DATA PROCESSING AGREEMENT

Last Updated: December 2024

This Data Processing Agreement (“DPA”) supplements the Shortlister Terms of Use and applies when Wellness Research Institute LLC, D/B/A Shortlister (“Shortlister”, “we”, “us”, or “our”) processes personal data on behalf of our business users (“you” or “Customer”) in connection with the Shortlister platform services.

This DPA is incorporated by reference into our Terms of Use and applies automatically when you use our Services to process personal data of individuals in the European Economic Area (EEA), United Kingdom (UK), or where otherwise required by applicable data protection laws.

1. DEFINITIONS

For purposes of this DPA:

“Applicable Data Protection Laws” means all applicable data protection and privacy laws and regulations, including without limitation:

  • The EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”)
  • The UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”)
  • The California Consumer Privacy Act (“CCPA”)
  • Any other applicable national, state, or local data protection laws

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meanings given in the EU GDPR and UK GDPR.

“Customer Data” means any Personal Data that Customer uploads, submits, or otherwise provides to the Shortlister platform, or that is processed by Shortlister on Customer’s behalf.

“Services” means the Shortlister platform services as described in our Terms of Use, including vendor research, RFP management, and related features.

“Sub-processor” means any third party engaged by Shortlister to process Customer Data.

2. SCOPE AND ROLES

2.1 Applicability

This DPA applies when:

  • Customer uses the Services to process Personal Data
  • Customer acts as a Controller or Processor of Personal Data
  • The processing is subject to Applicable Data Protection Laws

2.2 Roles of the Parties

  • Customer as Controller: When Customer determines the purposes and means of processing Personal Data
  • Shortlister as Processor: When we process Personal Data on Customer’s behalf pursuant to Customer’s instructions
  • Independent Controller: Shortlister acts as an independent Controller for account registration data and platform analytics

2.3 Customer Responsibilities

Customer warrants and represents that:

  • It has all necessary legal bases for processing Personal Data
  • It has provided all required notices to Data Subjects
  • Its instructions to Shortlister comply with Applicable Data Protection Laws
  • It will respond promptly to Data Subject requests
  • It acknowledges the multi-party nature of the platform and that data shared with other users cannot be retrieved
  • Data legitimately shared with other platform users through normal platform operations is not subject to deletion from those users’ accounts

3. PROCESSING OF PERSONAL DATA

3.1 Processing Instructions

Shortlister will:

  • Process Customer Data only in accordance with Customer’s documented instructions
  • Process Customer Data only as necessary to provide the Services
  • Notify Customer if we believe an instruction violates Applicable Data Protection Laws
  • Not process Customer Data for our own purposes except as permitted by this DPA

3.2 Nature of Processing

Purpose of Processing:

  • Providing the Shortlister platform services
  • Facilitating vendor research and selection
  • Managing RFPs and proposals
  • Enabling communication between brokers and vendors
  • Providing analytics and reporting
  • Technical support and service improvement
  • Facilitating authorized data sharing between platform users (brokers, vendors, clients)

Categories of Data Subjects:

  • Customer’s employees and authorized users
  • Customer’s clients and their employees
  • Vendor representatives
  • Insurance brokers and consultants
  • Other platform participants

Types of Personal Data:

  • Contact information (name, email, phone, title)
  • Professional information (employer, role, department)
  • Account credentials and preferences
  • Platform usage and activity data
  • Communications and messages
  • Technical data (IP addresses, device information)

3.3 Duration

Processing will continue for the duration of the Services and as required for legal compliance or as instructed by Customer.

4. SECURITY MEASURES

4.1 Technical and Organizational Measures

Shortlister will implement and maintain appropriate technical and organizational measures to protect Customer Data, including:

  • Access Controls: Role-based access, strong authentication, regular access reviews
  • Data Encryption: Industry-standard encryption in transit and at rest for sensitive data
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Physical Security: Secured data centers with environmental controls
  • Incident Response: Security monitoring, incident response procedures
  • Business Continuity: Backup procedures, disaster recovery planning
  • Personnel Security: Confidentiality agreements, security training

4.2 Security Updates

We regularly review and update our security measures to address evolving threats and maintain effectiveness.

5. SUB-PROCESSORS

5.1 Authorized Use

Customer agrees that Shortlister may engage Sub-processors to process Customer Data, subject to:

  • Sub-processors agreeing to data protection obligations no less protective than this DPA
  • Shortlister remaining liable for Sub-processor compliance

5.2 Current Sub-processors

Our current Sub-processors are listed at: www.myshortlister.com/subprocessors

6. DATA SUBJECT RIGHTS

6.1 Cooperation

Shortlister will provide reasonable assistance to help Customer respond to Data Subject requests, including:

  • Right to access Personal Data
  • Right to rectification or erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

6.2 Data Subject Requests

  • If we receive requests directly from Data Subjects, we will promptly notify Customer
  • We will not respond directly to Data Subjects unless authorized by Customer or required by law
  • Customer is responsible for responding to Data Subject requests
  • For data that has been shared with other platform users, we will inform Customer of the limitations on deletion/modification of such shared data

7. DATA BREACH NOTIFICATION

7.1 Breach Response

In the event of a Personal Data Breach, Shortlister will:

  • Take immediate action to contain and mitigate the breach
  • Notify Customer without undue delay and within 72 hours of becoming aware
  • Provide details about the breach, including:
      ◦ Nature and scope of the breach
      ◦ Categories and number of affected Data Subjects
      ◦ Categories and number of affected Personal Data records
      ◦ Likely consequences and mitigation measures

  • Cooperate with Customer’s investigation and regulatory requirements
  • Maintain records of all breaches

7.2 Customer Notification Decision

Customer is responsible for determining whether to notify:

  • Affected Data Subjects
  • Supervisory Authorities
  • Other third parties

8. INTERNATIONAL TRANSFERS

8.1 Transfer Safeguards

If we transfer Customer Data outside the EEA or UK, we will ensure appropriate safeguards through:

  • EU/UK approved Standard Contractual Clauses
  • Adequacy decisions
  • Other approved transfer mechanisms under Applicable Data Protection Laws

8.2 Transfer Details

Information about countries where Customer Data may be processed is available in our Privacy Policy.

9. AUDITS AND COMPLIANCE

9.1 Compliance Demonstration

Shortlister will:

  • Maintain records of processing activities
  • Provide information necessary to demonstrate compliance
  • Make available certifications and audit reports upon reasonable request

9.2 Audit Rights

  • Customer may conduct audits of our data processing practices upon reasonable notice
  • Audits must be conducted during business hours with minimal disruption
  • Customer bears audit costs unless material non-compliance is discovered
  • We may provide independent third-party audit reports in lieu of Customer audits

10. DATA RETENTION AND DELETION

10.1 Retention

We retain Customer Data:

  • For the duration of the Services
  • As required by applicable law
  • As necessary for legitimate business purposes
  • As instructed by Customer

10.2 Deletion and Return

Upon termination or Customer request:

  • We will delete or return Customer Data (at Customer’s option)
  • We will delete existing copies unless legally required to retain
  • We will provide certification of deletion upon request

10.3 Multi-Party Data and Shared Data Limitations

Nature of Platform Operations:

The Shortlister platform is designed to facilitate data sharing between different parties (e.g., brokers sending RFPs to vendors, vendors submitting proposals to brokers). When Customer Data is shared through the platform’s intended operations:

Independent Controller Status:

  • Each recipient of shared data (e.g., a vendor receiving an RFP) becomes an independent controller of their copy of that data
  • Shortlister processes each party’s copy of shared data separately under their respective agreements
  • Each party is responsible for their own compliance with data protection laws regarding data they control

Deletion Limitations:

When Customer requests deletion of data that has been shared with other platform users:

  • Shortlister will delete the data from Customer’s account and cease processing it on Customer’s behalf
  • Shortlister cannot and is not required to delete copies held by other platform users who received the data through legitimate platform operations
  • Each platform user must independently manage retention and deletion of data in their own account

Customer Acknowledgment:

Customer acknowledges and agrees that:

  • Data shared with other platform users through intended platform operations cannot be retrieved or deleted from recipients’ accounts
  • Deletion requests apply only to data within Customer’s own account and control
  • Recipients may retain shared data for their legitimate business purposes, including record-keeping, compliance, and business operations
  • Customer is responsible for considering these limitations before sharing Personal Data through the platform

Audit Trails:

Notwithstanding deletion requests, Shortlister may retain minimal audit trail data necessary for:

  • Platform security and integrity
  • Compliance with legal obligations
  • Dispute resolution
  • Evidence of data sharing activities

11. LIABILITY AND INDEMNIFICATION

11.1 Liability

  • Our liability for data protection violations is as set forth in our Terms of Use
  • Nothing in this DPA excludes liability that cannot be limited under Applicable Data Protection Laws

11.2 Indemnification

Each party will defend and indemnify the other against third-party claims arising from that party’s violation of Applicable Data Protection Laws.

12. JURISDICTION-SPECIFIC TERMS

12.1 European Economic Area

For Customer Data from the EEA:

  • Shortlister acts as Processor under EU GDPR Article 28
  • Standard Contractual Clauses apply to transfers outside the EEA
  • Customer may exercise controller rights under EU GDPR

12.2 United Kingdom

For Customer Data from the UK:

  • Shortlister acts as Processor under UK GDPR Article 28
  • UK-approved transfer mechanisms apply to international transfers
  • The UK Information Commissioner’s Office is the relevant Supervisory Authority

12.3 California

For California residents’ Personal Data:

  • Shortlister acts as a Service Provider under CCPA
  • We will not sell or share Personal Data
  • We will assist with consumer rights requests

13. GENERAL PROVISIONS

13.1 Relationship to Terms of Use

  • This DPA supplements our Terms of Use
  • In case of conflict regarding data protection, this DPA prevails
  • Defined terms not defined here have meanings in the Terms of Use

13.2 Modifications

  • We may update this DPA to reflect legal or operational changes
  • Material changes will be notified via email or platform announcement
  • Continued use after changes constitutes acceptance

13.3 Severability

If any provision is invalid or unenforceable, the remainder continues in effect.

13.4 Governing Law

  • This DPA is governed by the governing law specified in the Terms of Use
  • Data protection matters are governed by Applicable Data Protection Laws

14. DATA PROTECTION CONTACT

For questions about this DPA or our data protection practices:

Data Protection Officer
Wellness Research Institute LLC
310 Busse Hwy,
#386 Park Ridge, IL 60068
Email: privacy@myshortlister.com

15. CUSTOMER ACCEPTANCE

For Business Accounts: By using the Services to process Personal Data, you accept this DPA on behalf of your organization.

Effective Date: This DPA is effective when you first use the Services after the Last Updated date above.

APPENDIX 1: STANDARD CONTRACTUAL CLAUSES

Where required for international transfers, the EU Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and available at: www.myshortlister.com/scc

For UK transfers, the UK International Data Transfer Agreement is incorporated by reference and available at: www.myshortlister.com/uk-idta

APPENDIX 2: CCPA ADDENDUM

For California Personal Information:

1. Definitions: Terms used have meanings in the CCPA.

2. Service Provider Obligations: Shortlister will:
      ◦ Process Personal Information only for the Services
      ◦ Not sell or share Personal Information
      ◦ Not retain, use, or disclose Personal Information outside the Services
      ◦ Provide reasonable assistance with consumer requests

3. Certifications: Shortlister certifies it understands and will comply with CCPA restrictions.

This Data Processing Agreement demonstrates Shortlister’s commitment to protecting personal data in compliance with global data protection regulations. For questions or concerns, please contact our Data Protection Officer.