Effective Immediately
Fogo Hospitality, Inc. and its worldwide affiliates and subsidiaries (collectively “Fogo de Chão”) require that its service providers, suppliers, distributors and other business partners and their employees (collectively “You”) comply with the requirements set forth in these Data Protection Standards (“Standards”) with respect to any information that Fogo de Chão or Fogo de Chão employees, representatives, clients, distributors, or other business partners make available to You in the context of Your business relationship with Fogo de Chão or a Fogo de Chão corporate client (“Fogo de Chão Data”).
1. Use and Transfer Limitations. You must not access, collect, store, retain, transfer, use or otherwise process in any manner any Fogo de Chão Data, except: (a) in the interest and on behalf of Fogo de Chão; (b) as directed by authorized personnel of Fogo de Chão in writing, including for the purposes of providing the services for which we have contracted You; and (c) in accordance with applicable law. Without limiting the generality of the foregoing, You may not make Fogo de Chão Data accessible to any processors, service providers, contractors, subprocessors, subcontractors or other third parties, or relocate Fogo de Chão Data to new locations, except as set forth in written agreements with, or written instructions from, Fogo de Chão. You must provide a list of authorized subprocessors upon request and ensure all subprocessors are bound by the obligations of these Standards. All cross-border transfers of Fogo de Chão Data must comply with applicable laws, including the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”) and the Brazilian Lei Geral de Proteção de Dados (“LGPD”). For transfers from the European Economic Area, United Kingdom, or Switzerland to countries lacking an adequacy decision, Company shall implement appropriate safeguards such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent mechanisms. You must conduct and provide Fogo de Chão with Transfer Impact Assessments for all high-risk data transfers to ensure compliance with applicable laws. These assessments must be updated annually and whenever a material change occurs.
2. Data Retention and Deletion. You may retain Fogo de Chão Data only for as long as necessary to fulfill Your contractual obligations or as required by law. Upon termination of Your business relationship with Fogo de Chão or upon Fogo de Chão’s request, You shall securely delete or return all Fogo de Chão Data within 14 days unless retention is required by law. You shall certify in writing that all Fogo de Chão Data has been deleted or returned. If deletion is not feasible, You must notify Fogo de Chão and continue to safeguard the Fogo de Chão Data in compliance with these Standards.
3. Comply with Approved Policies. You must keep Fogo de Chão Data confidential and secure from unauthorized access and other data processing by using Your best efforts and state-of-the-art organizational and technical safeguards. You must implement and maintain industry-standard security measures, including encryption of data at rest and in transit, pseudonymization, regular security audits, and access controls. These measures must align with the ISO/IEC 27001 standards or equivalent. If applicable, You must maintain certification with security frameworks such as SOC 2 Type II or NIST 800-53 or be substantially in compliance with the requirements thereof. You must comply with Fogo de Chão’s Supplier Information Security Policy (Link.Fogo.com/security), unless Fogo de Chão has expressly approved Your own information security policy in writing as an alternative (in which case You must comply with the approved version of Your own policy, refrain from making any changes that reduce the level of security provided thereunder, and provide 24 hours’ prior written notice to Fogo de Chão of any significant changes to Your own information security policy). If You conduct SSAE 18, SOC or similar or successor audits, You must comply with Your SSAE 18, SOC or similar or successor standards and provide Fogo de Chão with thirty (30) days’ prior notice of any changes. You must impose contractual obligations on all of Your employees, contractors and onward recipients that are at least as protective of Fogo de Chão Data as these Standards.
4. Cooperate with Compliance Obligations. At Fogo de Chão’s reasonable request, You must: (a) accept amendments to these Standards where applicable laws require You and Fogo de Chão to agree to certain contractual terms relating to the processing of Fogo de Chão Data; and (b) agree to comply with laws or industry standards designed to protect Fogo de Chão Data, including, without limitation, the Standard Contractual Clauses approved by the European Commission for data transfers to processors and PCI Standards, if and to the extent such frameworks apply to any Fogo de Chão Data that You come into contact with; or else (c) allow Fogo de Chão to terminate certain or all contracts with You, subject to (i) a proportionate refund of any prepaid fees, (ii) transition or migration assistance as reasonably required, and (iii) without applying any early termination charges or other extra charges. You will notify Fogo de Chão as soon as possible, and in any case no later than five business days, after making a determination that You can no longer meet Your obligations under applicable laws, including the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act of 2020, and its regulations (“CPRA”).
5. Submit to Audits. You must provide information on Your compliance program and provide relevant SOC 2 Type II or equivalent audit reports from an independent or internal auditor annually. You must submit to reasonable data security and privacy compliance audits by Fogo de Chão and, at Fogo de Chão’s request, by an independent third party, or clients of Fogo de Chão, to verify compliance with these Standards, applicable law, and any other applicable contractual undertakings. If You use Fogo de Chão Data in violation of law or these Standards, You grant Fogo de Chão a right, upon notice, to take reasonable and appropriate steps to stop and remediate Your unauthorized use.
6. Notify Breaches and Requests. If You become aware of or suspect any unauthorized access to Fogo de Chão Data or any security breach that is reportable under any law applicable to You or Fogo de Chão, You must notify Fogo de Chão within 48 hours of discovery. The notification must include details about the nature of the breach, affected data, remediation steps, and measures to prevent future incidents. You shall fully cooperate with Fogo de Chão in its investigation of the incident and shall be responsible for any costs related to the incident, unless You can clearly show that the incident was the result of the Fogo de Chão’s negligence or wrongdoing.
7. Data Subject Requests. You must fully cooperate with Fogo de Chão in responding to data subject rights requests under applicable privacy laws, including but not limited to rights of access, rectification, erasure, data portability and objection. You must provide necessary information or take required actions within five (5) business days of receiving such a request from Fogo de Chão, or sooner if required by law. You must also indemnify Fogo de Chão from any resulting damages and costs, including, without limitation, identity protection assistance and services procured for data subjects and reasonable attorneys’ and technical consultants’ fees for Fogo de Chão’s handling of the incident. If You receive a request from an individual, government agency or other entity to exercise rights under applicable law with respect to any data contained in Fogo de Chão Data, such as to access, correct or delete the personal data or to restrict, object to, or control the processing of the personal data, You must immediately inform Fogo de Chão, hold off on responding to or giving effect to the request without Fogo de Chão’s written consent and instruction unless You are otherwise required to do so by applicable law, and promptly provide all information and assistance necessary for You and Fogo de Chão to comply with the request in accordance with applicable law.
8. No Information Selling or Sharing. You acknowledge and confirm that You do not receive any Fogo de Chão Data as consideration for any services or other items that You provide to Fogo de Chão. You shall not have, derive or exercise any rights or benefits regarding Fogo de Chão Data. You must not sell or share any Fogo de Chão Data, as the terms “sell” and “share” are defined in the CPRA or under any other laws. You must not collect, retain, use or disclose any Fogo de Chão Data (a) for targeted or cross-context behavioral advertising, (b) other than for the business purposes specified in a written contract with Fogo de Chão, or (c) outside Your direct business relationship with Fogo de Chão. You must not combine Fogo de Chão Data with other data if and to the extent this would be inconsistent with limitations on service providers or contractors under the CPRA or other laws. You certify that You understand the rules, requirements and definitions of the CPRA, and all restrictions in these Standards. You agree to refrain from taking any action that would cause any transfers of Fogo de Chão Data to or from You to qualify as “selling personal information” or “sharing personal information for advertising” under the CPRA or other laws. In the event of non-compliance with this section, Fogo de Chão reserves the right to terminate the agreement immediately and seek damages for any resulting harm, including regulatory fines.
9. EEA and UK Personal Data. With respect to any Fogo de Chão Data that is subject to the EU General Data Protection Regulation or similar laws of other countries or regions as “personal data,” You accept the Standard Contractual Clauses 2021 (“SCCs”) promulgated by Commission implementing decision (EU) 2021/914 of 4 June 2021, Modules 1, 2 and 3 and incorporated by reference herein. With respect to any Fogo de Chão Data that is subject to the UK General Data Protection Regulation, You accept the UK International Data Transfer Addendum to the SCCs, incorporated by reference herein. At Fogo de Chão’s request, You will sign full versions of these documents with us and provide completed Annexes to the SCCs, a list of subprocessors, and transfer impact assessments (as required by Clause 14 of the SCCs) for inclusion therein without undue delay. Where similar laws of other countries or regions apply, references specific to the EEA contained in the EU Standard Contractual Clauses shall be understood to refer to such other countries or regions.
10. Integration. In the event of any conflict between these Standards and any other terms, these Standards shall take precedence unless explicitly otherwise stated in writing by Fogo de Chão.