Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Master Services Agreement, Order Form or other written or electronic agreement (the “Agreement”) between Overjet, Inc., a Delaware corporation (“Overjet”) and the customer that is a party to the Agreement (“Customer”).
Subject Matter and Duration
● Subject Matter. This DPA reflects the parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Overjet’s execution of the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall control.
● Duration and Survival. This DPA will become legally binding upon the Effective Date of the Agreement or upon the date upon which both parties have signed this DPA, if it is completed after the Effective Date of the Agreement. Overjet will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Overjet’s obligations and Customer’s rights under this DPA will continue in effect so long as Overjet Processes Customer Personal Data.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Applicable Data Protection Laws” means any applicable privacy or data protection legislation or regulations, including but not limited to European Data Protection Laws, and the California Consumer Privacy Act, as amended by the California Privacy Rights Act and its implementing regulations as amended or superseded from time to time (“CCPA”). In the event of a conflict in the meanings of defined terms in the Applicable Data Protection Laws, the meaning from the law applicable to the region of residence of the relevant Data Subject applies;
“Controller” shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable “controller” as that term is defined under European Data Protection Laws and “business” as the term is defined under the CCPA;
"Customer Personal Data" means any Personal Data Processed by Overjet as a Processor on behalf of Customer or Third-Party Controller pursuant to the Agreement;
“Data Subject” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable “data subject” as that term is defined under European Data Protection Laws and “consumer” as the term is defined under the CCPA and Applicable Data Protection Laws in the U.S.;
“Data Subject Rights” means all rights granted to Data Subjects under Applicable Data Protection Laws, which may include, as applicable, rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Laws;
"Data Transfer" means a disclosure of Customer Personal Data by an organization subject to European Data Protection Laws to another organization located outside the EEA, the UK, or Switzerland;
“DPA” means this Data Processing Agreement;
“EEA” means the European Economic Area;
"European Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the EEA, including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;
“EU-US Data Privacy Framework” means the adequacy decision laid down in the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final;
“Personal Data” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable “personal data” as that term is defined under European Data Protection Laws and “personal information” as the term is defined under the CCPA;
“Process” and “Processing” shall be interpreted consistent with Applicable Data Protection Laws;
“Processor” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable a “processor” as the term is defined under European Data Protection Laws and “service provider” or “contractor” as those terms are defined under the CCPA;
“SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
“Services” means the services provided by Overjet to the Customer under the Agreement;
"Subprocessor" means any person appointed by Overjet to Process Personal Data on behalf of the Customer in connection with the Agreement;
“Third-Party Controller” means a Controller for which the Customer is a Processor; and
“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
The terms “Commission”, “Member State”, “Personal Data Breach” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The terms “Business Purpose”, “Share”, and “Shared” shall have the same meaning given to them under the CCPA. The terms “Sell” and “Selling” shall have the meaning defined in Applicable Data Protection Laws in the U.S.
2. Scope
2.1 This DPA applies to the Processing of Customer Personal Data by Overjet subject to Applicable Data Protection Laws to provide the Services.
2.2 The subject matter, nature and purposes of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.3 Customer is a Controller and appoints Overjet as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Applicable Data Protection Laws applicable to Controllers. In particular, and where applicable, Customer acknowledges and agrees that it will provide notice to Data Subjects about the Processing of Personal Data by Overjet as described in this DPA, and obtain Data Subjects’ consent to such Processing by Overjet as necessary to comply with Applicable Data Protection Law. Overjet shall comply with the obligations of Applicable Data Protection Laws and, as applicable, shall provide the level of privacy protection to Customer Personal Data required by such Applicable Data Protection Laws.
2.4 Customer warrants and represents that it has the right to share the Personal Data contained in the Customer Data with Overjet and that the Personal Data has been collected or otherwise obtained in compliance with the Data Protection Legislation, and may be lawfully processed, disclosed and transferred as described in or in connection with this DPA.
2.5 If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Overjet; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
2.6 Customer acknowledges that Overjet may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, research and development of its AI models, improvement of its systems and technologies, and compliance with law. For purposes of European Data Protection Laws, Overjet is the separate independent data Controller for such Processing and will Process such data in accordance with such Data Protection Laws.
3. Processing of Customer Personal Data
3.1 Overjet shall not Process Customer Personal Data other than on the relevant Customer’s documented instructions. The Customer’s instructions are documented in this DPA, the Agreement, and any applicable Sales Order, and Overjet shall process Customer Personal Data for the limited and specific purposes of carrying out these documented instructions or as otherwise expressly permitted by Applicable Data Protection Laws. Where permitted by Applicable Data Protection Laws, Customer has the right to take reasonable and appropriate steps to ensure that Overjet uses Customer Personal Data consistent with Customer’s obligations under Applicable Data Protection Laws.
3.2 Solely for the purposes of the CCPA, and except as expressly permitted by the CCPA, Overjet is prohibited from: (i) Selling or Sharing Customer Personal Data; (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the Services; and (iii) retaining, using, or disclosing Customer Personal Data together with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under the CCPA. The parties acknowledge and agree that the exchange of Personal Data between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA.
3.3 Unless prohibited by applicable law, Overjet will inform Customer if Overjet is subject to a legal obligation that requires Overjet to Process Customer Personal Data in contravention of Customer’s documented instructions.
4. Personnel
Overjet shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and ensuring that all such individuals are subject to contractual confidentiality obligations or professional or statutory obligations of confidentiality.
5. Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Overjet shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures listed in Annex II.
5.2 In assessing the appropriate level of security, Overjet shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
6. Subprocessing
6.1 Customer hereby authorizes Overjet to engage Subprocessors. Customer hereby authorizes Overjet’s current Subprocessors at www.overjet.com/legal/trust-center and generally authorizes Overjet to engage Subprocessors from time to time to process the Personal Data as part of the provision of the Services.
6.2 Overjet will enter into a written agreement with each Subprocessor which imposes the same obligations as required by Applicable Data Protection Laws, and Overjet remains liable to the Customer for the Subprocessors’ performance of their obligations. Overjet will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor by providing written notice detailing the grounds of such objection within thirty (30) days following Overjet’s notification of the intended change. After such time period, should the Customer not have objected to the intended change, the change shall be deemed approved. Should the Customer object to the intended change, Customer and Overjet will work together in good faith to address Customer’s objection, provided such objection is reasonable. If Overjet chooses to retain the Subprocessor, Overjet will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.
7. Data Subject Rights
7.1 Taking into account the nature of the Processing and the information available to Overjet, Overjet shall assist the Customer by implementing appropriate technical and organizational measures, as appropriate, for the fulfillment of the Customer’s obligations to respond to requests to exercise Data Subject Rights.
7.2 Overjet shall:
7.2.1 promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data; and
7.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws.
8. Personal Data Breach
Overjet shall notify Customer without undue delay upon and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws. Overjet shall co-operate with the Customer and take reasonable commercial steps as requested by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach as stated in Annex II hereto, at Overjet’s discretion.
9. Data Protection Impact Assessment and Prior Consultation
Overjet shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by Overjet, and taking into account the nature of the Processing and the information available to Overjet.
10. Deletion or Return of Customer Personal Data
This DPA is terminated upon the termination of the Agreement. The Customer may request return of Customer Personal Data in Overjet’s or Overjet’s Subprocessors’ possession up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, Overjet will delete all remaining copies of Customer Personal Data thirty (30) days after termination of the Agreement. Overjet may retain Customer Personal Data to the extent required by applicable law, but only to the extent and for such period as required by such law and always provided that Overjet shall ensure the confidentiality of all such Customer Personal Data.
11. Audit rights and Compliance
11.1 Subject to this Section 11, and upon reasonable request of Customer, Overjet shall make available to the Customer all information and documentation necessary to demonstrate compliance with this DPA. Where permitted by law, Overjet may instead make available to Customer a summary of the results of a third-party audit or certification reports relevant to Overjet’s compliance with this DPA.
11.2 Where permitted by Applicable Data Protection Laws, Customer has the right to monitor Overjet’s compliance with this DPA through reasonable audits and inspections by Customer or the Customer’s designated auditor. Overjet shall cooperate with any audit or inspection initiated by Customer, provided that such audit or inspection will not unreasonably interfere with the normal conduct of Overjet’s business. Unless the audit or inspection reveals a breach by Overjet of this DPA or Applicable Data Protection Law, Customer shall bear the costs of the audit or inspection.
11.3 Information rights of the Customer only arise under Section 11.1 to the extent that the Agreement does not otherwise give the Customer information rights meeting the relevant requirements of Applicable Data Protection Law.
11.4 Solely for the purpose of the CCPA, Overjet shall promptly notify Customer if it determines that it can no longer meet its obligations under the CCPA. Upon receiving notice from Overjet in accordance with this subsection, Customer may direct Overjet to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
12. Data Transfer
12.1 Customer hereby authorizes Overjet to perform Data Transfers to any country deemed to have an adequate level of data protection by the European Commission, including on the basis of the EU-US Data Privacy Framework, or by other competent authorities (including in the UK and Switzerland), as appropriate; on the basis of adequate safeguards in accordance with European Data Protection Laws; or pursuant to the SCCs and the UK Addendum referred to in Sections 12.2 and 12.3 below.
12.2 By entering into this DPA, Customer and Overjet conclude Module 1 (controller-to-controller) of the SCCs to the extent Overjet is a data Controller, Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (processor-to-subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Overjet; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is the thirty (30) day period specified in Section 6.2 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the courts of Ireland; Annexes I and II to Modules 1, 2 and 3 of the SCCs are Annexes I and II to this DPA respectively. For Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
12.3 By entering into this DPA, Customer and Overjet conclude the UK Addendum, which is hereby incorporated and applies to Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Overjet, and their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 12.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annexes I and II to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
13. General Terms
13.1 Any person authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
13.2 All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the Agreement, or to such other address as notified from time to time by the party changing its address.
13.3 The parties acknowledge and agree that with respect to Overjet Analysis Data, Overjet is an independent controller, not a joint controller with Customer. Overjet will process Overjet Analysis Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Overjet’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Service, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Overjet is subject; and (vi) as otherwise permitted under Applicable Data Protection Laws and in accordance with this DPA and the Agreement. Overjet may also process Overjet Analysis Data as a controller to provide, optimize, and maintain the Service, to the extent permitted by Applicable Data Protection Laws. Any processing by Overjet as a controller shall be in accordance with Overjet’s privacy policy set forth at https://www.overjet.com/privacy-policy.
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data Exporter:
● Name: Customer (as defined in the Agreement)
● Address: The address specified in the Agreement.
● Contact person’s name, position, and contact details: The contact specified in the Agreement.
● Activities relevant to the data transferred under these Clauses: Customer receives Overjet’s Service as described in the Agreement and Overjet Processes Personal Data on behalf of Customer in that context.
● Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data Importer:
● Name: Overjet, Inc.
● Address: 2093 Philadelphia Pike #9194, Claymont, DE 19703
● Contact person’s name, position and contact details: Data Privacy Officer at [email protected]
● Activities relevant to the data transferred under these Clauses: Overjet provides its Service to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
● Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
● Categories of Data Subjects whose Personal Data is transferred:
Customer’s end-users, Customer’s patients, Customer’s employees and other staff members, data subjects whose characteristics are present in files, data and materials uploaded by the Customer into Overjet’s Services.
● Categories of Personal Data transferred:
Name, contact information, medical records, audio or video recordings, text input, images, payment information, third-party reimbursement claims, or other information uploaded by the Customer into Overjet’s Services.
● Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer may submit special categories of data to Overjet, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include Personal Data concerning health information of the Customer’s patients. Customer agrees that it has reviewed and assessed the applicable restrictions and safeguards applied to the special categories of Personal Data, and has determined that such restrictions and safeguards are sufficient.
● The frequency of the International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis):
On a continuous basis.
● Nature of the processing:
The Personal Data will be processed and transferred as described in the Agreement.
● Purpose(s) of the International Data Transfer and further Processing:
The Personal Data will be transferred and further processed for the provision of the services as described in the Agreement.
● The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
● For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
● The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of the EU Member State in which the data exporter is established.
● The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
● The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Overjet will, at a minimum, implement the following types of security measures when Processing Customer Personal Data. The measures in this Annex apply to all transfers described in this DPA.
1. DEFINITIONS.
1.1. Personal Data means any information relating to an identified or identifiable natural person, or an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable data protection laws and regulations) and is processed by Overjet on behalf of Customer pursuant to or in connection with this DPA.
1.2. Customer Data means all information and data provided or made available to Overjet by the Customer. To the extent Customer Data contains Personal Data as defined herein, the terms related to Personal Data will also apply.
1.3. Security Incident means a violation of Overjet’s or its computer security policies, acceptable use policies, or standard security practices that has or is reasonably expected to have a material impact on Overjet’s Services and business operations, including but not limited to unplanned disruptions, denial of service attacks, malware infection such as ransomware, or an outside cyber-attack intended to disrupt, disable or destroy Overjet’s computing environment.
1.4. Security Breach means any breach of Overjet’s or its subcontractor’s security that results in the unauthorized acquisition, access, use, deletion or disclosure of Customer Data.
1.5. Services shall have the same meaning as that in the Agreement.
1.6. Overjet Representatives means Overjet’s and its affiliates’ employees and contractors.
2. SECURITY GOVERNANCE
2.1. General: Overjet will implement and maintain appropriate organizational, administrative, and technical controls that meet or exceed applicable and currently accepted industry standards to protect Customer Data from accidental loss, destruction, or unauthorized disclosure.
2.2. Security Program: Overjet shall implement and maintain a comprehensive information security program that is aligned with industry best practices and appropriate to the nature and scope of Overjet’s activities and services. Such program shall utilize a standard set of controls and shall include the use of precautionary measures.
2.3. Security Policies: Overjet shall document and maintain information security policies, standards and procedures, which shall be kept up to date, and revised whenever relevant changes are made that impact the security, confidentiality, and integrity of the Services provided. All policies shall be reviewed no less often than annually.
3. PERSONNEL MANAGEMENT
3.1. Background Checks: Overjet shall, in accordance with applicable law and regulation, perform, or require to have performed, background checks for all Overjet Representatives prior to sharing Customer Data.
3.2. Acceptable Use: Overjet shall train Overjet Representatives on the acceptable use and handling of Customer Data.
3.3. Security & Privacy Training: Overjet shall implement and maintain security and privacy awareness programs to train all Overjet Representatives. This program shall include but is not limited to training about data classification obligations, physical security controls, security practices, and security incident reporting.
o Overjet shall provide said training upon hire and annually thereafter, and in some cases and where appropriate, more frequently.
o Violations: Overjet shall have policies to address personnel violations of internal policies and procedures, and implement any disciplinary measures appropriate for the violation committed, including requiring repeat training, and up to termination of employment.
4. BUSINESS CONTINUITY AND DISASTER RECOVERY
4.1. Business Continuity: Overjet shall maintain a formal Business Continuity Plan (“BCP”) that clearly defines roles and responsibilities of its applicable workforce personnel as well as sets out the appropriate scope and purpose of contingency plans to ensure organizational resiliency.
o The BCP shall be tested and communicated to all workforce personnel annually, and associated findings resulting from plan testing must be remediated.
o Overjet shall maintain a BCP that covers resiliency of both the organization itself and the Services being provided to Customer. The BCP shall include a Disaster Recovery process which is to be tested at least annually.
o The BCP shall be reviewed annually and updated as necessary to address new risks and align with industry standards.
4.2. Disaster Recovery: Overjet must maintain a formal Disaster Recovery Process (“DRP”) with clearly defined roles and responsibilities to ensure resiliency of the Services being provided to Customer. The DRP shall be tested at least annually, with any associated findings remediated promptly.
5. DATA SECURITY AND MANAGEMENT
5.1. Data Availability: Overjet shall ensure that Customer Data is protected against accidental destruction or loss, and that disaster recovery and business resumption plans are implemented and tested in accordance with industry best practices.
5.2. Data Transfer: Overjet shall ensure that Customer Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Customer Data can be established and verified.
5.3. Data Return and Destruction: For 30 days after this DPA terminates or expires, Overjet shall make all Customer Data available for Customer to download. Within 30 days of this DPA terminating, expiring, or upon Customer’s request, Overjet shall destroy all Customer Data in accordance with NIST 800-88, unless otherwise required to maintain copies by law, regulatory request, or law enforcement directive, in which case Overjet will continue to protect Customer Data in accordance with the terms of the Agreement and this Exhibit.
6. APPLICATION SECURITY
6.1. Secure Systems Development Life Cycle (“SSDLC”): Overjet must establish and implement SSDLC policies and procedures to ensure that security and privacy controls are adequately considered when Overjet develops any systems that store, process, or provide access to Customer Data.
6.2. Software Development Life Cycle (“SDLC”): Overjet must maintain and implement SDLC policies and procedures to ensure the security, hygiene, and integrity of its code output, which shall include regular code review, quality assurance checks, and adherence to the OWASP Standards or other applicable industry standards for coding practices.
6.3. Production Environments: Production environments shall be logically or physically separated from any testing, development, or staging environments. Production code may not be released without Overjet personnel first conducting static code reviews and analysis.
7. SECURITY RISK MANAGEMENT
Overjet shall develop and utilize a defined security risk management and assessment methodology to identify ongoing security risks and how to address them. Risk assessments shall be conducted at least annually, and whenever there is a significant change to company operations or products. Such risk assessments, their findings, and attendant remediation plans shall be documented.
8. CONFIGURATION AND CHANGE MANAGEMENT
Overjet shall document and implement formal configuration and change management policies, which shall be reviewed and updated as needed and in no case less than annually. Any change to Overjet’s systems shall be documented in accordance with an industry-recognized change control procedure and shall be implemented with segregation of duties (the person performing the change must differ from the person approving it).
9. ACCESS MANAGEMENT
9.1. Physical Security: Overjet shall ensure appropriate physical security controls to prevent unauthorized physical access to areas under Overjet’s control in which Customer Data is handled, processed, or stored. As part of these controls, Overjet shall regularly monitor areas under its control where Customer Data is handled, processed and/or stored.
9.2. Access Controls: Overjet shall implement and maintain commercially reasonable and appropriate technical controls, following industry best practices such as the principle of least privilege and segregation of duties, to prevent unauthorized access to and disclosure of Customer Data.
o Overjet shall no less than annually perform access reviews for all employees and contractors in accordance with its internal policy. Findings shall be remediated in a timely manner.
o Overjet shall ensure that its personnel, when accessing Overjet systems or Customer’s systems from an environment controlled by Overjet, use the then-most current and secure wireless security protocols, such as Wi-Fi Protected Access 2 (“WPA2”) or stronger.
9.3. Remote Access. If Overjet permits work-from-home options for its employees or contractors, Overjet must ensure that any remote connectivity to Overjet-controlled network(s) is implemented through VPN servers or a similar mechanism (e.g., VDI).
9.4. Third-Parties: Overjet shall permit authorized individuals to use a third-party system to access Overjet or Customer’s systems that contain Customer Data, or to process, store, or transmit Customer Data, only after Overjet has verified the adequacy of the third-party system’s controls and the connection type, and has executed the necessary agreements to enable the processing activity.
9.5. Multi-factor Authentication (“MFA”): MFA shall be used for all accounts with privileged access rights to systems or applications that store or process Customer Data.
10. ASSET MANAGEMENT
10.1. General: Overjet shall implement and maintain an asset management program, which includes a centralized asset management tool with remote lock and remote wipe capabilities. Overjet shall only use trusted devices that are configured with security software (e.g., anti-virus, anti-malware, encryption) and protected against corruption, loss, or disclosure.
10.2. Endpoint Security: Overjet shall implement and maintain the following for all endpoints (desktops, laptops, and if applicable, smartphones):
o Tag and maintain an up-to-date inventory of all assets, including workstations, servers, and software using an asset management inventory system;
o Ensure all endpoints are encrypted (i.e., full disk encryption);
o Ensure firewall is enabled on all endpoints;
o Implement web filters to block access to inappropriate, unnecessary, and malicious websites on all endpoints used to service Customer;
o Perform at a minimum weekly vulnerability scanning with any findings remediated in accordance with Overjet’s Vulnerability Management Program;
o Ensure Overjet’s personnel use a current, fully patched and supported web browser when accessing Overjet’s production environment;
o Limit administrative privileges on assets to authorized Overjet personnel with a need for such access;
o Configure endpoints in accordance with industry best practices with respect to logical session termination, password rotation, account lock, failed log-in attempts, use of default passwords, password age, and password complexity; and
o Configure endpoints to automatically apply patches using a central tool. All operating system and application security patches must be installed in accordance with industry best practices.
11. ENCRYPTION
11.1. Encryption at Rest: Any Customer Data stored on Overjet managed or controlled systems, networks, and environments shall be encrypted using industry standard mechanisms and cipher suites.
11.2. Encryption in Transit: Customer Data that is transmitted, including but not limited to, via web services, FTP, email, webmail, chat messages, shall be encrypted using industry standard mechanisms and cipher suites.
11.3. Key Management: Overjet shall utilize only dedicated encryption keys to encrypt Customer Data.
o All keys shall be protected against modification and unauthorized disclosure.
o FIPS-approved or NIST-recommended cryptographic algorithms, with key lengths commensurate with the required security strength, shall be used.
o When a cryptographic key is compromised, all use of the key shall cease.
o Encryption key management systems shall be designed so that the compromise of a single key does not compromise the security of the system as a whole.
o Overjet shall have a key compromise recovery plan for restoring cryptographic security services.
12. NETWORK SECURITY
12.1. Network Security: Overjet shall secure its networks using a defense-in-depth approach that incorporates both commercially available equipment and industry standard techniques. Overjet shall implement a network-based or host-based Intrusion Detection System or Intrusion Prevention System on all Overjet-controlled networks used to store, process, transmit or access Customer Data. Unauthorized attempts to access Overjet’s networks shall be investigated accordingly. Overjet shall review access logs not less than quarterly to ensure that access permissions are appropriate and necessary.
12.2. Guest Access: Overjet shall implement appropriate controls to ensure that only authorized devices are connected to its networks and, if applicable, Customer systems. A segregated network must be deployed to allow guest access for visitors to Overjet facilities. In no case shall Overjet allow guests or endpoints not managed by Overjet to access Overjet’s corporate or production networks, or to Customer systems, if applicable.
12.3. Wireless Security: Overjet shall implement the then-most current and secure wireless security protocols, such as Wi-Fi Protected Access 2 (“WPA2”) or stronger, in facilities it manages.
13. VULNERABILITY MANAGEMENT
13.1. Vulnerability Management Program: Overjet shall maintain a Vulnerability Management Program that adheres to industry best practices. At minimum, Overjet shall conduct comprehensive scans for known vulnerabilities on all externally facing systems, environments, and networks that are managed and/or controlled by Overjet.
13.2. Vulnerability Remediation: All vulnerabilities identified through the scans and testing performed by Overjet shall be remediated by Overjet in accordance with the following timelines (risk ratings of vulnerabilities shall be based on the Common Vulnerability Scoring System (“CVSS”)):
o Critical and high-risk vulnerabilities must be remediated within 30 days of discovery;
o Medium-risk vulnerabilities must be remediated within 90 days of discovery; and
o Low-risk vulnerabilities must be remediated within 180 days of discovery.
Should Overjet be unable to remediate a vulnerability within the defined time frame, mitigating controls offering an equivalent level of protection must be implemented.
13.3. Third-Party Patches: Patches provided by third-party suppliers for urgent, critical, and high-risk vulnerabilities shall be applied within the timelines set out in Section 13.2.
13.4. Penetration Test: At least annually, a qualified independent third-party supplier shall conduct a penetration test of Overjet’s systems, network, and environments that are in scope for the Services provided to Customer.
14. INDEPENDENT CERTIFICATION/ATTESTATION
At least annually, Overjet shall obtain from a qualified independent third-party a SOC 2 Type II Report, or a similar report, that encompasses the infrastructure, applications, platform and environment used in providing Services to Customer. A summary copy of the most recent report will be provided to Customer upon request.
15. THIRD-PARTY RISK MANAGEMENT
15.1. Risk Management Program: Overjet shall maintain and implement a comprehensive third-party risk management program that includes initial and ongoing assessments to ensure the security of its third-party providers at least complies with industry expectations.
15.2. Security Requirements: Overjet will ensure that all third-parties who access, process, or store Customer Data, or who have access to any systems that process or store Customer Data, enter into written agreements committing them to adhere to reasonable security requirements appropriate to the size and scope of their organization and to the type of service or product they provide to Overjet.
16. INCIDENT AND BREACH MANAGEMENT
16.1. Incident Response Plan: Overjet shall establish and maintain formal incident response policies and procedures (“Incident Response Plan” or “IRP”) that address both Security Incidents and Security Breaches. The IRP must establish responsibilities for incident oversight and management, and shall be reviewed at least annually to ensure its consistency with industry standards and company practices. Overjet shall train all workforce personnel on IRP procedures according to the roles and responsibilities outlined in the IRP.
16.2. Breach Notifications: Overjet shall report Security Breaches to Customer in an appropriate and timely manner, and in no case later than 48 hours after discovery of the breach. After notifying Customer of the Security Breach, Overjet shall provide regular updates regarding its investigation, remediation, and resolution of the issue, including, but not limited to, the following details, as soon as they become available:
o Vector of attack (e.g., software vulnerability, phished credentials);
o Type and quantity of Customer Data impacted;
o Overjet systems impacted;
o The immediate security measures taken to mitigate the incident's impact; and
o Remediation plan.
In addition to conducting its own investigation of the Security Breach, Overjet shall provide reasonable cooperation with Customer’s own investigation, including, but not limited to: (i) promptly making available reasonably requested materials (e.g., network and activity logs, indicators of compromise, hashes of malware samples) and (ii) making Overjet’s personnel available to assist in such investigation.
Last Updated November 11, 2024. For earlier versions, please send a request to [email protected] (with “Previous DPA Request” in the subject line).