Data Processing Addendum

Updated on:

This Data Processing Addendum (“DPA”) forms part of the Master Reseller Terms & Conditions or other written or electronic agreement between Symbol Security, Inc. (“Symbol”) and the Partner identified in the Service Order (“Partner”) (collectively, the “Parties”).

1. DEFINITIONS

1.1 “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy, including the GDPR, UK GDPR, and CCPA/CPRA, as amended.

1.2 “Personal Data” means any information relating to an identified or identifiable natural person processed by Symbol on behalf of Partner in the course of providing the Services.

1.3 “Controller” means the entity that determines the purposes and means of the processing of Personal Data (the Partner or its Sub-Customers).

1.4 “Processor” means the entity that processes Personal Data on behalf of the Controller (Symbol).

2. SCOPE AND ROLE

2.1 Applicability: This DPA applies where Symbol processes Personal Data that is subject to Data Protection Laws.

2.2 Role of Parties: The Parties acknowledge that Symbol acts as a Processor (or Service Provider under CCPA) and Partner acts as a Controller (or represents the Controller).

2.3 Partner Obligations: Partner warrants and covenants that it has provided all necessary notices and obtained all necessary consents under Data Protection Laws, including ensuring a lawful basis for processing, to allow Symbol to process Personal Data as contemplated by the Agreement. Partner shall indemnify and hold Symbol harmless against all claims, liabilities, costs, and expenses arising from Partner’s failure to comply with its obligations under this DPA or Data Protection Laws.

3. PROCESSING OBLIGATIONS

3.1 Instructions: Symbol shall process Personal Data only on the documented instructions of Partner and for the sole purpose of providing the Services.

3.2 Confidentiality: Symbol shall ensure that its personnel authorized to process Personal Data are subject to a duty of confidentiality.

3.3 Security: Symbol shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

4. SUB-PROCESSORS

4.1 Appointment: Partner grants a general authorization for Symbol to engage third-party Sub-processors (e.g., cloud hosting providers) to support the Services.

4.2 Notification: Symbol shall maintain a list of current Sub-processors at [symbolsecurity.com/legal/sub-processors]. Symbol shall provide Partner with notice of any new Sub-processor appointments by updating the website list with reasonable advance notice, which shall be deemed sufficient notice.

4.3 Liability: Symbol remains liable for the acts and omissions of its Sub-processors to the same extent Symbol would be liable if performing the services itself.

5. DATA SUBJECT RIGHTS

5.1 Assistance: Symbol shall, to the extent legally permitted, promptly notify Partner if it receives a request from a Data Subject to exercise their rights (e.g., access, deletion, or portability).

5.2 Fulfillment: Taking into account the nature of the processing, Symbol shall provide reasonable assistance to Partner to enable Partner to respond to such Data Subject requests, provided that Partner shall be responsible for all costs and fees incurred by Symbol in providing such assistance, unless otherwise agreed.

6. BREACH NOTIFICATION

6.1 Notification: Symbol shall notify Partner without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach.

6.2 Information: Symbol shall provide sufficient information to allow Partner to meet any obligations to report or inform Data Subjects or regulators of the Personal Data Breach.

7. INTERNATIONAL TRANSFERS

7.1 Standard Contractual Clauses (SCCs): If Personal Data originating in the EEA, Switzerland, or the UK is transferred to Symbol in a country not recognized as providing an adequate level of protection, the Parties agree that the then-current EU or UK Standard Contractual Clauses are hereby incorporated by reference and shall apply to such transfers.

8. AUDIT AND TERMINATION

8.1 Audit: Upon written request, and no more than once per year, Symbol shall make available to Partner information reasonably necessary to demonstrate compliance with this DPA, which Partner agrees to accept as sufficient evidence of compliance. Any further on-site audit request must be mutually agreed upon, conducted during Symbol's business hours, on reasonable prior notice, and at Partner's sole expense.

8.2 Deletion/Return: Upon termination of the Services, Symbol shall, at Partner’s choice, delete or return all Personal Data to Partner, unless applicable law requires storage of the Personal Data.

9. LIMITATION OF LIABILITY

The total aggregate liability of either Party under this DPA shall be subject to the limitation of liability provisions set forth in the Master Reseller Terms & Conditions. In no event shall either Party be liable for any punitive, indirect, special, or consequential damages.


ANNEX 1: DETAILS OF PROCESSING

A. LIST OF PARTIES

  • Data Exporter: The Partner (Controller) identified in the Service Order.
  • Data Importer: Symbol Security, Inc. (Processor), 115 Route 46 West, Bldg F, Mountain Lakes, NJ 07046.

B. DESCRIPTION OF TRANSFER

  • Categories of Data Subjects: Employees, contractors, and authorized users of the Partner and its Sub-Customers.
  • Categories of Personal Data: Name, business email address, IP address, job title, and security training performance data (e.g., phish click rates, course completion status).
  • Sensitive Data: None. Symbol does not intentionally collect or process "Special Categories" of data (e.g., health or biometric data).
  • Frequency of Transfer: Continuous for the duration of the Service.
  • Nature of Processing: Storage and processing to deliver cyber awareness training, phishing simulations, and reporting.

C. LOCATION OF PROCESSING

  • Personal Data is hosted in Symbol’s United States infrastructure by default. Symbol shall host Personal Data in its Brussels, Belgium (EU) node only upon the express instruction or technical selection by the Data Controller for specific accounts. The Data Controller (Partner) remains responsible for the accuracy of these instructions.

CONTACT INFORMATION.

If you have any questions about our Privacy Policy, please contact us at: support@symbolsecurity.com
