Data Processing Addendum
Last Updated: May 13, 2024
This Data Processing Addendum (“DPA”) governs Cognition AI, Inc. (“Cognition”)’s processing of personal data or confidential information provided by Customer that Cognition processes on behalf of Customer (“Customer Data”) through Cognition’s enterprise services (“Services”) under the terms of certain agreement(s) between Customer and Cognition governing the Customer’s use of the Services (the “Agreement”), and is hereby incorporated into the Agreement. To the extent there is a conflict between the Agreement and this DPA, this DPA takes precedence unless the Agreement expressly overrides particular terms of this DPA.
Customer is the entity that determines the purposes and means for which Customer Data is processed (“Data Controller”), and Cognition processes Customer Data on the Data Controller’s behalf and in accordance with the Data Controller’s written instructions (“Data Processor”). The terms “Data Controller” and “Data Processor” shall have the same meaning as those similar concepts used in any applicable privacy, data security, and data protection laws and regulations (“Data Protection Laws”). Cognition and Customer each agree to comply with their respective obligations under Data Protection Laws.
1. Customer Data Processing Requirements. Cognition agrees to use Customer Data solely for the nature, purpose, and duration of the processing identified in the Agreement and in this DPA. For clarity, as Data Processor, Cognition will not sell or share Customer Data, nor will Cognition use, disclose, retain, or otherwise process Customer Data (i) for a purpose other than the specific purpose of providing the Services; (ii) outside of the direct business relationship between Cognition and Customer and the written instructions received from Customer; and (iii) in a manner inconsistent with applicable Data Protection Laws. The parties agree that any Customer Data exchanged between them in connection with the Agreement is not consideration from either party to the other with respect to the Agreement or otherwise. Where the Customer Data is subject to the California Privacy Rights Act of 2020 (“CCPA”), Cognition will not combine any Customer Data with any personal data or personal information as defined under applicable Data Protection Laws (“Personal Data”) that Cognition receives from or on behalf of another party, or collects from its own interactions with individuals, except as otherwise permitted under the CCPA. The foregoing sentence does not apply to Customer Data that has been anonymized, aggregated, or de-identified to the extent the Agreement permits or instructs Cognition to process or use Customer Data that is anonymized, aggregated, or de-identified. 
In such cases, Cognition will (i) adopt reasonable measures to prevent such de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) not make attempts to re-identify the information, except solely for the purpose of determining whether its de-identification process functions as designed; and (iii) before sharing de-identified data with any other party, contractually obligate such recipients to comply with the requirements of this provision.
2. Subprocessors. Cognition may disclose Customer Data to Cognition’s sub-processors as necessary to deliver the Services or to help satisfy its obligations in accordance with this DPA (“Subprocessor”), and Customer hereby consents to the use of such Subprocessors. Cognition will enter into contractual arrangements with each Subprocessor binding them to provide a comparable level of data protection to that provided for in the Agreement and this DPA. Cognition agrees to be liable for the acts and omissions of its Subprocessors to the same extent Cognition would be liable under the terms of the DPA if it performed such acts or omissions itself, subject to the limitations of liabilities set forth in the Agreement. Upon Customer’s request, Cognition will provide Customer with a list of Cognition’s Subprocessors. Cognition will provide notification of a change regarding Subprocessors with at least fifteen (15) days prior notice before authorizing any new Subprocessors to process Customer Data. Customer may notify Cognition that Customer does not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by emailing privacy@. In such case, Cognition will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing by the objected-to, new Subprocessor without unreasonable burden to Customer. If Cognition is unable to make such a change within a reasonable amount of time, which shall not exceed sixty (60) days, Customer may terminate any applicable Agreements, order forms, or usage with respect only to those Services which cannot be provided by Cognition without the use of the objected-to, new Subprocessor, by providing written notice to Cognition. 
Cognition will refund to Customer any prepaid fees covering the remainder of the term of such Agreements, order forms or usage following the effective date of termination of the applicable Services. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
3. Notifications to Customer. Cognition will inform Customer if Cognition determines that an instruction from Customer violates any applicable Data Protection Laws and/or if Cognition can no longer meet its obligations under this DPA. If Cognition is required by Data Protection Laws to process any Customer Data for reasons outside of the Agreement, Cognition will inform Customer in advance of any such processing, unless prohibited by law. Cognition will provide Customer prompt notice if Cognition becomes aware of a legally required request for disclosure of Customer Data to law enforcement authorities, unless prohibited by law.
4. Data Subject Rights. If Customer’s data subjects submit a complaint or request with respect to access to or the rectification, erasure, restriction, portability, objection, blocking, or deletion of Customer Data directly to Cognition, Cognition will inform the Customer and will not respond to such a request without Customer’s prior written authorization. Cognition will provide reasonable assistance to Customer to provide information necessary to respond to such requests.
5. Security and Breach Prevention. Cognition will maintain reasonable and appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data, and protect the rights of the Customer Data subjects. Appropriate safeguards will be taken to confirm that Cognition personnel are protecting the security, privacy, and confidentiality of Customer Data consistent with the requirements of this DPA, and require that persons employed by Cognition and other persons engaged to perform on its behalf to be subject to a duty of confidentiality with respect to the Customer Data and to comply with the data protection obligations applicable to Cognition under the Agreement and this DPA. Cognition will inform Customer without undue delay if Cognition becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by Cognition for Customer (“Data Breach Incident”) by Cognition, its Subprocessors, or any other third parties acting on Cognition’s behalf. Cognition will provide reasonable assistance to Customer for investigation of any Data Breach Incident.
6. Customer Assistance, Audits, and Assessments. Cognition will cooperate with assessments or audits performed by or on behalf of Customer to confirm that Cognition is processing Customer Data in a manner consistent with this DPA and Data Privacy Laws (“Audits”) on the condition that: (i) the Audit is required by law; (ii) where permitted by law, Cognition may first provide a summary of the results of a third-party audit or certification report (“Third-Party Certification”) to demonstrate compliance; (iii) the Audit occurs if such Third-Party Certification is not sufficient to demonstrate Cognition’s compliance with the obligations set out in this DPA and Data Privacy Laws; (iv) Cognition is given at least 30 days advance written notice of the Audit; (v) the parties mutually agree upon the scope, time, and duration of the Audit; (vi) the Audit is at the Customer’s sole expense; and (vii) the Audit is conducted in a manner that is minimally disruptive to Cognition’s business. The results of such Audits and any Third-Party Certifications provided to Customer shall be the Confidential Information of Cognition. Where required by law, Cognition grants Customer the right to stop and remediate unauthorized use of Customer Data. Cognition will provide commercially reasonable assistance to Customer for the preparation of data protection impact assessments with respect to the processing of Customer Data by Cognition, and where necessary, provide consultations with any supervisory authority with jurisdiction over such processing.
7. Customer Obligations. Customer represents and warrants that it has and will maintain throughout the term all necessary rights, consents, and authorizations to provide Customer Data to Cognition, and that it shall only transfer Customer Data to Cognition using secure, reasonable and appropriate mechanisms to the extent these mechanisms are within Customer’s control. Customer authorizes Cognition to use, disclose, retain, and otherwise process Customer Data as contemplated by the Agreement, this DPA, and/or other processing instructions provided by Customer to Cognition. Customer acknowledges and agrees that Customer, not Cognition, is responsible for certain design and configuration decisions related to the Services, and the secure implementation of these decisions that complies with applicable Data Protection Laws.
8. International Transfers. Cognition will process Customer Data only on documented instructions from Customer, including transfers to a third country or an international organization, unless required to do so by applicable Data Protection Laws. Where Customer Data that originates in the European Economic Area is transferred to a country outside of Europe that is not subject to an adequacy decision, Cognition will do so in accordance with the standard contractual clauses adopted by the EU Commission on June 4, 2021 (“SCC”) which are hereby incorporated into this DPA by reference and deemed entered into and completed as follows: (i) Module 2 (Controller to Processor) of the SCCs apply when Customer is a controller and Cognition is processing Customer Data as a processor; (ii) Module 3 (Processor to Processor) of the SCCs apply when the Customer is a processor and Cognition is processing Customer Data as a subprocessor. For each of these modules, the following applies: (a) Clause 7 (Docking Clause) does not apply; (b) In Clause 9(a), Option 2 (General Written Authorization) is selected, and the minimum time period for prior notice shall be as set forth in Section 2 of this DPA; (c) the optional language in Clause 11 (Redress) does not apply; (d) the square brackets (“[” and “]”) in Clause 13 (Supervision) are hereby removed; (e) In Clause 17 (Governing Law), Option 1 is selected, and the parties agree that the SCCs will be governed by the law of the EU member state in which the data exporter is located; (f) in Clause 18 (Choice of Forum and Jurisdiction), the parties agree that any disputes arising from the SCCs shall be resolved by the courts of the EU member state in which the data exporter is located. The information required in Annex I and II of the SCCs are included in Appendix A and B of this DPA.
Customer Data that originates from Switzerland and is transferred to a country outside of Switzerland that is not subject to an adequacy decision shall be processed in accordance with the SCCs, with the following changes: (I) the term “EU member state” must not be interpreted to exclude data subjects from bringing legal proceedings before the courts in their place of habitual residence of Switzerland in accordance with Clause 18(c); and (II) the Swiss Federal Data Protection and Information Commissioner shall act as the competent supervisory authority insofar as the relevant data transfer is governed by the Swiss Federal Act on Data Protection. For Customer Data transfers originating from the United Kingdom and to a country outside of the United Kingdom that is not subject to an adequacy decision, the parties will comply with the terms of the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on February 2, 2022, as revised under Section 18 of the Mandatory Clauses (“UK Addendum”). The information required for Part One of the UK Addendum is set out in Appendix A of this DPA, as applicable. For the purposes of Table 4 of Part One of the UK Addendum, either party may end the UK Addendum when it changes.
9. Term and Termination. This DPA will remain in effect for as long as Cognition is processing Customer Data on Customer’s behalf, or until the termination of the Agreement, and all Customer Data has been returned or deleted in accordance with this DPA. Upon termination of this DPA, Cognition will direct each Subprocessor to delete Customer Data within thirty (30) days of the termination, unless prohibited by law.
APPENDIX A: COGNITION AI DPA
SCC ANNEX I
-
LIST OF PARTIES
Data Exporter(s): Customer
Role: For the purposes of SCC Module 2, Customer is a controller. For the purposes of SCC Module 3, Customer is a processor.
Data Importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection.
Company Name: Cognition AI, Inc.
Address: 5 Union Square W, New York, NY 10003
Contact person’s name, position, and contact details: Salima Ghadimi, Operations, privacy@cognition.ai
Activities relevant to the data transferred under these Clauses: Performance of the Services pursuant to the Agreement.
Signature and date:
Role: Processor
-
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data exporter’s users.
Categories of personal data transferred
Name, contact information, usernames, demographic information, and other information provided by users.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is intended to be transferred, unless a user voluntarily and unexpectedly submits it.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous.
Nature of the processing
The performance of the Services as described in the Agreement.
Purpose(s) of the data transfer and further processing
The performance of the Services as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the term of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The performance of the Services as described in the Agreement.
-
COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data protection authority of the EU member state in which the data exporter is located.
APPENDIX B: COGNITION AI DPA
SCC ANNEX II
-
TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Cognition has put in place technical and organizational security measures to protect Customer Data:
Authentication and Authorization Controls. Cognition maintains best practices for authenticating and authorizing employee permissioning and service access:
- Cognition uses single sign-on (SSO) to authenticate to third-party services. Role Based Access Controls (RBAC) are used when provisioning internal access to the Services via Okta;
- Multi-factor authentication is used by employees;
- Review and approval processes for any access requests to services storing Customer Data;
- Established procedures for promptly revoking access rights upon employee separation;
- Use of a third-party identity access management service to manage Customer identity (SSO);
- Separation of Customer Data by organization account.
Security. Cognition maintains best practices for securing and operating its cloud infrastructure, including the following measures:
- Separate production and non-production environments;
- Primary backend resources are deployed behind a VPN;
- All employees are issued company devices and prohibited from using personal devices;
- All devices are provisioned via MDM, and devices are protected in the event of physical loss;
- Keys for cryptographic protection are securely managed and stored in AWS KMS;
- Services logs are monitored for security and availability;
- Cognition maintains the following policies and standards: (1) information security policy; (2) computer and network security policy; (3) access control policy; (4) asset management policy; (5) incident management response policy;
- Cognition obtained SOC 2 Type I certification on April 2, 2024.
Data Controls. Cognition maintains best practices to prevent the unauthorized reading, modification or disclosure of data at rest and during transfer:
- All data transmission is encrypted in transit and at rest;
- Production software is routinely monitored via logging, error handling and monitoring dashboards of live metrics. Unusual application states (i.e. unusually high error rates, slowness, failures) trigger alerts which are promptly investigated;
- Employee access to the Services follows the principle of least privilege, such that only employees with the relevant roles have access to the Services environment;
- Customer Data submitted to the Services is only used in accordance with the terms of the DPA, Agreement, and any other applicable contractual agreements in place with Customer.
Personnel. Cognition ensures all personnel are vetted and trained with respect to security practices.
- Cognition requires all personnel to complete security training at least annually;
- All employees are run through background checks.