
Sterling Technology Data Protection Addendum

This Data Protection Addendum ("Addendum") forms part of and is expressly incorporated in that certain agreement, howsoever titled ("Agreement"), between: (i) the client defined in the Agreement ("Company") and (ii) Sterling Technology Limited ("Vendor").
In consideration of the mutual obligations set forth herein, the sufficiency of which the parties acknowledge, the parties hereby agree that the terms and conditions set out below shall constitute an Addendum to and form a part of the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.  
1.    Definitions
1.1    In this Addendum, the following terms shall have the meanings set out below:
1.1.1    "Applicable Laws" means, to the extent applicable: (a) European Union, Member State or UK laws governing the processing of Company Personal Data, including EU Data Protection Laws and UK Data Protection Laws; and (b) any other law with respect to the processing of any Company Personal Data, including other applicable Data Protection Laws;
1.1.2    "Company Personal Data" means any Personal Data that is Processed by a Contracted Processor for the Company pursuant to or in connection with the Agreement;
1.1.3    "Contracted Processor" means Vendor or a Subprocessor of Vendor;
1.1.4    "Data Protection Laws" means, to the extent applicable, EU Data Protection Laws, UK Data Protection Laws and the data protection or privacy laws of any other country;
1.1.5    "EEA" means the European Economic Area;
1.1.6    "EU Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR, as amended, replaced or superseded from time to time;
1.1.7    "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8    "Restricted Transfer" means:
1.1.8.1    a transfer of Company Personal Data from Company to a Contracted Processor; or
1.1.8.2    an onward transfer of Company Personal Data from one Contracted Processor to another Contracted Processor, or between two establishments of a Contracted Processor; 
1.1.8.3    in each case, where such transfer would be prohibited by Data Protection Laws in the absence of the protection for the transferred Company Personal Data afforded pursuant to this Addendum.
1.1.9    "Services" means the services and other activities to be supplied to or carried out by or on behalf of Contracted Processor for Company pursuant to the Agreement;
1.1.10    "Standard Contractual Clauses" means, as the context requires or otherwise indicated in this Addendum, (i) Module 2 of the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Module 2 SCC”), and/or (ii) Module 2 SCC deemed amended by the provisions of Part 2 (Mandatory Clauses) of the UK IDTA (“UK SCC”); each is expressly incorporated herein by reference, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;
1.1.11    "Subprocessor" means any person (including any third party but excluding an employee of Vendor) appointed by or on behalf of Vendor to Process Personal Data for Company in connection with the Agreement; 
1.1.12    “UK Data Protection Laws” means GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, and any subordinate, related or implementing domestic legislation; in each case, as amended, replaced or superseded from time to time; and
1.1.13    “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
1.1.14    The terms "Controller", "Data Subject", "Member State", "Personal Data", “Processes”, "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR. 
1.1.15    References to “GDPR” shall be construed as references to “GDPR” and/or “UK GDPR”, as applicable.
1.1.16    References to the plural shall include the singular and the singular shall include the plural, as appropriate.
2.    Authority
Vendor agrees that, before Vendor Processes any Company Personal Data, Vendor's entry into this Addendum will have been duly and effectively authorised.
3.    Processing of Company Personal Data
3.1    The parties acknowledge that for purposes of this Addendum, Company is a Controller and Vendor is a Processor of Company Personal Data. This Addendum sets forth the requirements applicable to Company Personal Data Processed by Vendor or through Vendor’s (or a Subprocessor’s) systems in connection with providing the Services. Schedules 1 and 2 hereto (including the Annexes thereto) set out the parties’ understanding of the Company Personal Data to be Processed by Vendor pursuant to this Addendum, as required by Article 28(3) of the GDPR, and the Standard Contractual Clauses, as applicable. Company will inform Vendor of any changes to any such Schedule or Annex hereto required in order to reflect Company’s actual use of the Services. Vendor shall not Process Company Personal Data other than on Company’s instructions unless Processing is required by applicable laws to which the Vendor is subject, in which case Vendor shall to the extent permitted by law inform Company of that legal requirement before the relevant Processing of Company Personal Data. 
3.2    Company shall:
3.2.1    expressly inform Vendor in writing every time Services involve Company Personal Data prior to the time that Vendor commences such Services and complete as necessary Schedule 1 and the Annexes in Schedule 2 hereto;
3.2.2    instruct Vendor (and authorises Vendor to instruct each Subprocessor) to: 
3.2.2.1    Process Company Personal Data; and
3.2.2.2    transfer Company Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the Agreement and all Data Protection Laws.
4.    Vendor Personnel
Vendor shall take reasonable steps to protect the confidentiality and privacy of Company Personal Data, ensuring in each case that access is limited to those individuals who reasonably need to know and/or access the relevant Company Personal Data for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings.
5.    Security
5.1    Taking into account the state of the art, the costs of implementation and the disclosed nature, scope, context and purposes of Processing hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, as set forth in Schedule 2, Annex II.
5.2    In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
6.    Subprocessing
6.1    Company authorises Vendor to appoint Subprocessors in accordance with this Section 6 and any restrictions in the Agreement.
6.2    Company understands that Vendor is in the business of supplying professional linguists and other Service providers who are independent contractors (not full-time employees of Vendor). Each such linguist or other Service provider is a Subprocessor. For each project that Vendor executes for Company, Vendor will identify and select the linguist or other Service provider that is the best match for the project in light of the nature and circumstances of the Service and project, including, but not limited to, the languages involved, the underlying subject matter of the information requiring Services, availability, cost and other relevant factors, and the Company authorizes the use of such Service providers.
6.3    For Services with respect to which Company has provided notification pursuant to section 3.2.1 of this Addendum that the Services involve Company Personal Data, Vendor shall:
6.3.1    maintain a list of the Subprocessors engaged and provide this list to the Company upon written request;  
6.3.2    ensure that the arrangement between Vendor and the Subprocessor is governed by a written contract including data protection terms that meet the requirements of the relevant Data Protection Laws (which contract may be this Addendum); 
6.3.3    remain fully liable to the Company for the performance of the Subprocessor’s obligations; and
6.3.4    if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between the Vendor and the Subprocessor.
6.4    Company hereby specifically authorizes Vendor to engage Subprocessors for the purpose of providing the Services, subject to the following conditions: (i) Vendor will maintain a list of the Subprocessors engaged and provide this list to the Company upon written request; (ii) upon written request of the Company, Vendor will provide to the Company at least 2 days’ prior notice of the addition or replacement of any Subprocessor on this list so that the Company may have an opportunity to object in writing to such addition(s) or replacement(s); and (iii) if the Company makes such an objection on reasonable grounds and Vendor is unable to modify the Services to prevent Subprocessor’s processing of Company Personal Data, the Company shall have the right to terminate the relevant Processing, without penalty for either party, notwithstanding anything to the contrary in the Agreement.
7.    Data Subject Rights
7.1    Taking into account the nature of the processing, Vendor shall assist the Company by taking appropriate technical and organizational measures for the fulfilment of the Company’s obligation under Data Protection Laws to respond to requests for exercising Data Subject rights.
7.2    Vendor shall promptly notify Company if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data.
8.    Personal Data Breach
8.1    Vendor shall notify Company without undue delay upon Vendor’s or any Subprocessor’s becoming aware of a Personal Data Breach affecting Company Personal Data (“Breach”), providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Breach under the Data Protection Laws.  
8.2    Vendor shall reasonably co-operate with Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Breach.
9.    Data Protection Impact Assessment and Prior Consultation
Vendor shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
10.    Deletion or return of Company Personal Data
10.1    Upon written request of Company, Vendor shall (a) delete or return all Company Personal Data to Company; and/or (b) delete and procure the deletion of all other copies of Company Personal Data Processed by any Contracted Processor. 
10.2    Each Contracted Processor may retain Company Personal Data to the extent required by law provided that Vendor and each Subprocessor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose. 
11.    Audit rights
11.1    Vendor shall make available to Company information reasonably necessary to demonstrate compliance with the obligations laid down in this Addendum and in the Data Protection Laws and allow for and contribute to audits, including inspections, reasonably conducted by Company or another auditor mandated by Company; provided, however that: (a) Company gives at least two weeks’ written notice to Vendor; (b) such audit or inspection will be conducted during normal business hours and shall not interfere with Vendor operations; and (c) Company shall not be entitled access to any information (including Personal Data) that is not Company Personal Data and that is subject to a confidentiality obligation under law or contract, including without limitation any such obligation owed to another customer of Vendor. Notwithstanding the foregoing, Company shall be entitled to exercise its rights under this Section 11 more than once per year during the term of the Agreement in the event of a Breach or if required by a Supervisory Authority.
12.    Restricted Transfers
12.1    Company and each Company Affiliate (each as “data exporter”) and Vendor and each Vendor Affiliate (“data importer”), with effect from the commencement of the relevant transfer, hereby enter into (i) the Module 2 SCC in respect of any Restricted Transfer from Company or any Company Affiliate to Vendor governed by GDPR; and/or (ii) the UK SCC in respect of any Restricted Transfer from Company or any Company Affiliate to Vendor governed by UK Data Protection Law. 
12.2    The parties agree that with respect to any Restricted Transfer that is subject to the GDPR, the provisions of the Module 2 SCC are expressly incorporated herein by reference and shall apply with the following options: 
12.2.1    Clause 7 – Docking clause, shall apply;
12.2.2    Clause 9 – Use of subprocessors, Option 1 shall apply and the time period shall be two (2) days; 
12.2.3    Clause 11(a) – Redress, the optional language shall not apply;
12.2.4    Clause 13(a) – Supervision, the following shall be inserted: [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Schedule 2, Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Schedule 2, Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in Schedule 2, Annex I.C, shall act as competent supervisory authority.
12.2.5    Clause 17 – Governing law, Option 1 shall apply and the Member State shall be The Netherlands;
12.2.6    Clause 18 – Choice of forum and jurisdiction, the Member State shall be The Netherlands;
12.2.7    Annex I shall be deemed populated with the relevant sections of Schedule 2, Annex I hereto; and 
12.2.8    Annex II shall be deemed populated with the relevant sections of Schedule 2, Annex II hereto.
12.3    The parties agree that with respect to any Restricted Transfer that is subject to the UK GDPR, the Module 2 SCC are expressly incorporated by reference and shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK SCC, and the parties confirm that the information required for the purposes of Part 1 (Tables) of the UK SCC is hereby completed as follows:
12.3.1    For Table 1: the parties’ fields will be deemed to be pre-populated with the exporter and importer parties set out in Schedule 2, Annex I.A. hereof;
12.3.2    For Table 2: the Module 2 SCC including the Appendix Information and with only the modules, clauses or optional provisions of the Module 2 SCC listed in Section 12.2 above, brought into effect for the purpose of the UK SCC;
12.3.3    For Table 3: the Appendix Information is set out in the following:
12.3.3.1    Annex 1A: List of parties: as set out in Schedule 2, Annex I.A. hereof; 
12.3.3.2    Annex 1B: Description of Transfer: as set out in Schedule 2, Annex I.B. hereof; 
12.3.3.3    Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: as set out in Schedule 2, Annex II hereof; 
12.3.4    For Table 4: the parties agree that neither of them may end the UK SCC in accordance with the provisions of Section 19 of the UK SCC.
12.4    If, at any time, a Supervisory Authority or a court with competent jurisdiction over a party mandates that transfers of Personal Data from Controllers in the EEA or the UK to Processors established outside the EEA or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organizational measures), the parties shall work together in good faith to implement such safeguards and ensure that any transfer of Company Personal Data is conducted with the benefit of such additional safeguards.
13.    General Terms
13.1    This Data Protection Addendum comes into force upon signature by the parties. The term of this Addendum corresponds to the term of the Agreement. This Addendum shall be governed by the law of the country as set forth in the Agreement. For all disputes in connection with this Addendum, the sole place of jurisdiction shall be the place of jurisdiction as set forth in the Agreement.
13.2    This Addendum supplements, and does not replace, any existing obligations related to the privacy and security of Company Personal Data set forth in the Agreement. In the event of a conflict between the terms of this Addendum and the Agreement, Vendor shall comply with the obligations that provide the most protection for Company Personal Data. In the event of any conflict or inconsistency between the terms of the Agreement or this Addendum, and the terms of any Standard Contractual Clauses, the latter shall control.
13.3    Any amendment, waiver or modification of this Addendum shall only be enforceable if in writing.
13.4    The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or under the Data Protection Laws.  Except as modified herein, the terms of the Agreement shall remain in full force and effect. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.


SCHEDULE 1

DESCRIPTION OF PROCESSING AND SECURITY MEASURES
This Schedule includes certain details of the Processing of Company Personal Data as required by Articles 28(3) and 28(4) GDPR. 
Subject matter and duration of the Processing of the Company Personal Data
The subject matter activities relevant to the data transferred under these Clauses shall be as set forth in the Agreement, or equivalent document, and shall depend on which of the following services are selected by the Company: The Vendor offers the following basic processing activities: foreign language translation services and/or litigation support services. As a foreign language translation services provider, Vendor will translate the Company’s documents and information, including, but not limited to, human resources documents, legal documents, medical documents, and business and operational documents. As a litigation support services provider, Vendor will provide technology platforms and human support services to assist law firms and corporations with searching and preparing documents for litigations, arbitrations and investigations (collectively, “Disputes”), identifying and collecting electronic documents in connection with Disputes, reviewing and producing documents in connection with Disputes, supplying stenographers, document review attorneys, and “virtual data rooms” in connection with corporate transactions.
The duration of the processing is set out in the Agreement addressing the scope of services.
The nature and purpose of the Processing of the Company Personal Data
The nature and purpose of the processing is to provide the services set forth in the Agreement, as summarized above. 
The categories of Data Subjects to whom the Company Personal Data relates

The categories of Data Subjects to whom the Company Personal Data relates include, but are not limited to, employees, customers, clients, patients and test subjects of the Company.
The types of Company Personal Data to be Processed
The types of Company Personal Data to be Processed include, but are not limited to, names, addresses, contact information and account numbers of Data Subjects that may be contained within documents the Company delivers to Vendor for Services.
Special categories of Company Personal Data (if appropriate)
No special category of personal data is expected to be included in the Services unless the Company informs the Vendor to the contrary in writing.
The obligations and rights of Controller 
The obligations and rights of Controller are set out in the Agreement.
TECHNICAL AND ORGANISATIONAL MEASURES
Vendor has implemented comprehensive technical and organisational measures including, without limitation, compliance with global data security standards like ISO 27001 and 9001, SSAE16 and/or PCI Compliance certifications for certain of Vendor’s service lines. Upon written request from the Company for a particular project, Vendor will detail the applicable and relevant organisational security measures implemented. 
SCHEDULE 2
ANNEX I
A. LIST OF PARTIES
Data exporter(s) (Company): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: As set forth in the Agreement
Address: As set forth in the Agreement 
Contact person’s name, position and contact details: As set forth in the Agreement
Activities relevant to the data transferred under these Clauses: Data exporter (Company) and data importer (Vendor) have entered into the Agreement, whereby the data exporter provides personal data to the data importer so that the latter can provide data exporter the services described in the Agreement 
Signature and date: As set forth in the Agreement 
Role (controller/processor): As set forth in the Agreement 
Data importer(s) (Vendor): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection] 
1. Name: Sterling Technology Limited
Address: First Floor, 5 Fleet Place, London, United Kingdom, EC4M 7RD
Contact person’s name, position and contact details: Stacey Watanabe, Data Protection Officer, dpo@sterlingvdr.com
Activities relevant to the data transferred under these Clauses shall be as set forth in the Agreement or any purchase order, statement of work or similar document and shall depend on which of the following services are selected by Company: The Vendor offers the following basic processing activities: foreign language translation services and/or litigation support services.  As a foreign language translation services provider, Vendor will translate the Company’s documents and information, including, but not limited to, human resources documents, legal documents, medical documents, and business and operational documents.  As a litigation support services provider, Vendor will provide technology platforms and human support services to assist law firms and corporations with searching and preparing documents for litigations, arbitrations and investigations (collectively, “Disputes”), identifying and collecting electronic documents in connection with Disputes, reviewing and producing documents in connection with Disputes, supplying stenographers, document review attorneys, and “virtual data rooms” in connection with corporate transactions. 
Signature and date: As set forth in the Agreement 
Role (controller/processor):  Processor 


B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
The categories of data subjects to whom the personal data relates include, but are not limited to, employees, customers, clients, patients and test subjects of the Company. 
Categories of personal data transferred
The types of personal data to be processed include, but are not limited to, names, addresses, contact information and account numbers of data subjects that may be contained within documents the Company delivers to Vendor.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. 
No sensitive data is expected to be transferred unless the Company informs the Vendor to the contrary in writing.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Company will make such transfers at such times as necessary for Vendor to fulfil its contractual obligations to Company while such contract remains in effect.
Nature of the processing
See Annex I for activities relevant to the data transferred under these Clauses.
Purpose(s) of the data transfer and further processing
The purpose of the processing is to provide the services set forth in the relevant contract between Company and Vendor.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The Company Personal Data will be retained only so long as necessary for Vendor to comply with its legal obligations under the relevant contract between Company and Vendor.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter and nature will be the same as shall be conducted by the Vendor hereunder. The duration shall be only for so long as Subprocessor is required to perform services hereunder for the Vendor.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority of the data exporter
 
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1.    Vendor Security Measures. As part of this, Vendor agrees and warrants that it has implemented technical and organizational measures appropriate to protect Customer Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. The measures Vendor has taken include, as appropriate and without limitation:
    Vendor shall have in place, maintain and follow a comprehensive, written information security program that materially conforms with the ISO/IEC 27001:2022 Information technology, and meets or exceeds industry standards for technical, physical, administrative and organizational security measures;
    Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of Customer Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the Customer, its customers or employees; and any anticipated threats or hazards to the security or integrity of such information;
    Adopting, documenting in one or more parts, and implementing reasonable policies and standards related to security;
    Assigning responsibility for information security management;
    Devoting adequate personnel resources to information security;
    Conducting appropriate background checks and requiring Vendors and others with access to the Customer's Confidential Data to enter into written confidentiality agreements;
    Conducting training to make employees and others with access to Customer Confidential Data aware of information security risks and to enhance compliance with its policies and standards related to data protection;
2.    Access Control and Prevention Measures. Preventing unauthorized access to the Customer Data [including Customer Intellectual Property] through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and Malware protection, monitoring compliance with its policies and standards related to data protection on an ongoing basis. In particular, Vendor has implemented and complies with, as appropriate and without limitation:
    Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance and exterior security); 
    Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements, firewalls, etc.);
    Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Customer Confidential Data cannot be read, copied, modified or removed without authorization;
    Data transmission control measures to ensure that Customer Confidential Data cannot be read, copied, modified or removed without authorization during electronic transmission, transport or storage on data media, and transfer and receipt records;
    Following Section 10 below, encryption of any Customer Data transmitted electronically (other than by facsimile) to a person outside Vendor’s IT system, transmitted over a wireless network, or stored on any movable or portable media;
    Data entry control measures to ensure that it is possible to check and establish whether and by whom Customer Data has been input into data processing systems, modified, or removed;
    Vendor supervision measures to ensure that, where Vendor is permitted to use Subprocessors, the data is processed strictly in accordance with the Controller's instructions, including, as appropriate and without limitation;
    Measures to ensure that Customer Data is protected from unauthorized processing and accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterruptible power supply; and disaster recovery programs;
    Measures to ensure that data collected for different purposes can be processed separately including, as appropriate and without limitation, physical or adequate logical separation of Customer Data.
3.    Business Continuity and Disaster Recovery. Vendor will ensure that it has in place at all times an appropriate business continuity and disaster recovery plan for its business (the “Business Continuity Plan”) which will ensure the continued performance of its obligations under this Agreement and operational resilience generally.  Vendor will: 
(i)    develop and update the Business Continuity Plan from time to time, and in any event annually, following good industry practice, and the Vendor will, upon request, deliver a copy of the current plan to Customer;
(ii)    if required by Customer, explain how the procedures set out in it will interface with any business continuity and disaster recovery plans and procedures of Customer notified to the Vendor from time to time;  
(iii)    test the Business Continuity Plan at least annually; and
(iv)    take such other steps as may be appropriate under the circumstances.
4.    Malware Security; Detection. Vendor will, on a regular basis, cause the Service Software and Systems through which the Services are hosted or otherwise delivered to be scanned by one or more then-current, industry-standard Malware detection programs. Vendor will not make available any Service or portion thereof that Vendor knows has Malware. "Malware" means computer code that is not a normal feature of the Service or any part thereof and that is designed or intended to have any of the following functions: (i) disrupting, disabling, otherwise substantially impeding the normal operation of, or providing unauthorized access to, a computer system or network, software or other device; or (ii) damaging or destroying any data file without Customer's consent. If Vendor detects Malware in the Service Software or Systems, Vendor will notify Customer as soon as reasonably possible, and will eliminate the Malware, mitigate any losses of operational efficiency or data, and be responsible for all data cleanup and reconstruction costs incurred by Customer directly or indirectly from the introduction of the Malware.
5.    Vulnerability Testing. Vendor acknowledges and agrees that Customer will conduct vulnerability testing of the Systems and applications that Vendor uses or delivers, or proposes to use or deliver, during the provision of Services. Such testing will occur once prior to production use or launch of an application or Service hereunder, and then periodically thereafter in production or post-launch of such application or Service, at Customer's discretion, during the Term. Vendor will, upon receipt of notice from Customer that it intends to conduct such vulnerability testing, promptly provide Customer and its designated representatives (if any) with access to such Systems, Vendor Personnel and any other resources at Vendor's disposal as may reasonably be required by Customer to conduct such testing. Vendor further acknowledges that such testing may originate external to its Systems, via the public Internet or via Customer's internal network or private extranet connection.
6.    Security Incident Response Plan and Remediation Plan. The Vendor shall maintain a solution-specific Security Incident Response Plan and Remediation Plan ("SIRPR Plan") that either meets or exceeds industry standards, such as ISO 27001:2022 and National Institute of Standards and Technology ("NIST") guidance, or equivalent, to maintain the information security component of the solution's requirements. The plan should document, at the minimum, the following incident response and remediation sequences: 1) incident trigger phase (identification); 2) evaluation phase; 3) escalation phase; 4) response phase; 5) recovery phase; 6) de-escalation phase; 7) post-incident review phase. The following information should also be included in the SIRPR Plan: incident time/date, report date, reported by, incident type, location, description, data compromise, systems impacted, number of hosts affected, IP address, operating systems, source IP address, other applications, impact assessment, resulting damage, immediate action taken, planned action, resulting corrective/preventive measures and remediation measures, etc. In case of a Security Breach, Vendor will follow the incident notification requirements in the Addendum and promptly provide the SIRPR Plan to Customer.
7.    Third Party Security Attestation. Vendor will maintain a consistent third-party penetration testing or security-focused code review of the solution provided to the Customer. The penetration test or security-focused code review shall attest to the security of the solution and be conducted by an independent third party on a regular cadence of not less than annually. This attestation shall be provided to the Customer upon request.
8.    Return or Deletion of Data. Vendor will return or delete Customer Data in accordance with the terms of the Addendum.
9.    Audits; Compliance Verification. Vendor will follow the audit and compliance verification requirements in accordance with the terms of the Addendum.
10.    Encryption. At a minimum, Vendor shall encrypt all files containing Customer Data both at rest and in transit using industry-standard algorithms that meet or exceed PCI DSS encryption standards and/or any other encryption standards under applicable laws (for example: TLS 1.2 in transit, AES 256 at rest, relevant field encryption for restricted data, etc.). Vendor shall ensure that all encryption keys/passwords used to access encrypted Customer Data will be encrypted and securely stored separately from the encrypted Customer Data, accessible only to authorized individuals with authorized privileges.