THIS DATA PROCESSING ADDENDUM (“DPA”) to the Agreement (as defined below) is entered into as of the Addendum Effective Date by and between Foo Monk LLC, a Wyoming corporation with its principal business address at 30 N. Gould St., Ste. R, Sheridan, Wyoming, 82801, United States (“Instantly” or “Service Provider”); and the Subscriber identified on the Agreement (“Subscriber”), together the “Parties” and each a “Party.”
INTERPRETATION
In this DPA, the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
“Addendum Effective Date” means the effective date of the Agreement.
“Agreement” means the Terms of Service, accessible at: https://instantly.ai/terms.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Subscriber Personal Data.
“Subscriber Personal Data” means any Personal Data Processed by Service Provider or its Sub-Processor on behalf of Subscriber to perform the Service under the Agreement, except that Subscriber Personal Data does not include the contact information pertaining to Subscriber’s personnel or representatives who are business contacts of Subscriber (where Service Provider acts as a controller of such information).
“Data Subject” means the identified or identifiable natural person to whom Subscriber Personal Data relates.
“Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Subscriber Personal Data and the Processing thereof.
“Deidentified Data” means data Processed by Service Provider or its Sub-Processor on behalf of Subscriber to perform the Services under the Agreement that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or device linked to such person.
“EEA” means the European Economic Area.
“GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
“Personal Data Breach” means a breach of Service Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Subscriber Personal Data in Service Provider’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Subscriber Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
“Personnel” means a person’s employees, agents, consultants or contractors.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Subscriber Personal Data on behalf of the Controller.
“Restricted Transfer” means the disclosure, grant of access or other transfer of Subscriber Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
“SCCs” means collectively (i) the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) and (ii) the UK Transfer Addendum to the EU SCCs, issued by the Information Commissioner (Version B1.0, in force on 21 March 2022) (“UK SCCs”).
“Sub-Processor” means any third party appointed by or on behalf of Service Provider to Process Subscriber Personal Data.
“Supervisory Authority” (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
All capitalized terms used in this DPA that are not otherwise defined in this DPA shall have the meaning given to them in the Agreement.
SCOPE OF THIS DATA PROCESSING ADDENDUM
This DPA applies to Service Provider’s Processing of Subscriber Personal Data under the Agreement only to the extent that Applicable Data Protection Laws apply to the relevant Subscriber Personal Data.
The Parties acknowledge and agree that the details of Service Provider’s Processing of Subscriber Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to this DPA.
Annex 2 (European Annex) to this DPA applies only if and to the extent Service Provider’s Processing of Subscriber Personal Data under the Agreement is subject to the GDPR.
Annex 3 (California Annex) to this DPA applies only if and to the extent Service Provider’s Processing of Subscriber Personal Data under the Agreement is subject to the CCPA with respect to which Subscriber is a “business” (as defined in the CCPA).
Section 9 (Compliance Assistance; Audits) of this DPA applies to Service Provider’s Processing of Subscriber Personal Data to the extent required under any requirements concerning contracts with Processors under Applicable Data Protection Laws, and in such cases, only in respect of Processing of Subscriber Personal Data subject to such laws.
PROCESSING OF SUBSCRIBER PERSONAL DATA
Service Provider shall not Process Subscriber Personal Data other than on Subscriber’s written instructions or as required or permitted by applicable laws. For purposes of the Services and this DPA, Service Provider shall be considered as the Processor (or “service provider” as defined under Applicable Data Protection Laws). Notwithstanding the foregoing, Subscriber acknowledges and agrees that Service Provider may Process Subscriber Personal Data and Performance Data to improve, develop and personalize the Services, including by monitoring Services operations and disclosing Subscriber Personal Data related to email validity and deliverability (e.g., invalid email addresses, bounced emails) identified through the Services to third parties (the “Specific Purposes”). Subscriber understands and agrees that the Specific Purposes are designed to maintain the Subscriber Personal Data and other Personal Data processed by Service Provider from third parties in an accurate and up to date manner (including as may be required under Applicable Data Protection Laws or the Service Provider’s other legal obligations). Subscriber acknowledges and agrees that the Specific Purposes are part of the Services under the Agreement, and compatible with the instructions related to the Processing of Subscriber Personal Data necessary to provide the Services. Subscriber grants to Service Provider a non-exclusive, worldwide right to use Subscriber Personal Data to (a) provide the Services to Subscriber; (b) compile, derive, use, disclose and otherwise process de-identified, anonymous, or aggregated information, provided that no such information will directly identify and cannot be used to identify Subscriber; (c) exercise its rights and perform its obligations under the Agreement; and (d) maintain and improve the Services.
Subscriber instructs Service Provider to Process Subscriber Personal Data to provide the Services to Subscriber and in accordance with the Agreement (including this DPA). The Agreement is a complete expression of such instructions, and Subscriber’s additional instructions will be binding on Service Provider only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Service Provider receives an instruction from Subscriber that, in its reasonable opinion, infringes Applicable Data Protection Laws, Service Provider shall notify Subscriber.
The Parties acknowledge that Service Provider’s Processing of Subscriber Personal Data authorized by Subscriber’s instructions stated in the Agreement (including this DPA) is integral to the Services and the business relationship between the Parties. Access to Subscriber Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
SERVICE PROVIDER PERSONNEL
Service Provider shall require that its Personnel who are authorized to access Subscriber Personal Data are subject to appropriate confidentiality obligations.
SECURITY
Service Provider shall implement and maintain technical and organizational measures in relation to Subscriber Personal Data that are designed to protect Subscriber Personal Data against Personal Data Breaches as described in Annex 4 (Security Measures) (the “Security Measures”).
Service Provider may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Subscriber Personal Data.
DATA SUBJECT REQUESTS
Taking into account the nature of the Processing of Subscriber Personal Data by Service Provider, Service Provider shall provide Subscriber with such assistance by implementing appropriate technical and organizational measures as Subscriber may reasonably request to assist Subscriber in fulfilling its obligations under Applicable Data Protection Laws to respond to Data Subject Requests.
Service Provider shall:
promptly notify Subscriber if it receives a Data Subject Request; and
not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Subscriber, except as required by Applicable Data Protection Laws. Subscriber will be responsible for responding to any such request.
PERSONAL DATA BREACH
Breach notification and assistance
Service Provider shall notify Subscriber without undue delay upon Service Provider’s confirmation of a Personal Data Breach affecting Subscriber Personal Data. Service Provider’s notification of or response to a Personal Data Breach shall not be construed as Service Provider’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
To the extent the Personal Data Breach resulted from Service Provider’s breach of its security obligations under the Agreement, Service Provider shall provide Subscriber with reasonably requested information (insofar as such information is within Service Provider’s possession and knowledge and does not otherwise compromise the security of any Subscriber Personal Data Processed by Service Provider or the Service Provider’s other confidentiality or nondisclosure obligations, including any imposed by a law enforcement, a Supervisory Authority, or other governmental authority) designed to allow Subscriber to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. If the Personal Data Breach did not result from Service Provider’s breach of its security obligations under the Agreement, Service Provider shall reasonably cooperate with Subscriber; provided, however, Subscriber shall reimburse Service Provider for any costs incurred by Service Provider. Subscriber is solely responsible for complying with notification laws applicable to Subscriber and fulfilling any third-party notification obligations related to any Personal Data Breaches.
Notification to Service Provider
If Subscriber determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or otherwise identifies Service Provider, where permitted by applicable laws, Subscriber agrees to:
notify Service Provider in advance in writing; and
in good faith, consult with Service Provider and consider any clarifications or corrections Service Provider may reasonably recommend or request to any such notification, which: (i) relate to Service Provider’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
SUB-PROCESSING
Subscriber generally authorizes Service Provider to appoint Sub-processors in accordance with this Section 8. Without limitation to the foregoing, Subscriber authorizes the engagement of the Sub-processors listed as of the effective date of the Agreement at the Sub-processor Site, as defined below.
Information about Sub-processors, including their functions and locations, is available at: https://help.instantly.ai/en/articles/8177025-instantly-sub-processors (as may be updated by Service Provider from time to time, subject to Service Provider’s obligations pursuant to Section 8.4 below) or such other website address as Service Provider may provide to Subscriber from time to time (the “Sub-processor Site”).
When engaging any Sub-processor, Service Provider will enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in this DPA with respect to Subscriber Personal Data and to the extent applicable to the nature of the services provided by such Sub-processor. As between the Parties, Service Provider shall be liable for the acts and omissions of all Sub-processors under or in connection with this DPA to the same extent Service Provider would be liable under the terms of this DPA if performing such Services itself directly.
When Service Provider engages any Sub-processor after the effective date of the Agreement, Service Provider will notify Subscriber of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by updating the Sub-processor Site or by other written means at least 15 days before such Sub-processor Processes Subscriber Personal Data. If Subscriber objects to such engagement in a written notice to Service Provider within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Subscriber Personal Data, Subscriber and Service Provider will work together in good faith to consider a mutually acceptable resolution to such objection. If the Parties are unable to reach a mutually agreeable resolution within a reasonable timeframe, Subscriber may, within 30 days of its initial notification of its objection to Service Provider, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Service Provider and pay Service Provider for all amounts due and owing under the Agreement as of the date of such termination. If Subscriber does not object to Service Provider’s appointment of a Sub-processor during the objection period referred to in this Section 8.4, Subscriber shall be deemed to have approved the engagement and ongoing use of that Sub-processor.
COMPLIANCE ASSISTANCE; AUDITS
Taking into account the nature of the Processing of Subscriber Personal Data by Service Provider and the information available to Service Provider, Service Provider shall provide such information and assistance to Subscriber as Subscriber may reasonably request (insofar as such information is available to Service Provider and the sharing thereof does not compromise the security, confidentiality, integrity or availability of any data Processed by Service Provider) to help Subscriber meet its obligations under Applicable Data Protection Laws, including in relation to the security of Subscriber Personal Data, the reporting and investigation of Personal Data Breaches, the demonstration of Subscriber’s compliance with such obligations and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Service Provider’s Processing of Subscriber Personal Data, including those required under Articles 35 and 36 of the GDPR.
Subject to Section 9.4 below, Service Provider shall make available to Subscriber such information as Subscriber may reasonably request for Service Provider to demonstrate compliance with Applicable Data Protection Laws and this DPA. Without limitation of the foregoing, Subscriber may conduct (in accordance with Section 9.3), at its sole cost and expense, and Service Provider will reasonably cooperate with, reasonable audits (including inspections, manual reviews, automated scans and other technical and operational testing only to the extent that Subscriber is entitled to perform these activities under Applicable Data Protection Laws), in each case, whereby Subscriber or a qualified and independent auditor appointed by Subscriber using an appropriate and accepted audit control standard or framework may audit Service Provider’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Subscriber and Service Provider.
Subscriber shall give Service Provider reasonable advance notice of any such audits. Service Provider need not cooperate with any audit (a) performed by any individual or entity who has not entered into a non-disclosure agreement with Service Provider on terms acceptable to Service Provider in respect of information obtained in relation to the audit; (b) conducted outside of Service Provider’s normal business hours at the relevant site; or (c) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits that Subscriber is required to perform under Applicable Data Protection Laws. The audit must be conducted in accordance with Service Provider’s safety, security or other relevant policies, must not impact the security, confidentiality, integrity or availability of any data Processed by Service Provider and must not unreasonably interfere with Service Provider’s business activities. Subscriber shall not conduct any scans or technical or operational testing of Service Provider’s applications, websites, services, networks or systems without Service Provider’s prior approval (which shall not be unreasonably withheld).
If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Subscriber’s audit request (“Audit Report”) and Service Provider has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Subscriber agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Service Provider shall provide copies of any such Audit Reports to Subscriber upon request.
Such Audit Reports and any other information obtained by Subscriber in connection with an audit under this Section 9 shall constitute the Confidential Information of Service Provider, which Subscriber shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Subscriber’s obligations under Applicable Data Protection Laws. Nothing in this Section 9 shall be construed to obligate Service Provider to breach any duty of confidentiality.
RETURN AND DELETION
Within 30 days after the expiration or earlier termination of the Agreement, Service Provider shall, to the fullest extent technically possible in the circumstances, either (i) return and/or delete all Subscriber Personal Data in Service Provider’s care, custody or control in accordance with Subscriber’s instructions as to the post-termination return and deletion of Subscriber Data expressed in the Agreement, or subject to Section 11.5, Subscriber’s further instructions or (ii) irreversibly anonymize or deidentify all Subscriber Personal Data in Service Provider’s care, custody or control.
Notwithstanding the foregoing, Service Provider may retain Subscriber Personal Data where required by law (or in the case of Subscriber Personal Data subject to the GDPR, the laws of the UK or European Economic Area, as applicable), provided that Service Provider shall (a) maintain all such Subscriber Personal Data in accordance with this DPA and (b) Process the Subscriber Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
SUBSCRIBER’S RESPONSIBILITIES
Without limiting Section 1.4 of the Agreement, Subscriber agrees that, without limiting Service Provider’s obligations under Section 5 (Security), Subscriber is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Subscriber Personal Data; (b) securing the account authentication credentials, systems and devices Subscriber uses to access the Services; (c) securing Subscriber’s systems and devices that Service Provider uses to provide the Services; and (d) backing up Subscriber Personal Data.
Subscriber shall ensure:
that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Service Provider of Subscriber Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Subscriber from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
that (and is solely responsible for ensuring that) all required notices have been given to, and all consents, permissions, and rights have been obtained from, Data Subjects and others as may be required by Applicable Data Protection Laws or otherwise for Service Provider to Process Subscriber Personal Data as contemplated in the Agreement.
Subscriber agrees that the Services, the Security Measures, and Service Provider’s commitments under this DPA are adequate to meet Subscriber’s needs, including with respect to any security obligations of Subscriber under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Subscriber Personal Data.
Subscriber shall not, and agrees to ensure its Authorized Users do not, provide or otherwise make available to Service Provider any Subscriber Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) credentials to any financial accounts or credit, debit or other payment card data subject to the Payment Card Industry Data Security Standard (PCI DSS); (f) tax return data; (g) precise geolocation; (h) data revealing racial or ethnic origin, religious beliefs, sex life or sexual orientation, union membership, citizenship, or immigration status; (i) genetic data; (j) data collected from a known child; (k) any information that constitutes a special category of personal data (as described in Article 9(1) of the GDPR) and/or data relating to criminal convictions and offences; and (l) any online account credentials. Subscriber acknowledges that Service Provider is not a business associate (as that term is defined under HIPAA) or a payment card processor. Subscriber acknowledges that the Services are not designed to be HIPAA or PCI DSS compliant.
Except to the extent prohibited by applicable law, Subscriber shall compensate Service Provider at Service Provider’s then-current professional services rates for, and reimburse any costs reasonably incurred by Service Provider in the course of providing, cooperation, information or assistance requested by Subscriber pursuant to Sections 6 (Data Subject Requests), 9 (Compliance Assistance; Audits), and 10.1 (Return and Deletion) of this DPA, beyond providing self-service features included as part of the Services.
DEIDENTIFIED, ANONYMIZED OR AGGREGATED DATA
To the extent Service Provider processes or generates any Deidentified Data, Service Provider shall take reasonable measures designed to prevent such data from being associated with a natural person.
If Service Provider’s creation and/or use of aggregated, anonymized or deidentified data is subject to Applicable Data Protection Laws, then Service Provider’s creation and/or use of such data, including but not limited to Deidentified Data, shall be permitted only to the extent such data constitutes “aggregate consumer information” or has been “deidentified” or “anonymized” (as such terms are defined under the Applicable Data Protection Laws).
LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 13 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
CHANGE IN LAWS
Service Provider may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraphs 2.1 and 2.2 of Annex 2 (European Annex).
INCORPORATION AND PRECEDENCE
This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.
In the event of any conflict or inconsistency between:
this DPA and the Agreement, this DPA shall prevail; or
any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1
Data Processing Details
SERVICE PROVIDER / ‘DATA IMPORTER’ DETAILS
Name:
Foo Monk LLC
Address:
As set out in the preamble to the DPA
Contact Details for Data Protection:
Email:
[email protected]
Service Provider Activities:
Foo Monk LLC provides a platform that helps its Subscribers to scale their email outreach campaigns as well as a business-to-business (‘B2B’) lead database, for Subscribers to either use it for cold email outreach campaigns and/or to find B2B lead contact data.
Role:
Processor
SUBSCRIBER / ‘DATA EXPORTER’ DETAILS
Name:
[]
Address:
[]
Contact Details for Data Protection:
Email: []
Subscriber Activities:
Subscriber’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role:
Controller
DETAILS OF PROCESSING
Categories of Data Subjects:
Relevant Data Subjects include:
Prospects of the Subscriber
Existing clients of the Subscriber
Each category includes current, past and prospective Data Subjects.
Categories of Subscriber Personal Data:
Relevant Subscriber Personal Data includes:
Identification data (e.g. name)
Marketing data (e.g. email address, email activity data)
Content uploaded by Subscriber (i.e. any Subscriber Personal Data contained in Subscriber Data such as title, company name, LinkedIn company description, phone number (corporate), number of employees at that company, industry, personal and company LinkedIn profile address, city state country of person or company, LinkedIn profile pages, Facebook URL, Twitter URL, and websites).
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data:
N/A
Additional safeguards for sensitive data:
N/A
Frequency of transfer:
Ongoing – as initiated by Subscriber in and through its use, or use on its behalf, of the Services.
Nature of the Processing:
Processing operations required in order to provide the Services in accordance with the Agreement, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose of the Processing:
Subscriber Personal Data will be processed: (i) as necessary to provide the Services as initiated by Subscriber in its use thereof, and (ii) to comply with any other reasonable instructions provided by Subscriber in accordance with the terms of this DPA.
Duration of Processing / Retention Period:
Concurrent with the term of the Agreement and then thereafter pursuant to Section 10 (Return and Deletion) of this DPA.
Transfers to Sub-processors:
Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with the DPA).
Annex 2
European Annex
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Taking into account the nature of the Processing of Subscriber Personal Data by Service Provider and the information available to Service Provider, Service Provider shall provide reasonable assistance to Subscriber, at Subscriber’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Subscriber reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Subscriber Personal Data by Service Provider.
RESTRICTED TRANSFERS
EEA Restricted Transfers
To the extent that any Processing of Subscriber Personal Data under this DPA involves an EEA Restricted Transfer from Subscriber to Service Provider, the Parties shall comply with their respective obligations set out in the EU SCCs, which are hereby deemed to be:
populated in accordance with Part 1 of Attachment 1 to this Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
To the extent that any Processing of Subscriber Personal Data under this DPA involves a UK Restricted Transfer from Subscriber to Service Provider, the Parties shall comply with their respective obligations set out in the UK SCCs, which are hereby deemed to be:
The EU SCCs as varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to this Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
Adoption of new transfer mechanism
Service Provider may on notice vary this DPA and replace the relevant SCCs with:
any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
another transfer mechanism,
that enables the lawful transfer of Subscriber Personal Data by Subscriber to Service Provider under this DPA in compliance with Chapter V of the GDPR.
Provision of full-form SCCs
In respect of any given Restricted Transfer, if requested of Subscriber by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Service Provider shall provide Subscriber with an executed version of the relevant set(s) of SCCs responsive to the request made of Subscriber (amended and populated in accordance with Attachment 1 to this Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Subscriber, onward provision to the relevant requestor and/or storage to evidence Subscriber’s compliance with Applicable Data Protection Laws.
OPERATIONAL CLARIFICATIONS
When complying with its transparency obligations under Clause 8.3 of the EU SCCs, Subscriber agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Service Provider’s and its licensors’ trade secrets, business secrets, Confidential Information and/or other commercially sensitive information.
Where applicable, for the purposes of Clause 10(a) of Module Two of the EU SCCs, Subscriber acknowledges and agrees that there are no circumstances in which it would be appropriate for Service Provider to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Subscriber.
For the purposes of Clause 15.1(a) of the EU SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Subscriber agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
The terms and conditions of Section 8 of this DPA apply in relation to Service Provider’s appointment and use of Sub-processors under the EU SCCs. Any approval by Subscriber of Service Provider’s appointment of a Sub-processor that is given expressly or deemed given pursuant to Section 8 constitutes Subscriber’s documented instructions to effect disclosures and onward transfers to any relevant Sub-processors if and as required under Clause 8.8 of the EU SCCs.
The audits described in Clauses 8.9(c) and 8.9(d) of the EU SCCs shall be subject to any relevant terms and conditions detailed in Section 9 of this DPA.
Certification of deletion of Subscriber Personal Data as described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided only upon Subscriber’s written request.
ATTACHMENT 1 TO EUROPEAN ANNEX
POPULATION OF SCCs
Notes:
In the context of any EEA Restricted Transfer, the EU SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA).
In the context of any UK Restricted Transfer, the UK SCCs (i.e. the EU SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1) are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA).
PART 1: POPULATION OF THE SCCs – EU SCCs
SIGNATURE OF THE EU SCCs:
Where the EU SCCs apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, (a) each of the Parties is hereby deemed to have signed the EU SCCs at the relevant signature block in Annex I to the Appendix to the EU SCCs; and (b) those EU SCCs are entered into by and between the Parties with effect from (i) the Addendum Effective Date; or (ii) the date of the first EEA Restricted Transfer to which they apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, whichever is earlier.
MODULES
The following module of the EU SCCs applies in the manner set out below (having regard to the role(s) of Subscriber set out in Attachment 1 to Annex 2 (European Annex) to the DPA): Module Two of the EU SCCs applies to any EEA Restricted Transfer involving Processing of Subscriber Personal Data in respect of which Subscriber is a Controller in its own right.
POPULATION OF THE BODY OF THE EU SCCs
For Module Two of the EU SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
In Clause 9:
OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 8.4 of the DPA; and
OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the EU SCCs.
In Clause 11, the optional language is not used and is deleted.
In Clause 13, all square brackets are removed and all text therein is retained.
In Clause 17: OPTION 1 applies, and the Parties agree that the EU SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
For the purposes of Clause 18, the Parties agree that any dispute arising from the EU SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
In this Paragraph 3, references to “Clauses” are references to the Clauses of the EU SCCs.
POPULATION OF ANNEXES TO THE APPENDIX TO THE EU SCCs
Annex I to the Appendix to the EU SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with: Subscriber being ‘data exporter’; and Service Provider being ‘data importer’.
Part C of Annex I to the Appendix to the EU SCCs is populated as below:
Where Subscriber is established in an EU Member State, the competent supervisory authority shall be the supervisory authority of that EU Member State in which Subscriber is established.
Where Subscriber is not established in an EU Member State, Article 3(2) of the EU GDPR applies and Subscriber has appointed an EU representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Subscriber’s EU representative relevant to the processing hereunder is based (from time-to-time).
Where Subscriber is not established in an EU Member State, Article 3(2) of the EU GDPR applies, but Subscriber has not appointed an EU representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Service Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
Annex II to the Appendix to the EU SCCs is populated as below:
General:
Please refer to Section 5 of the DPA and the Security Measures described therein.
In the event that Subscriber receives a Data Subject Request under the EU GDPR and requires assistance from Service Provider, Subscriber should email Service Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
Sub-Processors: When Service Provider engages a Sub-Processor under these Clauses, Service Provider shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
applicable information security measures;
notification of Personal Data Breaches to Service Provider;
return or deletion of Subscriber Personal Data as and where required; and
engagement of further Sub-Processors.
PART 2: UK RESTRICTED TRANSFERS – UK SCCs
UK TRANSFER ADDENDUM
Where relevant in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA, the EU SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum (UK SCCs) in the manner described below –
Part 1 to the UK Transfer Addendum.
The Parties agree:
Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Attachment 1 to Annex 2 (European Annex) (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
Annex 3
California Annex
In this Annex, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Subscriber Personal Data that constitutes “personal information” as defined in and that is subject to the CCPA.
The business purposes and Services for which Service Provider is Processing personal information are for Service Provider to provide the Services to and on behalf of Subscriber as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details).
It is the Parties’ intent that with respect to any personal information, Service Provider is a service provider. Service Provider (a) acknowledges that personal information is disclosed by Subscriber only for the limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Subscriber has the right to take reasonable and appropriate steps under Section 9 (Compliance Assistance; Audits) of this DPA to help ensure that Service Provider’s use of personal information is consistent with Subscriber’s obligations under the CCPA; (d) shall notify Subscriber in writing of any determination made by Service Provider that it can no longer meet its obligations under the CCPA; and (e) agrees that Subscriber has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
Service Provider shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Service Provider and Subscriber; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Service Provider’s own interaction with any consumer to whom such personal information pertains.
Service Provider shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Subscriber, in accordance with Section 5 (Security) of the DPA.
When Service Provider engages any Sub-processor, Service Provider shall notify Subscriber of such Sub-processor engagements in accordance with Section 8 (Sub-Processing) of the DPA.
Annex 4
Security Measures
As from the Addendum Effective Date, Service Provider will implement and maintain the Security Measures as set out in this Annex 4.
Organizational management and dedicated staff responsible for the development, implementation and maintenance of Service Provider’s information security program.
Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Service Provider’s organization, monitoring and maintaining compliance with Service Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Data security controls which include at a minimum: logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially reasonable encryption technologies for Subscriber Personal Data.
Logical access controls designed to manage electronic access to data and system functionality, based on authority levels and job functions.
Password controls designed to manage and control password strength, expiration and usage.
System audit or event logging and related monitoring procedures to proactively record user access and system activity.
Physical and environmental security of data centers, server room facilities and other areas containing Subscriber Personal Data designed to protect information assets from unauthorized physical access or damage.
Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Service Provider’s possession.
Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Service Provider’s technology and information assets.
Incident management procedures designed to allow Service Provider to investigate, respond to, mitigate and notify of events related to Service Provider’s technology and information assets.
Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Service Provider may update the Security Measures from time to time in accordance with Section 5.2 (Security) of the DPA.