Guidelines for Data Sub-Processors

Introduction

This document outlines the data protection and security guidelines that all Data Sub-Processors ("Sub-Processors") must adhere to when contracted to process data on behalf of FORA ("The Company"). These guidelines are supplementary to the terms defined in the Data Processing Agreement ("DPA") signed between The Company and the Sub-Processor and aim to further clarify data protection obligations.

1. Compliance with Applicable Laws

Sub-Processors must comply with all laws and regulations applicable to the processing of personal data, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other jurisdiction-specific data protection laws.

2. Data Security

  1. Encryption: All data in transit and at rest must be encrypted using industry-standard encryption algorithms.
  2. Access Controls: Implement strong access control measures, including multi-factor authentication and role-based access, to ensure that only authorized personnel can access personal data.
  3. Security Audits: Regular security audits must be conducted, and the reports should be made available to The Company upon request.

3. Data Minimization

Sub-Processors should only collect and process personal data that is necessary for the completion of their contractual obligations.

4. Transparency and Notification

  1. Data Processing Records: Maintain accurate and up-to-date records of all data processing activities.
  2. Incident Reporting: In the event of a data breach or other security incident, Sub-Processors are required to notify The Company immediately and, in any case, within the timelines stipulated in the DPA.

5. Sub-Contracting

No subcontracting of data processing activities is allowed without the explicit written consent of The Company.

6. Data Subject Rights

Sub-Processors must facilitate the fulfillment of data subject rights, such as the right to access, correct, or delete personal data, in a timely and efficient manner.

7. Data Retention and Deletion

Sub-Processors should not retain personal data longer than is necessary for the performance of the contracted services or as required by applicable law. Data must be securely deleted after the end of the contract or upon request by The Company.