December 2023 Version
This Data Processing Agreement, along with its Appendices (collectively referred to as the "DPA"), represents the mutual understanding between the involved parties regarding the processing of Personal Data. This processing will be carried out by Sodexo Operations, LLC, or its affiliates in the United States or Canada, (“Sodexo”) acting on behalf of a customer organization (“Customer”). It applies in the context of any service agreements established between the parties (hereinafter each referred to as an "Agreement").
The provisions set forth below apply where Sodexo (“Provider”) processes Personal Data of Customer for the purposes of performing the services, or in connection with the provision of the services, under the Agreement.
Definitions
Controller: any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data that may be performed as part of the Master Agreement. Unless otherwise specified, Customer is Controller.
Customer Data Protection Contact Email: To be specified in Agreement.
Data Protection Regulation(s): This means all applicable laws and regulations relating to the processing, protection or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This may include the GDPR, and all additional regulations and rules in force in the relevant Member State(s) of the European Union applicable to the Processing.
Data Subject: any identified or identifiable natural person from whom Personal Data is collected. This definition may be expanded based on local Data Protection Regulation requirements (e.g. the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and related regulations or guidance provided by the California Attorney General (collectively “CCPA”) definition, including that of the household). The categories of Data Subjects concerned by the Processing are mentioned in Annex A of this DPA.
General Data Protection Regulation or GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC. GDPR applies to Controller Personal Data of the Master Agreement when Customer specifically intended to draw European Economic Area (EEA) Data Subjects as customers.
Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data will also include, as applicable Data Protection Regulation requires, the data under the defined terms of personal information, personally identifiable information, credit card information, or patient health information. The type(s) of Personal Data processed by Processor is specified in Annex A of this DPA.
Personal Data Breach or Breach: any suspected or actual security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data transmitted, stored, or otherwise Processed.
Processing or Processed: every operation or set of operations which is performed with regard to Personal Data, including without limitation the collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combining, linking to other data, blocking, erasure or destruction of Controller Personal Data. Processing includes the purposes and operations mentioned in Annex A of this DPA.
Processor: the person or body which processes or sub-processes Personal Data under the instructions of Customer or any other relevant Controller(s). Processor for the purposes of this DPA is Provider. Provider and/or its Affiliates is (are) Processor(s). Processor is also to be a Service Provider as defined under the CCPA.
Provider Data Protection Contact Email: Provider’s data protection contact email shall be privacy.noram@sodexo.com.
Service: the product or service provided by the Provider as part of the Master Agreement.
Standard Contractual Clauses - SCC: means the Standard Contractual Clauses for the transfer of Personal Data between Controllers and Processors as set out in the Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN as may be amended from time to time.
Subprocessor: any natural or legal person engaged by Processor only for the performance of the Processing under the Services and as specifically authorized in advance in writing by Controller.
Third Party(/ies): any company or entity other than Customer, Provider or an affiliate and other than Processor, Data Subject and Controller and persons who, under the direct authority of Controller or Processor are authorized to process Personal Data.
Third-Party Country: any country, territory or specified sector within that country, outside of the Personal Data country of origin.
Compliance with Data Protection Regulation
(a) Each party warrants to the other that it shall comply at all times with their respective obligations under the applicable Data Protection Regulation in disclosing Personal Data to the other party, and in the performance of its obligations under this DPA.
(b) Each party shall comply with its obligations as set out in the Data Protection Regulation. In the unlikely event that Provider does act as Controller in relation to any of the Personal Data Processed for the Services, Customer shall do so in compliance with the Data Protection Regulation.
(c) If there is any conflict between this DPA and the Master Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Controller Personal Data. Notwithstanding the foregoing, and solely to the extent applicable to any Controller Personal Data comprised of patient, medical or other protected health information regulated by HIPAA or any similar U.S. federal or state health care laws, rules or regulations (“HIPAA Data”), if there is any conflict between this DPA and a Business Associates Agreement between Customer and Provider (“BAA”), then the BAA shall prevail solely with respect to such HIPAA Data.
Obligations of Provider
Provider shall:
(a) comply with the Data Protection Regulation in relation to its performance of the Processing, in such a way as to not expose Customer to any violation of the Data Protection Regulation;
(b) process Customer Personal Data as a Processor on behalf of and only in accordance with the written instructions of Controller (and only for the purposes of performing the services and determined by Controller, as documented in Annex A “Description of the Processing");
(c) promptly inform Customer if Provider cannot comply, for whatever reason, with the foregoing, in which case Customer reserves the right to immediately and automatically suspend any Processing and/or terminate the Master Agreement;
(d) not modify, amend or alter the contents of the Personal Data unless Provider has the prior written consent of Customer;
(e) upon Customer’s request, assist Customer in the fulfilment of Customer’s obligations to provide Data Subjects with the required information, to respond to requests and complaints made by the Data Subjects, to put in place appropriate security measures, to notify Personal Data Breach to the supervisory authority and/or to Data Subjects if required, and to carry out a data protection impact assessment or to prior consult the supervisory authority where required;
(f) maintain a record of all categories of Processing activities carried out on behalf of Customer in the performance of the Services;
(g) promptly notify Customer Data Protection Contact Email if Provider receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the processing, Provider shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Legislation. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Provider shall, upon Customer's request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Provider is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Legislation;
(h) promptly inform Customer Data Protection Contact Email if it receives any correspondence or request for information from a supervisory authority in relation to Customer Personal Data to which this DPA relates; Provider shall provide such reasonable assistance to the Data Subject in order to respond to such supervisory authority; and provide assistance and co-operation by supporting Customer to carry out any required risk assessments and audits of Provider's Data Processing operations; and
(i) delete or return all Customer Personal Data and any copies thereof which it is processing, has processed or has had processed on behalf of Customer, in a format agreed upon with Customer, after the end of the performance of the Services at the choice of Customer, and delete existing copies unless the applicable local law requires storage of the Personal Data. Deletion of data shall be performed in a manner that is at a minimum compliant with Data Protection Regulation requirements.
Security and Confidentiality Measures
(a) Provider shall take and implement the appropriate, relevant industry standard, technical and organizational security and confidentiality measures (examples include applicable ISO or SSAE standard industry certifications) to ensure the security and confidentiality of Customer Personal Data, and regularly update them, to ensure a level of security appropriate to the risk related to the Processing of the Personal Data, to protect such data from any unauthorized or unlawful Processing, accidental loss, alteration, destruction or damage, as may be required or directed by Customer from time to time. Required protections include, but are not limited to, the following:
- i. Physical Access Controls - Provider shall take relevant industry standard measures to prevent physical access to Personal Data, such as security personnel and secured buildings; prevent unauthorized persons from gaining access to Personal Data, and/or ensure that the third party data centers it uses to provide the services are adhering to similar controls.
- ii. Data Access Controls - Provider shall take relevant industry standard measures to ensure that Personal Data is accessible only by its properly authorized personnel; Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing; and direct database query access is restricted and application access rights are established and enforced to ensure that the personnel entitled to use a data processing system only have access to the Personal Data to which they have privilege of access.
- iii. System Access Controls - Provider shall take relevant industry standard measures to prevent Personal Data from being used without authorization. These measures may vary based on the nature of the Processing undertaken and may include authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
- iv. Input Controls - Provider shall take relevant industry standard measures to ensure that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed.
- v. Transmission Controls - Provider shall take relevant industry standard measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof.
- vi. Logical Separation - Provider shall logically segregate Personal Data from different company customer environments on Provider's systems so Personal Data that is collected for different purposes may be separately processed.
- vii. Data Backup - Provider shall back-up the databases used to provide the services on a regular basis, and ensure that such databases are secured, tokenized and/or encrypted so that Personal Data is protected against accidental loss or destruction when hosted by Provider.
These obligations must at a minimum comply with Article 32 of the GDPR.
(b) Provider shall implement awareness programs on Personal Data protection and confidentiality.
- i. During the term of the Master Agreement, Provider shall implement and maintain an up to date training and awareness program regarding Personal Data security for its employees and Subprocessors who may have access to Personal Data. Provider shall ensure persons authorized to process Personal Data are properly trained in the Processing of Personal Data and only have access to the Personal Data on a need-to-know basis subject to an obligation of confidentiality. Provider shall also take steps to ensure that the authorized persons do not Process Personal Data except on instructions from Customer, unless Provider is required to do so by local law.
- ii. Provider shall require that any authorized persons entrusted with Processing Personal Data hereunder have undertaken to comply with the principle of confidentiality and have been duly instructed about the Data Protection Regulation.
Credit Card Information
Where Personal Data includes credit card information, Provider must validate Payment Card Industry Data Security Standard (“PCI DSS”) compliance in accordance with guidelines set forth by Provider’s acquiring bank, and Provider shall subject its point-of-sale network to quarterly vulnerability scans as applicable.
Sub-processors
(a) Provider shall not disclose or permit the disclosure of Personal Data to any Third Party, and/or shall not subcontract whole or part of the Processing to any Third Party, unless Provider has the prior written consent of Customer or as required by Data Protection Regulation.
(b) Sub-Processing
Accordingly, Customer provides a general authorization to Provider to engage onward subcontractors that are involved in processing of Personal Data or sub-processing Personal Data in connection with the provision of the Services (“Sub-processors”), subject to compliance with the requirements in the Data Protection Regulation, to all Sub-processors being bound by contractual terms no less onerous than those contained in this DPA, and to Provider properly vetting Sub-processors for such compliance. The parties agree that the copies of the Sub-processor agreements that must be provided by Provider to Customer may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent and the data protection clauses, removed by Provider beforehand, and that such copies will be provided by Provider, in a manner to be determined in its discretion, only upon written request by Customer.
The general authorization may be revoked in specific instances where Customer believes that a Sub-processor selected by Provider is objectionable, where such objection is reasonable. Provider must then cease the Sub-processor’s processing of Customer’s data until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken to remediate the reasons for objection.
(c) Sub-processor List
Provider will:
- i. upon written request by Customer, make available to Customer a list of all Sub-processors, if any, together with a description of the nature of services provided by each Sub-processor (“Sub-processor List”); and
- ii. be liable for the acts and omissions of its Sub-processors to the same extent Provider would be liable if performing the services of each of those Sub-processors directly under the terms of this DPA, except as otherwise set forth in this DPA.
International Personal Data transfers
(a) This Section 7 shall apply (i) where Customer is an EU Controller, or (ii) where Customer, even if not established in the European Union, where Provider is established in the European Union, or where goods or services are offered to Data Subjects in the European Union, or where the behavior of such Data Subjects is monitored to the extent such behavior takes place within the European Union.
(b) Provider will process Personal Data in any Third-Party Country and/or have Personal Data processed in any Third-Party Country (including a Sub-processor), including for onward transfers of Personal Data from a Third-Party Country to another Third-Party Country, only where Provider has in place the required legal protections. Provider shall:
- i. execute, with Customer, the SCCs or any agreement applicable according to the Data Protection Regulation;
- ii. only process or transfer Personal Data in or, in the case of transfer, to, any country or territory outside the country where Customer is established or the EEA if and for so long the SCCs apply or the relevant international transfers are covered by an adequacy decision (article 45 of the GDPR), or an alternative appropriate safeguard (article 46 of the GDPR);
- iii. implement alternative means to the SCC in order to ensure an adequate level of protection of Personal Data for the purpose of the Data Protection Regulation; and
- iv. warrant that any duly authorised Subprocessor processing Personal Data in any Third-Party Country shall comply with the same obligations as set forth in this clause.
(c) The applicable SCCs are hereby incorporated into the DP Agreement in their entirety (as amended by Annex B) and Customer and Provider shall comply with the applicable SCCs as follows:
- i. Module 1 EU SCC shall apply to all transfers of Personal Data from a Party acting as a Controller in the EU or the EEA to a Party acting as a Controller in a Third-Party Country.
- ii. Module 2 EU SCC shall apply to all transfers of Personal Data from a Party acting as a Controller in the EU or the EEA to a Party acting as a Processor in a Third-Party Country.
- iii. Module 3 EU SCC shall apply to all transfers of Personal Data from a Party acting as a Processor in the EU or the EEA to a Party acting as a Processor in a Third-Party Country.
- iv. Module 4 EU SCC shall apply to all transfers of Personal Data from a Party acting as a Processor in the EU or the EEA to a Party acting as a Controller in a Third-Party Country.
Personal Data Breach
(a) In the event of a Personal Data Breach arising during the performance of the services by Provider, Provider shall, at its own cost:
- i. notify Customer Data Protection Contact Email about the Personal Data Breach without undue delay after becoming aware of it and, where possible, provide information on:
- A. the nature of the Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- B. the name and contact details of the data protection officer or other point of contact where more information can be obtained;
- C. the likely consequences of the Breach, including if Customer systems are possibly impacted; and
- D. the measures taken or proposed to be taken to address the Breach including, where appropriate, measures to mitigate its possible adverse effects.
- ii. after investigating the causes of such a Personal Data Breach, take actions as may be necessary or reasonably expected by Customer to minimize the effects of any Breach;
- iii. take all actions as may be required by Data Protection Regulation and, more generally, provide Customer with reasonable assistance in relation to Customer’s obligations to notify the supervisory authority and the Data Subjects, as the case may be, of the Breach;
- iv. maintain a record of all information relating to the Breach, including the results of its own investigations and authorities’ investigations; and
- v. cooperate with Customer and take all measures as necessary to prevent future Breaches from occurring again.
(b) In the event that it is determined in a forensic audit conducted by an independent third party engaged by Customer that a Breach is due solely or in part to Provider’s failure to comply with applicable data protection standards, regulations, this Amendment, or laws, then Provider shall reimburse Customer for all reasonable costs and expenses, apportioned based on degree of fault as assigned by the audit. This reimbursement of all costs and expenses may include, but not be limited to, all fees due to such qualified, independent third party for such forensic audit, all fees and fines associated with the Breach (including notification costs), and any costs associated with a one-year contract for credit monitoring services if Customer decides to offer such monitoring as a result of the Breach.
Evidence and Audit Rights
(a) Provider shall provide, upon request of Customer, all information necessary to demonstrate compliance with the obligations laid down in this DPA.
(b) Provider shall promptly provide to Customer, upon request, all information reasonably necessary to demonstrate its compliance with this DPA and the Data Protection Regulation. In addition, during normal hours of business and with reasonable prior notice to Provider, Customer or its designated third party may audit Provider’s processing and maintenance of Personal Data and compliance with this DPA and: (i) once annually; (ii) any time a Breach has occurred; and (iii) if Customer, in its sole discretion, reasonably believes that a Breach has occurred or Provider is not in compliance with this DPA. Such audit procedures may occur through: (i) conversations with Provider personnel responsible for compliance with the applicable terms of this DPA, who shall be made available by Provider for such purpose; and (ii) other customary audit procedures, and a review of any security policies. Provider shall, and shall ensure any Sub-processors, assist and cooperate in the performance of such audit procedures.
(c) Where Personal Data includes credit card information, Provider must validate PCI DSS compliance in accordance with guidelines set forth by Customer’s acquiring bank, and Provider shall subject its point of sale network to quarterly vulnerability scans as applicable.
Processing of Personal Data of Provider
In the event that Customer Processes Provider Personal Data that is collected in connection with the performance of the services:
(a) Provider Personal Data will be Processed for purposes of contractual relationship management with Provider, risk management purposes and data analytics purposes.
(b) Customer shall grant rights of access, rectification, limitation, erasure, and opposition on legitimate grounds in relation to Provider Personal Data that can be exercised by sending an email to Provider Data Protection Contact Email.
(c) Customer shall grant the right to data portability.
(d) Provider Personal Data will be Processed in accordance with the Data Protection Regulation and the corresponding obligations as stated above for Provider.
Appendix A – Description of the Processing
Duration Of The Personal Data Processing: Provider will process Personal Data throughout the duration of the contracted services provided to Customer.
Nature And Purpose: For the purpose of fulfilling the food, facilities management, or other related services as detailed under the Master Agreement or applicable SOWs.
Types Of Personal Data Processed:
- Identifiers, such as a full name, job title, online identifier, account name, address, birth date and personal or professional email address.
- Credit card, debit number, or other related financial information (where point of sale systems or online ordering is used).
- Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
- Food preference or allergen information.
- For University or school sites only: education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Categories Of Data Subjects: Customer customers, visitors of Customer locations, Customer employees
Appendix B – Standard Contractual Clauses
- Modules applicable
For transfers of Personal Data from the EEA, Switzerland and/or UK that are subject to Section 7 of this DPA, the applicable EU SCCs are hereby incorporated into this Agreement in their entirety (as amended below, in clause 3 of this Annex) and Customer, Supplier and its Subprocessors shall comply with the applicable SCCs as follows:
a. Module 2 EU SCCs shall apply to all transfers of Personal Data from Customer acting as a Controller and Data Exporter in the EU or the EEA to Supplier acting as a Processor and Data Importer in a Third-Party Country.
b. Module 3 EU SCCs shall apply to all transfers of Personal Data from Supplier acting as a Processor and Data Exporter in the EU or the EEA to its Subprocessor acting as a Processor and Data Importer in a Third-Party Country.
- Hierarchy
For the avoidance of doubt, the Parties agree that the terms of this Annex are not intended to amend or modify the Standard Contractual Clauses.
In the event of any conflict between the terms of this DPA and the provisions of the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- EU SCCs
In accordance with Clause 1 of this Appendix, the EU SCCs shall apply as follows:
a. In Clause 7, the optional docking clause shall not apply;
b. In Clause 9, option 2 shall apply in accordance with Section 6 of the DPA. The list of sub-processors already authorised by Customer can be found in Section 6 of this DPA;
c. The option under Clause 11(a) shall apply;
d. In Clause 13, the supervisory authority with responsibility for ensuring compliance by the data exporter shall be one of the following:
- i. Where the data exporter is established within an EU member state, the supervisory authority of that EU member state, OR
- ii. Where the data exporter is subject to GDPR pursuant to Article 3(2) of the GDPR and has appointed a representative in France, the supervisory authority of that EU member state, OR
- iii. Where the data exporter is subject to GDPR pursuant to Article 3(2) GDPR but has not appointed a representative in an EU member state, the supervisory authority of the EU member state where the relevant data subjects are located.
e. In Clause 17, option 2 shall apply. The SCCs shall be governed by the laws of France, if the law of the data exporter does not allow for third-party beneficiary rights;
f. In Clause 18, the courts of the EU Member State where the data exporter is established shall have jurisdiction in relation to the SCCs. If the data exporter is not established in an EU Member State, the Courts of France shall have jurisdiction;
g. Annex I.A (List of Parties) shall be deemed to be completed with the information specified at the beginning of this DPA regarding the information of the Customer and the Supplier;
h. Annex I.B (Description of Transfer) shall be deemed to be completed with the information specified in Appendix 1 of this DPA;
i. Annex II (Technical and organisational measures) shall be deemed to be completed with the information specified in Section 4 of this DPA.
- Switzerland
For transfers of Personal Data from Switzerland that are subject to Clause 7.3 of this DPA, the EU SCCs, completed as set out in clause 3 of this Appendix, shall apply to transfers of such Personal Data, except:
a. the competent supervisory authority in respect of such Personal Data shall be the Swiss Federal Data Protection and Information Commissioner;
b. in Clause 17, the governing law shall be the laws of Switzerland;
c. references to “Member State(s)” in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and
d. references to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the EU SCCs shall be understood to be references to the Swiss Federal Act on Data Protection (as amended or replaced).
- United Kingdom
For transfers of Personal Data from the United Kingdom that are subject to Clause 7.3 of this DPA, the EU SCCs, completed as set out in clause 3 of this Appendix, shall apply, as deemed amended by the UK Data Transfer Addendum, which is incorporated in this Agreement by reference:
a. Table 1 of the UK Data Transfer Addendum shall be deemed to be completed with the information specified at the beginning of this DPA regarding the information of the Customer (as Exporter) and the Supplier (as Importer). The relevant information of the Key Contact shall be deemed to be completed with the information specified in the Agreement;
b. Table 2 of the UK Data Transfer Addendum, regarding the version of the Approved EU SCCs, modules, and selected clauses shall be deemed to be completed with the information set out in clause 1 and clause 1.3 of this Appendix;
c. In table 3 of the UK Data Transfer Addendum:
- i. Annex 1.A (List of Parties) shall be deemed to be completed with the information specified at the beginning of this DPA regarding the information of the Customer and the Supplier;
- ii. Annex 1.B (Description of Transfer) shall be deemed to be completed with the information specified in Appendix 1 of this DPA;
- iii. Annex II (Technical and organisational measures including technical and organisational measures to ensure the security of the data) shall be deemed to be completed with the information specified in Section 4 of this DPA.
- iv. Annex III (List of Sub processors) shall be deemed to be completed with the information specified in Section 6.C of this DPA.