.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- On a continuous basis.
- Nature of the processing
- The performance of the services by Forma as set forth in the Agreement.
- Purpose(s) of the data transfer and further processing
- The objective of Processing Personal Data by the data importer is the performance of the services by Forma as set forth in the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- The personal data will be retained for as long as necessary for the purpose of the processing and taking into account applicable laws.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- A list and details of sub-processors can be provided on written request by Customer.
- COMPETENT SUPERVISORY AUTHORITY
- Identify the competent supervisory authority/ies in accordance with Clause 13
- The supervisory authority will be designated in accordance with Clause 13.
APPENDIX 2
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The Data Importer has implemented and will maintain appropriate technical and organisational measures to protect the personal data against misuse and accidental loss or destruction as set forth in Forma’s Security Practices Summary, a version of which is current as of the DPA Effective Date and accessible through the following link: https://www.joinforma.com/legal/security-addendum.
Forma may update its Security Practices Summary from time to time at its sole discretion, as described in this DPA. Forma will provide an updated version of its Security Practices Summary upon request.