Guidelines for Data Sub-Processors
Introduction
This document outlines the data protection and security guidelines that all Data Sub-Processors ("Sub-Processors") must adhere to when contracted to process data on behalf of FORA ("The Company"). These guidelines are supplementary to the terms defined in the Data Processing Agreement ("DPA") signed between The Company and the Sub-Processor and aim to further clarify data protection obligations.
1. Compliance with Applicable Laws
Sub-Processors must comply with all laws and regulations applicable to the processing of personal data, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other jurisdiction-specific data protection laws.
2. Data Security
Encryption: All data in transit and at rest must be encrypted using industry-standard encryption algorithms.
Access Controls: Implement strong access control measures, including multi-factor authentication and role-based access, to ensure that only authorized personnel can access personal data.
Security Audits: Regular security audits must be conducted, and the reports should be made available to The Company upon request.
3. Data Minimization
Sub-Processors should only collect and process personal data that is necessary for the completion of their contractual obligations.
4. Transparency and Notification
Data Processing Records: Maintain accurate and up-to-date records of all data processing activities.
Incident Reporting: In the event of a data breach or other security incident, Sub-Processors are required to notify The Company immediately and, in any case, within the timelines stipulated in the DPA.
5. Sub-Contracting
No subcontracting of data processing activities is allowed without the explicit written consent of The Company.
6. Data Subject Rights
Sub-Processors must facilitate the fulfillment of data subject rights, such as the right to access, correct, or delete personal data, in a timely and efficient manner.
7. Data Retention and Deletion
Sub-Processors should not retain personal data longer than is necessary for the performance of the contracted services or as required by applicable law. Data must be securely deleted after the end of the contract or upon request by The Company.
8. Audits and Inspections
Sub-Processors must allow for and cooperate with audits and inspections conducted by The Company or a third-party auditor appointed by The Company.
9. Liability
Sub-Processors are liable for any data breaches or non-compliance with these guidelines or the DPA, and must indemnify The Company for any fines, penalties, or legal actions arising from such breaches.
This document is intended to serve as a guideline and does not replace or supersede the terms agreed upon in the Data Processing Agreement between The Company and the Sub-Processor. Always consult a legal advisor for compliance with specific laws and regulations.