Privacy Laws Charter
Released on – 01/01/2020
Last Modified on – 12/06/2023
Applicability:
This document (“Requirements”) forms an integral and legally binding part of any Master Services Agreement, Statement of Work, or other contract (“Agreement”) between Shaip (“Company”) and the service provider (“Vendor/freelancer/consultants”).
1. Definitions
For the purposes of these Requirements, the following terms shall have the meanings set forth below:
- “Applicable Data Protection Laws” means all international, federal, state, and local laws, rules, and regulations applicable to the Processing of Personal Data, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, HIPAA, PIPEDA, and LGPD.
- “Company Data” means all data, information, and materials, in any form or medium, provided to Vendor by or on behalf of the Company, or collected, generated, derived, pseudonymized, anonymized (if reversibility is possible), or Processed by Vendor on behalf of the Company. This includes Project Data and any Personal Data.
- “Data Breach” means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Data.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) contained within the Company Data.
- “Sensitive Personal Data” means any category of data considered sensitive under Applicable Data Protection Laws, including but not limited to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
- “Processing” means any operation performed on Company Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, dissemination, or destruction.
- “Project Data” means the specific data (e.g., voice, image, text) collected or created by the Vendor as part of the services delivered to the Company.
- “Sub-processor” means any third party engaged by the Vendor to Process Company Data.
2. Vendor’s Role and Obligations
2.1 Role as a Processor/Sub-processor. The Vendor acknowledges that in Processing Company Data, it acts as a “Processor” or “Sub-processor” on behalf of the Company. The Vendor has no ownership or independent rights to the Company Data.
2.2 Processing on Instruction. The Vendor shall Process Company Data only in accordance with the documented, lawful instructions of the Company, including those set forth in the Agreement and relevant Statements of Work. The Vendor is expressly prohibited from Processing Company Data for its own purposes or for any purpose not explicitly instructed by the Company. Instructions shall include data retention and disposal requirements. If the Vendor believes an instruction violates Applicable Data Protection Laws, it must immediately inform the Company.
2.3 Compliance with Laws. The Vendor warrants and represents that it will comply with all Applicable Data Protection Laws in its performance of the Agreement and shall promptly notify the Company if any law prevents compliance or requires disclosure of Company Data (e.g., government access requests).
3. Technical and Organizational Security Measures
3.1 Security Standards. The Vendor shall implement and maintain appropriate technical and organizational security measures to protect Company Data against any Data Breach. These measures shall be commensurate with the level of risk and the nature of the data, and shall, at a minimum, include:
- Encryption: Encryption of all Company Data at rest and in transit.
- Access Control: Strict access controls based on least privilege, ensuring only authorized personnel have access to Company Data.
- Data Minimization: Collecting and processing only the minimum amount of Personal Data necessary for the specified project.
- Secure Environments: Ensuring that all systems used to Process Company Data are securely configured, patched, logged, and monitored.
- Secure Deletion: Implementing processes for the secure and permanent deletion of Company Data upon instruction from the Company, including deletion from backups.
- Physical Security: Securing all physical locations and devices where Company Data is stored or accessed.
- Testing & Monitoring: Regular penetration testing, vulnerability assessments, and continuous monitoring.
- Business Continuity: Maintaining incident response, disaster recovery, and business continuity plans.
4. Sub-processing
4.1 Prior Consent Required. The Vendor shall not engage any Sub-processor to Process Company Data without the prior, specific written consent of the Company.
4.2 Flow-Down of Obligations. If consent is granted, the Vendor must enter into a written agreement with the Sub-processor that imposes on the Sub-processor the same or more stringent data protection obligations as are imposed on the Vendor by these Requirements.
4.3 Sub-processor List. The Vendor shall maintain an up-to-date list of Sub-processors and provide it to the Company upon request. The Company reserves the right to object to any Sub-processor at any time.
4.4 Full Liability. The Vendor shall remain fully liable to the Company for the performance of the Sub-processor’s obligations and for any act or omission of the Sub-processor.
5. Data Breach Notification and Management
5.1 Immediate Notification. The Vendor shall notify the Company in writing without undue delay, and in no event later than twenty-four (24) hours after first becoming aware of any Data Breach.
5.2 Breach Details. The notification must, at a minimum:
- Describe the nature of the Data Breach, including categories and approximate number of Data Subjects and data records concerned.
- Provide the name and contact details of the Vendor’s data protection officer or other relevant contact point.
- Describe the likely consequences of the Data Breach.
- Describe the measures taken or proposed to be taken by the Vendor to address the Data Breach and mitigate its effects.
5.3 Ongoing Updates. The Vendor shall provide regular updates until the incident is fully resolved.
5.4 Cooperation. The Vendor shall fully cooperate with the Company in the investigation, remediation, and notification of any Data Breach. The Vendor shall bear all costs associated with a Data Breach to the extent caused by its breach of these Requirements.
6. International Data Transfers
6.1 The Vendor shall not transfer Company Data across international borders without the prior written consent of the Company. The Vendor must specify all countries in which it will Process Company Data.
6.2 Where required, the Vendor agrees to enter into Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), the UK Addendum, or any other mechanism mandated by the Company to ensure lawful data transfers.
6.3 Vendor shall comply with local data residency requirements where applicable.
7. Audits and Inspections
The Company, or its designated third-party auditor, shall have the right to conduct audits, at its own expense, to verify the Vendor’s compliance with these Requirements. The Vendor shall provide all necessary information, documentation, and access to facilities and personnel.
The Vendor shall undergo regular third-party certifications (e.g., ISO 27001, SOC 2) and/or self-assessments, and promptly remediate any deficiencies identified in audits or assessments within a mutually agreed timeframe.
8. Data Subject Rights Assistance
The Vendor shall promptly, and in no case later than forty-eight (48) hours, notify the Company of any request received from a Data Subject to exercise their rights (e.g., access, rectification, erasure, portability). The Vendor shall not respond directly to such requests unless instructed by the Company and shall provide all necessary assistance to enable the Company’s response.
9. Data Return and Deletion
Upon termination of the Agreement or at the Company’s request, the Vendor shall, at the Company’s choice, securely delete or return all Company Data within thirty (30) days. The Vendor shall ensure deletion from backups and provide written certification of such deletion.
10. Special Categories of Data
10.1 Healthcare Data (HIPAA): If Vendor Processes any Protected Health Information (PHI), Vendor acknowledges it is a “Business Associate” (or subcontractor to a Business Associate) under HIPAA. Vendor must comply with HIPAA requirements and shall execute the Company’s Business Associate Agreement (BAA).
10.2 Other Sensitive Data: For projects involving Sensitive Personal Data (including biometric data or data from children), Vendor must obtain Company approval and adhere to heightened security and handling protocols as specified by the Company.
11. Indemnification and Liability
The Vendor agrees to defend, indemnify, and hold harmless the Company, its affiliates, officers, and clients from and against any and all claims, liabilities, damages, losses, fines, penalties, and expenses (including reasonable attorneys’ fees) arising out of or relating to any breach of these Requirements by the Vendor, its employees, or its Sub-processors.
Liability shall not be capped for Data Breaches, regulatory fines, willful misconduct, or fraud.
12. General Provisions
12.1 Primacy. In the event of any conflict between the terms of the Agreement and these Requirements, these Requirements shall prevail with respect to data protection.
12.2 Modification. These Requirements may only be modified by a written amendment signed by authorized representatives of both parties.
12.3 Survival. Obligations relating to confidentiality, data deletion, liability, and audit rights shall survive termination of the Agreement.
12.4 Governing Law. These Requirements shall be governed by and construed in accordance with the governing law set forth in the Agreement.