OneSpan Sign Data Processing Addendum ("DPA")

If you elect a European instance for your OneSpan Sign Service (the “Service”), the European General Data Protection Regulation (“GDPR”) applies and OneSpan Canada Inc. and its affiliated entities (“OneSpan”) and Customer agree on the following conditions in regards of Data Processing.  Capitalized terms used herein and not defined shall have the meaning set forth in the OneSpan Sign Service Terms and Conditions (the “Agreement”):

1. ADDITIONAL DEFINITIONS

 “Data Controller” means the Customer which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

“Data Processor” means a natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of the Data Controller. For the purposes of this Addendum, OneSpan and its Affiliates is a Data Processor. 

“EU Data Protection Laws” means: (i) up to 25 May 2018, the Data Protection Directive 95/46/EC; and (ii) from 25 May 2018 onwards, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this Addendum, including local, state, national and/or foreign laws, treaties, and/or regulations, EU Data Protection Laws, and implementations of EU Data Protection Laws into national law.

“Data Subject” means the person to whom the Personal Data relates.

“EEA” means the European Economic Area.

 “Processing” or “Process” means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.

“Sub-processor” means a OneSpan Affiliate or third-party entity engaged by OneSpan or a OneSpan Affiliate as a Data Processor under the Agreement.

“Valid Transfer Mechanism” means a data transfer mechanism permitted by EU Data Protection Laws as a lawful basis for transferring Personal Data to a recipient outside the EU and the EEA.

2. PROCESSING PERSONAL DATA

2.1. Scope.  This Addendum applies to the Processing of Personal Data by Data Processor in the course of providing the Service under the European instance.

2.2. Instructions for Processing.  Data Processor will Process Personal Data on Customer’s documented instructions or as otherwise agreed to by the parties in writing. Customer instructs Data Processor to Process Personal Data to provide the Service. 

2.3. Compliance with Laws.  OneSpan shall (a) implement appropriate technical and organizational measures designed to meet the requirements of the various Data Protection Laws applicable to OneSpan in its role as a Data Processor; and (b) assist the Customer in complying with the obligations of Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information at OneSpan’s disposal. For the avoidance of doubt, OneSpan is not responsible for complying with Data Protection Laws applicable to Customer or Customer’s industry such as those not generally applicable to the Service. Customer shall comply with all Data Protection Laws applicable to Customer.

3. SUB-PROCESSORS

3.1. Use of Sub-processors.  Data Processor is authorized under this Addendum to engage third party Sub-processors to process Customer data. The list of currently authorized Sub-processors can be found at https://www.esignlive.com/landings/sub-processors-eu/. This Addendum also applies to OneSpan Affiliates that Process Personal Data as a Sub-processor.  OneSpan shall be liable for the acts and omissions of its Sub-processors to the same extent as if the acts or omissions were performed by OneSpan. 

3.2. Notification of New Sub-processors.  Prior to engaging a new Sub-processor OneSpan shall make available to Customer the name of the new third party Sub-processor authorized to Process Personal Data for the applicable Service engagement on the OneSpan website. If Customer has not sent to OneSpan its objection within 30 days following the publication, the new Sub-processor shall be deemed accepted. 

4. DATA CENTER LOCATION AND DATA TRANSFERS 

4.1     Storage of Personal Data.  Data will be stored in the data centers in Europe indicated on the Order Form between the parties, and if no such data centers is indicated, then the data centers  OneSpan deems most appropriate in its sole judgement.

4.2.  Access to Personal Data.   Customer agrees that OneSpan may Process Personal Data in (i) countries in the EEA, (ii) countries formally recognized by the European Commission as providing an adequate level of data protection (“Adequate Countries”), (iii) other countries in accordance with Section 4.3, or (iv) countries where Customer and/or its Affiliates are located.

4.3.     Data Transfer. In the event Personal Data is intended to be transferred outside the EEA and Adequate Countries, the parties agree to execute the EU Standard Contractual Clauses to handle cross-border processing of Personal Data.

5. RIGHTS OF DATA SUBJECTS

5.1. Correction, Deletion or Restriction.  OneSpan shall, upon Customer’s request, and to the extent (i) Customer does not otherwise have access to the relevant information, and (ii) that such information is reasonably available to  OneSpan: provide commercially reasonable efforts to assist Customer in responding to Data Subject Requests by, at  OneSpan’s discretion, either (a) providing Customer the ability within the Service to correct or delete Personal Data or restrict its Processing; or (b) making such corrections, deletions, or restrictions on Customer’s behalf if such functionality is not available within the Service or if such functionality  involves other OneSpan services. 

5.2. Access to Personal Data. OneSpan will, upon request, as necessary to enable Customer to meet its obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to Customer, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is reasonably available to OneSpan.

5.3. Handling of Data Subject Requests.  For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, deletion or restriction of that person’s Personal Data (“Data Subject Request”). If OneSpan receives a Data Subject Request, OneSpan shall promptly redirect the Data Subject Request to Customer. 

5.4. Data Portability.  During the term of the Agreement, Customer may access Personal Data from the Service in accordance with the Documentation and the relevant provisions of the Agreement, including so that Customer may provide the Personal Data to an individual who makes a data portability request under EU Data Protection Laws.

6. GOVERNMENT ACCESS REQUESTS. Unless prohibited by applicable law or a legally-binding request of law enforcement, OneSpan shall promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Personal Data.

7. ONESPAN PERSONNEL. OneSpan shall take reasonable steps to require personnel who may have access to Personal Data to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data and sign confidentiality agreements with OneSpan. 

8. SECURITY

8.1. Breach Notification.  To the best of its ability OneSpan shall notify Customer of any relevant unauthorized disclosure or use of Personal Data without undue delay in accordance with the relevant provisions of the Agreement or as required to meet the objectives of applicable law. 

8.2. Security Program.   OneSpan shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in accordance to Art. 32 of the GDPR. 

9. SECURITY ASSESSMENTS.  OneSpan undergoes certain assessments, certifications and/or audits related to security and/or privacy of the Service. 

10. DELETION OF PERSONAL DATA. Upon termination of the Agreement, Customer may access the Service to transfer the Personal Data to another Customer data location for a period of 30 days after termination of the Service. OneSpan shall delete Personal Data in accordance with relevant provisions of the Agreement or in accordance to OneSpan’s internal data removal schedule.

11. ADDITIONAL PRODUCTS. This Addendum does not apply to the Processing of Personal Data by additional products which are not part of the Service. 

12. GENERAL PROVISIONS

12.1. Customer Affiliates.  Customer is responsible for coordinating all communication with OneSpan on behalf of its Affiliates with regard to this Addendum.

12.2. Termination.  The term of this Addendum will end simultaneously and automatically with the termination of the Agreement. This Addendum may not be terminated in the interim.

12.3. Miscellaneous.  The section headings contained in this Addendum are for reference purposes only and shall not in any way affect the meaning or interpretation of this Addendum. If there is a conflict between the Agreement and this Addendum then the terms of this Addendum shall prevail. 

12.4. Customer Warranty. Customer represents and warrants that Customer (i) will transfer to OneSpan only Personal Data necessary for the performance of the Service, (ii) has provided due notice to and obtained all necessary consents of the data subject for the transfer and use of Personal Data to OneSpan; and (iii) maintains security and safety measures in the transfer and access to OneSpan of Personal Data (including de-identification of client or end-user related information unless transfer is necessary for the Service).

12.5. Access Requests. Customer can request access to Personal Data that OneSpan maintains. To protect privacy of Personal Data, OneSpan will take reasonable steps to verify Customer’s or the requesting person’s identity before granting access to or making changes to Personal Data.

Last revised: May 18, 2018.