Data Processing Policy

 Faith Technologies Incorporated (FTI) is committed to protecting the privacy and personal data of all individuals with whom we interact. This Data Processing Policy (“DPP”) explains how we collect, process, and secure personal data obtained through our website, marketing efforts, sales and service interactions, lead generation activities, and other business channels. 

In the course of interacting with and/or providing products and/or services (known individually or in combination as the “Services”) to Data Subject pursuant to this DPP, FTI may Process Client Personal Data and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. 

The terms of this DPP will be effective and replace any previously applicable data processing terms as of the date of execution. 

Designated Data Center Location: United States 

DEFINITIONS 

In this DPP, the following terms shall have the following meanings: 

“Additional Products” means products, services and applications (whether made available by FTI or a third party) that are not part of the Services. 

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. 

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Processing or Process” (and “Process”) shall have the meanings given in Applicable Data Protection Law. The term “Personal Data” shall be deemed to include concepts of “Personal information” or “Personally Identifiable Information” if and as those terms may be defined under Applicable Data Protection Law. 

“EU Data Protection Laws” means: (i) up to 25 May 2018, the Data Protection Directive 95/46/EC; and (ii) from 25 May 2018 onwards, the General Data Protection Regulation (EU) 2016/679 (“GDPR”). 

“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPP, including local, state, national and/or foreign laws, treaties, and/or regulations, EU Data Protection Laws, and implementations of EU Data Protection Laws into national law. 

“Personal Data Breach” means (i) a ‘personal data breach’ as defined in the GDPR affecting Personal Data, and (ii) any Security Breach affecting Personal Data. 

“Subprocessor” means a FTI Affiliate or third-party entity engaged by FTI or a FTI Affiliate as a Data Processor under this DPP. 

“Valid Transfer Mechanism” means a data transfer mechanism permitted by USA Data Protection Laws as a lawful basis for transferring Personal Data to a recipient outside the USA. 

SECTION 1. PROCESSING PERSONAL DATA 

1.1 Scope and Role of the Parties. This DPP applies to the Processing of Personal Data by FTI in the course of doing business. For the purposes of this DPP, Data Subject and its Affiliates are the Data Controller(s) and FTI and its Affiliates are the Data Processor, Processing Personal Data on Data Subject’s behalf. 

1.2 Instructions for Processing. FTI shall Process Personal Data in accordance with this policy and applicable law.  Data Subject authorizes FTI to Process Personal Data in accordance with this DPP.  Data Subject may provide additional instructions to FTI to Process Personal Data, however FTI shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of a fully executed sales or service Agreement and this DPP. 

1.2.1. Data Subject Instructions. FTI shall inform Data Subject immediately if actions constitute a breach of contract and/or (ii) if FTI is unable to follow Data Subject’s instructions included in a fully executed sales or service Agreement for the Processing of Personal Data. 

1.2.2 FTI’s Processing of Personal Data. FTI shall treat Personal Data as Confidential Information and shall Process Personal Data for the following purposes: (i) Processing in accordance with the DPP and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Data Subject (e.g., via email) where such instructions are consistent with the terms of the DPP and an applicable fully executed sales or service Agreement. 

1.2.3. Details of the Processing. The subject-matter of Processing of Personal Data by FTI is the performance of legal business practice including marketing, sale, and aftermarket activities related to sales of goods and services. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPP. 

1.3 Compliance with Laws. FTI shall comply with all Data Protection Laws applicable to FTI in its role as a Data Processor Processing Personal Data. For the avoidance of doubt, FTI is not responsible for complying with Data Protection Laws applicable to Data Subject or ’s Data Subject’s industry . Customers shall comply with all Data Protection Laws applicable to Customers as a Data Controller. 

SECTION 2. SUBPROCESSORS 

2.1 Use of Subprocessors.  It is agreed that FTI and their Affiliates may engage Subprocessors to Process Personal Data. FTI or their relevant Affiliate shall ensure that such Subprocessor has entered into a written agreement requiring the Subprocessor to abide by terms no less protective than those provided in this DPP. Upon Data Subject’s request, FTI will make available to Data Subject a summary of the data processing terms. For the avoidance of doubt, the data processing terms that apply to FTI Affiliates when Processing Personal Data as a Subprocessor are those set out in this DPP. FTI shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by FTI. 

SECTION 3. DATA CENTER LOCATION AND DATA TRANSFERS 

3.1  Storage of Personal Data. Personal Data will be housed in data centers located in a secure data center of FTI’s choosing unless the parties otherwise expressly agree in writing. 

3.2 Access to Personal Data. Notwithstanding Section 3.1, in order to provide the Service FTI and its Subprocessors will only access Personal Data from (i) countries in the EEA, (ii) countries or territories formally recognized by the European Commission as providing an adequate level of data protection (“Adequate Countries”) and (iii) the United States provided, in this case, that FTI makes available to Data Subject a Valid Transfer Mechanism. When FTI or its Subprocessors access Personal Data from outside the Designated Data Center Location for the purposes set forth above, Data Subject agrees that Personal Data may be temporarily stored in that country. 

SECTION 4. RIGHTS OF DATA SUBJECTS 

4.1 Correction, Deletion or Restriction. FTI will, at its election and as necessary to enable Data Subject to meet its obligations under applicable Data Protection Laws, either (i) provide Data Subject the ability, via written notice to correct or delete Personal Data or restrict its Processing; or (ii) make such corrections, deletions, or restrictions on Data Subject’s behalf if such functionality is not available within the Service. 

4.2 Access to Personal Data. To the extent a Data Subject’s Personal Data is not accessible to Data Subject through the Service, FTI will, as necessary to enable Data Subject to meet its obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to Data Subject. 

4.3 Handling of Data Subject Requests. For the avoidance of doubt, Data Subject is responsible for responding to Data Subject requests for access, correction, deletion or restriction of that person’s Personal Data (“Data Subject Request”). If FTI receives a Data Subject Request, FTI shall promptly redirect the Data Subject to Data Subject. 

4.4 Data Portability. During the term of an Agreement, Data Subject may extract Personal Data from the Service in accordance with the Documentation and the relevant provisions of the Agreement, including so that Data Subject can provide the Personal Data to an individual who makes a data portability request under EU Data Protection Laws. 

SECTION 5. GOVERNMENT ACCESS REQUESTS 

Unless prohibited by applicable law or a legally binding request of law enforcement, FTI shall promptly notify Data Subject of any request by government agency or law enforcement authority for access to or seizure of Personal Data. 

SECTION 6. FTI PERSONNEL 

FTI shall take reasonable steps to require screening of its personnel who may have access to Personal Data and shall require such personnel (i) to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data; and (ii) to agree to comply with confidentiality obligations which shall survive the termination of employment. 

SECTION 7. PERSONAL DATA BREACH 

In the event FTI becomes aware of a Personal Data Breach it shall without undue delay notify Data Subject in accordance with the Security Breach provisions of the Agreement. To the extent Data Subject requires additional information from FTI to meet its Personal Data Breach notification obligations under applicable Data Protection Laws, FTI shall provide reasonable assistance to provide such information to Data Subject taking into account the nature of Processing and the information available to FTI. 

SECTION 8. SECURITY PROGRAM 

FTI shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. 

8.1. Controls for the Protection of Data Subject Data. FTI shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Data Subject Data), confidentiality and integrity of Data Subject Data. FTI regularly monitors compliance with these measures. FTI will not materially decrease the overall security of the Services during a subscription term. 

8.2. Audit. If Data Subject requests an Audit, at the Data Subject’s sole expense, FTI may make available to Data Subject information to demonstrate compliance with the obligations set out in this DPP, including those obligations required by applicable Data Protection Laws and Regulations, as set forth in this section 8.2. 

8.2.1. Findings. Data Subject must promptly provide FTI with information regarding any non-compliance discovered during the course of an Audit. 

8.3 Security of Processing. Data Subject is solely responsible for making an independent determination as to whether FTI’s technical and organizational measures meet Data Subject’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by FTI provide a level of security appropriate to the risk with respect to its Personal Data. Personal data breaches will be handled in accordance with section 9 of this DPP. 

SECTION 9. DATA SUBJECT DATA INCIDENT MANAGEMENT AND NOTIFICATION 

FTI maintains security incident management policies and procedures and shall notify Data Subject after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data Subject Data, including Personal Data, transmitted, stored or otherwise Processed by FTI or its Sub-processors of which FTI becomes aware (a “Data Subject Data Incident”). FTI shall make reasonable efforts to identify the cause of such Data Subject Data Incident and take such steps as FTI deems necessary and reasonable to remediate the cause of such a Data Subject Data Incident to the extent the remediation is within FTI’s reasonable control. The obligations herein shall not apply to incidents that are caused by Data Subject or Data Subject’s Users. 

SECTION 10. RETURN AND DELETION OF PERSONAL DATA 

Upon termination of the relevant Service, FTI shall return and delete Personal Data in accordance with relevant provisions of the Agreement. 

SECTION 11. ADDITIONAL PRODUCTS 

Data Subject acknowledges that if it installs, uses, or enables Additional Products that interoperate with the Service but are not part of the Service itself, then by such actions Data Subject is instructing FTI to cause the Service to allow such Additional Products to access Personal Data as required for the interoperation of those Additional Products with the Service. Such separate Additional Products are not required to use the Service and may be restricted for use as determined by Data Subject’s system administrator. This DPP does not apply to the Processing of Personal Data by Additional Products which are not part of the Service. 

SECTION 12. GENERAL PROVISIONS 

12.1 Data Subject Affiliates. Data Subject is responsible for coordinating all communication with FTI on behalf of its Affiliates with regard to this DPP. Data Subject represents that it is authorized to issue instructions as well as make and receive any communications or notifications in relation to this DPP on behalf of its Affiliates. 

12.3 Termination. The term of this DPP will end when all Personal Data is deleted from FTI’s systems. 

12.4 Conflict.  With regard to the subject matter of this DPP, in the event of inconsistencies between the provisions of this DPP and an Agreement for goods or services, the provisions of this DPP shall prevail with regard to the parties’ data protection obligations. 

12.5 Data Subject Affiliate Enforcement. Data Subject’s Affiliates may enforce the terms of this DPP directly against FTI, subject to the following provisions: 

(i) if it were a party to the Agreement (each an “Affiliate Claim”) directly against FTI on behalf of such Affiliate, except where the Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate itself bring or be party to such Affiliate Claim; and 

(ii) for the purpose of any Affiliate Claim brought directly against FTI by Data Subject on behalf of such Affiliate in accordance with this Section, any losses suffered by the relevant Affiliate may be deemed to be losses suffered by Data Subject. 

12.6 Remedies. Data Subject’s remedies (including those of its Affiliates) with respect to any breach by FTI or its Affiliates of the terms of this DPP, and the overall aggregate liability of FTI and its Affiliates arising out of, or in connection with the Agreement (including this DPP) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Liability Cap”) and the applicable remedies established in the applicable jurisdiction(s). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of FTI and its Affiliates arising out of, or in connection with the Agreement (including this DPP) shall in no event exceed the Liability Cap. 

12.7 Miscellaneous. The section headings contained in this DPP are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPP. 

12.8. Limitation Of Liability.  Unless otherwise prohibited by applicable laws, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPP, and all DPPs between Authorized Affiliates and FTI, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPPs together. 

For the avoidance of doubt, FTI’s and its Affiliates’ total liability for all claims from Data Subject and all of its Authorized Affiliates arising out of or related to the Agreement and all DPPs shall apply in the aggregate for all claims under both the Agreement and all DPPs established under the Agreement, including by Data Subject and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Data Subject and/or to any Authorized Affiliate that is a contractual party to any such DPP. 

ADDENDUM 1 

DATA SUBJECTS 

Prospective, current and former employees and other workers, as well as related persons. 

CATEGORIES OF DATA 

Prospective, current and former employee data: Such employee data as is necessary for human resources and benefits processing, including name; contact information (including home and work address; home and work telephone numbers; mobile telephone numbers; web address data; instant messenger data; home and work email address); marital status; ethnicity; citizenship information; visa information; national and governmental identification information; drivers’ license information; passport information; banking details; military service information; religion information; birth date and birth place; gender; disability information; employee identification information; education, language(s) and special competencies; certification information; probation period and employment duration information; job or position title; business title; job type or code; business site; company, supervisory, cost center and region affiliation; work schedule and status (full-time or part-time, regular or temporary); compensation and related information (including pay type and information regarding raises and salary adjustments); payroll information; allowance, bonus, commission and stock plan information; leave of absence information; employment history; work experience information; information on internal project appointments; accomplishment information; training and development information; award information; membership information. 

Related person’s data: Name and contact information of dependents or beneficiaries (including home address; home and work telephone numbers; mobile telephone numbers); date of birth; gender; emergency contacts; beneficiary information; dependent information).