
Data Protection Agreement EU & UK


FISCALNOTE CUSTOMER DATA PROCESSING AGREEMENT FOR THE PROCESSING OF EU & UK RESIDENTS DATA

PREAMBLE

FiscalNote Inc., having its registered office at 1201 Pennsylvania Avenue NW, 6th Fl. Washington D.C. 20004 (FiscalNote) provides global policy and market intelligence software as a service solutions to help our customers navigate evolving political, corporate and regulatory environments. This Data Processing Agreement covers all services provided in the United States and Europe by FiscalNote and/or its subsidiaries.

This FiscalNote Data Processing Agreement (Agreement) forms part of the Terms and Conditions as referenced in the Order Form between our Customers and FiscalNote and/or its subsidiaries (as a Supplier), and sets out the obligations with respect to the Customer’s personal data processed by FiscalNote and/or its subsidiaries, when Customer uses FiscalNote’s and/or its subsidiaries’ software as a service platforms and services.

This Agreement contains the clauses required by Article 28(3) of the EU GDPR & UK GDPR for contracts between controllers and processors, and is applicable where FiscalNote and/or its subsidiaries are providing services which involve the processing of EU and UK Residents Data only.

DEFINITIONS

1. Applicable Laws: means:

1a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.

1b) To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier is subject.

2. Applicable Data Protection Laws: means:

2a) A) the General Data Protection Regulation ((EU) 2016/679), as amended by the Data Protection, Privacy and Electronic Communication (Amendments etc.) (EU Exit) Regulations 2019 (the UK GDPR).

2b) And B) the General Data Protection Regulation ((EU) 2016/679) (the EU GDPR), or any other secondary legislation implemented in connection with (or replacing) the EU GDPR or the UK GDPR in relation to the protection of personal data.

3. Customer: any organisation that uses FiscalNote and/or its subsidiaries (as Supplier) software as a service platforms FiscalNote Core, FiscalNote State, FiscalNote Global, EU Issue Tracker, Professional Services and other services under the Terms and Conditions.

4. Customer Personal Data: any personal data which the Supplier processes in connection with this agreement, in the capacity of a processor on behalf of the Customer.

5. Purpose: the purposes for which the Customer Personal Data is processed, as set out in the Terms and Conditions.

6. Supplier: means FiscalNote, a company having its registered office at 1201 Pennsylvania Avenue NW, 6th Fl. Washington D.C. 20004, and/or any relevant subsidiaries.

7. Supplier Personal Data: any personal data which the Supplier processes in connection with this agreement, in the capacity of a controller.

8. Sub-Processor: any person or entity appointed by or on behalf of FiscalNote, or by or on behalf of an existing Sub-Processor, to process Personal Data on behalf of the Customer in connection with the Agreement.

9. Standard Contractual Clauses: the European Commission’s 2021 standard contractual clauses for the transfer of personal data to third countries which, as at the date of this Agreement, are available here https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en

10. International Data Transfer Addendum: the UK Information Commissioner's Office International Data Transfer Addendum to the EU Standard Contractual Clauses, which, as at the date of this Agreement, is available here: international-data-transfer-addendum.pdf (ico.org.uk)

DATA PROTECTION

1.1 For the purposes of this clause 1, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the EU GDPR.

1.2 Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 1 is in addition to, and does not relieve, remove or replace, a party's individual obligations or rights under Applicable Data Protection Laws.

1.3 The parties have determined that, for the purposes of Applicable Data Protection Laws FiscalNote and/or any relevant subsidiaries shall process the personal data set out in Appendix 1, as a processor on behalf of the Customer in respect of the processing activities set out in the Terms and Conditions.

1.4 Should the determination in clause 1.3 change, then each party shall work together in good faith to make any changes which are necessary to this clause 1 or the related appendices.

1.5 By entering into this agreement, the Customer acknowledges that FiscalNote will manage all Customer Personal Data in line with the then-current version of the Supplier's privacy policy (Privacy Policy). In the event of any inconsistency or conflict between the terms of the Privacy Policy and this agreement, the Privacy Policy will take precedence. The Customer will be responsible for making any applicable transparency information available to their employees or customer if necessary under relevant Data Protection Laws.

1.6 Without prejudice to the generality of clause 1.2, the Customer will ensure that it has all necessary appropriate lawful basis as required under Applicable Data Protection Law in place to enable lawful transfer of the Supplier Personal Data and Customer Personal Data to FiscalNote for the duration and purposes of this agreement.

1.7 In relation to the Customer Personal Data, Appendix 1 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.

1.8 Without prejudice to the generality of clause 1.2 FiscalNote shall, in relation to Customer Personal Data:

( a ) process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Personal Data for the purposes set out in the Terms and Conditions, unless the Supplier is required by Applicable Laws to otherwise process that Customer Personal Data. Where FiscalNote is relying on Applicable Laws as the basis for processing Customer Processor Data, FiscalNote shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit FiscalNote from so notifying the Customer. FiscalNote shall inform the Customer if, in the opinion of FiscalNote, the instructions of the Customer infringe Applicable Data Protection Laws;

( b ) implement the technical and organisational measures set out in the Annex to Appendix 1 to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

( c ) ensure that any personnel engaged and authorised by FiscalNote to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;

( d ) assist the Customer insofar as this is reasonably possible (taking into account the nature of the processing and the information available to FiscalNote), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

( e ) notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;

( f ) at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless the Supplier is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 1.8(f) Customer Personal Data shall be considered deleted where it is put beyond further use by the Supplier; and

( g ) maintain records to demonstrate its compliance with this clause 1.

2. TRANSFERS TO THE USA

2.1 FiscalNote participates in and certifies compliance with and adherence to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework. FiscalNote will (i) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) notify Customer if FiscalNote makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles; and (iii) upon notice, including under Section 2.5(d)(ii), take reasonable and appropriate steps to remediate unauthorized processing. You can view our Certification under the Data Privacy Framework Programme Website here.

2.2 In the event of the EU-U.S. Data Privacy Framework being deemed invalid by the European Commission, an applicable regulator or supervisory authority, or the Court of Justice for the European Union for whatever reason, the Parties shall agree to fall back upon reliance on the EU SCCs for all transfers of Personal Data out of the European Economic Area ("EEA") from the Customer (as a Controller) to FiscalNote (as a Processor), and transfers of Personal Data out of the UK from the Customer (as a controller) to FiscalNote (as a processor) shall, in addition to the EU SCCs, also be governed by the ICO International Data Transfer Addendum.

2.3 In the event of the EU-U.S. Data Privacy Framework being deemed invalid, the Controller to Processor Model Clauses are incorporated into this Agreement as if they had been set out in full, and for the purposes of this Agreement shall apply only if and to the extent the parties Process the Personal Data outside of a territory of adequate protection, such clauses are required by Data Protection Legislation, and no alternative transfer mechanisms have been put in place. Where necessary, and in addition to the Standard Contractual Clauses, the ICO International Data Transfer Addendum (UK SCCs) to the EU Commission's Standard Contractual Clauses, version B1.0, in force 21 March 2022, is incorporated into this Agreement as if it had been set out in full, and for the purposes of this Agreement shall apply only if and to the extent the parties Process the Personal Data outside of a Territory of Adequate Protection.

3. USE OF SUB PROCESSORS


3.1 The Customer hereby provides its prior, general authorisation for FiscalNote to:

( a ) appoint processors to process the Customer Personal Data, provided that the Supplier:

( i ) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Supplier in this clause 1;

( ii ) shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of the Supplier; and

( iii ) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, via the notification system the company adopts from time to time, hereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.

( b ) transfer Customer Personal Data outside of the EU & UK as required for the Purpose, provided that the Supplier shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of FiscalNote, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).

3.2 Either party may, at any time on not less than 30 days' notice, revise clause 2.2 & 2.3 by replacing it (in whole or part) with any applicable standard clauses approved by the EU Commission or the UK Information Commissioner's Office or forming part of an applicable certification scheme or code of conduct (Amended Terms). Such Amended Terms shall apply when replaced by attachment to this agreement, but only in respect of such matters which are within the scope of the Amended Terms.

3.3 Subject to any limitation of liability clauses in the Terms and Conditions, the Supplier's total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement or any collateral contract insofar as it relates to the obligations set out in this clause 1, or Applicable Data Protection Laws shall be limited to the annual value of the agreement.

APPENDIX 1: DESCRIPTION OF THE PROCESSING ACTIVITIES

Nature and purpose of the processing operations

Relevant Personal Data processed will be subject to the processing activities forming part of the Terms and Conditions.

Data subjects

Relevant Personal Data processed may concern the following categories of Data Subjects:

  • Customer’s Employees

Categories of data

Relevant Personal Data processed shall be any category of data processed as part of the Services, which may include the following categories of data:

  • Name
  • Job Role
  • Email address
  • Password
  • IP Address
  • Browser Details
  • Cookies
  • Business Address

Special categories of data (if appropriate) and applied safeguards or restrictions

  • None

Duration and frequency of Processing

The duration of processing shall be for the duration of the Services set out in the Terms and Conditions.

Period of retention of the data (or criteria used to determine the period)

Relevant Personal Data shall be retained for the duration of the Services set out in the Terms and Conditions or as determined by the Customer.

Transfers to (sub-) processors (if applicable)

Specify the (sub-) processors:

  • Heap
  • Tableau
  • Segment.io
  • Stitch
  • Snowflake
  • Databricks
  • DBT
  • ChurnZero
  • Chameleon
  • Salesforce
  • Google

Specify the subject matter, nature and duration of the processing activities:

  • Data Analytics, Transformation and Tech Services
  • Data Storage
  • CRM

The obligations and rights of the Customer

The obligations and rights of the Customer are set out in the Agreement and this Addendum.

ANNEX TO APPENDIX 1
SECURITY MEASURES

This Annex forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer:

  • Training to relevant staff to ensure they are aware of our privacy obligations when handling personal data and disciplinary action in the event of non-compliance;
  • Immediate deletion of data if not relevant anymore (e.g. because the information is outdated);
  • Termination or suspension of the access to or license of the platform in case of a violation of the FiscalNote Terms of Service Agreement and/or the Security Policy;
  • Password protection and access control by appropriate FiscalNote personnel;
  • Network security and intrusion detection systems to protect the platform against sophisticated attacks and to minimize vulnerabilities;
  • Cloud computing infrastructure which provides redundancy and high availability at every level, from multiple Tier- ISP connections, redundant networking equipment and servers;
  • Hosting of the platform in secure SOC 2 Type II certified facilities that are protected from physical attacks and from natural disasters. The data centres are monitored on a 7x24 basis and entrance to the data centres is controlled and restricted to a select group of authorized personnel. Multiple forms of authentication must be used in order to enter any such data centres;
  • Security incident management;
  • Recovery, contingency and emergency plan.


last updated: 5/2/2024