February 7, 2024
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Kudos Terms of Service (order form or other written or electronic agreement governing Customer's use of the Service) (“Main Agreement”) between Customer and Kudos (each a “party” and together the “parties”). In the course of providing the Service to Customer, Kudos may process Customer Data (defined below) and the parties agree to comply with the following provisions with respect to any processing of Customer Data by Kudos as a processor or service provider to Customer.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement.
“Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code, including any amendments and any implementing regulations thereto that become effective on or after the Effective Date of this DPA.
“Customer Personal Data” means the Personal Data processed by Kudos Inc. on behalf of Customer or Customer Affiliate in connection with the provision of the Services.
“Data Protection Laws” means the applicable data protection and privacy laws and regulations in the United Kingdom, United States, European Union, and Canada, including but not limited to:
a. In the United Kingdom, the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR);
b. In the United States (US), the California Consumer Privacy Act (CCPA), and any other relevant federal and state data protection laws;
c. In the European Union, the GDPR, as well as any additional or modified data protection laws of EU member states; and
d. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial data protection laws.
“Data Subject” means a natural person whose Personal Data is Processed.
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law.
“Instruction” means any documented instruction, submitted by Controller to Processor, directing Processor to perform a specific action regarding Customer Personal Data, including but not limited to the description of the Services to be provided by Processor under the Agreement.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “Personal Data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.
“PIPEDA” means the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
“Processing” means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Security Incident” means a breach of security or other event leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Personal Data.
“Services” means the services provided by Processor to Controller under the Agreement.
“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
“Sub-processor” means an entity appointed by Processor to Process Personal Data on its behalf.
“US Data Protection Laws” means federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
2.1. This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Personal Data.
2.2. This Addendum shall apply to the Processing of Personal Data by Kudos Inc. on behalf of the Customer. Data
2.3. The Processing of Personal Data shall be carried out in accordance with the terms and conditions set forth in this Addendum, and in compliance with the Applicable Data Protection Laws.
The Parties acknowledge and agree that:
3.1. For the purposes of the GDPR, Kudos Inc. acts as “processor” or “sub-processor” (as defined in the GDPR). Processor's function as processor or sub-processor will be determined by the function of Controller:
a) In general, Customer acts as a controller, Processor acts as a processor.
b) In certain cases, Customer acts as a processor on behalf of another controller, Processor acts as a sub-processor.
3.2. For the purposes of the US Data Protection Laws, Kudos Inc. will act as a “service provider” or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.
4.1. The details of data processing (such as subject matter, nature and purpose of the processing, categories of personal data and data subjects) are described in the Agreement and in Schedule 1.
4.2. Customer Personal Data will only be processed on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall be Customer's Instructions for the processing of Customer Personal Data.
4.3. If Customer’s instructions will cause Kudos Inc. to process Personal Data in violation of applicable law or outside the scope of the Agreement or the DPA, Kudos Inc. shall promptly inform Customer thereof, unless prohibited by applicable law (without prejudice to the SCCs).
4.4. Kudos Inc. may store and process Personal Data anywhere Kudos Inc. or its sub-processors maintain facilities, subject to Clause 5 of this DPA.
5.1. Customer grants Kudos Inc. general authorization to engage sub-processors, subject to Clause 5.2, as well as Kudos Inc.’s current sub-processors listed in Schedule 3 as of the Effective Date.
5.2. Kudos Inc. shall (i) enter into a written agreement with each sub-processor imposing data protection obligations no less protective of Personal Data than Kudos Inc.’s obligations under this DPA to the extent applicable to the nature of the services provided by such sub-processor; and (ii) remain liable for each sub-processor’s compliance with the obligations under this DPA.
5.3. Kudos Inc. shall provide Customer with at least fifteen (15) days’ notice of any proposed changes to the sub-processors it uses to process Customer Personal Data (including any addition or replacement of any sub-processors). Customer may object to Kudos Inc.’s use of a new sub-processor (including when exercising its right to object under Clause 9(a) of the SCCs) by providing Kudos Inc. with written notice of the objection within ten (10) days after Kudos Inc. has provided notice to Customer of such proposed change (an “Objection”). In the event Customer objects to Kudos Inc.’s use of a new sub-processor, Customer and Kudos Inc. will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such objection period, Kudos Inc. may suspend the affected portion of the services.
6.1. As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data (“Data Subject Request”).
6.2. Kudos Inc. will forward to Customer without undue delay any Data Subject Request received by Kudos Inc. or any sub-processor from an individual in relation to their Customer Personal Data and may advise the individual to submit their request directly to Customer.
6.3. Kudos Inc. will (considering the nature of the processing of Customer Personal Data) provide Customer with functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under applicable law to respond to Data Subject Requests.
7.1. Audit Rights. Kudos Inc. shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, industry standard security practices, and allow for and contribute to audits, including inspections by Customer to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Clause 7.1 and where applicable, the SCCs) and any audit rights granted by Data Protection Laws, by instructing Kudos Inc. to comply with the audit measures described in Clause 7.2 and 7.3 below.
7.2. Security Reports. Customer acknowledges that Kudos Inc. is regularly audited against the SSAE 18 standard by independent third-party auditors. Upon written request, Kudos Inc. shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report”) to Customer, and any other relevant reports or independent evaluations, so that Customer can verify Kudos Inc.’s compliance with the audit standard against which it has been assessed and this DPA.
7.3. Security Due Diligence. In addition to the Report, Kudos Inc. shall respond to all reasonable requests for information made by Customer to confirm Kudos Inc.’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer’s written request to email@example.com.
8.1. Kudos Inc. will notify Customer in writing without undue delay after becoming aware of any Security Incident (but in no event later than 48 hours after becoming aware of such Security Incident), and reasonably cooperate in any obligation of Customer under Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities.
8.2. Kudos Inc. shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Kudos Inc.’s notification of or response to a Security Incident under this Clause 8 will not be construed as an acknowledgement by Kudos Inc. of any fault or liability with respect to the Security Incident.
Kudos Inc. shall, within 90 days of the date of termination or expiry of the Agreement, (a) if requested to do so by Customer within that period, return a copy of all Customer Personal Data or provide self-service functionality allowing Customer to do the same; and (b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by Kudos Inc. or any sub-processors.
This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Kudos Inc.’s deletion of all Customer Personal Data as described in this DPA.
The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to Kudos Inc. (as data importer).
Kudos Inc. will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Personal Data. Kudos Inc. will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA”) under Applicable Data Protection Laws. If as a result of such TIA, it is determined that supplementary measures are required, Kudos Inc. further agrees to implement the supplementary measures to be agreed upon by both parties to enable Customer’s compliance with requirements imposed on international transfers of Personal Data under Applicable Data Protection Laws.
To the extent Kudos Inc. Processes Customer’s Personal Data originating from and protected by Data Protection Laws in the following Jurisdictions EU, UK, US, and Canada Data Protection Laws. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Kudos Inc.
Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s entire liability, taken in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements or security addendum signed by the parties in connection with the Agreement (if any), whether in contract, tort, or under any other theory of liability, will be subject to the exclusions and limitations on liability section in the Agreement, and any reference in such section to the liability of a party means the total aggregate liability of that party under the Agreement, and this DPA.
A.1. Data Exporter
Name: Customer and Customer Affiliates as defined in the Kudos Inc. Terms of Service
Address: Customer's address, as set out in the Order Form
Contact person’s name, position and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Customer’s Kudos Account.
The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter (customer) who decides on the scope of the processing of personal data in connection with the Services further described in this Schedule 1 and in the Agreement.
A.2. Data Importer
Name: Kudos Inc.
Address: 2500, 500 4 Avenue SW, Calgary, Alberta T2P 2V6, Canada
Contact person’s name, position and contact details: Kudos Privacy team, firstname.lastname@example.org
The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in Clause 7 and 8 of this Schedule 1 and in the Agreement.
B.1. Categories of Data Subjects
Categories of data subjects whose Customer’s Personal Data will be transferred: Employees of Customers and Customer Affiliates
B.2. Categories of Personal Data
Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and includes the following types of minimum required personal data: employee first name, last name, and email address. Available optional fields include department, job title, line manager, external ID (employee ID), employment start dates, bio, accreditations, education, preferred name, favorites, location, country, birthday (day and month only), supervisor email, phone number and extension.
B.3. Sensitive Data
Kudos Inc. does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service.
B.4. The Frequency of Processing
Continuous and as determined by the Customer.
B.5. Nature of the Processing
Kudos Inc. shall Process Personal Data only in accordance with the Agreement.
B.6. Purpose(s) of Processing
Processor is providing the Services described in the Agreement.
B.7. Duration of Processing and Period for which Personal Data will be Retained
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period as contained in the term of the Agreement and as outlined in Clause 9.
Technical and organizational measures including technical and organizational measures to ensure the security of the data.
The technical and organizational measures are described below. Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures of pseudonymization of personal data
Kudos Inc. has implemented a de-identification process that uses random values for PII values and columns so that personal data can no longer be associated with a specific data subject.
Measures of encryption of personal data
Data is encrypted at rest using the AES-256 algorithm. Employee laptops are encrypted.
In addition, data transfers between users and the Kudos platform are secured by using 256-bit AES encryption.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
The system is designed to permit users access to information based on least privilege provisioning. Encryption protocols are used to protect customer data at rest and in transit.
Kudos undergoes an annual SOC 2 Type II audit by an independent service auditor.
Penetration tests are conducted annually by an independent third-party assessor.
Disaster recovery plans including restoration of backups have been developed and tested annually. The outcomes of tests are evaluated, and consequently, contingency plans are updated.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
All security related incidents are logged, tracked, and communicated to affected parties. Kudos Incident Response Plan ensures that all incidents are resolved in a timely manner in accordance with our incident management process. Tabletop exercises are performed at defined intervals.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
An assessment over the effectiveness and efficiency of the internal controls, processes and policies is reviewed by management on at least an annual basis and identified deficiencies are remediated in a timely manner.
Measures for user identification and authorization
A user access policy and a process to register and authorize users prior to issuing system credentials and granting access to the system have been implemented.
Access to the Kudos infrastructure and supporting applications requires the use of unique user identifiers (IDs) and strong passwords. User accounts are required to use multi-factor authentication (MFA).
Measures for the protection of data during transmission
Encryption technologies are used to protect communication and transmission of data over public networks and between systems (using TLS 1.2 or greater).
Measures for the protection of data during storage
Data is encrypted at rest (stored and backup) using storage layer encryption.
Disk encryption is enabled for all employee laptops across the organization.
Measures for ensuring physical security of locations at which personal data are processed
The Kudos employee recognition and rewards platform is hosted in an AWS (Amazon Web Services) data center. AWS is responsible for providing physical and environmental security controls, administration of their infrastructure, and reporting any logical or physical security incidents.
Kudos performs reviews of SOC reports from AWS to review the appropriateness of scope, impact of identified exceptions and applicable complementary user entity controls.
Measures for ensuring events logging
A robust logging and monitoring control is implemented for our infrastructure and application. Logging is enabled to monitor administrative activities, logon attempts and data deletions at the application and infrastructure level. Automated alerts are configured to notify IT management, and issues identified are resolved in a timely manner.
Measures for ensuring system configuration, including default configuration
Kudos ensures a secure configuration of the service environment by well-defined baseline standards when deploying and making changes to its environment.
Kudos has a Change Management and Access Control policy in place.
Measures for internal IT and IT security governance and management
Kudos’ security and compliance program is based on industry standards including ISO 27001, SOC 2, COBIT, SANS CIS 18 and OWASP.
Security policies are reviewed and approved by management at least annually and accessible to all the employees of the organization.
Measures for certification/assurance of processes and products
Kudos engages the services of an independent service auditor to examine and provide reasonable assurance that Kudos’ service commitments and system requirements were achieved based on the trust services criteria relevant to security set forth in TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).
Measures for ensuring data minimization
Kudos ensures data minimization by processing only the data that is relevant and necessary for service delivery.
Access to personal data is restricted on a “need to know” principle.
Measures for ensuring data quality
Kudos ensures data quality for data available within its systems by ensuring that such information is up to date, continuously reviewing data, and adhering to data deletion processes.
Kudos maintains a formal data retention and disposal procedure for ensuring secure retention and disposal of information.
The quality assurance team ensures that the product is tested and implemented as designed before deployment to production.
Measures for ensuring limited data retention
Kudos ensures limited data retention in accordance with its policy on data retention and deletion. Contract provisions govern the system boundaries for data collection, use, retention, disclosure, and disposal.
Measures for ensuring accountability
Kudos ensures accountability with automated monitoring systems that generate reports and notifications about user activities, exceptions, faults, and security events.
Designated personnel conduct routine reviews of event logs. Log information is protected from modification and unauthorized access. Employees must comply with these processes.
Measures for allowing data portability and ensuring erasure
Kudos ensures data portability by allowing customers the right to receive their data in a structured, commonly used and machine-readable format.
Customers can exercise their data rights - right of access, rectification, erasure (deletion), restriction of processing, data portability, objection, and not to be subject to a decision based exclusively on automated processing - by submitting a request to email@example.com.
To ensure Kudos Inc. delivers the Subscription Service, we engage Sub-Processors to assist with our data processing activities. Our Sub-Processors and our purpose for engaging them are listed below.
Purpose of Transfer
Amazon Web Services
Cloud Computing Services for system infrastructure.
Privacy Officer -
Data warehouse solution for analytics and visualizations.
Chief Information & Data Officer - firstname.lastname@example.org
Global Rewards Services (GRS)
Reward management system
Help desk and customer service
General Counsel - email@example.com
Privacy Team -
Product and feature usage insights and analytics
Privacy Team - firstname.lastname@example.org