Personal Information Processing Agreement

This Personal Information Processing Agreement (“PIPA”), entered into by the provider of goods and/or services (“Provider”) identified on the applicable agreement or ordering document (“Service Provider Agreement”) and the Tow Foundation, Inc. (along with its affiliates, the “Foundation” or “Customer”), governs the processing of Personal Information by Provider on behalf of the Foundation in connection with such goods and/or services.

This Agreement is incorporated into the relevant Foundation goods and/or services agreement or ordering document by reference. Collectively, this PIPA and the applicable agreement or ordering documents are referred to in this PIPA as the “Agreement.” 

Definitions and Interpretation

  1. The following definitions and rules of interpretation apply in this PIPA.

    “Business Purpose” means the services described in the Service Provider Agreement or any other purpose specifically identified in Appendix A.

    “Data Subject” means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

    “Personal Information” means any information the Provider processes for the Foundation that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

    “Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

    “Privacy and Data Protection Requirements” means all applicable federal, state and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

    “Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

  2. The Appendices form part of this PIPA and will have effect as if set out in full in the body of this PIPA. Any reference to this PIPA includes the Appendices.
  3. A reference to writing or written includes faxes but not email.
  4. In the case of conflict or ambiguity between:
    1. any provision contained in the body of this PIPA and any provision contained in the Appendices, the provision in the body of this PIPA will prevail;
    2. the terms of any accompanying invoice or other documents annexed to this PIPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail; and
    3. any of the provisions of this PIPA and the provisions of the Service Provider Agreement, the provisions of this PIPA will prevail.

Personal Information Types and Processing Purposes

  1. The Foundation retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
  2. Appendix A describes the general Personal Information categories and related types of Data Subjects the Provider may process to fulfill the Business Purposes of the Service Provider Agreement. The Foundation discloses Personal Information to the Provider only for the limited and specified Business Purposes.

Provider’s Obligations

  1. The Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Foundation’s written instructions. The Provider will not process, retain, use, or disclose the Personal Information for any other purpose, outside of the parties’ business relationship, or in a way that does not comply with this PIPA or the Privacy and Data Protection Requirements. This includes not combining or updating the Personal Information with personal information obtained outside of this contract unless the Privacy and Data Protection Requirements permit the action. The Provider must promptly notify the Foundation if, in its opinion, the Foundation’s instruction would not comply with the Privacy and Data Protection Requirements.
  2. The Provider must promptly comply with any Foundation request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.
  3. The Provider will maintain the confidentiality of all Personal Information, will not sell it to anyone or share it with anyone for cross-context behavioral advertising, and will not disclose it to third parties unless the Foundation or this PIPA specifically authorizes the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Information, the Provider must first inform the Foundation of the legal requirement and give the Foundation an opportunity to object to or challenge the requirement, unless the law prohibits such notice.
  4. The Provider will reasonably assist the Foundation with meeting the Foundation’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.
  5. The Provider must promptly notify the Foundation of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect the Provider’s performance of the Service Provider Agreement or this PIPA.
  6. The Provider will only collect Personal Information for the Foundation using a notice or method that the Foundation specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Foundation’s identity, the purpose or purposes for which their Personal Information will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements. The Provider will not modify or alter the notice in any way without the Foundation’s prior written consent.

Provider’s Employees

  1. The Provider will limit Personal Information access to:
    1. those employees who require Personal Information access to meet the Provider’s obligations under this PIPA and the Service Provider Agreement; and
    2. the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
  2. The Provider will ensure that all employees:
    1. are informed of the Personal Information’s confidential nature and use restrictions and are obliged to keep the Personal Information confidential;
    2. have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
    3. are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this PIPA.
  3. The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks consistent with applicable law on, all of the Provider’s employees with access to the Personal Information.

Security

  1. The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage including, but not limited to, the security measures set out in Appendix B. The Provider must document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete.
  2. The Provider will immediately notify the Foundation if it becomes aware of any advance in technology or methods of working that indicates the parties should adjust their security measures.
  3. The Provider must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.

Security Breaches and Personal Information Loss

  1. The Provider will promptly notify the Foundation if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.
  2. The Provider will immediately notify the Foundation if it becomes aware of:
    1. any unauthorized or unlawful processing of the Personal Information; or
    2. any Security Breach.
  3. Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will coordinate with each other to investigate the matter. The Provider will reasonably cooperate with the Foundation in the Foundation’s handling of the matter, including:
    1. assisting with any investigation;
    2. providing the Foundation with physical access to any facilities and operations affected;
    3. facilitating interviews with the Provider’s employees, former employees, and others involved in the matter; and
    4. making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Foundation.
  4. The Provider will not inform any third party of a Security Breach without first obtaining the Foundation’s prior written consent, except when law or regulation requires it; provided that the Provider may notify its insurers, as well as its legal and other advisors, where reasonably required.
  5. The Provider agrees that, except where law or regulation requires otherwise, the Foundation has the sole right to determine:
    1. whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Foundation’s discretion, including the contents and delivery method of the notice; and
    2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
  6. The Provider will cover all reasonable expenses associated with the performance of the obligations under Section 6.2 and Section 6.3, unless the matter arose from the Foundation’s specific instructions, negligence, willful default, or breach of this PIPA, in which case the Foundation will cover all reasonable expenses.
  7. The Provider will also reimburse the Foundation for actual reasonable expenses the Foundation incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in Section 6.5.

Cross-Border Transfers of Personal Information

  1. Appendix A lists all of the countries where the Provider may receive, access, transfer, or store Personal Information. The Provider must not receive, access, transfer, or store Personal Information outside the countries listed on Appendix A without the Foundation’s prior written consent.
  2. The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements. In Appendix A, the Provider must identify the legal basis supporting any transfers it makes and must immediately inform the Foundation of any change to that status.

Subcontractors

  1. The Provider may only authorize a third party (subcontractor) to process the Personal Information if:
    1. the Foundation provides prior written consent after the Provider supplies the Foundation with full details regarding such subcontractor;
    2. the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this PIPA and, upon the Foundation’s written request, provides the Foundation with copies of such contracts;
    3. the Provider maintains control over all Personal Information it entrusts to the subcontractor; and
    4. the subcontractor’s contract terminates automatically on termination of this PIPA for any reason.
  2. The Provider must provide the Foundation with a list of all approved subcontractors and include any subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance.
  3. Where the subcontractor fails to fulfill its obligations under such written agreement, the Provider remains fully liable to the Foundation for the subcontractor’s performance of its agreement obligations.
  4. The Parties consider the Provider to control any Personal Information controlled by or in the possession of its subcontractors.
  5. Upon the Foundation’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Foundation’s Personal Information and provide the Foundation with the audit results.

Complaints, Data Subject Requests, and Third-Party Rights

  1. The Provider must notify the Foundation immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.
  2. The Provider must notify the Foundation within two (2) working days if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions.
  3. The Provider will give the Foundation its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.
  4. The Provider must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Foundation’s request or instruction, permitted by this PIPA, or is otherwise required by law.

Term and Termination

  1. This PIPA will remain in full force and effect so long as:
    1. the Service Provider Agreement remains in effect; or
    2. the Provider retains any Personal Information related to the Service Provider Agreement in its possession or control (the “Term”).
  2. Any provision of this PIPA that expressly or by implication should come into or continue in force on or after termination of the Service Provider Agreement in order to protect Personal Information will remain in full force and effect.
  3. The Provider’s failure to comply with the terms of this PIPA is a material breach of the Service Provider Agreement. In such event, the Foundation may terminate the Service Provider Agreement, or any part of the Service Provider Agreement authorizing the processing of Personal Information, effective immediately upon written notice to the Provider without further liability or obligation.
  4. If a change in any Privacy and Data Protection Requirement or either party’s circumstances prevents a party from fulfilling all or part of its Service Provider Agreement obligations, the parties will suspend the processing of Personal Information until the party’s processing complies with the requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirements, they may terminate the Service Provider Agreement upon reasonable written notice to the other party.

Data Return and Destruction

  1. At the Foundation’s request, the Provider will give the Foundation a copy of or access to all or part of the Foundation’s Personal Information in its possession or control in the format and on the media reasonably specified by the Foundation.
  2. On termination of the Service Provider Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Foundation, return and not retain, all or any Personal Information related to this agreement in its possession or control.
  3. If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Foundation in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.
  4. The Provider will certify in writing that it has destroyed the Personal Information within two (2) days after it completes the destruction.

Records

  1. The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Foundation, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
  2. The Provider will ensure that the Records are sufficient to enable the Foundation to verify the Provider’s compliance with its obligations under this PIPA.
  3. The Foundation and the Provider must review the information listed in the Appendices to this PIPA once a year to confirm its current accuracy and update it when required to reflect current practices.

Audit

  1. At least once per year, the Provider will conduct site audits of its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this PIPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.
  2. Upon the Foundation’s written request, the Provider will make all of the relevant audit reports available to the Foundation for review, including as applicable: the Provider’s latest Payment Card Industry Data Security Standard (PCI DSS) compliance report; System and Organization Controls (SOC) 1, SOC 2, or SOC 3 reports (Type I or Type II, as applicable); Statement on Standards for Attestation Engagements (SSAE) No. 18 reports on controls at a service organization; and reports relating to its ISO/IEC 27001 certification.
  3. The Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.

Warranties

  1. The Provider warrants and represents that:
    1. its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and
    2. it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this PIPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
    3. it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Service Provider Agreement’s contracted services; and
    4. considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
      1. the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
      2. the nature of the Personal Information protected; and
    5. it will comply with all applicable Privacy and Data Protection Requirements and its own information security policies, including the security measures required in clause 5.1.
  2. The Foundation warrants and represents that the Provider’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Foundation will comply with all Privacy and Data Protection Requirements.

Indemnification

  1. The Provider agrees to indemnify, keep indemnified, and defend at its own expense the Foundation against all costs, claims, damages, or expenses incurred by the Foundation or for which the Foundation may become liable due to any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this PIPA or applicable Privacy and Data Protection Requirements.
  2. Any limitation of liability set forth in the Service Provider Agreement will not apply to this PIPA’s indemnity or reimbursement obligations.
  3. During the Term, the Provider must, at its own cost and expense, obtain and maintain insurance, in full force and effect, sufficient to cover the Provider’s potential indemnity or reimbursement obligations. The Provider will produce the policy and premium payment receipt to the Foundation on request. The Provider will give the Foundation thirty (30) days advance written notice if the policy materially changes or is cancelled.

Notice

  1. Any notice or other communication given to a party under or in connection with this PIPA must be in writing and delivered as outlined in the Service Provider Agreement.
  2. Section 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
  3. A notice given under this agreement is not valid if sent by email.

APPENDIX A

Personal Information Processing Purposes and Details

Business Purposes: (a) as instructed by the Foundation in writing, solely relating to, and (b) only to the extent necessary for, the Service Provider’s provision of goods and/or services pursuant to the Service Provider Agreement.

Personal Information Categories: as instructed by the Foundation in writing.

Data Subject Types: as instructed by the Foundation in writing.

Processing Duration: as instructed by the Foundation in writing.

Approved Subcontractors: as instructed by the Foundation in writing.

Countries where the Provider may receive, access, transfer or store Personal Information are as follows: United States of America.

Any other countries must be approved in advance by the Foundation in writing. 

Appendix B

Security Measures

  1. Service Provider shall maintain an information security program that encompasses administrative, technical, and physical safeguards designed to meet or exceed the requirements specified in the then-current SISR (as defined in Section 5 below) and applicable industry standards, to protect against threats of the unauthorized or accidental destruction, loss, alteration, or use of Foundation Information and/or unauthorized disclosure of or access to Foundation Information.
  2. Service Provider personnel who are provided access to the Foundation’s facilities and/or network and computing resources shall abide by all applicable Acceptable Use policies and complete the information security training reasonably required by the Foundation. For such personnel, Service Provider shall conduct background checks and/or other investigations deemed necessary, as appropriate and permitted by applicable law. Service Provider personnel with direct, unrestricted access to the Foundation’s network or computing resources may have that access terminated at any time upon violation of the Foundation’s policies and/or misuse or abuse of their access privileges.
  3. If Service Provider discovers or is notified of a breach or potential breach of security relating to the Foundation Information that is not intended for public release, or that would otherwise interrupt or degrade the Services to the Foundation, Service Provider shall: (a) notify the Foundation within 24 hours and in any case without undue delay of such breach or potential breach; and (b) if Foundation Information was in the possession of Service Provider at the time of such breach or potential breach, Service Provider shall (i) provide the Foundation with information to allow the Foundation to assess such breach, promptly investigate and remediate the effects of the breach or potential breach, and (ii) provide the Foundation with satisfactory assurance that such breach or potential breach will not reoccur.
  4. No Foundation Information shall be sold, assigned, leased or otherwise disposed of to a third party, or commercially exploited, by or on behalf of Service Provider or its personnel without the Foundation’s express written consent. Service Provider shall not collect, share, disclose or use any Foundation Information except as necessary to perform the services or exercise rights described in the Agreement. Furthermore, Service Provider represents and acknowledges that it does not receive, nor is the Foundation providing, any such Foundation Information in consideration for the provision of the services or otherwise. Service Provider additionally represents and warrants that the provision of the Services shall comply with applicable data protection laws.
  5. “SISR” means the Foundation’s Service Provider Information Security Requirements in effect as of the Effective Date, as revised from time to time by the Foundation and made available to Service Provider. Service Provider shall have 30 days after receipt of a SISR revision to object to any new requirements contained therein that would cause a material increase in Service Provider’s efforts to comply with such new requirements in connection with an existing Service Provider Agreement. In such case, Service Provider shall notify the Foundation of any proposed additional fees for such new requirements, which shall apply only if the parties sign a corresponding change order. Absent the parties signing such change order, the Foundation may terminate this Agreement without further liability. If Service Provider intends to implement a change to its systems, policies or procedures that would reduce the level of safeguards in place as of the Effective Date, Service Provider shall notify the Foundation and only implement such change upon the Foundation’s approval.