Resideo Data Processing Addendum

This Data Processing Addendum (“DPA”) applies to the Processing of Resideo Personal Data (as defined below) under or in connection with the Agreement.

  1. Definitions. Unless otherwise defined in this DPA or in Applicable Privacy Laws, terms capitalized in this DPA shall have the same meanings as ascribed to them elsewhere in the Agreement. Where a term is defined both in this DPA and in Applicable Privacy Laws, the latter definition shall take precedence. References to any Applicable Privacy Laws and to terms defined therein shall be replaced with or incorporate (as the case may be) references to any Applicable Privacy Laws replacing, amending, extending, re-enacting, or consolidating such Applicable Privacy Laws and the equivalent terms defined in such Applicable Privacy Laws once in force and applicable. References to Paragraphs are references to paragraphs in this DPA.

    “Applicable Privacy Laws” means all data protection, privacy, breach notification, data security, and network security laws, legally binding rules, and legally binding regulations (as amended or replaced from time to time) that apply to Supplier and/or Resideo from time to time, and includes, where applicable, any legally binding codes of practice issued or endorsed by any competent Regulator(s).

    “Controller” has the meaning ascribed to the term “Controller” under Applicable Privacy Laws or, where such term is not defined there, means the legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

    “Processing” has the meaning ascribed to the term “Processing” under Applicable Privacy Laws or, where such term is not defined there, means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, access, consultation, use, acquisition, transfer, hosting (via server, web, cloud, or otherwise), disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Any activity defined as processing by or otherwise subject to the requirements of Applicable Privacy Laws shall fall within this definition. “Processed”, “Process” and any other variations of “Processing” shall also be defined as set out above.

    “Processor” has the meaning ascribed to the term “Processor” or “Service Provider” (as relevant) under Applicable Privacy Laws or, where such term is not defined there, means a legal person, public authority, agency, or other body which Processes Personal Data on behalf of a Controller.

    “Resideo Personal Data” means Personal Data that Supplier and/or its Subprocessors Process under this Agreement for the purpose described in Paragraph 3 (Roles of the Parties) and as further detailed in Attachment 2 to this DPA.

    “Personal Data” has the meaning ascribed to the term “Personal Data” or “Personal Information” or “Personally Identifiable Information” (as relevant) under Applicable Privacy Laws or, where such term is not defined there, means any information relating to an identified or identifiable natural person (the “Data Subject” unless otherwise defined in Applicable Privacy Laws) and an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

    “Regulator” has the meaning ascribed to the term “Supervisory Authority” under Applicable Privacy Laws or, where such term is not defined there, means any official entity duly exercising powers under Applicable Privacy Laws and which has competence over Supplier or Resideo.

    “Security Breach” has the meaning ascribed to the term “Personal Data Breach” under Applicable Privacy Laws (in so far as Resideo Personal Data is involved, affected or otherwise concerned) or, where such term is not defined in Applicable Privacy Laws, means any event involving any actual or reasonably suspected compromise of the confidentiality, integrity, or availability of Resideo Personal Data and/or the networks, systems, or databases on which the Resideo Personal Data is stored, transmitted, or otherwise Processed, including, but not limited to, any accidental, unlawful, or unauthorized disclosure, use, viewing, destruction, loss, alteration, or acquisition of, or access to, any Resideo Personal Data.
  2. Scope. The subject-matter and nature of the Processing of Resideo Personal Data by Supplier is detailed in the Agreement whereas the purpose and duration of such Processing is set out in Paragraph 3 (Roles of the Parties) and the types of Personal Data that make up the Resideo Personal Data and the categories of Data Subjects to whom the Resideo Personal Data relate are described in Attachment 2 to this DPA. Personal Data relating to any Party’s personnel and shared with the other Party in order to independently administer the Agreement (other than as part of providing the Services) is not subject to this DPA and in respect of such Personal Data the receiving Party acts as an independent Controller. The terms of the Agreement shall govern (i) to the extent local law recognizes property rights in data, the intellectual property, ownership and licensing rights in the Resideo Personal Data; and (ii) the confidentiality obligations that apply to the Resideo Personal Data, provided however for each of (i) and (ii) that in the event of any conflict or inconsistency the terms of this DPA apply.
  3. Roles of the Parties. Each Party shall comply with its obligations under Applicable Privacy Laws, not act or fail to act so as to put the other Party in breach of any Applicable Privacy Laws and notify the other Party in the event it determines that it can no longer comply with Applicable Privacy Laws. Resideo hereby appoints Supplier, acting as Processor, to Process Resideo Personal Data for the purpose of, and only to the extent and for the duration necessary for, the performance of the Services under the Agreement. In particular, Supplier shall not retain, use, or disclose any Resideo Personal Data for any purpose other than for the purposes set out in this DPA or as otherwise permitted under the Applicable Privacy Laws and in no event shall Supplier sell any Resideo Personal Data or combine it with Personal Data that it Processes for its own purposes and/or on behalf of third parties. The legal entity or entities that are the Controller(s) of the Resideo Personal Data are one or more of Resideo, Resideo’s Affiliates, or Resideo’s or its Affiliates’ customers, which, in all cases, have authorized and instructed Resideo to act on its/their behalf concerning the Processing of the Resideo Personal Data as described in this Agreement (including as regards issuing instructions concerning the Processing of Resideo Personal Data). The Parties agree that by executing the Agreement Resideo enters into this DPA (including, where applicable, the SCC) also on behalf of those of its Affiliates (“Relevant Affiliates”) that are permitted under the Agreement to receive the Services and that this DPA shall therefore also apply separately as between Supplier and each Relevant Affiliate. Each Party’s and all the Relevant Affiliates’ liability arising out of or relating to the DPA, taken together in aggregate, is subject to (and, where relevant, limited by) the terms of this Agreement (including this DPA). Resideo shall be Supplier’s single point of contact for all notices and communications from or to the Relevant Affiliates under or relating to this DPA.
  4. Instructions and disclosures. Supplier shall Process Resideo Personal Data in accordance with the written instructions of Resideo as set forth in the Agreement and as issued by Resideo’s authorized representative(s) (including via any self-service functionality that forms part of the Services). If, in Resideo’s reasonable opinion, at any time Supplier Processes Resideo Personal Data contrary to Resideo’s instructions or Applicable Privacy Laws, Resideo may instruct Supplier to suspend promptly all such Processing. If, in Supplier’s reasonable opinion, any of Resideo’s instructions infringe Applicable Privacy Laws, Supplier shall inform Resideo promptly (providing reasonable details) and not act on such instructions unless confirmed or revised by Resideo. Supplier shall not disclose, share or otherwise make available any Resideo Personal Data to any third party unless: (i) Supplier is strictly required to do so by applicable law, in which case Supplier shall notify Resideo promptly of such requirement (unless such notification is prohibited by applicable law); or (ii) Supplier has appointed such third party as its Subprocessor in accordance with Paragraph 7 (Subprocessors) below.
  5. Data transfers. The Parties shall ensure that all international transfers of Resideo Personal Data from Resideo to the Supplier and from the Supplier to its Subprocessors meet the requirements of Applicable Privacy Laws. Where the Controller (as determined in accordance with Paragraph 3 (Roles of the Parties)) is established within the European Economic Area, Switzerland and/or the United Kingdom and the Supplier (i) is not established there; (ii) is not established in a country that a competent Regulator has deemed as providing an adequate level of protection for Personal Data; and (iii) has not implemented approved Binding Corporate Rules for processors, then Attachment 1 shall apply to such transfers.
  6. Supplier’s personnel.  Supplier shall ensure that its personnel engaged in the Processing of Resideo Personal Data are reliable, have received appropriate training on their responsibilities and are contractually or legally required to keep the Resideo Personal Data confidential. 
  7. Subprocessors. Without prejudice to any other terms of this Agreement regarding the appointment of subcontractors, Resideo authorizes Supplier to disclose Resideo Personal Data to any third party to which Supplier has subcontracted some or all of Supplier’s Processing of Resideo Personal Data hereunder (“Subprocessor”), provided that: (i) such disclosure is necessary to enable Supplier to provide the Services; (ii) Supplier has conducted appropriate due diligence of that third party in accordance with Applicable Privacy Laws; (iii) the terms on which Supplier has appointed such third party are enforceable and at least equally protective of Resideo Personal Data as those set out in this DPA, in particular providing sufficient guarantees from such third party to meet or exceed the requirements of Paragraph 8 (Security); and (iv) the Subprocessor is either listed in Attachment 2 to this DPA or Supplier has provided prior notice to Resideo of the proposed use as Subprocessor of such third party (such notice to include the identity of the proposed Subprocessor and the jurisdiction(s) in which it will Process Resideo Personal Data) and has given Resideo at least 30 days to object (on reasonable grounds) to such appointment. Resideo may require Supplier to provide a copy of the relevant parts of its agreement with the proposed Subprocessor, and Supplier acknowledges that Resideo may disclose the identity of Supplier’s Subprocessors where reasonably necessary. In the event Resideo objects to the appointment of any proposed Subprocessor, Supplier shall not disclose or otherwise make available Resideo Personal Data to such proposed Subprocessor and shall make reasonable efforts to continue to provide the Services or to recommend a commercially reasonable change to Resideo’s use of the Services that does not unreasonably burden Resideo or cause it to incur additional costs or fees. In the event Supplier is unable to do so, Resideo may terminate the Agreement or relevant SOW(s) for convenience and without penalty and Supplier shall refund Resideo all prepaid but, as at the date of termination, unused fees paid to Supplier in respect of the terminated Services. In all cases, Supplier shall remain primarily liable for the acts and omissions of its Subprocessors as though they were the Supplier’s own acts or omissions and shall ensure at all times that its Subprocessors comply with Resideo’s instructions concerning the Processing of Resideo Personal Data (as specified in Paragraph 4 (Instructions and disclosures)) to the extent relevant.
  8. Security. Supplier shall implement and maintain (i) all technical, physical, and organizational measures and controls required to protect the security, confidentiality and integrity of the Resideo Personal Data, including protection against: (a) accidental or unlawful destruction, loss, alteration, or damage; (b) unauthorized disclosure or access; and (c) all other unlawful or unauthorized forms of Processing, as well as (ii) all additional security measures required under Applicable Privacy Laws. Resideo acknowledges that such measures and controls may evolve over time and Supplier may therefore modify such measures provided that the overall level of protection of Resideo Personal Data shall not decrease. Without prejudice to the preceding sentences of this Paragraph, Supplier shall comply with Resideo’s Supplier Information Security Addendum available at https://www.resideo.com/us/en/corporate/suppliers/ and which is hereby incorporated by reference.
  9. Security Breach. Supplier shall notify Resideo without undue delay, and in no event later than twenty-four (24) hours after becoming aware, of each Security Breach. Supplier shall investigate each Security Breach promptly and take all necessary measures to resolve it and mitigate its effects. Supplier shall provide all reasonably relevant information concerning each Security Breach to Resideo as it becomes available (including but not limited to: a detailed description of the nature, root cause and likely consequences of the Security Breach, the categories and approximate number of affected individuals, the types and approximate number of records of affected Resideo Personal Data, and the measures taken or proposed to be taken to remediate and/or mitigate the Security Breach). Supplier acknowledges that Resideo may need to notify affected individuals, Regulators and/or other third parties of any Security Breach and respond to their questions and/or inquiries. Therefore, if requested by Resideo, Supplier shall provide all reasonable cooperation and assistance regarding the Security Breach to Resideo, and Supplier shall obtain Resideo’s prior consent before making any announcement or communication to any third party concerning any Security Breach that (i) specifically names or refers to Resideo or any of its Affiliates, or (ii) is directed at Resideo’s or its Affiliates’ employees, suppliers, or customers.
  10. Indemnity. Notwithstanding anything in the remainder of this Agreement, Supplier will defend, hold harmless, and indemnify Resideo and its subsidiaries, Affiliates, and agents, and their respective officers, directors, shareholders, and employees, and Resideo’s customers (collectively “Indemnitees”) in full from and against, and reimburse the Indemnitees for, any and all DP Losses (as defined below) suffered or incurred by, awarded against or agreed to be paid by, any of the Indemnitees relating to, resulting from, or in connection with (i) any Security Breach and/or (ii) Supplier’s or its Subprocessor’s breach of any Applicable Privacy Laws or any of the terms and conditions or obligations relating to data protection, privacy, breach notification, data security, or Personal Data set out in the Agreement (including this DPA). “DP Losses” means, except to the extent prohibited by applicable law, all liabilities, costs, losses, material and non-material damages, claims, actions, and expenses including, but not limited to, the cost of legal fees; to the extent legally permissible, settlements, fines, penalties, sanctions, and similar assessments imposed by, and the reasonable costs of compliance with investigations conducted by, a Regulator having authority over an Indemnitee; loss or damage to reputation, brand, or goodwill; compensation or other amounts paid to any affected individual; and Security Breach investigation and response costs and expenses (including, but not limited to, the cost of call center support services, public relations and other crisis management services, and consulting, forensic, accounting, and auditing services). Notwithstanding anything to the contrary in the Agreement, the Parties acknowledge and agree that Supplier’s liability under this DPA is unlimited.
  11. Data Subject rights and correspondence. If Supplier receives any correspondence (including any Data Subject request to exercise rights under Applicable Privacy Laws, any correspondence from any Regulator, any enquiry from the public and/or any subpoena or other judicial or administrative order) that relates to Resideo Personal Data and/or Supplier’s Processing of it, Supplier shall notify Resideo by email as soon as reasonably possible (and in any event within two (2) business days), providing a copy of such correspondence (unless such notification is prohibited by applicable law). Supplier shall not respond to such correspondence without Resideo’s prior written consent unless otherwise required by applicable law, in which case Supplier shall, to the fullest extent possible under applicable law, ensure that Resideo receives a copy of, and an opportunity to provide feedback on, the content of any proposed Supplier response.
  12. Information, audit and assistance. Resideo is required under Applicable Privacy Laws to take reasonable and appropriate steps to ensure that Supplier Processes Resideo Personal Data in accordance with this DPA and to regularly review Supplier’s compliance with Applicable Privacy Laws (to the extent relevant to the Supplier’s Processing of Resideo Personal Data), this DPA, and the technical and organizational security measures described in Paragraph 8 (Security). Therefore, Supplier shall provide to Resideo upon request and without undue delay all information (including providing evidence of appropriate personnel training and, if applicable, copies of the documentation Supplier is required to maintain under Applicable Privacy Laws about its Processing of Resideo Personal Data) that Resideo reasonably requires to satisfy itself of Supplier’s compliance. Where permitted by Applicable Privacy Laws, Supplier may demonstrate its compliance (in part or in full, as relevant) by making available to Resideo reasonable evidence of its and/or its Subprocessors’ most recent third-party certifications and/or external audit reports (for example, Service Organization Controls SOC 2 Type II), provided that such certifications and/or audit reports are (in Resideo’s reasonable opinion) relevant and appropriate for the purposes of this Paragraph. Alternatively, Supplier shall, no more than once per calendar year and upon reasonable prior notice (unless otherwise required under Applicable Privacy Laws or following a Security Breach), allow for and contribute to those audits and inspections by Resideo (or an auditor appointed by Resideo and reasonably acceptable to Supplier) that are reasonably required to demonstrate such compliance. If Supplier cannot demonstrate its compliance, Supplier shall promptly remedy such non-compliance and Resideo may (without prejudice to this Agreement) suspend the transfer of Resideo Personal Data to Supplier until such non-compliance is remedied.
Supplier shall also provide to Resideo upon request all reasonable assistance concerning Supplier’s Processing of Resideo Personal Data that Supplier is required to provide under Applicable Privacy Laws. Where Resideo can obtain such assistance via self-service functionality provided via the Services, Resideo shall use such functionality. 
  13. Return and deletion.  Supplier shall return or delete the Resideo Personal Data it Processes (including Resideo Personal Data Processed by Supplier’s Subprocessors) under the Agreement as instructed by Resideo from time to time. At the termination or expiry of the Agreement and unless otherwise instructed, Supplier shall without undue delay securely delete such Resideo Personal Data. In the event Supplier is required under applicable law to retain any such Resideo Personal Data, Supplier shall (if legally permitted), promptly notify Resideo (providing reasonable details and cooperation). 
  14. Miscellaneous. Failure by Supplier to comply with the obligations in this DPA or the Agreement relating to Personal Data shall be considered a material breach of the Agreement. This DPA shall continue to apply for as long as Supplier Processes Resideo Personal Data. Without prejudice to the terms of the Agreement, all notices that Supplier is required to provide to Resideo pursuant to this DPA shall be sent by email to ResideoPrivacy@resideo.com.

Attachment 1

Attachment 2