.png){kind=logo}
DATA PROCESSING
​
This Data Processing Addendum (“Addendum”) forms part of the Terms of Service available at: https://www.incubate-iq.com and Privacy Policy available at: https://XXXXXXX (collectively, the “Agreement”) between Incubate-IQ, LLC. (“Incubate-IQ”) and you (as defined in the agreement). Incubate-IQ and you have collectively deemed the “Parties”.
​
1. Subject Matter and Duration.
​
a) Subject Matter. This Addendum reflects the parties' commitment to comply with applicable data protection laws with respect to the processing of your personal data in connection with Incubate-IQ's performance of the Agreement. All capitalized terms not specifically defined in this Data Processing Addendum shall have the meanings ascribed to them in the Agreement. If and to the extent any language in this Addendum or any of its exhibits conflicts with the Agreement, this Addendum shall control.
​
b) Term and Survival: This Addendum becomes legally binding on the date you accept and agree to the Agreement. Incubate-IQ will process your personal data until the end of the relationship as set forth in the Agreement. Incubate-IQ's obligations and your rights under this Addendum will continue as long as Incubate-IQ processes your Personal Data.
​​​​
​
2. Definitions
​
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
​​
"Applicable Data Protection Law(s)" means the relevant data protection and privacy laws, rules and regulations to which Your Personal Data is subject. "Applicable Data Protection Law(s)" includes, but is not limited to, the principles and requirements of the EU General Data Protection Regulation 2016/679 ("GDPR").
​
a) "Your Personal Data" means personal data relating to you or your employees that is processed by Incubate-IQ.
​
b) "Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of Personal Data.
​
c) "Personal Data" shall have the meaning assigned to the terms "personal data" or "personal information" under the applicable data protection law(s).
​
d) "Process", "Processes", "Processing" means any operation or set of operations performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
​
e) "Procesor" means a natural or legal person, public authority, agency or other body which processes your Personal Data on your behalf in accordance with this Addendum.
​​
f) "Security Incident(s)" means the breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to your personal data processed by Incubate-IQ.
​
g) "Third Party(ies)" means Incubate-IQ's authorized contractors, agents, vendors and third-party service providers who process your personal information.
​
​
3. Data Use and Processing.
a) Compliance with Laws. Your Personal Data will be processed in accordance with the terms of this Addendum and any applicable data protection law(s).
​
b) Documented Instructions. Incubate-IQ and its Third Parties will only process Your Personal Data in accordance with Your documented instructions or as specifically authorized by this Addendum or the Agreement. Unless prohibited by law, Incubate-IQ will notify you in writing if it reasonably believes that there is a conflict between your instructions and applicable law or otherwise seeks to process your Personal Data in a manner inconsistent with your instructions.
​
c) Authorization to Use Third Parties. To the extent necessary to fulfill Incubate-IQ's contractual obligations under the Agreement, you hereby authorize:
I. Incubate-IQ to engage Third Parties; and
II. Third Parties to engage sub-processors. Any processing of your Personal Data by Third Parties will be in accordance with your reasonable documented instructions and will comply with all applicable data protection laws.
d) Incubate-IQ and Third-Party Compliance. Incubate-IQ agrees to (i) enter into a written agreement with third parties regarding the processing of your personal data by such third parties that imposes on such third parties (and their sub-processors) data protection and security requirements for our personal data that comply with the applicable data protection law(s); and (ii) remain responsible to you for the failure of Incubate-IQ's third parties (and their sub-processors, if any) to comply with their obligations with respect to the processing of your personal data.
​
e) Right to Object to Third Parties. Upon reasonable request, Incubate-IQ will provide you with a list of the Third Parties that process your Personal Data. You may reasonably object to Incubate-IQ's use of a new Third Party by notifying Incubate-IQ in writing within ten business days of receipt of Incubate-IQ's notice by updating this Addendum. If you have a legitimate objection to the use of a new Third Party, the parties will work together in good faith to resolve the grounds for the objection for at least 30 days, and if no resolution is reached, you may terminate the portion of the Services performed under the Agreement that cannot be performed by Incubate-IQ without the use of the objectionable Third Party.
​
​
f) Confidentiality. Any person or third party authorized to process your personal information must agree to maintain the confidentiality of such information or be subject to an appropriate legal or contractual obligation of confidentiality.
​
g) Personal Data Inquiries and Requests. Incubate-IQ agrees to comply with all reasonable instructions from you with respect to any requests from individuals exercising their rights under applicable data protection law(s) with respect to Personal Data ("Privacy Request"). Upon your request and without undue delay, Incubate-IQ agrees to assist you in responding to or complying with any Privacy Request to the extent possible.
​
h) Data Protection Impact Assessment and Prior Consultation. Incubate-IQ agrees to provide you with reasonable assistance, at your expense, if you believe that the type of processing Incubate-IQ is engaged in is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, large-scale processing of sensitive personal data and large-scale systematic monitoring, or if the processing involves the use of new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
​
i) Demonstration of Compliance. Incubate-IQ agrees to maintain records of its processing in compliance with the applicable data protection law(s) and to provide you with any records necessary to demonstrate compliance upon reasonable request.
​
4. Cross-Border Transfers of Personal Data.
​
​
​a) Cross-Border Transfers of Personal Data. You authorize Incubate-IQ and its Third Parties to transfer Your Personal Data across international borders, including from the European Economic Area to the United States. Any cross-border transfer of Your Personal Data must be supported by an approved adequacy mechanism.
​
b) Standard Contractual Clauses. You and Incubate-IQ will use the European Commission Decision C (2010)593 Standard Contractual Clauses for Controllers to Processors ("Model Clauses") as an adequacy mechanism to support the transfer and processing of Your Personal Data, the terms of which are incorporated herein by reference and made a part hereof. For purposes of Appendix 1 of the Model Clauses, the "Data Exporter" is you and the "Data Importer" is Incubate-IQ, and the information required by Appendix 1. For the purposes of Appendix 2 of the Model Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 5 of this Addendum. Pursuant to Section 5(h) of the Model Clauses, you agree that Incubate-IQ may engage new Third Parties in accordance with Sections 3(c) - 3(e) of this Addendum. The parties agree that the Illustrative Clause (Optional) is expressly not included in the Model Terms. Each Party's execution of this Addendum shall be deemed to be a signature on the Model Terms. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents.
​
5. Information Security Program.
​
​a) Incubate-IQ agrees to implement appropriate technical and organizational measures to protect your personal data as required by applicable data protection law(s) (the "Information Security Program"). Such measures shall include the following:
​
I. Pseudonymize Your Personal Data, where appropriate, and encrypt Your Personal Data in transit and at rest;
​
II. The ability to ensure the ongoing confidentiality, integrity and availability of Incubate-IQ's processing and Your Personal Data;
​
III. The ability to restore availability and access to Your Personal Data in the event of a physical or technical incident;
​
IV. A process to periodically test, assess and evaluate the effectiveness of Incubate-IQ's information security program to ensure the security of your personal data against reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
​​​
​
6. Security Incidents.
​
​a) Security Incident Procedure. Incubate-IQ will establish and follow policies and procedures to detect, respond to and otherwise address Security Incidents, including procedures to:
​​
I. identify and respond to reasonably suspected or known Security Incidents, mitigate the harmful effects of Security Incidents, document Security Incidents and their outcomes, and
​
II. timely restore the availability of or access to your personal information.
​
​b) Notice. Incubate-IQ agrees to provide prompt written notice to your Designated POC without undue delay and within the timeframe required under Applicable Data Protection Law(s) (but in no event later than 48 hours) upon becoming aware that a Security Incident has occurred. Such notice shall include all available details required under the Applicable Data Protection Law(s) to enable you to comply with your own notification obligations to any regulatory authorities or individuals affected by the Security Incident.
​​​
7. Data storage and deletion
​
​
​a) Data Storage. Incubate-IQ will comply with the following with respect to the storage of Your Personal Data:
​
I. Incubate-IQ will not store or retain any of Your Personal Data except as necessary to perform the Services under the Agreement.
​
II. Incubate-IQ will notify you in writing of all countries in which Your Personal Data will be processed or stored; and
​
III. obtain your consent to the processing or storage in the identified countries. As of the Effective Date, Incubate-IQ stores Your Personal Data in the following countries to which you hereby consent United States.
​
​ ​b) Data Deletion. Incubate-IQ will comply with the following with respect to the deletion of Your Personal Data:
​
I. Within ninety (90) calendar days of the expiration or termination of the Agreement, Incubate-IQ will securely destroy (pursuant to subsection (iii) below) all copies of Your Personal Data (including automatically created archival copies).
​
II. Upon your request, Incubate-IQ will promptly return to you a copy of all of Your Personal Data within 30 calendar days and, if you also request deletion of Your Personal Data, will do so as set forth above.
​
III. Any deletion of Your Personal Data will be conducted in accordance with standard industry practices for the deletion of sensitive data.
​
IV. Tapes, hard copies, optical disks, and other physical media will be physically destroyed by a secure method, such as shredding by a bonded service provider. Upon your request, Incubate-IQ will provide you with proof that Incubate-IQ has deleted all of your personal information. Incubate-IQ will provide the "Certificate of Deletion" within 30 calendar days of your request.