PRIVACY POLICY

Effective Date: 4/29/2019; Updated 10/10/2023

This “Privacy Policy” describes the privacy practices of Daasity, Inc. (“Daasity”, “we”, “us” or “our”). This Privacy Policy describes how we collect, use, disclose and otherwise process personal information in connection with our website and other Internet-enabled services (together “Services”), and explains the privacy rights and choices available to individuals. This Privacy Policy governs any of the Services on which the policy is posted.

PRIVACY POLICY STATEMENT

Please note that this Privacy Policy does not apply to the information we process on behalf of our clients. Our platform helps the direct to consumer community make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data by integrating the data points into our platform and placing the data into a useful context. Our processing of data on behalf of our clients is governed by agreements between us and our clients. These agreements require our clients to comply with applicable privacy laws and, to the extent the clients are legally required, provide privacy notices to the individuals whose data our clients process using Daasity’s platform. You can find further details on our processing of data on behalf of our clients in our Product Privacy Statement.

Table of Contents

1. Personal Information We Collect
2. How We Use Your Personal Information
3. How We Share your Personal Information
4. Your Choices
5. Cookies and Similar Technologies
6. Other Important Privacy Information
7. How to Contact Us
8. Notice to European Users

Personal Information We Collect

Information you give us. You may provide information to us when you interact with the Services, for example, by registering, establishing an account, requesting information or otherwise communicating with us via the Services. You may provide your personal and business information, such as your name, mailing and email address, telephone number, company and other details you may choose to share with us.

Information we collect automatically. Our servers and third party service providers may automatically record certain information about how you use the Services, such as your Internet Protocol (IP) address, domain name, device and browser type, operating system, Internet service provider, referring/exit pages, clickstream data, the pages or features of the Services that you browse and the time you spend on those pages or features, the frequency with which you use the Services, the links that you click on or use and other statistics. We collect this information in server logs and by using cookies and similar tracking technologies. See our Cookie Policy for more information.

How We Use Your Personal Information

We use the information we collect for the following purposes:

To operate and improve the Services, including to:

• Establish and manage accounts and registrations;
• Communicate with you regarding the Services, including by sending you announcements, updates, security alerts, and support and administrative messages;
• Respond to your requests, questions and feedback related to the Services;
• Analyze our visitors’ and users’ needs and interests, and personalize experience with the Services; and
• Analyze use of the Services to study trends and users’ movements around the Services, improve the Services and develop new features and services.

To send you marketing and survey communications.

We may send you surveys, newsletters or other marketing communications, but you may opt out of receiving them as described in the Opt out of marketing section below.

For compliance, fraud prevention and safety.

We may use your personal information as we believe appropriate to (a) investigate violations of and enforce our Terms of Service; (b) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

For compliance with law.

We may use your personal information as we believe appropriate to (a) comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; and (b) where permitted by law in connection with a legal investigation.

With your consent.

We may ask for your consent to collect, use or share your personal information, such as when we are required to do so by law.

How We Share your Personal Information

We do not share your personal information with third parties without your consent, except in the following circumstances:

Affiliates. We will share your personal information with our corporate affiliates for purposes consistent with this Privacy Policy.

Service providers. We may share your personal information with third parties that provide services that help us with our business activities (such as customer support, payment processing, hosting and storage, website analytics, email delivery and legal and other professional advice). We authorize these third parties to access your personal information to the extent reasonably necessary for them to provide their services.

For legal reasons. We may disclose your personal information as we believe appropriate to government or law enforcement officials or to private parties for the purposes described above under the following sections: For compliance, fraud prevention and safety and for compliance with law.

Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.

Your Choices

Access or update your information. Service account holders may review or update information in their registration profile by logging into their account or contacting us at privacy@daasity.com.

Opt out of marketing emails. You may opt out of marketing-related emails by following the unsubscribe instructions in the email. You may continue to receive Services-related and other non-marketing emails.

Cookies and Similar Technologies

We may allow service providers and other third parties to use cookies and similar technologies to track your browsing activity over time and across the Services and third party websites. For more details, see our Cookie Policy. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Other Important Privacy Information

Third party sites and services. The Services may contain links to other websites and services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. We do not control third party websites, applications or services, and are not responsible for their actions. Other websites and services follow different rules regarding their collection, use and sharing of your personal information. We encourage you to read their privacy policies to learn more.

Security practices. The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect.

Changes to this Privacy Policy. We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy we will notify you by email or through the Services if we are required to do so by applicable law.

How to Contact Us

Daasity, Inc.
4250 Executive Square
Suite 200
San Diego, CA 92037
privacy@daasity.com

Notice to European Users

The following applies to individuals in the European Economic Area.

Controller. Daasity, Inc. is the controller of your personal information covered by this Privacy Policy for purposes of European data protection legislation.

Legal bases for processing. We describe the legal bases for our processing of your personal information in the table below. If you have questions about the legal basis of how we process your personal information, contact us at privacy@daasity.com.

PROCESSING PURPOSE: To operate and improve the Services; To send you marketing and survey communications; For compliance, fraud prevention and safety
LEGAL BASIS: These activities constitute our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on your rights and freedoms (unless we have your consent or are otherwise required or permitted to by law). In some cases, for example where you establish an account on the site, we process your data to fulfill our obligations under a contract with you or with the organization with which you are associated.

PROCESSING PURPOSE: For compliance with law
LEGAL BASIS: Processing is necessary to comply with our legal obligations.

PROCESSING PURPOSE: With your consent
LEGAL BASIS: Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated in the Services.

PROCESSING PURPOSE: To share your personal information as described in this Privacy Policy
LEGAL BASIS: This sharing constitutes our legitimate interests, and in some cases may be necessary to comply with our legal obligations.

Retention

We retain personal information where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested; to comply with applicable legal, tax or accounting requirements; to establish or defend legal claims; or for fraud prevention). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Cross-border data transfer

If we receive or transfer your personal information from the European Economic Area (“EEA”) or the United Kingdom (including Gibraltar) to a third country and are required to apply additional safeguards to your personal information under European data protection legislation, we will do so. See our Data Privacy Framework Statement, below, for more information.

Your rights

European data protection laws give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:

  • Provide you with information about our processing of your personal information and give you access to your personal information.
  • Update or correct inaccuracies in your personal information.
  • Delete your personal information.
  • Transfer a machine-readable copy of your personal information to you or a third party of your choice.
  • Restrict the processing of your personal information.
  • Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.

You may submit these requests by email to privacy@daasity.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.

You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en

Cookie Policy

This Cookie Policy explains how Daasity, Inc. (“Daasity”, “we”, “us” or “our”) uses cookies and similar tracking technologies when you visit our website at www.daasity.com or any other site to which we post this Cookie Policy (the “Sites”).

What are cookies?

Cookies are small data files that are placed on your computer when you visit a site. Cookies serve different purposes, like helping us understand how a site is being used, letting you navigate between pages efficiently, remembering your preferences and generally improving your browsing experience.

Who places cookies on my device?

Cookies set by the site you visit are called “first party cookies”. Cookies set by parties other than us are called “third party cookies”. Third party cookies enable third party features or functionality within the site, such as site analytics. The parties that set these third party cookies can recognize your computer or device both when it visits the site in question and also when it visits certain other sites and/or mobile apps. We do not control how these third parties use your information, which is subject to their own privacy policies. See below for details on use of third party cookies and similar technologies with our Sites.

How long will cookies stay on my device?

The length of time a cookie will stay on your device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay on your browsing device after you have finished browsing until they expire or are deleted.

What other tracking technologies should I know about?

Cookies are not the only way to track visitors to a site or app. Companies use tiny graphics files with unique identifiers called beacons (and also “pixels” or “clear gifs”) to recognize when someone visits their sites. These technologies often depend on cookies to function properly, and so disabling cookies may impair their functioning.

What types of cookies and similar tracking technologies does Daasity use?

We use cookies and other tracking technologies in the following categories described in the table below.


TYPE AND WHO SERVES THE COOKIES: Analytics / Google Analytics
DESCRIPTION: These cookies help us understand how our Sites are performing and being used. These cookies may work with clear gifs included in emails we send to track which emails are opened and which links are clicked by recipients.
HOW TO CONTROL THEM: See ‘your choices’ below. Google Analytics uses its own cookies. You can find out more information about Google Analytics cookies here and about how Google protects your data here. You can prevent the use of Google Analytics relating to your use of our Sites by downloading and installing a browser plugin available here.

Your choices

Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, the Sites may not work properly.

For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit http://www.allaboutcookies.org.

For more information about how we collect, use and share your information, see our Privacy Policy.

Changes

Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes.

Questions

If you have any questions about this Cookie Policy, please contact us by email at privacy@daasity.com.

PRODUCT PRIVACY STATEMENT

Daasity, Inc. (“Daasity”) provides a platform that helps direct to consumer organizations (“Users”) make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data by integrating the data points into our platform and placing the data into a useful context.

This Services Privacy Statement explains how we collect, use, disclose, and otherwise process personal data that Users process via our platform. Daasity is the data processor with respect to the personal data, and Users are the data controllers or are otherwise authorized by data controllers to direct Daasity to process the personal data.

Daasity’s processing of personal data is governed by this Privacy Statement and our customer agreements. In the event of any conflict between this Privacy Statement and a customer agreement, the customer agreement will control to the extent permitted by applicable law.

Information We Collect

When Users upload data into our platform, the information they upload may include personal information, such as order history or marketing history that can be associated with individuals.

How We Use Information

Our platform allows Users to manipulate and analyze the information they upload into the platform. We use the personal data to facilitate the manipulation, analysis and other processing of data in the platform. We also use the information to provide customer support to our Users, to maintain and improve our platform, develop new services for our Users, comply with applicable law, enforce the terms and conditions that govern the platform, protect our rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

We may also use the information we process in the platform to generate de-identified or aggregate analytics, which cannot be associated with any User or the individuals to whom the information pertains.

How We Share Information

We may share personal data with third party service providers that provide services in connection with our platform. We authorize these third parties to access personal information only to the extent necessary for them to provide services to Daasity or Users.

We may also share personal information as required by law or legal process, enforce the terms and conditions that govern the platform, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

We may transfer the personal data as part of Daasity’s platform or other assets in connection with a business transaction, such as a merger, consolidation, acquisition, reorganization, or in the event of bankruptcy. In the event of such a transfer, we will require the transferee to continue to abide by the terms of this Privacy Statement and any customer agreements that govern our processing of the personal information, as specified in detail in the relevant customer agreements.

Information Security

We employ a number of organizational, technical and physical safeguards designed to protect the personal information in our platform, as we further describe on our Security Overview webpage.

Data Subject Rights

Users are responsible for responding to requests that individuals submit to exercise any privacy rights, to the extent such requests are submitted by or on behalf of individuals to whom the personal information the Users process using the platform pertains. Daasity will assist Users in responding to such requests as set forth in the customer contract.

Cross Border Data Transfer

We may transfer personal data outside of the country in which Users provide it, including to the United States. In this case, we will safeguard the data as described in this Privacy Statement and the relevant customer agreements.

Data Retention

Daasity retains personal data for as long as necessary to (a) facilitate User’s processing of personal data via the platform; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of customer agreements, as described in the customer contracts.

Third Party Products and Services

The Services may integrate with or enable access to third party tools. Third party tools registered, installed, or accessed by end users are governed by those third party providers’ privacy notices. Please review those notices carefully, as Daasity does not control and cannot be responsible for these providers’ privacy or information security practices.

Contact Us

If you have any questions about this Privacy Statement, you can contact our privacy team at privacy@daasity.com.

DATA PRIVACY FRAMEWORK STATEMENT

Daasity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom (including Gibraltar), as applicable to the United States in reliance on the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF, respectively.  Daasity has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern.  To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.privacyshield.gov/.

With respect to personal data received or transferred pursuant to the Data Privacy Framework, Daasity is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

This Data Privacy Framework Statement explains how Daasity complies with the Privacy Principles in handling Personal Data.

The Data Privacy Framework Privacy Principles are:

• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity & Purpose Limitation
• Access
• Recourse, Enforcement & Liability

Scope

Our Data Privacy Framework certification and this Data Privacy Framework Statement apply to Personal Data – personal information, such as name, mailing or email address, that we process on our own behalf or on behalf of our clients through our platform, to the extent the information is transferred from the EEA to Daasity in the United States.

Daasity’s Role in Processing Personal Data

Daasity provides a platform that helps individuals and organizations in the direct to consumer community (“Users”) make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data by integrating the data points into our platform and placing the data into a useful context (the “Services”).

Daasity acts as a processor for the Services. This means that Daasity is a vendor that processes Personal Data on behalf of and on the instructions of Users. The Users act as data controllers or have been authorized by data controllers to instruct Daasity. Users control the purposes for which Daasity processes Personal Data, and are responsible for the processing to individuals to whom the Personal Data pertains. See our Product Privacy Statement for more information.

Daasity also may act as a controller when we collect or process data about visitors and Users of our Services. See our Privacy Policy Statement for more information.

Notice

When it acts as a processor, Daasity relies on its Users to provide notice to individuals regarding our privacy practices associated with the Services. Daasity has informed its Users that they are responsible for providing the notice. To assist Users in providing notice, we have provided Users with our Services Privacy Statement, which explains our privacy and security practices with respect to Personal Data.

Choice

Daasity has informed its Users that they are responsible for providing individuals with any required privacy choices regarding Daasity’s processing of Personal Data on behalf of the User. Daasity does not use Personal Data for purposes other than to provide our services, and as otherwise authorized by relevant customer agreements. We do not share Personal Data with third parties for those parties’ own purposes, except as follows:

We may share Personal Data with third party service providers that provide services in connection with our platform. We authorize these third parties to access Personal Data only to the extent necessary for them to provide services to Daasity or Users.

We may also share Personal Data as required by law or legal process, enforce the terms and conditions that govern the platform, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@daasity.com.

Accountability for Onward Transfer of Personal Data

Daasity may share Personal Data with third party service providers that perform services on behalf of Daasity. Daasity does not authorize these service providers to use or disclose the Personal Data except as necessary to perform services on behalf of Daasity or Daasity Users, or to comply with legal requirements. Daasity maintains contracts with these providers restricting their access, use and disclosure of Personal Data in compliance with the Privacy Principles, and requiring these providers to appropriately safeguard the privacy and security of the Personal Data they process. If Daasity has knowledge that a third party to which it has disclosed Personal Data subject to this Data Privacy Framework Statement is processing such Personal Data in a way that is inconsistent with the Principles, or if Daasity has knowledge that such third party is no longer capable of processing such Personal Data consistent with the Principles, Daasity will take reasonable and appropriate steps to prevent or stop and remediate such processing.

Daasity’s accountability for personal data that it receives in the United States under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Daasity remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Daasity proves that it is not responsible for the event giving rise to the damage.

Security

Daasity takes reasonable and appropriate measures to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction, as further described in our Security Overview webpage.

Data Integrity and Purpose Limitation

Daasity limits the Personal Data it collects to the Personal Data that is relevant for the purpose(s) for which it is being processed. Daasity does not use Personal Data for purposes incompatible with the purpose(s) for which it was collected.

In addition, Daasity takes reasonable steps to ensure that the Personal Data it processes is reliable for its intended use and is accurate, complete and current. Daasity depends on its Users to provide accurate Personal Data to Daasity and to correct and keep such Personal Data up to date, or to instruct merchants and consumers to do so.

Access

Users are responsible for responding to requests that individuals submit to exercise any privacy rights, to the extent such requests are submitted by or on behalf of individuals to whom the personal information the Users process using the platform pertains. Daasity will assist Users in responding to such requests as set forth in the customer contract.

Pursuant to the Data Privacy Framework, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Data Privacy Framework, should direct their query to privacy@daasity.com. If requested to remove data, we will respond within a reasonable timeframe.

Recourse, Enforcement and Liability

Daasity has established procedures for periodically reviewing and verifying the accuracy of this Data Privacy Framework Statement, for verifying the company’s implementation of and compliance with the Principles, and for remedying any issues identified during such reviews. Daasity conducts an annual self-assessment of its Personal Data practices to verify that the attestations and assertions the company makes about its privacy practices are true, that the company’s privacy practices have been implemented as represented, and that any identified issues have been remedied. Daasity personnel with access to the Personal Data covered by this policy are responsible for conducting themselves in accordance with the policies described in this Data Privacy Framework Statement, the failure of which may result in disciplinary action up to and including termination.

In compliance with the Data Privacy Framework Principles, Daasity commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Data Privacy Framework. European Union individuals with Data Privacy Framework inquiries or complaints should first contact Daasity by email at privacy@daasity.com.

Daasity will respond to any such inquiries or complaints within forty-five (45) days.

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), Daasity commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF. EU individuals with inquiries or complaints should first contact Daasity at privacy@daasity.com.

Daasity has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

US Federal Trade Commission Jurisdiction

Daasity’s commitments under the Principles are subject to the jurisdiction and the investigatory and enforcement authority of the United States Federal Trade Commission.

Required Disclosure

Daasity may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

How to Contact Us

If you have any questions, comments or concerns about this Data Privacy Framework Statement, please contact us at privacy@daasity.com.

DATA PROCESSING ADDENDUM

This Data Processing Addendum (the Addendum) forms part of the underlying Terms of Service executed between Daasity, Inc. (Daasity) and the identified User, inclusive of any amendments thereto, pursuant to which Daasity provides the Services to User (the Agreement), to the extent the Processing of User Data is governed by Data Protection Laws and Regulations, and reflects the parties' agreement with regard to the Processing of Personal Data (as defined below) in accordance with the requirements of the applicable Data Protection Laws and Regulations. This Addendum is governed by and subject to the terms and conditions of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Services to User pursuant to the Agreement, Daasity only Processes Personal Data on behalf of User pursuant to the Instructions. The parties agree to comply with the following provisions with respect to any Personal Data contained in User Data. Nothing in this Addendum shall alter the parties' agreement, as set forth in the Agreement, with respect to representations, warranties, liability, indemnification, or any other commercial terms with respect to data protection or data security; in the event of any such conflict between this Addendum and the Agreement, the Addendum shall prevail only to the extent of such conflict.

1. Definitions

User Data has the same meaning as in the Agreement (whether referred to as User Data or Partner Data).

Controller to Processor SCCs means the Module 2 of the EU Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;

Data Controller means the entity that determines the purposes and means of the Processing of Personal Data.

Data Processor means the entity that Processes Personal Data on behalf of the Data Controller.

Data Protection Laws and Regulations means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement, and including the General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR) as of its effective date, and the UK Data Protection Laws.

Data Subject means the individual to whom Personal Data relates.

Data Subject Request means a Data Subject's request to access, correct, amend, transfer, block or delete that person's Personal Data consistent with that person's rights under Data Protection Laws and Regulations.

EU Restricted Transfer means, where the GDPR applies, a transfer of User Personal Data by User to Daasity (or any onward transfer), in each case, where such transfer would be prohibited by the GDPR in the absence of the protection for the transferred User Personal Data provided by the EU Standard Contractual Clauses;

EU Standard Contractual Clauses or SCCs means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, including the Controller to Processor SCCs and the Processor to Processor SCCs, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws. Where the European Parliament and the Council adopt an updated set of EU standard contractual clauses, “EU Standard Contractual Clauses” will be taken to mean the most recent adaptation.

GDPR Assistance Materials means those materials Daasity provides to its general customer base as information on the Services' Processing of User's Personal Data and, where required under Data Protection Laws and Regulations, as assistance for User's data protection impact assessment(s) and/or prior consultations with Regulators. GDPR Assistance Materials will include, at a minimum, the Daasity Product Privacy Statement and our Data Privacy Framework Certification found here.

Instructions means User's instructions to Daasity with respect to the Processing of Personal Data, comprising the Agreement and any written amendments to the Agreement, and any sale or work orders or amendments thereto.

Member State means a member state of the EU.

Personal Data has the meaning set forth in Data Protection Laws and Regulations, namely (and without limitation) any information relating to an individual Data Subject, including sensitive data, to the extent such data is contained in User Data.

Processor to Processor SCCs means the Module 3 of the EU Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws.

Regulator means any supervisory authority with authority under Data Protection Laws and Regulations over all or any part of the provision or receipt of the Services or the Processing of Personal Data.

Subprocessor means any Data Processor engaged by Daasity to support delivering the Services.

Subprocessor List Page means Daasity's Subprocessors Page available at https://www.daasity.com/legal/subprocessors.

Supervisory Authority means (a) an independent public authority which is established by a Member State pursuant to Article 51 EU GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.

UK Data Protection Laws means the EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom.

UK Restricted Transfer means, where the UK Data Protection Laws apply, a transfer of User Personal Data by User to Daasity (or any onward transfer), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred User Personal Data provided by the UK IDTA.

UK IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A (1) Data Protection Act 2018.

UK Supervisory Authority means the UK Information Commissioner’s Office.

2. Subject matter, duration, nature and purpose of the processing, type of personal data and categories of data subjects

2.1 Subject-matter of the Processing. The Processing of Personal Data is carried out pursuant to the Agreement, including as described in the Daasity Services Privacy Notice and in Appendix 1 of this Addendum.

2.2 Duration of the Processing. The Processing begins and ends with performance of the Services for the User, as specified in the Instructions.

2.3 Nature and Purpose of the Processing. The purpose and object of the Processing of Personal Data by Daasity is to perform and provide the Services pursuant to the Instructions, as specified in Appendix 1 of this Addendum.

2.4 Type of Personal Data and Categories of Data Subjects. The type of personal data and categories of affected Data Subjects are set out in Appendix 1 of this Addendum.

3. Instructions, commitment to confidentiality

3.1 Daasity's Processor Role. Daasity shall only Process Personal Data on behalf of the User. The User is the Data Controller or otherwise provides Instructions to Daasity on behalf of and as specifically authorized by the Data Controller.

3.2 Instructions. Daasity shall only Process Personal Data on behalf of and in accordance with the Instructions and shall protect Personal Data as User Data and/or Confidential Information. User shall ensure that its Instructions to Daasity comply with Data Protection Laws and Regulations. The Instructions are User's complete and final instructions to Daasity for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately with prior written agreement between User and Daasity.

3.3 Commitment to Confidentiality. Daasity shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality. Daasity shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Daasity restricts its personnel from Processing Data to those personnel who require such access to perform the Agreement.

4. Security of personal data

Security Controls. Daasity maintains appropriate administrative, organizational and technical controls as set out in Appendix 2 of this Addendum. Daasity may update or modify the stated security controls from time to time provided that such updates and modifications meet or exceed the stated security controls. User agrees that Daasity has no obligation to protect Personal Data that User elects to store outside of Daasity and its backup systems. User has assessed the level of security appropriate to the Processing of Personal Data in the context of its obligations under Data Protection Laws and Regulations and agrees that the security measures set out in Appendix 2 of this Addendum are consistent with such assessment.

5. Subprocessors

5.1 Appointment of Subprocessors and User Consent. User acknowledges and specifically authorizes Daasity's use of its Subprocessors existing as of the Effective Date, including subprocessors listed on the Subprocessors Page. User hereby gives a general authorization to further Subprocessors, provided Daasity follows the following procedure:

      (a) Daasity agrees to provide notice to User of any new or replacement Subprocessor that Processes Personal Data under the Agreement thereby giving the User the opportunity to object to such changes within ten (10) days from the date of receipt of notice (Subprocessor Notice). User agrees that it will not object to any Subprocessor with which Daasity has executed a written agreement that obligates the Subprocessor to:

            (i) protect such Personal Data to the same extent as is required of Daasity by the Agreement and this Addendum;

            (ii) be in compliance with applicable Data Protection Laws and Regulations;

      (b) if User has reasonable grounds to object to Daasity's use of a new or replacement Subprocessor, User shall notify Daasity promptly in writing within ten (10) days after receipt of the Subprocessor Notice and specify those grounds. Such reasonable grounds (provided that such reason does not conflict with the Conditions above) may be that the new or replacement Subprocessor is unlikely to be able to comply with the terms of the Agreement so far as they relate to the protection of Personal Data, or other reasons that are at least as important. User acknowledges that Daasity provides a standardized service to all customers which does not allow using different Subprocessors for different customers and, therefore, that the inability to use a particular new or replacement Subprocessor for the Services to the User may result in delay in performing the Services, inability to perform the Services or increased fees. Daasity will notify User in writing of any change to Services or fees that would result from Daasity's inability to use a new or replacement Subprocessor to which User has objected. User may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. This termination right shall be User's sole and exclusive remedy for such termination of the Agreement.

5.2 Processing Restrictions. Daasity will require Subprocessors to only access and use Personal Data in accordance with the terms of the Agreement (including this Addendum) and will bind the Subprocessors by written obligations:

      (a) that require them to provide at least the level of data protection required by Data Protection Laws and Regulations and by the Agreement; and

      (b) where applicable, that impose the level of data protection required by the Privacy Shield.

5.3 Liability. Daasity shall be liable for the acts and omissions of its Subprocessors to the same extent Daasity would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum.

5.4 List of Current Subprocessors and Notification of New Subprocessors. A current list of Subprocessors as may be used for Processing Data is available to User without charge. Daasity will keep the Subprocessor list current and inclusive of any new Subprocessors and will make available to User the updated Subprocessor list upon request by User. Daasity shall notify User prior to using any Subprocessor not included in such list, in accordance with clause 5.1.

6. Rights of data subjects and cooperation with regulators

6.1 Correction, Deletion and Blocking. To the extent User, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data as required by Data Protection Laws and Regulations, Daasity shall provide User with assistance to comply with any reasonable request by User to facilitate such actions to the extent Daasity is legally permitted to do so. User shall be responsible for any costs arising from Daasity's provision of such assistance.

6.2 Data Subject Requests. Daasity shall, to the extent legally permitted, promptly notify User if it receives a Data Subject Request. Daasity shall not respond to any such Data Subject request without User's prior written consent except to confirm that the request relates to User, unless the Data Subject request relates only to that Data Subject's registration data for accessing the Services. Daasity shall provide User with assistance in relation to handling of a Data Subject Request, to the extent legally permitted and to the extent User does not have access to such Personal Data through its use of the Services. If legally permitted, User shall be responsible for any costs arising from Daasity's provision of such assistance.

6.3 Daasity shall promptly notify User of all enquiries from a Regulator that Daasity receives which relate to the Processing of Personal Data or the provision to or receipt of the Services by User, unless prohibited from doing so by law or by the Regulator.

6.4 Unless a Regulator requests in writing to engage directly with Daasity or the parties (acting reasonably and taking into account the subject matter of the request) agree that Daasity shall handle a Regulator request itself, User shall: 

      (a) be responsible for all communications or correspondence with the Regulator in relation to the Processing of Personal Data and the provision or receipt of the Services; and 

      (b) keep Daasity informed of such communications or correspondence to the extent permitted by law.

7. Assistance and information for data protection impact assessment notifications

7.1 The information made available as GDPR Assistance Materials is intended to assist User in complying both with its obligations under the GDPR, such as data protection impact assessment(s), prior consultation with the Regulator and other Regulator inquiries, and with any requests by User with respect to Daasity's privacy practices, including any audit request (Privacy Inquiries). User agrees that Daasity's GDPR Assistance Materials will be used to fulfil User's Privacy Inquiries. Except as otherwise agreed to in the Agreement, in the event that User requires information in addition to the GDPR Assistance Materials, including to demonstrate compliance with this Addendum, such information shall be made available under a separately-executed audit support agreement. User shall be responsible for the costs on a time and materials basis for Daasity's provision of such assistance at Daasity's then-current Professional Services rates.

7.2 If Daasity becomes aware of a security incident which leads or is likely to lead to a material infringement of Data Protection Laws and Regulations, or of this Addendum, that compromises the security, confidentiality or integrity of Personal Data and that would require reporting to a regulatory authority (as defined under applicable Data Protection Laws and Regulations) (a Security Incident), Daasity will notify User of such Security Incident without undue delay. Daasity will take appropriate actions to contain, investigate and mitigate the Security Incident and work with User to provide information to User concerning the Security Incident, and will assist User with any required notifications to affected individuals, subject to any related limitations set forth in the Agreement. Notification of or response to a Security Incident under this section will not be construed as an acknowledgement by Daasity of any fault or liability with respect to the Security Incident.

7.3 Except as otherwise agreed to in the Agreement, to the extent that the Security Incident is the result of Daasity's failure to comply with the terms of the Agreement or this Addendum, Daasity shall bear the actual, reasonable costs of notifying affected individuals. Daasity and User shall mutually agree on the content and timing of any such notifications, in good faith and as needed to meet applicable legal requirements. Notwithstanding the preceding sentence, the parties agree that Daasity shall have no obligation to send notification letters or provide credit monitoring for User unless such letters are legally required or otherwise reasonably required to alert individuals of potential harm.

8. Deletion or return of personal data

8.1 Daasity shall return Personal Data to User or delete Personal Data in accordance with the terms of the Agreement and the policies and schedules set forth in Daasity's Record Retention Policy and Schedule, which Policy and Schedule adhere to limitations required by law and regulation, except as required by law or as required in order to defend any actual or possible legal claim.

8.2 User acknowledges and agrees that Daasity shall have no liability for any losses incurred by User arising from or in connection with Daasity's inability to perform the Services as a result of Daasity complying with a request to delete or return Personal Data made by User under this section 8.

9. Making available information to demonstrate compliance

Distribution of GDPR Assistance Materials. Daasity will make available upon User request its GDPR Assistance Materials (along with such additional information as the parties may agree to as part of an audit support agreement, described in section 7.1) to demonstrate compliance with this Addendum and Data Protection Laws and Regulations.

10. Transfers of User Data to the United States 

11.1 In respect of any EU Restricted Transfer, User, (as "data exporter") and Daasity (as "data importer") with effect from the commencement of the relevant transfer hereby enter into the relevant and appropriate SCCs which are incorporated into this Addendum by reference. This may be the Controller to Processor SCCs or the Processor to Processor SCCs, or any module which is relevant and appropriate to the relationship between Daasity and the User, subject to the following changes:

      (a) Annex 1 to the relevant and appropriate SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 1 to this Addendum and the processing operations are deemed to be those described in the Agreement. Annex 2 to the relevant and appropriate SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 2 (Technical and Organisational Measures) to this Addendum. Annex 3 to the relevant and appropriate SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 3 to this Addendum (Subprocessors);

      (b) in Clause 7, the optional docking clause will not apply;

      (c) in Clause 9, option 2 will apply, and the time period for prior notice of Subprocessor changes will be in accordance with the notification process set out in section 5 of this Addendum;

      (d) in Clause 11, the optional redress language will not apply;

      (e) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law specified in the Master Services Agreement, provided that law is an EU Member State law recognizing third party beneficiary rights, otherwise, the laws of Ireland apply; and

      (f) in Clause 18(b), disputes shall be resolved before the courts specified in the Agreement, provided these courts are located in an EU Member State, otherwise those courts shall be the courts of Ireland.

11.2 In respect of any UK Restricted Transfer, User (as "data exporter") and Daasity (as "data importer") with effect from the commencement of the relevant transfer hereby enter into the relevant and appropriate SCCs which are incorporated into this Addendum by reference, and which are read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, subject to the following changes:

      (a) Clause 13(a) – Supervision. The following shall be inserted: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, shall be the UK’s Information Commissioner’s Office;

      (b) Clause 17 – Governing law. The following shall be inserted: “These Clauses shall be governed by the laws of England and Wales”;

      (c) Clause 18(b) – Choice of forum and jurisdiction. The Member State shall be the courts of England and Wales;

      (d) For the purposes of Table 4 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option; and

      (e) Part 1 (Tables) of the UK IDTA shall be deemed to be pre-populated with the relevant sections of Appendices of this Addendum. 

11. Miscellaneous

11.1 Nondisclosure

The terms of this Addendum are not publicly known and constitute Confidential Information under the Agreement. User may only disclose the terms of this Addendum to a data protection Regulator to the extent required by law or regulatory authority. User shall take reasonable steps to ensure that data protection Regulators do not make the terms of this Addendum public, including by marking any copies as "Confidential and Commercially Sensitive," requesting return of any copies, and requesting prior notice and consultation before any public disclosure.

11.2 Termination

This Addendum will terminate when Daasity ceases to Process Personal Data, except as otherwise agreed in writing between the parties.

Appendix 1 - Subject matter and details of the data processing, and details of the data transfers

A. LIST OF PARTIES

  1. Data exporter(s): 

      Name: The User, as defined in the Agreement.

      Address: The User’s address, as defined in the Agreement.

      Contact person’s name, position and contact details: The User’s contact details, as set out in the Agreement. 

      Activities relevant to the data transferred: Processing of User Personal Data in connection with the Services under the Agreement.

      Role (controller/processor): Controller

  2. Data importer(s):

      Name: Daasity, Inc.

      Address: PO Box 9028, San Diego, CA 92169

      Contact person’s name, position and contact details: [insert contact name]

      Activities relevant to the data transferred: As set out in the Agreement.

      Role (controller/processor): Processor/Subprocessor

B. DESCRIPTION OF PROCESSING/TRANSFER

  1. Scope

This Part B of Appendix 1 to the Addendum contains the information concerning the Processing of User Personal Data by Daasity required for the purposes of: (i) describing various elements of the Processing of Personal Data as required by Article 28(3) of the EU GDPR; (ii) compliance with any other applicable Data Protection Laws; and (iii) populating the relevant appendices to the applicable Standard Contractual Clauses. 

  2. Subject Matter and Duration of the Processing of the Personal Data

The subject matter and duration of the Processing of the User Personal Data are set out in the Agreement and this Addendum. 

  3. The Nature and Purpose of the Processing of Personal Data

The User Data, including Personal Data, Processed by Daasity solely at the specific direction of the User, may include, but are not limited to, the following Processing operations:

      3.1 collecting and recording the Personal Data;

      3.2 hosting the Personal Data;

      3.3 organizing the Personal Data;

      3.4 adapting or altering the Personal Data;

      3.5 analyzing the Personal Data;

      3.6 consulting or retrieving the Personal Data; and

      3.7 disclosing or transferring the Personal Data.

The User Data Processed by Daasity may be subject to, but is in no way limited to, the Processing operations as described above in 3.1 to 3.7.

  4. The Categories of Data Subjects

The categories of Data Subjects about whom the Parties may process Personal Data are dependent on User and may include, but are not limited to:

User’s customers, potential customers, and other end-users of its online services

  5. The Categories of Personal Data

User may submit Personal Data to the Services, the extent of which is determined and controlled by User in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

Name, contact information, company, title

  6. Special Categories of Personal Data

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

None.

  7. The obligations and rights of the Parties

The obligations and rights of the parties are set out in the Agreement and this Addendum. 

  8. Frequency of Restricted Transfers (where applicable):

As necessary under the Agreement and determined by User in its sole discretion. 

  9. Period for which Personal Data will be Retained (where applicable):

For the duration of the Agreement and otherwise in accordance with Daasity retention policy. 

  10. Competent Supervisory Authority

This clause 10 is applicable to transfers taking place from the EEA and the UK to a third country. Where the Data Exporter is established in an EU Member State, the EU Member State(s) in which it is established shall act as competent Supervisory Authority.

For Daasity, this will be Ireland.

Where Data Exporter is not established in an EU Member State but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of the EU GDPR, the Member State in which the representative within the meaning of Article 27(1) is established shall act as competent supervisory authority.

For Daasity, this will be Ireland.

Where Data Exporter is not established in an EU Member State, but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) without, however, having to appoint a representative, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred in relation to the offering of goods or services to them, or whose behavior is monitored, are located, shall act as competent supervisory authority.

Appendix 2 - Security measures

Daasity will implement and maintain the Security Measures set out in this Appendix 2. Daasity may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.

1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Daasity's information security program.

2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Daasity's organization, monitoring and maintaining compliance with Daasity's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data that is: a. transmitted over public networks (i.e. the Internet).

4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access when employment terminates or changes in job functions occur).

5. Password controls designed to manage and control password strength, expiration and usage and requiring that Daasity's passwords that are assigned to its employees:

      5.1 be at least eight (8) characters in length;

      5.2 not be stored in readable format on Daasity's computer systems;

      5.3 must be changed every ninety (90) days; must have defined complexity;

      5.4 must have a history threshold to prevent reuse of recent passwords; and

      5.5 newly issued passwords must be changed after first use.

6. Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: 

      6.1 protect information assets from unauthorized physical access;

      6.2 manage, monitor and log movement of persons into and out of Daasity facilities; and

      6.3 guard against environmental hazards such as heat, fire and water damage.

7. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Daasity's technology and information assets.

8. Incident / problem management procedures designed to allow Daasity to investigate, respond to, mitigate and notify of events related to Daasity's technology and information assets.

9. Network security controls that provide for the use of enterprise firewalls, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Appendix 3 - Subprocessors List

  1. Google, Inc.
  2. Amazon Web Services.
  3. Snowflake.
  4. Heroku.
  5. Mailchimp.
  6. Hubspot.
  7. Slack.
  8. Harvest.