Effective Date: 4/29/2019; Updated 09/12/2022
Table of Contents
1. Personal Information We Collect
2. How We Use Your Personal Information
3. How We Share your Personal Information
4. Your Choices
5. Cookies and Similar Technologies
6. Other Important Privacy Information
7. How to Contact Us
8. Notice to European Users
Personal Information We Collect
Information you give us. You may provide information to us when you interact with the Services, for example, by registering, establishing an account, requesting information or otherwise communicating with us via the Services. You may provide your personal and business information, such as your name, mailing and email address, telephone number, company and other details you may choose to share with us.
How We Use Your Personal Information
We use the information we collect for the following purposes:
To operate and improve the Services, including to:
• Establish and manage accounts and registrations;
• Communicate with you regarding the Services, including by sending you announcements, updates, security alerts, and support and administrative messages;
• Respond to your requests, questions and feedback related to the Services;
• Analyze our visitors’ and users’ needs and interests, and personalize experience with the Services; and
• Analyze use of the Services to study trends and users’ movements around the Services, improve the Services and develop new features and services.
To send you marketing and survey communications.
We may send you surveys, newsletters or other marketing communications, but you may opt out of receiving them as described in the Opt out of marketing section below.
For compliance, fraud prevention and safety.
We may use your personal information as we believe appropriate to (a) investigate violations of and enforce our Terms of Service; (b) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
For compliance with law.
We may use your personal information as we believe appropriate to (a) comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; and (b) where permitted by law in connection with a legal investigation.
With your consent.
We may ask for your consent to collect, use or share your personal information, such as when we are required to do so by law.
How We Share your Personal Information
We do not share your personal information with third parties without your consent, except in the following circumstances:
Service providers. We may share your personal information with third parties that provide services that help us with our business activities (such as customer support, payment processing, hosting and storage, website analytics, email delivery and legal and other professional advice). We authorize these third parties to access your personal information to the extent reasonably necessary for them to provide their services.
For legal reasons. We may disclose your personal information as we believe appropriate to government or law enforcement officials or to private parties for the purposes described above under the following sections: For compliance, fraud prevention and safety and for compliance with law.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Access or update your information. Service account holders may review or update information in their registration profile by logging into their account or contacting us at email@example.com.
Opt out of marketing emails. You may opt out of marketing-related emails by following the unsubscribe instructions in the email. You may continue to receive Services-related and other non-marketing emails.
Cookies and Similar Technologies
Other Important Privacy Information
Third party sites and services. The Services may contain links to other websites and services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. We do not control third party websites, applications or services, and are not responsible for their actions. Other websites and services follow different rules regarding their collection, use and sharing of your personal information. We encourage you to read their privacy policies to learn more.
Security practices. The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect.
How to Contact Us
4250 Executive Square
San Diego, CA 92037
Notice to European Users
The following applies to individuals in the European Economic Area.
Legal bases for processing. We describe the legal bases for our processing of your personal information in the table below. If you have questions about the legal basis of how we process your personal information, contact us at firstname.lastname@example.org.
Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, the Sites may not work properly.
For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit http://www.allaboutcookies.org.
Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes.
PRODUCT PRIVACY STATEMENT
Daasity, Inc. (“Daasity”) provides a platform that helps direct to consumer organizations (“Users”) make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data by integrating the data points into our platform and placing the data into a useful context.
This Services Privacy Statement explains how we collect, use, disclose, and otherwise process personal data that Users process via our platform. Daasity is the data processor with respect to the personal data, and Users are the data controllers or are otherwise authorized by data controllers to direct Daasity to process the personal data.
Daasity’s processing of personal data is governed by this Privacy Statement and our customer agreements. In the event of any conflict between this Privacy Statement and a customer agreement, the customer agreement will control to the extent permitted by applicable law.
Information We Collect
When Users upload data into our platform, the information they upload may include personal information, such as order history or marketing history that can be associated with individuals.
How We Use Information
Our platform allows Users to manipulate and analyze the information they upload into the platform. We use the personal data to facilitate the manipulation, analysis and other processing of data in the platform. We also use the information to provide customer support to our Users, to maintain and improve our platform, develop new services for our Users, comply with applicable law, enforce the terms and conditions that govern the platform, protect our rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We may also use the information we process in the platform to generate de-identified or aggregate analytics, which cannot be associated with any User or the individuals to whom the information pertains.
How We Share Information
We may share personal data with third party service providers that provide services in connection with our platform. We authorize these third parties to access personal information only to the extent necessary for them to provide services to Daasity or Users.
We may also share personal information as required by law or legal process, enforce the terms and conditions that govern the platform, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We may transfer the personal data as part of Daasity’s platform or other assets in connection with a business transaction, such as a merger, consolidation, acquisition, reorganization, or in the event of bankruptcy. In the event of such a transfer, we will require the transferee to continue to abide by the terms of this Privacy Statement and any customer agreements that govern our processing of the personal information, as specified in detail in the relevant customer agreements.
We employ a number of organizational, technical and physical safeguards designed to protect the personal information in our platform, as we further describe our Security Overview webpage.
Data Subject Rights
Users are responsible for responding to requests that individuals submit to exercise any privacy rights, to the extent such requests are submitted by or on behalf of individuals to whom the personal information the Users process using the platform pertains. Daasity will assist Users in responding to such requests as set forth in the customer contract.
Cross Border Data Transfer
We may transfer personal data outside of the country in which Users provide it, including to the United States. In this case, we will safeguard the data as described in this Privacy Statement and the relevant customer agreements.
Daasity retains personal data for as long as necessary to (a) facilitate User’s processing of personal data via the platform; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of customer agreements, as described in the customer contracts.
Third Party Products and Services
The Services may integrate with or enable access to third party tools. Third party tools registered, installed, or accessed by end users are governed by those third party providers’ privacy notices. Please review those notices carefully, as Daasity does not control and cannot be responsible for these providers’ privacy or information security practices.
If you have any question about this Privacy Statement, you can contact our privacy team at email@example.com.
PRIVACY SHIELD STATEMENT
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Daasity is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
This Privacy Shield Statement explains how Daasity complies with the Privacy Principles in handling Personal Data.
The Privacy Shield Privacy Principles are:
• Accountability for Onward Transfer
• Data Integrity & Purpose Limitation
• Recourse, Enforcement & Liability
Our Privacy Shield certification and this Privacy Shield Statement apply to Personal Data – personal information that we process on our own behalf or on behalf of our clients through our platform, to the extent the information is transferred from the EEA to Daasity in the United States.
Daasity’s Role in Processing Personal Data
Daasity provides a platform that helps individuals and organizations in the direct to consumer community (“Users”) make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data data by integrating the data points into our platform and placing the data into a useful context (the “Services”).
Daasity acts as a processor for the Services. This means that Daasity is a vendor that processes Personal Data on behalf of and on the instructions of Users. The Users act as data controllers or have been authorized by data controllers to instruct Daasity. Users control the purposes for which Daasity processes Personal Data, and are responsible for the processing to individuals to whom the Personal Data pertains. See our Product Privacy Statement for more information.
When it acts as a processor, Daasity relies on its Users to provide notice to individuals regarding our privacy practices associated with the Services. Daasity has informed its Users that they are responsible for providing the notice. To assist Users in providing notice, we have provided Users with our Services Privacy Statement, which explains our privacy and security practices with respect to Personal Data.
Daasity has informed its Users that they are responsible for providing individuals with any required privacy choices regarding Daasity’s processing of Personal Data on behalf of the User. Daasity does not use Personal Data for purposes other than to provide our services, and as otherwise authorized by relevant customer agreements. We do not share Personal Data with third parties for those parties’ own purposes, except as follows:
We may share Personal Data with third party service providers that provide services in connection with our platform. We authorize these third parties to access Personal Data only to the extent necessary for them to provide services to Daasity or Users.
We may also share Personal Data as required by law or legal process, enforce the terms and conditions that govern the platform, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
Accountability for Onward Transfer of Personal Data
Daasity may share Personal Data with third party services providers that perform services on behalf of Daasity. Daasity does not authorize these service providers to use or disclose the Personal Data except as necessary to perform services on behalf of Daasity or Daasity Users, or to comply with legal requirements. Daasity maintains contracts with these providers restricting their access, use and disclosure of Personal Data in compliance with the Privacy Principles, and requiring these providers to appropriately safeguard the privacy and security of the Personal Data they process. If Daasity has knowledge that a third party to which it has disclosed Personal Data subject to this Privacy Shield Statement is processing such Personal Data in a way that is inconsistent with the Principles, or if Daasity has knowledge that such third party is no longer capable of processing such Personal Data consistent with the Principles, Daasity will take reasonable and appropriate steps to prevent or stop and remediate such processing.
Daasity’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Daasity remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Daasity proves that it is not responsible for the event giving rise to the damage.
Daasity takes reasonable and appropriate measures to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction, as further described in our Security Overview webpage.
Data Integrity and Purpose Limitation
Daasity limits the Personal Data it collects to the Personal Data that is relevant for the purpose(s) for which it is being processed. Daasity does not use Personal Data for purposes incompatible with the purpose(s) for which it was collected.
In addition, Daasity takes reasonable steps to ensure that the Personal Data it processes is reliable for its intended use and is accurate, complete and current. Daasity depends on its Users to provide accurate Personal Data to Daasity and to correct and keep such Personal Data up to date, or to instruct merchants and consumers to do so.
Users are responsible for responding to requests that individuals submit to exercise any privacy rights, to the extent such requests are submitted by or on behalf of individuals to whom the personal information the Users process using the platform pertains. Daasity will assist Users in responding to such requests as set forth in the customer contract.
Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
Recourse, Enforcement and Liability
Daasity has established procedures for periodically reviewing and verifying the accuracy of this Privacy Shield Statement, for verifying the company’s implementation of and compliance with the Principles, and for remedying any issues identified during such reviews. Daasity conducts an annual self-assessment of its Personal Data practices to verify that the attestations and assertions the company makes about its privacy practices are true, that the company’s privacy practices have been implemented as represented, and that any identified issues have been remedied. Daasity personnel with access to the Personal Data covered by this policy are responsible for conducting themselves in accordance with the policies described in this Privacy Shield Statement, the failure of which may result in disciplinary action up to and including termination.
In compliance with the Privacy Shield Principles, Daasity commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact Daasity by email at firstname.lastname@example.org.
Daasity will respond to any such inquiries or complaints within forty-five (45) days.
Daasity has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
US Federal Trade Commission Jurisdiction
Daasity’s commitments under the Principles are subject to the jurisdiction and the investigatory and enforcement authority of the United States Federal Trade Commission.
Daasity may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
How to Contact Us
If you have any questions, comments or concerns about this Privacy Shield Statement, please contact us at email@example.com.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (the Addendum) forms part of the underlying Terms of Service executed between Daasity, Inc. (Daasity) and the identified User, inclusive of any amendments thereto, pursuant to which Daasity provides the Services to User (the Agreement), to the extent the Processing of User Data is governed by Data Protection Laws and Regulations, and reflects the parties' agreement with regard to the Processing of Personal Data (as defined below) in accordance with the requirements of the applicable Data Protection Laws and Regulations. This Addendum is governed by and subject to the terms and conditions of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to User pursuant to the Agreement, Daasity only Processes Personal Data on behalf of User pursuant to the Instructions. The parties agree to comply with the following provisions with respect to any Personal Data contained in User Data. Nothing in this Addendum shall alter the parties' agreement, as set forth in the Agreement, with respect to representations, warranties, liability, indemnification, or any other commercial terms with respect to data protection or data security; in the event of any such conflict between this Addendum and the Agreement, the Addendum shall prevail only to the extent of such conflict.
User Data has the same meaning as in the Agreement (whether referred to as User Data or Partner Data).
Controller to Processor SCCs means the Module 2 of the EU Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;
Data Controller means the entity that determines the purposes and means of the Processing of Personal Data.
Data Processor means the entity that Processes Personal Data on behalf of the Data Controller.
Data Protection Laws and Regulations means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement, and including the General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR) as of its effective date, and the UK Data Protection Laws.
Data Subject means the individual to whom Personal Data relates.
Data Subject Request means a Data Subject's request to access, correct, amend, transfer, block or delete that person's Personal Data consistent with that person's rights under Data Protection Laws and Regulations.
EU Restricted Transfer means, where the GDPR applies, a transfer of User Personal Data by User to Daasity (or any onward transfer), in each case, where such transfer would be prohibited by the GDPR in the absence of the protection for the transferred User Personal Data provided by the EU Standard Contractual Clauses;
EU Standard Contractual Clauses or SCCs means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, including the Controller to Processor SCCs and the Processor to Processor SCCs, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws. Where the European Parliament and the Council adopt an updated set of EU standard contractual clauses, “EU Standard Contractual Clauses” will be taken to mean the most recent adaptation.
GDPR Assistance Materials means those materials Daasity provides to its general customer base as information on the Services' Processing of User's Personal Data and, where required under Data Protection Laws and Regulations, as assistance for User's data protection impact assessment(s) and/or prior consultations with Regulators. GDPR Assistance Materials will include, at a minimum, the Daasity Product Privacy Statement, our Security Overview webpage, Daasity's current security certifications and reports, such as Privacy Shield Certification.
Instructions means User's instructions to Daasity with respect to the Processing of Personal Data, comprising the Agreement and any written amendments to the Agreement, and any sale or work orders or amendments thereto.
Member State means a member state of the EU.
Personal Data has the meaning set forth in Data Protection Laws and Regulations, namely (and without limitation) any information relating to an individual Data Subject, including sensitive data, to the extent such data is contained in User Data.
Processor to Processor SCCs means the Module 3 of the EU Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws.
Regulator means any supervisory authority with authority under Data Protection Laws and Regulations over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
Subprocessor means any Data Processor engaged by Daasity to support delivering the Services.
Subprocessor List Page means Daasity's Subprocessors Page available at https://www.daasity.com/legal/subprocessors.
Supervisory Authority means (a) an independent public authority which is established by a Member State pursuant to Article 51 EU GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
UK Data Protection Laws means the EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom.
UK Restricted Transfer means, where the UK Data Protection Laws apply, a transfer of User Personal Data by User to Daasity (or any onward transfer), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred User Personal Data provided by the UK IDTA.
UK IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A (1) Data Protection Act 2018.
UK Supervisory Authority means the UK Information Commissioner’s Office.
2. Subject matter duration nature and purpose of the processing type of personal data and categories of data subjects
2.1 Subject-matter of the Processing. The Processing of Personal Data is carried out pursuant to the Agreement, including as described in the Daasity Services Privacy Notice and in Appendix 1 of this Addendum.
2.2 Duration of the Processing. The Processing begins and ends with performance of the Services for the User, as specified in the Instructions.
2.3 Nature and Purpose of the Processing. The purpose and object of the Processing of Personal Data by Daasity is to perform and provide the Services pursuant to the Instructions, as specified in the Appendix 1 of this Addendum.
2.4 Type of Personal Data and Categories of Data Subjects. The type of personal data and categories of affected Data Subjects are set out in Appendix 1 of this Addendum.
3. Instructions commitment to confidentiality
3.1 Daasity's Processor Role. Daasity shall only Process Personal Data on behalf of the User. The User is the Data Controller or otherwise provides Instructions to Daasity on behalf of and as specifically authorized by the Data Controller.
3.2 Instructions. Daasity shall only Process Personal Data on behalf of and in accordance with the Instructions and shall protect Personal Data as User Data and/or Confidential Information. User shall ensure that its Instructions to Daasity comply with Data Protection Laws and Regulations. The Instructions are User's complete and final instructions to Daasity for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately with prior written agreement between User and Daasity.
3.3 Commitment to Confidentiality. Daasity shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality. Daasity shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Daasity restricts its personnel from Processing Data to those personnel who require such access to perform the Agreement.
4. Security of personal data
Security Controls. Daasity maintains appropriate administrative, organizational and technical controls as set out in Appendix 2 of this Addendum. Daasity may update or modify the stated security controls from time to time provided that such updates and modifications meet or exceed the stated security controls. User agrees that Daasity has no obligation to protect Personal Data that User elects to store outside of Daasity and its backup systems. User has assessed the level of security appropriate to the Processing of Personal Data in the context of its obligations under Data Protection Laws and Regulations and agrees that the security measures set out in Appendix 2 of this Addendum are consistent with such assessment.
5.1 Appointment of Subprocessors and User Consent. User acknowledges and specifically authorizes Daasity's use of its Subprocessors existing as of the Effective Date, including subprocessors listed on the Subprocessors Page. User hereby gives a general authorization to further Subprocessors, provided Daasity follows the following procedure:
(a) Daasity agrees to provide notice to User of any new or replacement Subprocessor that Processes Personal Data under the Agreement thereby giving the User the opportunity to object to such changes within ten (10) days from the date of receipt of notice (Subprocessor Notice). User agrees that it will not object to any Subprocessor with which Daasity has executed a written agreement that obligates the Subprocessor to:
(i) protect such Personal Data to the same extent as is required of Daasity by the Agreement and this Addendum;
(ii) be in compliance with applicable Data Protection Laws and Regulations;
(b) if User has reasonable grounds to object to Daasity's use of a new or replacement Subprocessor, User shall notify Daasity promptly in writing within ten (10) days after receipt of the Subprocessor Notice and specify those grounds. Such reasonable grounds (provided that such reason does not conflict with the Conditions above) may be that the new or replacement Subprocessor is unlikely to be able to comply with the terms of the Agreement so far as they relate to the protection of Personal Data, or other reasons that are at least as important. User acknowledges that Daasity provides a standardized service to all customers which does not allow using different Subprocessors for different customers and, therefore, that the inability to use a particular new or replacement Subprocessor for the Services to the User may result in delay in performing the Services, inability to perform the Services or increased fees. Daasity will notify User in writing of any change to Services or fees that would result from Daasity's inability to use a new or replacement Subprocessor to which User has objected. User may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. This termination right shall be User's sole and exclusive remedy for such termination of the Agreement.
5.2 Processing Restrictions. Daasity will require Subprocessors to only access and use Personal Data in accordance with the terms of the Agreement (including this Addendum) and will bind the Subprocessors by written obligations:
(a)that require them to provide at least the level of data protection required by Data Protection Laws and Regulations and by the Agreement; and
(B)where applicable, that impose the level of data protection required by the Privacy Shied.
5.3 Liability. Daasity shall be liable for the acts and omissions of its Subprocessors to the same extent Daasity would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum.
5.4 List of Current Subprocessors and Notification of New Subprocessors. A current list of Subprocessors as may be used for Processing Data is available to User without charge. Daasity will keep the Subprocessor list current and inclusive of any new Subprocessors and will make available to User the updated Subprocessor list upon request by User. Daasity shall notify User prior to using any Subprocessor not included in such list, in accordance with clause 5.1
6. Rights of data subjects and cooperation with regulators
6.1 Correction, Deletion and Blocking. To the extent User, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data as required by Data Protection Laws and Regulations, Daasity shall provide User with assistance to comply with any reasonable request by User to facilitate such actions to the extent Daasity is legally permitted to do so. User shall be responsible for any costs arising from Daasity's provision of such assistance.
6.2 Data Subject Requests. Daasity shall, to the extent legally permitted, promptly notify User if it receives a Data Subject Request. Daasity shall not respond to any such Data Subject request without User's prior written consent except to confirm that the request relates to User, unless the Data Subject request relates only to that Data Subject's registration data for accessing the Services. Daasity shall provide User with assistance in relation to handling of a Data Subject Request, to the extent legally permitted and to the extent User does not have access to such Personal Data through its use of the Services. If legally permitted, User shall be responsible for any costs arising from Daasity's provision of such assistance.
6.3 Daasity shall promptly notify User of all enquiries from a Regulator that Daasity receives which relate to the Processing of Personal Data or the provision to or receipt of the Services by User, unless prohibited from doing so by law or by the Regulator.
6.4 Unless a Regulator requests in writing to engage directly with Daasity or the parties (acting reasonably and taking into account the subject matter of the request) agree that Daasity shall handle a Regulator request itself, User shall:
(a) be responsible for all communications or correspondence with the Regulator in relation to the Processing of Personal Data and the provision or receipt of the Services; and
(b) keep Daasity informed of such communications or correspondence to the extent permitted by law.
7. Assistance and information for data protection impact assessment notifications
7.1 The information made available as GDPR Assistance Materials is intended to assist User in complying both with its obligations under the GDPR, such as data protection impact assessment(s), prior consultation with the Regulator and other Regulator inquiries, and with any requests by User with respect to Daasity's privacy practices, including any audit request (Privacy Inquiries). User agrees that Daasity's GDPR Assistance Materials will be used to fulfil User's Privacy Inquiries. Except as otherwise agreed to in the Agreement, in the event that User requires information in addition to the GDPR Assistance Materials, including to demonstrate compliance with this Addendum, such information shall be made available under a separately-executed audit support agreement. User shall be responsible for the costs on a time and materials basis for Daasity's provision of such assistance at Daasity's then-current Professional Services rates.
7.2 If Daasity becomes aware of a security incident which leads or is likely to lead to a material infringement of Data Protection Laws and Regulations, or of this Addendum, that compromises the security, confidentiality or integrity of Personal Data and that would require reporting to a regulatory authority (as defined under applicable Data Protection Laws and Regulations) (a Security Incident), Daasity will notify User of such Security Incident without undue delay. Daasity will take appropriate actions to contain, investigate and mitigate the Security Incident and work with User to provide information to User concerning the Security Incident, and will assist User with any required notifications to affected individuals, subject to any related limitations set forth in the Agreement. Notification of or response to a Security Incident under this section will not be construed as an acknowledgement by Daasity of any fault or liability with respect to the Security Incident.
7.3 Except as otherwise agreed to in the Agreement, to the extent that the Security Incident is the result of Daasity's failure to comply with the terms of the Agreement or this Addendum, Daasity shall bear the actual, reasonable costs of notifying affected individuals. Daasity and User shall mutually agree on the content and timing of any such notifications, in good faith and as needed to meet applicable legal requirements. Notwithstanding the preceding sentence, the parties agree that Daasity shall have no obligation to send notification letters or provide credit monitoring for User unless such letters are legally required or otherwise reasonably required to alert individuals of potential harm.
8. Deletion or return of personal data
8.1 Daasity shall return Personal Data to User or delete Personal Data in accordance with the terms of the Agreement and the policies and schedules set forth in Daasity's Record Retention Policy and Schedule, which Policy and Schedule adhere to limitations required by law and regulation, except as required by law or as required in order to defend any actual or possible legal claim.
8.2 User acknowledges and agrees that Daasity shall have no liability for any losses incurred by User arising from or in connection with Daasity's inability to perform the Services as a result of Daasity complying with a request to delete or return Personal Data made by User under this section 8.
9. Making available information to demonstrate compliance
Distribution of GDPR Assistance Materials. Daasity will make available upon User request its GDPR Assistance Materials (along with such additional information as the parties may agree to as part of an audit support agreement, described in section 7.1) to demonstrate compliance with this Addendum and Data Protection Laws and Regulations.
10. Privacy shield framework
The parties acknowledge that on July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (“Privacy Shield”). As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve Daasity, as a participant in the EU-U.S. Privacy Shield Program, of its obligations under the EU-U.S. Privacy Shield Framework. Therefore, to the extent Daasity remains certified under Privacy Shield and receives in the United States User Data from the European Union, it will handle such User Data in accordance with the EU-US Privacy Shield Framework Principles (see https://www.privacyshield.gov/article?id=Requirements-of-Participation).
11. Transfers of User Data to the United States
11.1 In respect of any EU Restricted Transfer, User, (as "data exporter") and Daasity (as "data importer") with effect from the commencement of the relevant transfer hereby enter into the relevant and appropriate SCCs which are incorporated into this Addendum by reference. This may be the Controller to Processor SCCs or the Processor to Processor SCCs, or any module which is relevant and appropriate to the relationship between Daasity and the User, subject to the following changes:
(a) Annex 1 to the relevant and appropriate SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 1 to this Addendum and the processing operations are deemed to be those described in the Agreement. Annex 2 to the relevant and appropriate SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 2 (Technical and Organisational Measures) to this Addednum. Annex 3 to the relevant and appropriate SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 3 to this Addendum (Subprocessors);
(b) in Clause 7, the optional docking clause will not apply;
(c) in Clause 9, option 2 will apply, and the time period for prior notice of Subprocessor changes will be in accordance with the notification process set out in section 5 of this Addendum;
(d) in Clause 11, the optional redress language will not apply;
(e) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law specified in the Master Services Agreement, provided that law is an EU Member State law recognizing third party beneficiary rights, otherwise, the laws of Ireland apply; and
(f) in Clause 18(b), disputes shall be resolved before the courts specified in the Agreement, provided these courts are located in an EU Member State, otherwise those courts shall be the courts of Ireland.
11.2 In respect of any UK Restricted Transfer, User (as "data exporter") and Daasity (as "data importer") with effect from the commencement of the relevant transfer hereby enter into the relevant and appropriate SCCs which are incorporated into this Addendum by reference, and which are read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, subject to the following changes:
(a) Clause 13(a) – Supervision. The following shall be inserted: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, shall be the UK’s Information Commissioner’s Office;
(b) Clause 17 – Governing law. The following shall be inserted: “These Clauses shall be governed by the laws of England and Wales”;
(c) Clause 18(b) – Choice of forum and jurisdiction. The Member State shall be the courts of England and Wales;
(d) For the purposes of Table 4 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option; and
(e) Part 1 (Tables) of the UK IDTA shall be deemed to be pre-populated with the relevant sections of Appendices of this Addendum.
12. 1 Nondisclosure
The terms of this Addendum are not publicly known and constitute Confidential Information under the Agreement. User may only disclose the terms of this Addendum to a data protection Regulator to the extent required by law or regulatory authority. User shall take reasonable steps to ensure that data protection Regulators do not make the terms of this Addendum public, including by marking any copies as "Confidential and Commercially Sensitive," requesting return of any copies, and requesting prior notice and consultation before any public disclosure.
This Addendum will terminate when Daasity ceases to Process Personal Data, except as otherwise agreed in writing between the parties.
Appendix 1 Subject matter and details of the data processing, and details of the data transfers.
A. LIST OF PARTIES
- Data exporter(s):
Name: The User, as defined in the Agreement.
Address: The User’s address, as defined in the Agreement.
Contact person’s name, position and contact details: The User’s contact details, as set out in the Agreement.
Activities relevant to the data transferred: Processing of User Personal Data in connection with the Services under the Agreement.
Role (controller/processor): Controller
- Data importer(s):
Name: Daasity, Inc.
Address: PO Box 9028, San Diego, CA 92169
Contact person’s name, position and contact details: [insert contact name]
Activities relevant to the data transferred: As set out in the Agreement.
Role (controller/processor): Processor/Subprocessor
B. DESCRIPTION OF PROCESSING/TRANSFER
This Part B of Appendix 1 to the Addendum contains the information concerning the Processing of User Personal Data by Daasity required for the purposes of: (i) describing various elements of the Processing of Personal Data as required by Article 28(3) of the EU GDPR; (ii) compliance with any other applicable Data Protection Laws; and (iii) populating the relevant appendices to the applicable Standard Contractual Clauses.
- Subject Matter and Duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the User Personal Data are set out in the Agreement and this Addendum.
- The Nature and Purpose of the Processing of Personal Data
The User Data, including Personal Data, Processed by Daasity solely at the specific direction of the User, may include, but are not limited to, the following Processing operations:
3.1 collecting and recording the Personal Data;
3.2 hosting the Personal Data;
3.3 organizing the Personal Data;
3.4 adapting or altering the Personal Data;
3.5 analyzing the Personal Data;
3.6 consulting or retrieving the Personal Data; and
3.7 disclosing or transferring the Personal Data.
The User Data Processed by Daasity may be subject to, but is in no way limited to, the Processing operations as described above in 3.1 to 3.7.
- The Categories of Data Subjects
The categories of Data Subjects about whom the Parties may process Personal Data are dependent on User and may include, but are not limited to:
User’s customers, potential customers, and other end-user’s of its online services
- The Categories of Personal Data
User may submit Personal Data to the Services, the extent of which is determined and controlled by User in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
Name, contact information, company, title
- Special Categories of Personal Data
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
- The obligations and rights of the Parties
The obligations and rights of the parties are set out in the Agreement and this Addendum.
- Frequency of Restricted Transfers (where applicable):
As necessary under the Agreement and determined by User in its sole discretion.
- Period for which Personal Data will be Retained (where applicable):
For the duration of the Agreement and otherwise in accordance with Daasity retention policy.
- Competent Supervisory Authority
This clause 10 is applicable to transfers taking place from the EEA and the UK to a third country. Where the Data Exporter is established in an EU Member State, the EU Member State(s) in which it is established shall act as competent Supervisory Authority.
For Daasity, this will be Ireland.
Where Data Exporter is not established in an EU Member State but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of the EU GDPR the Member State in which the representative within the meaning of Article 27(1) is established shall act as competent supervisory authority.
For Daasity, this will be Ireland.
Where Data Exporter is not established in an EU Member State, but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) without however having to appoint a representative the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred in relation to the offering of goods or services to them, or whose behavior is monitored, are located, shall act as competent supervisory authority.
Appendix 2 Security measures
Daasity will implement and maintain the Security Measures set out in this Appendix 2. Daasity may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Daasity's information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Daasity's organization, monitoring and maintaining compliance with Daasity's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (eg role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data that is: a. transmitted over public networks (ie the Internet).
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (eg granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access when employment terminates or changes in job functions occur).
5. Password controls designed to manage and control password strength, expiration and usage and requiring that Daasity's passwords that are assigned to its employees:
5. 1 be at least eight (8) characters in length;
5. 2 not be stored in readable format on Daasity's computer systems;
5. 3 must be changed every ninety (90) days; must have defined complexity;
5. 4 must have a history threshold to prevent reuse of recent passwords; and
5. 5 newly issued passwords must be changed after first use.
6. Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to:
6. 1 protect information assets from unauthorized physical access;
6. 2 manage, monitor and log movement of persons into and out of Daasity facilities; and
6.3 guard against environmental hazards such as heat, fire and water damage.
7. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Daasity's technology and information assets.
8. Incident / problem management procedures design to allow Daasity to investigate, respond to, mitigate and notify of events related to Daasity's technology and information assets.
9. Network security controls that provide for the use of enterprise firewalls, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Daasity may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
Appendix 3 - Subprocessors List
- Google, Inc.
- Amazon Web Services.