This Data Processing Agreement (“DPA”) sets forth confidentiality, security, and data privacy requirements with respect to Personal Data that is Processed by Minitab, LLC (“Minitab”) in connection with the provision of the Services. This DPA constitutes a data processing agreement for the purposes of Applicable Data Protection Law. This DPA is deemed part of the Agreement. The provisions of this DPA will apply if there is any conflict between this DPA and the Agreement. Unless otherwise defined in this DPA, all capitalized terms used in this DPA have the meanings given to them in the Agreement.
- Definitions. For the purposes of this DPA unless the context requires otherwise, the following terms have these meanings:
“DPA Effective Date” means the date the Service is first launched or as listed in the purchase confirmation, receipt, and/or on the invoice You receive from Us for the Service.
“Agreement” means the Subscription Agreement between You and Minitab, LLC or its affiliate, or any other agreement, for the Service, in effect as of the DPA Effective Date between Minitab and You.
“Applicable Data Protection Law” means California Data Protection Law, the Virginia Consumer Data Protection Act, other state and federal statutes relating to Processing of information relating to a Data Subject, and all amendments and regulations promulgated thereto, as well as any legislation replacing or updating the foregoing.
“Business,” “Business Purpose,” “Commercial Purposes,” “Sell,” and “Service Provider” have the meanings given to those terms in California Data Protection Law.
“California Data Protection Law” means the California Consumer Privacy Act of 2018 and the California Privacy Rights Act and all amendments and regulations promulgated thereto, as well as any legislation replacing or updating the foregoing.
“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data” means information You provide to Minitab in Your Content that (a) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, consumer, or household; and (b) is regulated as personal information, personal data, personally identifiable information, personal health information, individually identifiable health information, protected health information, or otherwise under any Applicable Data Protection Law. Anonymized data (i.e., data that has been permanently disassociated from personal identifiers) is not Personal Data.
“Personal Data Breach” means a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on Minitab systems or the Services environment that compromises the security, confidentiality or integrity of such Personal Data.
“Processing” (and “Process”) means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services subscribed to by You in accordance with the Agreement.
“Sub-Processor” means any party, other than an employee of Minitab, appointed by Minitab to Process Personal Data in connection with the Agreement.
- Relationship of the Parties. With respect to Personal Data subject to Applicable Data Protection Law, You are a Business or equivalent term, and Minitab is a Service Provider or equivalent term. In keeping with such designations, Minitab shall Process such Personal Data only on Your behalf and only for Your own business or Commercial Purposes.
- Purposes of Processing.
3.1. Permitted Processing. Minitab will Process Personal Data solely as necessary to perform its obligations under the Agreement (or as otherwise agreed in writing by Minitab and You) and strictly in accordance with the documented instructions You provide and Applicable Data Protection Law (the “Permitted Purposes”).
3.2. Restrictions on Processing. Minitab will not: (a) disclose Personal Data to any third party without Your prior written consent, unless (i) such third party has been specifically identified and approved by You in the Agreement to receive or Process Personal Data, and (ii) disclosure is necessary to perform the Services; or (b) use Personal Data for its own purposes without Your prior written consent. In furtherance of the foregoing, Minitab shall not: (1) sell, license, lease, timeshare, rent, or otherwise exchange Personal Data for monetary or other consideration; (2) retain, use, or disclose such Personal Data for any purpose other than for the specific purpose of performing the Services; (3) retain, use, or disclose such Personal Data for a Commercial Purpose other than providing the Services; or (4) retain, use or disclose such Personal Data outside of the direct business relationship between Minitab and You. Minitab certifies that it understands the restrictions in this Section 3.2 and will comply with them.
- Confidentiality Obligations. Minitab shall ensure that any person that it authorizes to Process Personal Data (including but not limited to Minitab’s employees, contractors and other individuals engaged to provide the Services) (“Authorized Personnel”) shall be subject to a strict duty of confidentiality, including without limitation any obligations of confidentiality that are set forth in the Agreement, and shall not permit any person who is not under such a duty of confidentiality to Process Personal Data. Minitab shall ensure that all Authorized Personnel use Personal Data solely to the extent necessary for the Permitted Purposes.
- Cooperation. Minitab shall provide all reasonable and timely assistance to You to enable You to respond to: (a) any request from a Data Subject to exercise any of their rights under Applicable Data Protection Law (including without limitation rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other request, correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of Personal Data provided by You (each, an “Inquiry”). If any Inquiry is made directly to Minitab, Minitab shall promptly inform You, providing full details of the Inquiry, and Minitab shall refrain from responding to such Inquiry unless required by law or authorized by You.
6.1. Security Measures. Minitab will maintain and use appropriate safeguards to prevent unauthorized access to or use of the Personal Data, and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information or data that Minitab processes in the course of providing the Services. Such safeguards shall include, but are not limited to (a) security management policies and procedures including incident management procedures to address security events; (b) access controls, including password change controls, to ensure access to information is granted on a need to know and least privileged basis; (c) device and software management controls to guard against viruses and other malicious or unauthorized software; (d) industry standard encryption safeguards as appropriate and where required by law; (e) security awareness training to ensure employees’ understanding of their responsibilities in guarding against security events and unauthorized use or access to information; (f) logging procedures to proactively record user and system activity for routine review; and (g) facility access and protection controls to limit physical access to information resources and guard against environmental hazards (e.g., water or fire damage).
6.2. Notification. Minitab will notify You of a confirmed Personal Data Breach without undue delay but at the latest within 24 hours. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Minitab, Minitab will also provide You with (a) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (b) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and (c) where possible, information about the types of Personal Data that were the subject of the Personal Data Breach. You agree to coordinate with Minitab on the content of Your intended public statements or required notices for the affected individuals and/or notices to the relevant regulators regarding the Personal Data Breach.
- Deletion or return of Personal Data. Upon termination of the Services, Minitab will promptly return or delete any remaining copies of Personal Data on Minitab’s systems or Services environments, except as otherwise stated in the Agreement.
- Audit. Minitab shall permit an independent Certified Public Accountant engaged by You (“Auditor”) to audit Minitab’s compliance with this DPA, and shall make available to You and Auditors information, systems and staff necessary to conduct such audit and to demonstrate compliance with Applicable Data Protection Law. Your Auditor shall be subject to a confidentiality and non-disclosure agreement in form and substance reasonably acceptable to Minitab, and subject to Minitab’s approval, which will not be unreasonably withheld. Minitab agrees that You and Auditors may enter its premises solely for the limited purpose of conducting this audit, provided that You give reasonable prior notice, conduct the audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Minitab’s operations. You will not exercise this audit right more than once in any 12-month period, except (a) if and when required by a competent data protection authority or other regulator; or (b) if You believe a further audit is necessary due to a Personal Data Breach.
- Sub-Processors and Authorized Personnel. You grant Minitab a general authorization to engage Sub-Processors in connection with the performance of the Services by Minitab. To the extent Minitab engages Sub-Processors to Process Personal Data, such entities shall be subject to the same level of data protection and security as Minitab under this DPA. Minitab is responsible for the performance of any Sub-Processor’s obligations in compliance with the terms of this DPA and Applicable Data Protection Law.
- Survival. This DPA survives termination or expiration of the Agreement.