Accruent's Data Privacy Addendum

(“SCC AMENDMENT”)

Client (on behalf of itself and its Authorized Affiliates, “Client”) has entered into a Master Services Agreement or other written or electronic agreement (“Master Services Agreement”) and Data Protection Addendum (“DPA,” and, together with the Master Services Agreement, “Agreement”) with Accruent or one of its Affiliates (“Accruent”). Client and Accruent are together referred to as the “Parties.” The Parties wish to amend the DPA as set out in this SCC Amendment as follows:

HOW THIS ADDENDUM APPLIES:

If Client is a direct customer of Accruent and signed the Agreement, this Addendum forms part of the Agreement. If Client has executed an Order Document with Accruent or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this Addendum forms part of that Order Document and any applicable renewal Order Document. For any entity that has a contract with an authorized reseller or distributor of Accruent services, this Addendum is not valid or legally binding, and it should contact the authorized reseller or distributor to request any applicable amendment.

  1. INTERPRETATION. Capitalized terms that are not expressly defined in this SCC Amendment, including its schedules, have the meanings assigned to them in the Agreement. In the event of any conflict between this SCC Amendment and the Agreement, the provisions of this SCC Amendment shall prevail.
  2. REVISED TERMS FOR THE NEW SCCs. Any provisions in the Agreement (including Exhibits or Schedules) referring to and/or relating to data transfers in the event that Accruent receives or Processes any Personal Data transferred from the European Union, the European Economic Area and/or its member states, Switzerland, and/or the United Kingdom to countries that do not ensure an adequate level of data protection pursuant to the European Commission's Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593), are hereby deleted from the Agreement and replaced with the terms set out in Sections 2.1 and 2.2 below.

2.1 “Standard Contractual Clauses,” or “SCC,” means the version of the Standard Contractual Clauses as set out in Module Two (Controller to Processor) for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 found at https://www.accruent.com/privacy-addenda.

2.2 SCC Compliance. The Parties agree they shall abide by: (i) the terms of the SCC Sections I, II, III and IV (as applicable), in the manner described in Exhibit A and Schedules 1, 2 and 3 of this SCC Amendment. The SCC shall apply to Accruent in its role as the “data importer,” and Client and, to the extent legally required, each of Client’s Authorized Affiliates established within the European Union, the European Economic Area and/or its member states, Switzerland, and/or the United Kingdom, in their role as “data exporters.” Client signs this SCC Amendment and the SCC in name and on behalf of these data exporters, and shall carry out the obligations of each data exporter set forth in the SCC on behalf of that data exporter.

 

 

EXHIBIT A
SCC OPERATIVE PROVISIONS AND ADDITIONAL TERMS

For the purposes of the Standard Contractual Clauses, Client is the data exporter and Accruent is the data importer, and the Parties agree to the following. If and to the extent an Authorized Affiliate relies on the Standard Contractual Clauses for the transfer of Personal Data, any references to ‘Client’ in this Schedule, include such Authorized Affiliate.

1.1 REFERENCE TO THE STANDARD CONTRACTUAL CLAUSES. The relevant provisions contained in the SCC are incorporated by reference and are an integral part of the Agreement. The supplemental information required for purposes of the SCC is set out in Schedules 1, 2 and 3 of this SCC Amendment.

1.2 INSTRUCTIONS. The Agreement (as amended through this SCC Amendment) is Client’s complete and final documented instructions to Accruent for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of the Agreement, as amended hereby. For purposes of clause 8.1(a) of the SCC, Client’s instructions to Process Personal Data include onward transfer to third parties located outside of Europe for performance of the Services.

1.3 DELETION OR RETURN OF PERSONAL DATA; CERTIFICATION. Accruent shall, within a reasonable period of time following receipt of Client’s written request received within thirty (30) days following termination of the Agreement, either delete, overwrite or return all Personal Data to Client, and delete or overwrite any other copies thereof, unless storage is required by applicable law and, if so, Accruent shall inform Client of any such requirement. Accruent shall provide the certification of deletion of Personal Data described in clauses 8.5 and 16(d) of the SCC to Client promptly following its completion of such activities.

1.4 TECHNICAL AND ORGANIZATIONAL MEASURES; SECURITY OF PROCESSING. Accruent shall implement and maintain, at its cost and expense, the technical and organisational measures set forth in Schedule 3 (Security Measures), taking into account the nature of the Processing of Personal Data described in Schedule 1 (Data Processing Details) and designed to ensure the protection of Personal Data and compliance with the terms of the DPA and this SCC Amendment. For the purposes of clause 8.6(a) of the SCC, Client is solely responsible for making an independent determination as to whether the technical and organisational measures set forth in Schedule 3 (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data, as well as the risks to individuals) meet Client’s requirements and provide a level of security appropriate to the risk with respect to its Personal Data. For purposes of clause 8.6(c) of the SCC, Accruent shall notify Client in the manner described in the DPA.

1.5 COMPLIANCE AUDITS. Accruent shall maintain controls designed to ensure compliance with the obligations set out in the Agreement. The Parties agree that the audits described in clause 8.9 of the SCC shall be carried out in accordance with the audit provisions as agreed in the Agreement.

1.6 SUBPROCESSING. For the purposes of clause 9(a) of the SCC, the Parties agree that Accruent has Client’s general authorization to engage the Subprocessors listed in Schedule 2, that Client shall be informed of any changes to the Subprocessor list via updates made by Accruent to the website listed in Schedule 2, Client’s failure to object to any such updates within sixty (60) days thereof shall be deemed Client’s consent to such updates, and that in any event, Client’s authorization shall not be unreasonably withheld, conditioned or delayed. In the case of any reasonable objection by Client, Accruent will use commercially reasonable effort to identify an alternative; provided, that, if no commercially reasonable alternative is available, the Parties will meet and confer and mutually negotiate a resolution. Where Accruent enters into EU Processor-to-Processor Transfer Standard Contractual Clauses with a Subprocessor in connection with the provision of the Services, Client hereby grants Accruent and Accruent’s Affiliates authority to provide a general authorization on Controller’s behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors. Accruent shall require Subprocessors to ensure that their subprocessors agree to terms that are materially consistent with those set forth in the DPA and this SCC Amendment.

1.7 COMPLAINTS; REDRESS. For the purposes of clause 11 of the SCC, and subject to section 8 of the DPA, Accruent shall inform Data Subjects according to Accruent’s privacy notice, which is available at https://www.accruent.com/privacy-notice#privacy_notice. Each Party shall, if legally permitted, promptly inform the other Party if it receives a Complaint from a Data Subject with respect to Personal Data and provide the other Party with reasonable details of such Complaint.

1.8 SUPERVISION. For Clients established in the United Kingdom and Switzerland, clause 13 shall apply as follows:

1.8.1  Where Client is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as competent supervisory authority.

1.8.2  Where Client is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.

1.9 GOVERNING LAW. The governing law under clause 17 of the SCC shall be the law designated in the Governing Law section of Schedule 1.

1.10 CHOICE OF FORUM AND JURISDICTION. The courts under clause 18 of the SCC shall be those designated in the Choice of Forum and Jurisdiction section of Schedule 1.

1.11 DATA EXPORTS FROM THE UNITED KINGDOM AND SWITZERLAND UNDER THE SCC. In case of any transfers of Personal Data from the United Kingdom, which shall be subject to the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK Data Protection Laws”) and/or transfers of Personal Data from Switzerland, which shall be subject to the Swiss Federal Act on Data Protection, as may be amended from time to time (“Swiss Data Protection Laws”): (i) general and specific references in the SCC to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the UK Data Protection Laws or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the SCC determined by the Member State in which the data exporter or Data Subject is established shall refer to the United Kingdom or Switzerland, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the SCC also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.

1.12 CONFLICT. The SCC are subject to the DPA and the rights and obligations provided by the SCC will be exercised in accordance with the DPA, unless stated otherwise. In the event of any conflict or inconsistency between the terms of the DPA and the terms of the SCC, the SCC shall prevail.

SCHEDULE 1
DATA PROCESSING DETAILS

LIST OF PARTIES
Data Exporter: Client and its Authorized Affiliates
Address and Contact Person: As specified in the Agreement
Activities relevant to the data transferred: Performance of the Services pursuant to the Agreement
Signature and date: As of the Effective Date of the SCC Amendment.
Role: Controller

Data Importer: Accruent, LLC
Address and Contact Person: As specified in the Agreement or legal@accruent.com
Activities relevant to the data transferred: Performance of the Services pursuant to the Agreement.
Signature and date: As of the Effective Date of the SCC Amendment.
Role: Processor

CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED:

Client may submit Personal Data to the Services, the extent of which is controlled by Client in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

a. Client’s employees, agents, contractors, consultants, freelancers, temporary staff, contingent workers, advisors and/or partners (who are natural persons)
b. Natural persons who consume Client’s services, such as students, tenants or customers of Client
c. Client’s users who are authorized by Client to use the Services
d. Client’s prospects, customers, business partners, suppliers and vendors (who are natural persons)
e. Employees or contact persons of Client’s prospects, customers, business partners, suppliers and vendors

CATEGORIES OF PERSONAL DATA TRANSFERRED:

First and last name, job title, job position, contact information (e.g., company, email, phone number, physical address, username, login credentials, operator / license / certification numbers, ID data, IP addresses, login / logout times, persistent online identifiers (e.g., cookies), professional life / employment management data, pictures, voice / screen recordings, personal life data, location/localisation data, and unique identifiers or personal data contained in help requests, webchat / messaging requests, free text fields and other records.

SENSITIVE DATA TRANSFERRED (IF APPLICABLE):

The Services generally do not require any transmission or processing of sensitive data, unless the Data Exporter chooses to share such information in its sole discretion, such as through messaging requests, free text fields and other records.

FREQUENCY OF THE TRANSFER:

On a continuous basis depending on the use of the Services by Client.

NATURE OF THE PROCESSING; PURPOSE OF THE DATA TRANSFER AND FURTHER PROCESSING:

Accruent (and its Subprocessors) will process Personal Data as necessary in the provision and performance of, and in monitoring and ensuring the security of, the applicable Services pursuant to the Agreement and as further instructed by the Client in its use of the Services.

THE PERIOD FOR WHICH THE PERSONAL DATA WILL BE RETAINED:

Until its deletion in accordance with the provisions of the Agreement, unless otherwise agreed in writing.

SUBPROCESSOR TRANSFERS:

See Schedule 2 for the list of Subprocessors. As specified above.

COMPETENT SUPERVISORY AUTHORITY

The supervisory authority applicable to the data exporter by data exporter’s location or registration. Name and contact details of such supervisory authority to be disclosed by the data exporter without undue delay upon the data importer’s request. The data importer is subject to the authority of the United Kingdom, as to data subjects from the United Kingdom (UK) and UK GDPR, and the Netherlands, as to data subjects of the European Economic Area (EEA) and GDPR.

TECHNICAL AND ORGANISATIONAL MEASURES

As set forth in Schedule 3.

GOVERNING LAW

The governing law shall be the law of the EU Member State in which the data exporter is established. In the event the data exporter is not established in an EU Member State, the SCC will be governed by: (i) if the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom; (ii) if the Agreement is governed by the laws of Switzerland, the laws of Switzerland; or (iii) the laws of the Netherlands.

CHOICE OF FORUM AND JURISDICTION

The choice of forum shall be the country designated pursuant to the preceding section and jurisdiction shall lie with the courts of such country.

SCHEDULE 2
APPROVED SUBPROCESSORS

A list of Accruent’s third party subprocessors can be found at https://www.accruent.com/subprocessor-list

SCHEDULE 3
SECURITY MEASURES

DESCRIPTION OF TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES IMPLEMENTED BY ACCRUENT

Technical Measures to Ensure Security of Processing

  1. Inventory and Control of Hardware Assets. Actively manage all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
  2. Inventory and Control of Software Assets. Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
  3. Continuous Vulnerability Management. Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
  4. Controlled Use of Administrative Privileges. Maintain processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, applications, and data.
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. Implement and manage the security configuration of mobile devices, laptops, servers, and workstations using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
  6. Maintenance, Monitoring, and Analysis of Audit Logs. Collect, manage, and analyze audit and security logs of events that could help detect, understand, or recover from a possible attack.
  7. Email and Web Browser Protections. Deploy automated controls to minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems or content.
  8. Malware Defenses. Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
  9. Limitation and Control of Network Ports, Protocols, and Services. Manage (track, control, correct) the ongoing operational use of ports, protocols, services, and applications on networked devices in order to minimize windows of vulnerability and exposure available to attackers.
  10. Data Recovery Capabilities. Maintain processes and tools to properly back up personal data with a proven methodology to ensure the confidentiality, integrity, availability, and recoverability of that data.
  11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches. Implement and manage the security configuration of network infrastructure devices using a configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
  12. Boundary Defenses. Detect, prevent, and correct the flow of information transferring across networks of different trust levels with a focus on personal data.
  13. Data Protection. Maintain processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the confidentiality and integrity of personal data.
  14. Controlled Access Based on the Need to Know. Maintain processes and tools to track, control, prevent, and correct secure access to critical or controlled assets (e.g. information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical or controlled assets based on an approved classification.
  15. Wireless Access Control. Maintain processes and tools to track, control, prevent, and correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
  16. Account Monitoring and Control. Actively manage the life cycle of system and application accounts, their creation, use, dormancy, and deletion in order to minimize opportunities for unauthorized, inappropriate, or nefarious use.

Organisational Measures to Ensure Security of Processing

  1. Implement a Comprehensive Information Security Programme. Through the implementation of a Comprehensive Information Security Program (CISP), maintain various administrative safeguards to protect personal data. These measures are designed to ensure:

    a. security, confidentiality, and integrity of personal data
    b. protection against unauthorized access to or use of (stored) personal data in a manner that creates a substantial risk of identity theft or fraud
    c. that employees, contractors, consultants, temporaries, and other workers who have access to personal data only process such data on instructions from the data controller.
  2. Implement a Security Awareness and Training Programme. For all functional roles (prioritizing those mission critical to the business, its security, and the protection of personal data), identify the specific knowledge, skills and abilities needed to support the protection and defense of personal data; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
  3. Application Software Security. Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
  4. Incident Response and Management. Protect the organization’s information, including personal data, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight, retainers, and insurance) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the organization’s network and systems.
  5. Security and Privacy Assessments, Penetration Tests, and Red Team Exercises. Test the overall strength of the organization’s defense (the technology, processes, and people) by simulating the objectives and actions of an attacker; as well as assess and validate the controls, policies, and procedures of the organization’s privacy and personal data protections.
  6. Physical Security and Entry Control. Require that all facilities meet the highest level of data protection standards possible, and reasonable, under the circumstances relevant to the facility and the data it contains, processes, or transmits.