Data Processing Addendum

This DATA PROCESSING ADDENDUM (“Addendum” or “DPA”) is incorporated into the Motus Master Services Agreement, Motus SaaS Agreement, Everlance SaaS Services Agreement, and/or Order Forms (the “Agreement”) between Motus Operations, LLC (“Service Provider”) and Client (“Controller”).  By using Motus Services, Client agrees to the terms of the DPA.  The defined terms in the Agreement control unless a specific definition is contained within this DPA.

1. Definitions

1.1 “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a specific individual pursuant to Data Protection Law(s).

1.2 “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, pursuant to Data Protection Law(s), which may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3 “Data Breach” means a breach of security resulting in the unauthorized acquisition of, or access to, Personal Information, as defined by a Data Protection Law governing the processing of the impacted data.

1.4 “Data Protection Law(s)” means the laws and regulations regarding Personal Information and/or data security applicable to Motus and Client Data in connection with Motus’s provision of Services under the Agreement, including the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act; the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190); the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022); the Utah Consumer Privacy Act, Utah Code Ann. Sec. 13-61-101 et seq.; the Virginia Consumer Data Protection Act, Va. Code Ann. Sec. 59.1-575 et seq. (SB 1391); and the Canadian Personal Information Protection and Electronic Documents Act.

1.5 “Processing Services” means any and all Services provided by Service Provider under the Agreement that involve Processing of Personal Information pursuant to Data Protection Law(s).

2. General Obligations

2.1 The Parties acknowledge and agree that Service Provider is a “service provider,” as that term is defined under the California Consumer Privacy Act (“CCPA”).

2.2 Service Provider shall inform Controller without undue delay: (i) if it cannot comply with any material term of this DPA regarding the Processing Services. If this occurs, Service Provider shall use reasonable efforts to remedy the non-compliance. In the event of non-compliance, Controller may elect to suspend the communication of Personal Information and/or require Service Provider to cease further Processing of Personal Information; (ii) of any request for access to any Client Personal Information received by Service Provider from any government official (including any data protection agency or law enforcement agency), prior to any disclosure.

2.3 Controller represents and warrants that Controller has obtained any consent required by law to enable Service Provider to lawfully process Personal Information on Controller’s behalf and otherwise provide the Services under the Agreement.

2.4 Service Provider shall provide a clear and conspicuous privacy notice to Users of the Services in compliance with applicable Data Protection Laws.

2.5 Service Provider shall not transfer the Personal Information across any national borders or permit remote access to the Personal Information from any employee, affiliate, contractor, or other third party outside of the country unless Service Provider has first entered into a written confidentiality agreement with such employee, affiliate, contractor, or other third party. Such agreement must be consistent with the confidentiality and security obligations undertaken by the Service Provider in this Agreement.  Service Provider shall be liable to Controller for such employee, affiliate, contractor, or other third party’s acts or omissions pursuant to the Agreement.

2.6 Service Provider shall cooperate with Controller in responding to inquiries (including but not limited to verifiable User requests under the CCPA), claims and complaints regarding the Processing of the Personal Information.

2.7 Service Provider’s Processing shall comply with Data Protection Laws.

3. Rights of Data Subjects

3.1 The Service Provider shall, without undue delay, instruct any User seeking to exercise any rights under any Data Protection Law (including but not limited to the CCPA) to redirect such request(s) to Controller. The Service Provider will provide commercially reasonable support to Controller where required for Controller’s processing of such inquiries or requests. Controller is solely responsible for taking measures to identify the User the inquiry or request is relating to, including for the avoidance of doubt requesting further information from the data subject.

4. Information Security Requirements

4.1 Service Provider has implemented and documented appropriate operational, technical and organizational measures designed to protect Personal Information against accidental or unlawful destruction, alteration, unauthorized disclosure or access, as set forth in Exhibit A.

4.2 If the Processing involves the transmission of Personal Information over a network, Service Provider shall have implemented appropriate supplementary measures designed to protect the Personal Information against the specific risks presented by the Processing.

4.3 Service Provider shall provide Controller with information about the Service Provider’s information security program as well as overall compliance with the obligations set forth in this Agreement by providing industry standard security questionnaire data and/or providing a copy of its annual SOC 2 Type II report upon request.

4.4 Service Provider will promptly and thoroughly investigate any Personal Information Breaches. Service Provider will notify Controller in compliance with applicable Data Protection Law, upon discovery of any Personal Information Breach. Service Provider will promptly mitigate such Personal Information Breach and reasonably cooperate with Controller by providing a report and/or details requested by Controller.

4.6 Service Provider shall carry appropriate insurance to address the risks from its Processing of the Personal Information.

4.7 The parties acknowledge that risks and data security laws, rules and regulations change over time and consequently, a data privacy and security program must evolve.  As such, Service Provider may from time to time modify its policies and practices described in this DPA and Exhibit A, provided that any revisions to such practices shall not be any less protective of Client Personal Information than the policies and practices described herein.

EXHIBIT A: MOTUS TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

A. ANNUAL EVIDENCE OF COMPLIANCE

1. Third Party Security Audit. Motus shall be audited annually against the SOC 2 Type II standard, at Motus’s expense. The audit shall be completed by an independent third party. Upon Client’s written request, Motus will provide a copy of the resulting annual audit report. Although that report provides an independently audited confirmation of Motus’s security posture annually, the most common points of interest are further detailed below.

2. Executive Summary of Web Application Penetration Test. Motus shall continue to annually engage an independent, third party to perform a web application penetration test. Upon Client’s written request, Motus shall provide the executive summary of the report to Client.  Motus shall address all vulnerabilities in the findings of the report within a reasonable, risk-based timeframe.

B. SECURITY

1. Process-Level Requirements.

  • Motus shall implement user termination controls that include access removal/disablement promptly upon termination of staff.
  • Documented change control process will be used to record and approve all major releases in Motus’s environment.
  • Motus shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.
  • Motus shall provide, and require completion of, annual Security Awareness training to all employees.

2. Network Requirements.

  • Motus shall use firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Client Data.
  • Motus shall ensure that vulnerability scans are completed at minimum quarterly using an industry standard vulnerability scanning tool. All cloud hosted systems shall be scanned, where applicable and where approved by the cloud service provider. Findings shall be addressed within a reasonable, risk-based timeframe.

3. Hosting Requirements.

  • Where Motus handles Client Data, servers shall be protected from unauthorized access with appropriate physical security mechanisms.  These physical security mechanisms may be provided by data center partners such as, but not limited to, AWS, Salesforce, and Microsoft.
  • Two-factor or two-step authentication is required for any network interface which:
    1. Allows access to stored Client Content,
    2. Only receives interactive login.
  • Motus will logically segregate all Client Data in accordance with its established procedures.

4. Application-Level Requirements.

  • Motus shall maintain documentation on overall application architecture, process flows, and security features for applications handling Client Data.
  • Motus shall employ secure programming techniques and protocols in the development of applications handling Client Data.
  • Motus shall employ scanning tools or other techniques to identify application vulnerabilities prior to all major releases.

5. Data-Level Requirements.

  • Encryption and hashing protocols used for Client Data in transit and at rest shall support NIST approved encryption standards (e.g. TLS 1.2 or higher).
  • Motus shall ensure laptop disk encryption.
  • Motus shall ensure that access to information and application system functions is restricted to authorized personnel only.
  • Client Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems.
  • Motus shall have a process in place to properly delete Client Data.

6. End User Computing Level Requirements.

  • Motus shall employ an endpoint security solution for laptops used to handle Client Data.
  • Motus will have a policy and controls to prohibit the use of removable media for storing or carrying Client Data.

7. Compliance Requirements.

  • Motus shall adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to building access control and employee security awareness education.
  • Motus will, when and to the extent legally permissible, perform criminal background verification checks on all of its employees that assist in the delivery of Services to Client prior to obtaining access to Client Data.  Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.
  • Motus will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.

8. Shared Responsibility.

  • The Motus Services require a shared responsibility model. For example, Client must maintain controls over Client User accounts (such as disabling/removing access when a Client employee is terminated, establishing password requirements for Client Users, etc.).