Deltek General Privacy Terms

20231201

These Deltek General Privacy Terms (“Privacy Terms”) are incorporated and form a part of the agreement entered into between the Customer and Deltek as well as any other applicable and associated written or electronic agreements such as terms of service and terms of use for the purchase of software and services (“Agreement”). The global network of Deltek entities shall, for purposes of the Privacy Terms, be collectively known as “Deltek.”

1. Purpose and Scope.  In order to provide Customer with the Products and/or Services outlined in the Agreement, it is necessary for Deltek to interact with Customer Data, including Personal Data. The purpose of the Privacy Terms is to ensure compliance with applicable data protection laws related to Personal Data and any processing, maintaining, handling, storing, accessing, or other operation/set of operations performed by Deltek on such Personal Data in order to deliver the Product(s) and/or perform the Service(s) as per the terms of the Agreement. Based on the nature of the data provided by Customer, scope of Deltek’s Processing activities, and governing jurisdiction(s), the extent of the obligations owed to and the rights exercisable by the Customer may vary. Customer is responsible for identifying and disclosing those applicable jurisdictions from which Personal Data may be transferred by indicating the appropriate Exhibit on the Order Form to be included with these generally applicable Privacy Terms.

2. Definitions.

2.1. “Confidential Information” shall have the same meaning as set forth in the underlying Agreement.

2.2. “Controller” may be used in the Exhibits as a reference to the applicable Privacy Law definitions and means the Customer.

2.3. “Personal Data” means information provided to Deltek by or at the direction of Customer, or to which access was provided to Deltek by or at the direction of Customer, in the course of Deltek’s performance under the Agreement that relates to an identified or reasonably identifiable natural person. For the purpose of the Privacy Terms, Personal Data shall encompass similar terms, which vary based on jurisdiction but govern similar concepts, such as “Personally Identifiable Information” and “Personal Information.” Unless required by applicable law, Customer’s business contact information is not, by itself, entitled to the full scope of Data Subject rights as an individual’s Personal Data; Deltek has a legitimate interest in maintaining contact with the Customer for the purpose of performing the services outlined in the Agreement. Business contact information will still be subject to appropriate safeguards.

2.4. “Personal Data Breach” means the breach of security measures that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or misuse of, or access to, Personal Data Processed by Deltek. Based on jurisdiction, the presence of a Personal Data Breach may take into account the potential risk of harm to the rights of individuals based on the nature of Personal Data and the context in which it is Processed.

2.5. “Privacy Laws” means legislation, statutory instruments and any other enforceable laws, codes, regulations, or guidelines regulating the collection, use, disclosure and/or free movement of Personal Data that applies to any of the parties, to the Privacy Terms, or to this Agreement, including, in particular: (i) the California Consumer Privacy Act and its implementing regulations, as well as the California Privacy Rights Act, as may be amended from time to time (collectively referred to as “CCPA”); (ii) Canada’s Personal Information Protection and Electronic Documents Act, as may be amended from time to time, and similar provincial implementations (“PIPEDA”) and any applicable and substantially similar provincial legislation; (iii) the European Union’s (“EU”) General Data Protection Regulation (EU) 2016/679 and any Member State implementing legislation (“GDPR”); (iv) the Privacy and Electronic Communications Directive 2002/58/EC (as amended by Directive 2009/136/EC) in the applicable EU Member State; (v) the Asia-Pacific (“APAC”) intraregional frameworks, in particular the Asia-Pacific Economic Cooperation Cross Border Privacy Rules; and (vi) substantially similar privacy, data protection, or security laws applicable to the parties.

2.6. “Process,” “Processed,” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2.7. “Processor” may be used in the Exhibits in a manner that references the applicable Privacy Law definitions, but should be read to mean Deltek throughout.

2.8. “Product,” “Products,” “Service,” and “Services” shall have the same meaning as used in the underlying Agreement.

3. Customer Obligations

3.1. Deltek undertakes Processing in accordance with the agreed upon terms of the Agreement as well as the Customer’s instructions.  Therefore, it is incumbent upon Customer to ensure that proper procedures and processes, such as ensuring the lawfulness and fairness of Personal Data collection and issuing notice to individuals, are complied with prior to the transmittal to and Processing of Personal Data by Deltek. Personal Data should be collected, transferred, and disclosed only in a manner that protects individuals’ privacy while permitting Customer and Deltek to efficiently execute the terms of the Agreement. Customer is responsible for providing appropriate information and obtaining any required consent from its users of the Products in accordance with applicable Privacy Laws prior to any Processing of Personal Data by and through the Products. If Customer fails to comply with local requirements, Customer must immediately notify Deltek. 

3.2. Within the scope of Privacy Laws, individuals may have certain rights that they may exercise based on jurisdiction in relation to their Personal Data. These rights may include: the right to access, correct, update, disclose, delete, and port that individual’s Personal Data, to withdraw their consent to Processing, opt out of communications, restrict Processing of Personal Data, or make claims/complaints in relation to the exercise of such rights. As the responsible entity, Customer must respond to individuals’ requests to exercise their rights under Privacy Laws (“Data Subject Request”). Deltek will provide reasonable assistance to the Customer (at Customer’s request) in responding to individuals’ requests to exercise their rights, should the Customer be unable to fulfil the request themselves, in accordance with applicable Privacy Laws. See Section 5 below.

3.3. In the event Customer is subject to additional industry or data specific legal or regulatory restrictions, based on its area of business, jurisdiction in which Customer is based or has Authorized Users, and/or categories of data it collects and maintains, including Personal Data beyond those covered in the applicable Exhibits, such as data localization or record specific retention requirements, Customer is responsible for notifying Deltek of any and all such restrictions that may impact Deltek’s Processing activities and the parties’ compliance obligations. Deltek cannot be responsible for complying with all relevant restrictions applicable to Customer’s business about which it is not reasonably aware.

4. Deltek Obligations

4.1. Deltek ensures reasonable and appropriate technical, administrative, and organizational security measures are in place to provide Customer with a level of security proportionate to the risk of unauthorized access to or disclosure, copying, or distribution of Personal Data. Access may only be granted to authorized Deltek personnel to the extent needed to perform their duties and satisfy Deltek’s obligations under the Agreement and in accordance with Customer’s lawful written instructions. Such access typically occurs at the behest and with the consent of the Customer. Authorized Deltek personnel are subject to confidentiality obligations no less stringent than those set forth herein. For an accounting of Deltek’s technical and organizational controls, Customer may request a copy of Deltek’s Service Organization Controls (SOC) Report(s) through its account administrator. Please email Privacy@deltek.com with any inquiries related to Deltek’s data handling practices.

4.2. Pursuant to these terms or the obligations set forth in the applicable Exhibit(s), Deltek may transfer or disclose Personal Data to affiliates located around the world in order to fulfil the terms of the Agreement, including, for example, fulfilling Customer support requests.

4.2.1. In the event Deltek’s Processing activities involve transferring Personal Data from a country in the European Economic Area and/or Switzerland to the United States or another country located outside those originating countries, Customer hereby acknowledges the application of the Standard Contractual Clauses set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the GDPR (“GDPR SCCs”), as may be amended from time to time by the European Commission, incorporated by reference in Exhibit 2 – Schedule 1.

4.2.2. In the event and to the extent that Deltek’s Processing activities involve transferring Personal Data from the United Kingdom to the United States or another country, Customer hereby acknowledges the application of the GDPR SCCs as amended by the applicable Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

4.3. If Deltek receives a governmental or supervisory authority request to disclose Personal Data subject to a legally enforceable order, Deltek must first (to the extent permitted by applicable law) inform Customer of the legal or regulatory requirement and give Customer, at Customer’s cost and expense, an opportunity to directly and promptly object to or challenge the requirement.

4.3.1. In the event Deltek is not legally permitted to notify Customer, Deltek will, unless prohibited from doing so under applicable law, notify Customer’s applicable supervisory authority, if appropriate, to determine how Deltek may comply with the disclosure request.

4.3.2. In any event, Deltek will seek to minimize the scope of information disclosed in response to a legally enforceable disclosure request to that which is absolutely necessary to meet the disclosure obligation under applicable law.

4.4. In addition to providing the Services in accordance with the Agreement, Deltek may, under select circumstances, use aggregate, performance-related data for the primary purpose of testing, troubleshooting, or development, provided that Deltek personnel remain bound by the same confidentiality obligations described in these Privacy Terms and any applicable Exhibits.

4.5. In the event that Deltek becomes aware of a Personal Data Breach that affects the Processing of Customer’s Personal Data, it shall notify Customer without undue delay, but in no event later than seventy-two (72) hours after discovery, or in accordance with applicable Privacy Laws that impose a more stringent standard.

4.5.1. Deltek shall provide necessary assistance and reasonably cooperate with Customer to identify, contain, and respond to Personal Data Breaches to the extent practicable under the circumstances.

4.5.2. To the extent required by Privacy Laws, the parties shall ensure that the details of the Personal Data Breach and any subsequent notifications or reports related thereto remain Confidential Information.

4.6. In accordance with and to the extent required by applicable Privacy Laws, Deltek shall make available to Customer information necessary to demonstrate compliance with the obligations under these Privacy Terms and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer upon Customer’s reasonable written request. Unless required by applicable Privacy Laws, the parties agree that any audits will be conducted no more than once in any twelve (12) month period.

5. Data Subject or Consumer Request.

5.1. As noted in Section 3.2, certain individuals, defined as Data Subjects under the GDPR or as Consumers under CCPA, may have available to them certain rights exercisable based on circumstances and jurisdiction. Deltek shall, to the extent legally permitted, promptly notify Customer if Deltek receives a Data Subject Request.

5.2. Taking into account the nature of the Processing, Deltek shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request to the extent required by Privacy Laws. In addition, in the event Customer does not have the ability to address a Data Subject Request, Deltek shall, upon Customer’s request, provide Customer with commercially reasonable assistance in responding to such Data Subject Request to the extent Deltek is legally permitted to do so and as required under Privacy Laws. However, Customer acknowledges that, in some situations, Deltek may deny providing assistance or information related to Data Subject Requests, such as: when requests constitute an unreasonable expense or burden, are repetitious or excessive by nature, would involve violating the rights of other individuals, or compromise the security of Confidential Information and Personal Data.

5.3. In the event that Data Subject Requests become excessive or manifestly unfounded, and therefore exceed what is reasonable under the circumstances, costs arising from Deltek’s assistance supporting Customer’s responsibility to address such Data Subject Requests shall be reimbursed by Customer on a time and materials basis.

5.4. Data Subject Requests can be submitted:

  • Via email at Privacy@deltek.com;
  • Written requests or notifications may be sent to:

    Deltek - Office of the General Counsel
    Attn: Privacy
    2291 Wood Oak Drive Herndon, VA 20171 USA

6. Limitation of Liability and Indemnification.  The limitation of liability and indemnification set forth in the Agreement remain in full force and effect and apply to these Privacy Terms and all incorporated Exhibits.

7. Use of Cookies.  Most Products contain functional cookies. Deltek sets and uses cookies for usage tracking purposes and statistical analysis, in accordance with applicable Privacy Laws. The use of cookies helps Deltek improve the Products by giving Deltek insight into how the Products are being used and the information obtained serves to support application functionality related to the Products and Services as outlined in the Agreement. Customer may request additional information regarding the use of cookies via email to DeltekTouch@deltek.com.

8. Incidental Collections of Personal Data in the course of Support Requests or Professional Services.  As part of providing the Services, there may be circumstances in which Customer’s authorized support contact(s) unintentionally, incidentally, or accidentally discloses data, which may include Personal Data, outside the scope and nature of what is agreed upon and typically transmitted for Processing by Deltek in order to provide the Service in accordance with the Agreement. Customer acknowledges that such exposure of Personal Data may result in Deltek’s incidental collection and Processing of said Personal Data and agrees that this situation does not constitute a Personal Data Breach or violation of the terms of the Agreement, Privacy Terms, or any incorporated Exhibits.

The parties agree that these Privacy Terms, and any of the incorporated Exhibits, are entered into and become a binding part of the Agreement as of the Effective Date. The parties’ signatures to the Agreement or Order Form qualify as a signature to these Privacy Terms and each of the Customer’s selected Exhibits, including the UK SCCs and the GDPR SCCs, if applicable, attached to these Privacy Terms, unless otherwise indicated or required by law. If so required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the UK SCCs and/or the GDPR SCCs as separate documents setting out the proposed transfers of Personal Data in such manner as may be required.

 

(Customer and Deltek shall enter into this Exhibit 1 - Consumer Privacy Addendum, effective January 1, 2020, if, in performing the Agreement, Customer may be collecting, obtaining, receiving, accessing, sharing, and/or selling Personal Data of a California Consumer, defined under Cal. Code Regs. tit. 18., § 17014, in order to advance Customer’s commercial or economic interests. In addition to addressing changes in California law, this CPA addresses Canada’s PIPEDA requirements and anticipates the establishment of a federal standard in the United States.)

This Consumer Privacy Addendum (“CPA”) is part of the Agreement between Customer and Deltek, including other applicable and associated written or electronic agreements. This CPA applies exclusively to the extent that Deltek Processes Personal Data on behalf of the Customer for a “business purpose,” as defined under the CCPA or other applicable Privacy Laws, including substantially similar (existing or future) state, local, provincial, or federal legislation in the United States or Canada addressing privacy and data security rights of applicable individuals to control the use, including the sale, of their Personal Data (“NA Privacy Laws”).

1. Customer Obligations under CCPA.

1.1. Customer is the entity responsible for the collection of Californian consumers’ (as defined in Cal. Code Regs. tit. 18., § 17014) Personal Data and/or on behalf of whom Deltek collects and processes consumers’ Personal Data. For the avoidance of doubt, Customer is a “business” or “service provider” under CCPA, effective January 1, 2020. Customer determines the purposes and means of Deltek’s Processing, pursuant to terms of the Agreement.

1.2. Customer represents and warrants that it understands and complies with its obligations as a “business” or “service provider” under the CCPA related to the rights of and obligations owed to Californian consumers determined based on its independent evaluation of the applicability of the CCPA. Customer must provide proper notice to consumers whose Personal Data is collected and Processed about Customer’s Personal Data sharing practices, inform consumers of their rights pertaining to the processing of their Personal Data, and obtain any necessary affirmations or consents, as required under the CCPA or other applicable NA Privacy Laws.

2. Deltek Obligations under CCPA.

2.1. Deltek is the entity that processes the Personal Data on behalf of the Customer as outlined in the terms of the Agreement. Deltek represents and warrants that it understands the applicable rules, restrictions, requirements, and definitions as a “service provider” under the CCPA that are relevant to the relationship between the parties. Deltek does not sell, nor exchange as valuable consideration for any Services, the Customer’s Personal Data obtained in the performance of the Agreement.

2.2. Deltek shall not “sell” any Personal Data and does not take any action that would cause any transfer of Personal Data to qualify as “selling” Personal Data under the CCPA.

2.3. Deltek provides Californian consumers with the ability to submit requests to exercise their rights and file complaints for alleged violations as permitted under the CCPA through its Security and Trust Center Privacy website.

3. Customer Obligations under PIPEDA.

3.1. To the extent Customer is subject to additional requirements or restrictions beyond those outlined in PIPEDA or local or provincial requirements impacting its use of an organization outside Canada, such as those applicable to certain Canadian public sector entities, Customer is responsible for satisfying any notice and consent requirements, as necessary, to properly facilitate transfers to Deltek entities in foreign jurisdictions.

3.2. Customers based in Canada and subject to data localization requirements acknowledge that Deltek may be required to transfer information, including Personal Data, outside Canada in the course of fulfilling its obligations under the terms of the Agreement. Customers must notify Deltek prior to initiating Processing of any such requirements and acknowledge that the enforcement of data localization may impact Deltek’s Processing activities.

4. Deltek Obligations under PIPEDA. The measures outlined in Section 6 of this CPA demonstrate that Deltek provides a comparable level of Personal Data protection as is required under PIPEDA, as well as any applicable local or provincial implementations thereof. Similarly, Deltek may utilize third parties in the course of its Processing, as set forth in Annex 3 of Exhibit 2 – Schedule 1. The acceptance of this CPA represents Customer’s acknowledgement and agreement that those third parties provide an appropriate level of protection to participate in the Processing of its Personal Data.

5. Collection and Handling of Personal Data. Deltek does not collect, retain, share, or use any Personal Data, except as necessary to perform the Agreement and to provide support services for Customer in accordance with Customer’s request. Deltek does not have, derive, nor exercise any rights or benefits regarding Personal Data under NA Privacy Laws, except as agreed upon between the parties.

6. Securing Personal Data. As per Section 4.1 of the Privacy Terms, Deltek maintains and applies appropriate technical, administrative, and organizational security measures, referred to in the CCPA as “reasonable security practices and procedures,” appropriate, based on the nature and scope of Personal Data, to safeguard against its misuse or unauthorized access, exfiltration, theft, or disclosure. For a complete accounting of Deltek’s technical and organizational controls, Customer may request a copy of Deltek’s SOC 2 Report through its account administrator or refer to Annex 2 of Exhibit 2 - Schedule 1.

7. Reporting Suspected Violations.

7.1. In the event a Californian consumer initiates a civil action against Customer for alleged violation of the duty to implement and maintain “reasonable security procedures and practices” under the CCPA, Customer must provide immediate written notification to Deltek via privacy@deltek.com upon receiving written notice from the consumer.

7.2. If Customer has a reasonable belief that Deltek may have committed a violation of its obligations under this CPA, Customer must provide an express written statement identifying the specific provisions it alleges Deltek has violated or is currently violating. In accordance with the CCPA, Deltek has thirty (30) days from receipt of said notice to conduct its investigation into the alleged violation(s) and, if necessary, the parties shall work together, in good faith, to cure any identified or confirmed violation(s) in a timely manner.

8. Integration. This CPA applies in addition to, not in lieu of, any other terms and conditions agreed upon between the parties, except as specifically and expressly agreed in writing with explicit reference to this CPA. This CPA shall not replace any additional rights relating to the use or sharing of Personal Data previously negotiated by Customer in the Agreement. In the event of inconsistencies between the provisions of this CPA and the Agreement, the provisions of this CPA shall prevail with regard to the parties’ data protection obligations as “business” and/or “service provider” for Personal Data of Californian consumers or, if appropriate, other analogous governing laws in the United States and/or Canada.

9. Updates and Amendments. In the event federal legislation pre-empts, supersedes, supplements, repeals, or amends the CCPA or other substantially similar state, local, provincial, or industry-specific NA Privacy Laws are enacted, the parties shall, in good faith, work together to enter into an updated version of the CPA to ensure the ongoing performance of the Agreement with respect to the secure handling of Personal Data of Californian consumers or residents of other US states and/or Canadian provinces and territories, as applicable.

(Customer and Deltek shall enter into this Exhibit 2 - Customer Data Processing Addendum if, in performing the Agreement, Customer may be transferring Personal Data from the European Union, Switzerland, other European Economic Area countries and/or the United Kingdom, if applicable, to the United States and/or other third country/ies not deemed adequate by the European Commission nor subject to an approved alternative transfer mechanism as outlined in Chapter 5 of the GDPR.)

This Data Processing Addendum (“DPA”) is part of the Agreement between Customer, on behalf of itself and its affiliates, as appropriate (“Controller”) and Deltek, Inc. and/or a Deltek entity that has entered into such Agreement (collectively referred to as “Deltek” or “Processor”). The scope of the Agreement may include other applicable and associated written or electronic agreements, such as terms of service and terms of use for the purchase of software and services.

This DPA applies exclusively to the processing of Personal Data that is subject to the GDPR of Data Subjects who may be located in the EU, European Economic Area (“EEA”), Switzerland, and/or the United Kingdom (“UK”) (“Applicable Scope”). The Processing of Personal Data under this DPA is governed by the GDPR and its implementing regulations or, as applicable, substantially similar privacy, data protection, or security laws including the UK’s Data Protection Act 2018 (“European Privacy Laws”).

Capitalized terms not defined within this DPA shall have the meaning set forth in the Agreement or applicable law, including the European Privacy Laws. If not defined in either the DPA, European Privacy Laws, or the Agreement, the term shall be given its commonly understood meaning.

This DPA shall not replace any additional rights relating to Processing of Personal Data previously negotiated by Customer in the Agreement. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the applicable data protection obligations within the Applicable Scope.

For the avoidance of doubt, Customer is Controller and Deltek is the Processor.

1. Controller Responsibilities

1.1 Controller will determine the scope, purposes, and manner by which its Personal Data may be Processed by Processor. Controller’s instructions for the Processing of Personal Data shall comply with European Privacy Laws.

1.2 Controller warrants that it has all necessary rights to provide Personal Data to Processor for the Processing to be performed as set forth in the Agreement. To the extent required by European Privacy Laws, Controller is responsible for ensuring that any necessary notifications are issued, consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Controller shall have sole responsibility for the acquisition, accuracy, quality, and legality of Personal Data.

2. Processor Responsibilities

2.1 Compliance with Controller’s instructions for Processing. Processor will Process Personal Data in accordance with the written instructions of Controller and any European Privacy Law requirements directly applicable to Processor’s performance under the Agreement, unless required to do otherwise by European Privacy Laws to which Processor is subject. Processor will inform Controller if it believes that an instruction provided by Controller violates European Privacy Laws unless legally prohibited from doing so.

2.2 Audits and information necessary to demonstrate compliance. In accordance with Section 4.6 of the Privacy Terms, Processor shall make available to Controller information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by Controller upon Controller’s reasonable written request. Unless required by European Privacy Laws, the parties agree that any audits will be conducted no more than once in any twelve (12) month period.

2.3 Assistance with Controller obligations. Processor shall reasonably assist Controller in ensuring compliance with its obligations under Articles 32-36 of the GDPR (security of Processing, Personal Data Breach notification, Data Protection Impact Assessments, and prior consultation), or equivalent European Privacy Law obligation, taking into account the nature of the Processing and information available to Processor.

2.4 Subject to the confidentiality obligations set forth in the Agreement, Processor will either provide Controller the applicable SOC 2 Type II Report covering the trust principles of Security, Availability, and Confidentiality, prepared by a reputable independent third party that attests to the compliance of the applicable security controls with industry standards or other documentation sufficient to address Processor’s compliance requirements.

2.5 Maintain records of processing. Processor shall keep records of all Processing of Controller’s Personal Data by Processor pursuant to Article 30 of the GDPR or equivalent European Privacy Law obligation.

2.6 Processor personnel and confidentiality. Without prejudice to any existing contractual arrangements between the parties, Processor shall treat all Personal Data as strictly confidential and it shall inform its employees, agents, and/or subprocessors who are engaged in Processing the Personal Data of its confidential nature and ensure that all relevant employees, agents, and/or subprocessors are committed to a duty of confidentiality.

2.7 Technical and organizational measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the parties, Controller and Processor shall implement appropriate technical and organisational measures to ensure a level of security of the Processing appropriate to the risk. Details regarding the technical and organisational measures may be found in Annex II to the GDPR SCCs incorporated by reference herein.

2.8 Personal Data Breach notification. If Processor becomes aware of a Personal Data Breach that impacts the Processing of the Personal Data that is the subject of the Agreement, it shall notify Controller without undue delay, but endeavours to do so no later than seventy-two (72) hours after discovery. Processor shall reasonably cooperate with Controller regarding such Personal Data Breaches.

2.9 Termination and return/destruction of Personal Data. Upon Controller’s termination of the Agreement, Processor shall, at the discretion of Controller, either delete, destroy, or return all Personal Data to Controller and destroy or return existing copies. To the extent that applicable laws require Processor to do otherwise, Processor will continue to meet the obligations set forth in this DPA with respect to such Personal Data and will use it only for the purpose for which it has been kept, such as to meet legal retention requirements.

2.10 The parties agree that the certification of deletion of Personal Data shall be provided by Processor to Controller upon Controller’s written request.

2.11 Cooperation with Data Subject Requests. In accordance with Section 5 of the Privacy Terms, Processor shall, to the extent legally permitted, promptly notify Controller if Processor receives a Data Subject Request to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to a Data Subject Request under European Privacy Laws. In addition, to the extent Controller does not have the ability to address a Data Subject Request, Processor shall, upon Controller’s request, provide Controller with commercially reasonable assistance in responding to such Data Subject Request to the extent Processor is legally permitted to do so and as required under European Privacy Laws. To the extent legally permitted, Controller shall be responsible for reasonable costs on a time and materials basis arising from Processor’s provision of such assistance.

2.12 Use of third party sub-processors. Pursuant to Article 28(2) of the GDPR, Controller acknowledges and expressly agrees that Processor may engage third party sub-processors in connection with the services provided pursuant to the Agreement. Controller expressly agrees to the existing relevant third party sub-processors identified in Annex III of the GDPR SCCs incorporated by reference herein.

2.13 Processor will notify Controller of any changes to or new third party sub-processors as relevant to the Products and Services specified in the Agreement. If Controller has a reasonable basis to object to Processor’s use of a new third party sub-processor, Controller shall promptly notify Processor in writing within ten (10) business days after receipt of Processor’s notice.

2.14 Processor shall enter into a data processing agreement with each relevant third party sub-processor. These agreements shall impose the same data protection obligations on the third party sub-processor as Processor is subject to under this DPA and the Agreement. Where the third party sub-processor fails to fulfil its data protection obligations, Processor shall remain fully liable to the Controller for the performance of the third party sub-processor's obligations.

2.15 Cross-border transfers. In addition to the Deltek entities located in the EU and other countries deemed to offer an adequate level of data protection, Personal Data may be Processed by Deltek entities and/or third party sub-processors located outside of the EU/EEA (pursuant to Sections 2.12 through 2.14 of this DPA). Controller acknowledges that any Processing by the Deltek entities outside of Europe will be undertaken the same as any Processing of Personal Data undertaken in performance of the Agreement. These entities include: Deltek, Inc., Deltek Australia PTY LTD., Deltek Systems (Philippines), Ltd., and Deltek GB Ltd. Any transfer of Personal Data to Processor or a third party sub-processor located in a country that is deemed not to provide an adequate level of protection within the meaning of the European Privacy Law shall be governed by the terms of the UK SCCs and/or GDPR SCCs, as appropriate, found in Schedule 1 of this DPA. In the event of any inconsistencies between this DPA and the governing SCCs pertaining to the transfer of Personal Data within the Applicable Scope, the applicable SCCs shall prevail over the relevant Personal Data transfer.

2.16 Updates and amendments. In the event the GDPR SCCs are amended, replaced, or repealed by the European Commission or other competent authority under European Privacy Laws or the United Kingdom’s Information Commissioner’s Office approves or implements an alternative cross border data transfer mechanism, the parties shall work together, in good faith, to enter into an updated version of the relevant SCCs or negotiate an alternative solution to enable the cross-border transfer of Personal Data in compliance with European Privacy Laws.

2.17 Entire agreement. This DPA, including and together with any related schedules, appendices, and the applicable terms of any Agreement, constitutes the sole and entire agreement of the parties with respect to the subject matter contained herein and therein, and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter.

ANNEX I


A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]


  1. Name: Customer set forth in the Agreement

    Address: Details set forth in the Agreement

    Activities relevant to the data transferred under these Clauses: Utilizing the Products and Services as set forth in the Agreement

    Role (controller/processor): Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]


  1. Name: Deltek, Inc. and its affiliated entities: Deltek Australia PTY Ltd., Deltek GB Limited, and Deltek Systems (Philippines), Ltd.

    Address: 2291 Wood Oak Drive, Herndon, VA 20171 U.S.A.

      Northpoint Tower, Level 40, 100 Miller Street, North Sydney, NSW 2060, Australia

      The Aircraft Factory Cambridge House, 100 Cambridge Grove, London W6 0LE, United Kingdom

      The Enterprise Center, Tower 1, 6676 Ayala Ave., 6th Floor, Makati City, Philippines

    Contact person’s name, position and contact details: Jon Knight, Senior Corporate Counsel – Privacy and Security, privacy@deltek.com

    Activities relevant to the data transferred under these Clauses: Providing Products and Services as set forth in the Agreement

    Role (controller/processor): Processor

    (The parties acknowledge that their respective signatures under the Agreement apply to this Annex I)

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

Categories of data subjects whose personal data is transferred:

Customer (as controller) may submit Personal Data to Deltek in the course of its use of the Products and/or Services, including support services, the extent of which is determined and controlled by controller in its sole discretion and may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

  • Prospects, customers, business partners, and vendors and their respective points of contact;
  • Employees, contractors, and vendors of data exporter; and/or
  • Users authorized by controller to use the Products and/or Services.

Categories of Personal Data transferred:

The Personal Data transferred concern the following categories of data (please specify):

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information
  • Unique identifying data (e.g., government identification numbers, Social Security Numbers, driver’s license number, etc.)
  • Professional life data (e.g., job qualifications, employment references, certifications, etc.)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Controller has the capability to insert data elements at their discretion and based on their use of the Products and/or Services. To the extent determined and at the sole discretion of the controller, controller may choose to submit, and thereby explicitly expose Deltek to, special categories of data, subject to the capabilities of the Products and/or Services. For the sake of clarity, any additional Personal Data, including special categories of data as defined under the GDPR, may only be processed and/or accessed by Deltek as necessary during the provisioning of support services.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Based on the nature of the Products and/or Services in accordance with the terms of the Agreement.

Nature of the processing: To provide the Product(s) and/or Service(s) as set forth in the Agreement

Purpose(s) of the data transfer and further processing: To provide the Product(s) and/or Service(s) as set forth in the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: See ANNEX III


C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

Identify the competent supervisory authority/ies in accordance with Clause 13:

As set forth in the Agreement or Clause 13 of the GDPR SCCs.


ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Note: Customers utilizing Costpoint GovCon Cloud Moderate (“GCCM”) may expect the security safeguards in that offering to align with the measures outlined below; however, additional information of compliance with Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline equivalent controls is contained in the Customer Responsibility Matrix (“CRM”), available to GCCM customers upon request.

MODULE TWO: Transfer controller to processor

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons are as follows:

Deltek implements and maintains administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Personal Data transferred to and among Deltek affiliates as provided in the Agreement.

For transparency, Deltek makes available current information regarding its Security, Compliance, and Privacy posture on its Security and Trust Center.

Security Control Framework

Deltek’s Security Control Framework is comprised of control requirements from a set of approved authoritative sources, which represent applicable regulations, contractual obligations, and corporate mandates. Examples of such authoritative sources include, but are not limited to: GDPR, CCPA, PIPEDA, and NIST SP 800-53 rev. 5. The result is a consolidated list of security controls that is assigned to relevant control owners and that Deltek communicates to all Deltek personnel via enterprise security policies. Controls are evaluated through internal assessments and external audits.

Audits and Assessment Documentation

Deltek’s Software-as-a-Service (SaaS) Products undergo an independent evaluation in the form of SOC 1 (SSAE 18) and SOC 2 reports. The Deltek SaaS Products include: Ajera, ConceptShare, Costpoint, Vantagepoint, GovWin, Deltek Collaboration, Maconomy, Project Information Management, Talent Management, TrafficLIVE, Vision, and Workbook. This list may be updated as new products are added or existing products are retired. Customers may request the most recent SOC 1 and SOC 2 reports from their account executive.

Customers may consult the Compliance page of the Security and Trust Center for more information on Deltek’s compliance standards.

Security Policies and Procedures

Deltek ensures effective implementation and communication of its Security Control Framework through its enterprise governance process, which includes a set of enterprise policies based upon common security domains. All Deltek personnel are required to abide by and complete annual training on enterprise, as well as business unit or process-specific, policies and procedures. Deltek’s written information security program includes policies and procedures specific to:

  • Access control
  • Business continuity
  • Business code of ethics and standards of conduct
  • Data classification and handling
  • Information security and privacy risk management
  • Information security red teaming
  • Information security training and awareness
  • Logging and monitoring
  • Privacy by design
  • Records retention
  • SaaS Product backup and retention
  • SaaS Product change management
  • SaaS Product continuity and disaster recovery plan
  • SaaS Product customer offboarding
  • SaaS Product support incident management
  • Secure system development life cycle
  • Security and privacy risk management
  • Security incident response
  • Supplier code of conduct (addressing health and safety provisions)
  • User security
  • Vulnerability management

Personnel Security Controls

Deltek personnel are required to conduct themselves in a manner consistent with Deltek’s enterprise policies regarding confidentiality, business ethics, appropriate usage, and professional standards. Deltek conducts appropriate background checks on its personnel, taking into account applicable local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Deltek’s confidentiality, privacy, and information security policies. All personnel are required to successfully complete security training at a minimum annually. Personnel handling Customer Data may be required to complete additional requirements (e.g., certifications) and role-based training modules appropriate to their job responsibilities. In addition to the annual training requirements, Deltek personnel receive security awareness communications on a regular basis containing information about various security awareness topical events.

Security Incident Management

Deltek maintains security incident management policies and procedures that detail the identification and reporting of and response to a Personal Data Breach. Multiple measures are implemented to detect Personal Data Breaches. Log correlation is used to detect anomalies and trigger alerts to threats that resemble potential security incidents. Deltek also performs incident response exercises no less than annually to ensure the security incident response plan is current and effective.

In accordance with the terms of the Agreement and in compliance with applicable Privacy Laws, Deltek notifies potentially impacted Customers without undue delay, but no later than seventy-two (72) hours, after discovery of a Personal Data Breach.

Product Environment

Deltek SaaS products take advantage of industry-leading cloud infrastructure providers and the built-in compliance and security features provided by the underlying infrastructure. These features include data center security and network infrastructure security controls to secure media handling and data encryption. Deltek builds upon this foundation when providing Deltek Services to Customers. “Deltek Services” may include troubleshooting to prevent, find, and fix problems with the operation of Deltek SaaS or other products, and as a means of improving features for identifying and protecting against security threats to Authorized Users.

Customer Data

Deltek Processes Customer Data to fulfil the Deltek SaaS products and Deltek Services purchased by the Customer under the Agreement and as requested or instructed by the Customer. In addition to Processing Personal Data in the Deltek SaaS products, under select circumstances and upon Customer request, Personal Data may become accessible to Deltek personnel via Deltek Services, for example in their performance of a statement of work or the administration of customer support operations. These Processing activities may involve hosting, storing, and accessing the Personal Data to provide relevant Deltek Services, which may include, but are not limited to, requests for maintenance and troubleshooting.

  • Data Transfers for Deltek Services: Customer’s Authorized Users maintain the capability to upload Customer Data, inclusive of Personal Data, to Deltek for customer onboarding, support, and other use cases. All Customer Data submitted to Deltek Services is governed by Deltek’s enterprise information security policies and procedures. Please note: This section does not apply to the GovWin IQ, Deltek Collaboration, nor Specification Solution (e.g., SpecPoint, e-SPECS, Product MasterSpec/MasterSpec, SpecBuilder Cloud) products.

    • Deltek enforces role-based/least privilege access controls and endpoint security software that scans application files and file systems for malware including Customer-supplied attachments.
    • Customer transfers of product databases are preceded or accompanied by a Data Consent Release form, completed by the Customer’s authorized support contact, upon submission of a support case to Deltek Services.
    • Data transfers that are uploaded to Deltek’s data staging services or secure file transfer services are automatically deleted thirty days after initial creation or transfer without exception.
    • The Deltek Services customer service portal uses defense-in-depth with multiple levels of security to protect information as well as network infrastructure through separately hosted, security-hardened pods with redundant firewalls and a demilitarized zone architecture.
  • Data Transfers for Deltek SaaS Products: Deltek has regional cloud hosting environments configured with primary and secondary storage locations in various regions for operational efficacy and to minimize the centralization of data in extraterritorial jurisdictions. The secondary storage facilities are geographically remote from their primary data centers while remaining within one region, along with required hardware, software, and Internet connectivity, in the event production facilities at the primary data centers were to be rendered unavailable.

    • Deltek SaaS Products are designed to keep Customer Personal Data in the Customer-designated hosting region (e.g., EU, NA, APAC) to the extent practicable and any transfers of Personal Data are limited to what is necessary to Deltek's Processing. This means that, in the ordinary course of using Deltek SaaS Products, Personal Data is maintained in the Customer-designated region and may be accessed by Deltek Personnel based in locations outside that region as necessary to maintain and ensure operational efficiency of Deltek SaaS Products.
  • Change Management: Deltek follows a strict change management process that addresses risks, testing, contingencies, communication, and authorization in a standardized process to ensure minimal impact to the Customer.
  • Customer Data Backups: In accordance with Deltek’s backup practices, Customer Data, including inactive data, will be stored in backups. In Deltek SaaS Products, backups of Customer Data are taken nightly and retained for at least thirty (30) days and up to twelve (12) months, depending on the applicable record retention time periods and system capacity. This process is subject to applicable legal requirements as outlined in the underlying Agreement.
  • Data Integrity and Quality: Customer’s Authorized Users have the capability to insert and import data elements, including Personal Data, at their discretion and may view and report on said data based on their use of the Deltek SaaS Product. Deltek does not control or manipulate the data entered by the Authorized Users, unless explicitly directed to do so by Customer.
  • Data Segregation: Deltek utilizes a multi-tenant cloud hosting model for Deltek SaaS Products with logical segregation of client data. Controls are implemented at multiple layers to limit access to Customer Data to only their Authorized Users.
  • Data Retention: At the end of the data life-cycle, a strict data purging practice ensures that all Customer Data is safely deleted if it is no longer necessary for the purpose for which it was Processed or when authorized Deltek Personnel are instructed to remove the data.

    • Transactional Data: Upon termination of the Agreement, unless subject to an exception under applicable law, Customer Data Processed by Deltek SaaS Products is retained for no more than thirty (30) days, with the exception of Vantagepoint/Vision, which is retained for no more than six (6) weeks. During that time, Customers may request a copy of their database.
    • Service Logs: System and service logs are retained for at least twelve (12) months.
    • Support Cases: Attachments to support cases, which may include Personal Data, are deleted from Deltek support systems twelve (12) months after case closure.
  • Pseudonymization/Anonymization: The methodology, capability, and scope of pseudonymizing or anonymizing Personal Data within the Deltek SaaS Product depends on the nature, scope, and context of the Processing undertaken by the Deltek SaaS Product in question. Customers may request additional information and assistance through Deltek Services.
  • Data Destruction: Storage devices and technology used to store Customer Data are deleted from the Deltek SaaS Products when no longer in use or at the request of the Customer’s SaaS Administrator or authorized support contact. Deltek relies on cloud infrastructure providers for the enforcement of media decommissioning in accordance with industry best practices to ensure that media storing Customer Data is decommissioned securely.
    Please note: this section does not apply to Specification Solution or GovWin products.
  • Disaster Recovery: Deltek has disaster recovery plans in place and Deltek SaaS Products are tested at least once per year.

Encryption

Deltek implements encryption for data “in transit” and “at rest”. Due to differences in technology stacks, implementation details may vary by Deltek SaaS Product.

  • In Transit: Access to Deltek’s production networks is over encrypted protocols. Deltek uses strong industry standard encryption technologies to protect Customer Data and communications in transit over the public internet/channels, including 128-bit TLS Certificates and 2048-bit public keys at a minimum. Additionally, during replication, Customer Data is encrypted during transmission between data centers.
  • At Rest: Deltek implements encryption “at rest”. Disk volumes and object stores that are encrypted use industry standard AES-256 ciphers. Database encryption is realized through various technical implementations.

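| Product | Storage Encryption: Volume (e.g., AWS EBS, Azure Disk, or similar) | Storage Encryption: Object (e.g., S3, Azure Blob) | Database Encryption: Transparent Data Encryption | Database Encryption: Column (*highly sensitive data only) |
|---|---|---|---|---|
| Ajera | X | X | X | |
| ConceptShare | X | X | X | |
| Costpoint | X | X | X | |
| Vantagepoint | X | X | X | |
| GovWin | X | X | X | |
| Maconomy | X | X | X | |
| Project Information Management | X | X | X | |
| Talent Management | X | X | | X |
| TrafficLIVE | X | X | X | |
| Unionpoint | X | X | X | |
| Vision | X | X | X | |
| Workbook | X | X | X | |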

Key Management

Deltek utilizes encryption key management services provided by industry-leading cloud infrastructure providers that are certified under multiple compliance schemes to be entrusted to control and protect this type of information. Encryption keys are created by the cloud infrastructure providers and maintained within the regional hosting locations. Access is infrequent, temporary, monitored, and subject to Deltek role-based access controls limiting it to a small and select number of Deltek personnel. This practice aligns with the industry standard for SaaS providers and Deltek’s controls maintain the confidentiality of Customer Data.

Vulnerability Management

The Deltek SaaS Products undergo recurring software and infrastructure vulnerability assessments by internal security personnel. Deltek security personnel leverage vulnerability and security assessment products and services to evaluate Deltek software and cloud infrastructure throughout the System Development Life-cycle. Identified vulnerabilities within software are addressed in accordance with Deltek’s policies and procedures.

Application penetration tests are performed on Deltek SaaS Products. Each Deltek SaaS Product goes through an annual penetration test. A summary copy of the most recent engagement is available upon request through Customer account representative(s). External, independent parties are contracted to provide Deltek with an independent evaluation of security posture and practices applicable to Deltek SaaS Products and the cloud operating environment.

Vulnerability scans are performed on open source code used in Deltek SaaS Products. The findings of such evaluations are managed according to a continuous, risk-based, and contextual treatment approach factoring in criticality, industry best practice, CVSS score, and Deltek information security policies.

Network Security

Deltek SaaS Product environments are secured and logically isolated using Virtual Networks (Azure), Virtual Private Clouds (AWS), and other network segmentation methodologies. Access to production networks is kept to the minimum extent necessary to maintain the Deltek SaaS Product. All networking protection follows a deny-by-default rule base across the Deltek Cloud that will only provide access to those that have been explicitly permitted.

Deltek also applies Network Security Groups on the individual computing instance as well as at other layers within the Deltek Cloud, including load balancers and the subnet layer. At the edge of the Deltek Cloud are next-generation firewalls that provide additional layers of isolation and filtering, including intrusion detection and prevention services.

Patch Management

Deltek Personnel test, deploy, and verify relevant patches on Deltek SaaS Products across multiple platforms and geographies. Automated workflows allow patches to be installed easily and in a timely manner. Output from patching processes where patches cannot be applied in a timely manner is managed according to a continuous, risk-based, and contextual treatment approach.

User Authentication

Deltek applies least privilege access so that access to Deltek systems is made available only to those with a legitimate need to know, based on their role and guided by their job requirements. Deltek has documented policies and procedures that address access controls, credentials, authorization, remote access, and access review and revocation. With respect to access to or storage of Personal Data, Deltek ensures that its access is limited to the extent and time necessary for the purposes outlined in the Agreement.

  • Access to application and network platforms is restricted and secured through the use of unique user identification, as well as multi-factor authentication (MFA) for remote access.
  • Access reviews for privileged accounts are performed on a quarterly basis while general users are reviewed at least annually by system owners.
  • Access may be revoked for any violations of Deltek information security policies.
  • Access is promptly revoked in the event of a change in role such that Deltek personnel no longer requires such access (e.g., transfer, retirement, furlough, or termination).

Physical Security

Deltek’s work facilities are secured and access is restricted for high-security areas. Personnel wear badges and must either scan the badge or enter access codes for entry. Visitors must register prior to entry.

Customer Data is hosted in Cloud Service Provider (CSP) data centers. Therefore, Deltek inherits physical security controls from its CSPs. These data center facilities have access strictly controlled both at the perimeter and at building ingress points by professional security staff. Access to data center floors is further restricted by requiring two-factor authentication for authorized personnel. All physical access is logged and audited routinely.

The CSP data centers employ automatic fire detection and suppression equipment that utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

The CSP data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. CSP data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Third Party Sub-processor Security

Prior to onboarding third party sub-processors, Deltek conducts an audit of their information security and privacy practices to ensure third party sub-processors provide the level of security and privacy appropriate to their access to Customer Data and the scope of the services they are engaged to provide. All Deltek third party sub-processors are subject to data processing agreements, which include a lawful cross-border data transfer mechanism, if applicable, and require that they provide the same level of security that Deltek has promised to our customers. Throughout the term of their engagement, all Deltek third party sub-processors are required to abide by appropriate security, confidentiality, and privacy contract terms.

Data Privacy Office

Deltek’s Data Privacy Office can be contacted at privacy@deltek.com. Additional information regarding Deltek’s data protection and handling practices may be located on the Privacy page of the Security and Trust Center.


ANNEX III


LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

Deltek controls access to the infrastructure that stores and processes customer data used by Deltek’s SaaS Products. Each of Deltek’s SaaS Products contain multiple servers and services to deliver applications efficiently and effectively. Deltek SaaS products hosted in Amazon Web Service (AWS) are hosted in a primary region while backups are replicated to a secondary geographic region within the AWS Cloud. AWS regions include North America (storage in the US), EU (storage in Ireland and Germany), and ANZ (storage in Australia and Singapore). Deltek SaaS products hosted in Microsoft Azure are hosted in a primary region while backups are replicated to a secondary geographic region within the Azure Cloud. Azure regions include North America (storage in the US), EU (storage in Ireland and the Netherlands), Middle East and Africa (storage in South Africa and the UAE), Asia (storage in Hong Kong and Singapore), and Australia (storage in Australia).

By entering into the Agreement with Deltek, Customer has authorised the use of sub-processors. Please click product below for the list of sub processors specific to Deltek’s SaaS Products.

 

Product

Ajera

ArchiSnapper

ComputerEase

ConceptShare

Costpoint

GovWin

Maconomy

Product Information
Management (PIM)

SpecBuilder

SpecPoint

Talent Management

TrafficLIVE

Unionpoint

Vantagepoint

Vision

WorkBook

(Customer and Deltek shall enter into this Customer Cross Border Privacy Addendum if, in the performance of the Agreement, Customer may be transferring Personal Data from the Asia-Pacific region to a Deltek entity located in another jurisdiction that does not share a data protection legislative framework.)


  1. Purpose and Scope. The purpose of the Customer Cross Border Privacy Addendum (“CBPA”) is to ensure compliance with applicable Privacy Laws related to the flow of Personal Data originating from APAC and being transferred to different jurisdictions, such as the United States, that do not share a common legislative or regulatory framework of principles governing the Processing of Personal Data.
  2. Definitions.

      2.1. “APAC” includes Member Economies of the Asia-Pacific Economic Cooperation, including Cambodia, India, and Laos and excluding the Russian Federation, Canada, the United States, Mexico, Peru, and Chile.

      2.2. “Privacy Rules” means APAC intraregional frameworks for information privacy protection and any other enforceable laws, codes, regulations, or guidelines regulating the collection, use, disclosure and/or free movement of Personal Data to the Processing of Personal Data in the APAC region.
  3. Customer Obligations. Customer is responsible for providing appropriate information and obtaining any required consent from its users of the Services and/or Products in accordance with applicable Privacy Rules prior to any Processing of Personal Data by and through the Services and/or Products. If Customer fails to comply with local requirements, Customer must immediately notify Deltek and the parties shall work together in good faith to implement the terms of this CBPA in a manner that accommodates the terms of the Agreement and the Customer’s and Deltek’s respective obligations to secure privacy protections under the Privacy Rules, to the greatest extent possible.
  4. Deltek Obligations. Deltek ensures appropriate technical, administrative, and organizational security measures are in place as described in Section 4.1 of the Privacy Terms and Annex 2 to Exhibit 2 - Schedule 1 to prevent misuse of Personal Data and provide Customer with a level of security proportionate to the likelihood and risk of Personal Data Breach. Deltek takes reasonable steps with respect to its Processing to ensure Personal Data is protected in accordance with the Privacy Rules as applicable.
  5. Individual Access Rights. Subject to specific conditions, Privacy Rules may grant individuals certain rights to, for example, obtain confirmation and/or information regarding the Personal Data collected and Processed about them or rectify their Personal Data. In these circumstances, Deltek shall comply with Section 5 of the Privacy Terms.
  6. Integration. This CBPA applies in addition to, not in lieu of, any other terms and conditions agreed upon between the parties, except as specifically and expressly agreed in writing with explicit reference to this CBPA. This CBPA shall not replace any additional rights relating to the use or transfer of Personal Data previously negotiated by Customer in the Agreement. In the event of inconsistencies between the provisions of this CBPA and the Agreement, the provisions of this CBPA shall prevail with regard to the parties’ data protection obligations under applicable Privacy Laws.