Data Processing Addendum
Last Updated: 02-27-2022
This data processing addendum (“DPA”) supplements and modifies the End-User Licensing Agreement (“EULA”) governing the use of KARTRA Software. This DPA is pursuant to the General Data Protection Regulation (“GDPR”) and in particular addresses Article 28 (Processor Terms) and incorporates Standard Contractual Clauses for Controller to Processor transfers of Personal Data to third countries.
This Data Processing Addendum ("Addendum") forms an integral part of the End User License Agreement("EULA") governing the use of the KARTRA Software platform as between each KARTRA Software end-user or licensee ("CustomerlController") acting with respect to its own data and on behalf of data it controls for its own customers and leads; and (ii) Genesis Digital LLC (acting on its own behalf and as agent for any of its Affiliates) (”KARTRA” as defined in the EULA).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the EULA. Except as modified below, the terms of the EULA shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the EULA. Except where the context requires otherwise, references in this Addendum to the EULA are to the EULA as amended by, and including, this Addendum.
1. Definitions
1 .1 "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Process/Processing", "Processor", “Special Categories of Data", and "Supervisory Authority" shall respectively have the meanings set forth in the GDPR with regard to the processing of Personal Data and the free movement of such data and their cognates shall be construed accordingly;
1 .2 In this Addendum, the following additional terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- 1.2.1 "Applicable Laws" means (a) the laws of the European Union or any Member State with respect to any Personal Data in respect of which KARTRA is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer/Controller Personal Data in respect of which KARTRA is subject to any other Data Protection Laws;
- 1.2.2 "Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with a Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- 1.2.3 "KARTRA" means Genesis Digital or any of its Affiliates;
- 1.2.4 "Customer/Controller Personal Data" means any Personal Data processed by KARTRA or a Contracted Processor on behalf of KARTRA pursuant to or in connection with the EULA or Customer/Controller’s use of KARTRA Software;
- 1.2.5 "Contracted Processor" means a Processor or a Subprocessor contracted by KARTRA;
- 1.2.6 "Data Exporter" means the party who transfers the Personal Data, as a Controller, or as a Processor on behalf of the Controller, in accordance with the terms of the Standard Contractual Clauses provided in Annex 2 or as amended;
- 1.2.7 “Data Importer" means the party who agrees to receive Personal Data from the Data Exporter, in accordance the terms of the Standard Clauses and instructions from the Data Exporter;
- 1.2.8 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- 1.2.9 "EEA" means the European Economic Area;
- 1.2.10 "EU Data Protection Laws"means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- 1.2.11 "GDPR" means EU General Data Protection Regulation 2016/679;
-
1.2.12 "Restricted Transfer" means:
- 12.12.1 a transfer of Customer/Controller Personal Data from KARTRA to a Contracted Processor; or
- 1.2.12.2 an onward transfer of Customer/Controller Personal Data from a Contracted Processor to a different Contracted Processor, or an intracompany transfer between two locations of a particular Contracted Processor,
- In each case, where such transfer would otherwise be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses provided herein below. For the avoidance of doubt: (a) without limitation to the generality of the foregoing, the parties to this Addendum intend that transfers of Personal Data from the UK to the EEA or from the EEA to the UK, following any exit by the UK from the European Union shall not be Restricted Transfers until such time as it is formally determined by an appropriate authority that such transfers are prohibited by Data Protection Laws of the UK or EU Data Protection Laws (as the case may be) in the absence of the Standard Contractual Clauses provided herein; and (b) where a transfer of Personal Data is of a type authorized by Data Protection Laws in the exporting country, for example in the case of transfers from within the European Union to a country (such as Switzerland) or under a scheme (such as the US Privacy Shield) which is approved by the Commission as ensuring an adequate level of protection or any transfer which falls within a permitted derogation, such transfer shall not be a Restricted Transfer.
- 1.2.13 "Services" means the services and other activities to be supplied to or carried out on behalf of Customer/Controller by KARTRA pursuant to the EULA;
- 1.2.14 "Standard Contractual Clauses" "Controller-To-Processor Clauses" means the Standard Contractual Clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://home.kartra.com/Controller_to_Processor_SCCs.pdf. and also set out in Annex 2, as amended in that Annex and/or under section 13.4;
- 1.2.15 "Subprocessor" means any person (excluding an employee of Customer/Controller or any of its sub-contractors) appointed by a Contracted Processor to Process Personal Data on behalf of KARTRA in connection with the EULA; and
1 .3 The word “include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Authority and Representations In Connection Therewith
KARTRA warrants and represents that before any Contracted Processor processes any Customer/Controller Personal Data on behalf of KARTRA, KARTRA will use commercially reasonable efforts to ensure that Contracted Processor has been duly and effectively authorized (or subsequently ratified) to process such data in a manner compliant with the requirements of the GDPR. Customer/Controller warrants and represents that, Customer/Controller is lawfully in possession of such data and has a lawful basis for providing such data to KARTRA for processing or for authorizing KARTRA to process the Customer/Controller Personal Data on behalf of Customer/Controller under this Addendum.
3. Processing of Customer/Controller Personal Data
3.1 KARTRA shall and each Contracted Processor shall be obligated to:
- 3.1.1 comply with all applicable Data Protection Laws in the Processing of Customer/Controller Personal Data; and
- 3.1.2 not Process Customer/Controller Personal Data other than on the relevant Customer/Controller’s documented instructions unless Processing is authorized under / by Applicable Laws to which KARTRA or the Contracted Processor is subject. In the latter case KARTRA shall where reasonable or to the extent required by Applicable Laws inform the Customer/Controller before the relevant Processing of that Personal Data.
3.2 Customer/Controller:
-
3.2.1 shall instruct KARTRA (and authorizes KARTRA and each Contracted Processor to instruct each Subprocessor) to:
- 3.2.1.1 Process Customer/Controller Personal Data; and
- 3.2.1.2 in particular, transfer Customer/Controller Personal Data to or from any country or territory, as reasonably necessary for the provision of the Services and consistent with the EULA; and
- 3.2.2 shall obtain any and all required consents with respect to any data collected by it, or with respect to which it instructs KARTRA or any Contracted Processor to act on its behalf
- 3.2.3 warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.2.1 on behalf of itself and any Customer/Controller Affiliate.
3.3 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Customer/Controller Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). KARTRA may make reasonable amendments to Annex 1 by written notice to Customer/Controller from time to time, as KARTRA reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.3) confers any right or imposes any obligation on any party to this Addendum.
4. Customer/Controller and Customer/Controller Affiliate Personnel
KARTRA shall take reasonable steps to ensure the reliability of any of its employees, agents, or contractors, and those of any Contracted Processor who may have access to the Customer/Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer/Controller Personal Data, as strictly necessary for the purposes of the EULA, or to carry out the Services in compliance with Applicable Laws in the context of that individual's duties to KARTRA or the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. Security
5.1 Taking into account the state of the art, the costs of implementation, practicality, and the nature, scope, context, purposes of Processing as well as the risks to the rights and freedoms of natural persons, KARTRA shall in proportion thereto implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5.2 In assessing the appropriate level of security, KARTRA shall take account the likely risks that are presented by Processing, in particular from the perspective of a Personal Data Breach
6. Subprocessing
6.1 Customer/Controller authorizes KARTRA to appoint Subprocessors in accordance with this section 6 and any restrictions in the EULA, and to permit each Subprocessor duly appointed in accordance with this section 6 to appoint further Subprocessors.
6.2 KARTRA may continue to use those Subprocessors already engaged by KARTRA as at the date of this Addendum, subject to KARTRA in each case as soon as practicable meeting the obligations set out in section 6.4.
6.3 To the extent required under the GDPR, KARTRA shall give Customer/Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. Such appointment shall be effective unless within 10 (ten) days of receipt of such notice, Customer/Controller provides KARTRA written objections (on reasonable grounds) to the proposed appointment. KARTRA shall not appoint (or disclose any Customer/Controller Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer/Controller and Customer/Controller has been provided\ with a reasonable written explanation of the steps taken.
6.4 With respect to each Subprocessor, KARTRA shall:
- 6.4.1 before the Subprocessor first Processes Customer/Controller Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence under the circumstances to ensure that the Subprocessor is capable of providing the level of protection for Customer/Controller Personal Data required by the Applicable Law, this Addendum, or under the EULA;
- 6.4.2 ensure that the arrangement between on the one hand, KARTRA, or the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer/Controller Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR;
- 6.4.3 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand, KARTRA, or the relevant intermediate Subprocessor; and on the other hand the Subprocessor, or before the Subprocessor first Processes Customer/Controller Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with KARTRA, or the relevant intermediate Subprocessor; and
- 6.4.4 provide to Customer/Controller for review such copies of the Contracted Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum, or Applicable Law) as Customer/Controller may request from time to time.
6.5 Customer/Controller and each Customer/Controller Affiliate shall ensure that each Subprocessor performs the obligations under sections 3.1, 4, 5, 7.1, 8.2, 9 and 11.1, as they apply to Processing of Customer/Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Customer/Controller.
7. Data Subject Rights
7.1 Nothing herein shall relieve Customer/Controller from affording any required right to any Data Subject including any requirement to obtain adequate consent from a Data subject prior to collection of Personal Data.
7.2 Taking into account the nature of the Processing, KARTRA shall assist Customer/Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer/Controller's obligations, as reasonably understood by KARTRA, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
7.3 KARTRA shall:
-
7.3.1 promptly notify Customer/Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer/Controller Personal Data; and
- 7.3.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer/Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case KARTRA shall to the extent permitted by Applicable Laws inform Customer/Controller of that legal requirement before the Contracted Processor responds to the request.
8. Personal Data Breach
8.1 KARTRA shall notify Customer/Controller without undue delay upon KARTRA, a Contracted Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Customer/Controller Personal Data, providing Customer/Controller with sufficient information to allow Customer/Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2 KARTRA shall co-operate with Customer/Controller and take such reasonable commercial steps as are directed by Customer/Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
To the extent required under Applicable Law, KARTRA shall provide reasonable assistance to Customer/Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer/Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer/Controller Personal Data by, and taking into account the nature of the Processing and information available to the Contracted Processors.
10. Deletion or return of Customer/Controller Personal Data
10.1 Customer/Controller Personal Data 10.1 Subject to sections 10.2 and 10.3 Customer/Controller and each Customer/Controller Affiliate shall promptly and in any event within 21 (twenty-one) days of the date of cessation of any Services involving the Processing of Customer/Controller Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer/Controller Personal Data. For the sake of clarity, for purposes of this Section 10 "delete" means redacting, blocking or restricting access, permanently removing, or obliterating such that it cannot be recovered or reconstructed, as circumstances reasonably permit and Applicable Law permits.
10.2 Subject to section 10.3, Customer/Controller may in its discretion request, by written notice to KARTRA within 21 (twenty-one) days of the Cessation Date, that KARTRA (a) return a complete copy of all Customer/Controller Personal Data to KARTRA by secure file transfer in such format as is reasonably requested by Customer/Controller or in which the data are stored in the normal course of business; and (b) delete and procure the deletion of all other copies of Customer/Controller Personal Data Processed by any Contracted Processor. KARTRA shall comply with any such written request within 30 (thirty) days of the Cessation Date.
10.3 Each Contracted Processor may retain Customer/Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws. KARTRA shall reasonably ensure that such Customer/Controller Personal Data is only Processed or retained as provided herein as necessary for the purpose(s) specified in the Applicable Laws.
10.4 Where requested in writing, KARTRA shall provide written confirmation to Customer/Controller that it has fully complied with this section 10 within 30 (thirty) days of the Cessation Date.
11. Audit rights
11.1 Subject to the provisions of this Section, KARTRA shall make available to Customer/Controller on request all information reasonably necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Customer/Controller or an auditor appointed by Customer/Controller in relation to the Processing of the Customer/Controller Personal Data by the Contracted Processors.
11.2 Information and audit rights of the Customer/Controller only arise under section 11.1 to the extent that the EULA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable,
article 28(3)(h) of the GDPR).
11.3 A Customer/Controller may only mandate an auditor for the purposes of section 11.1 if the auditor is identified at least sixty (60) days in advance in writing and approved by KARTRA. KARTRA shall not unreasonably withhold or delay approval of an auditor. Reasonable grounds for refusing Customer/Controller's choice of auditor shall be provided in writing, after which a new auditor shall be identified.
11.4 Audits shall be conducted only by agreement on reasonable notice of any audit or inspection to be conducted hereunder and shall use best efforts (and ensure that each of its mandated auditors makes such efforts) to avoid causing (or, if it cannot avoid, to minimize) any damage, injury, delay, or disruption to the Contracted Processors' premises, equipment, personnel and business while its
personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
- 11.4.1 to any individual unless he or she produces reasonable evidence of identity and authority;
- 11.4.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer/Controller has given notice to KARTRA that this is the case before attendance outside those hours begins; or
-
11.4.3 for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any year period, except for any additional audits or inspections which: o 11.4.3.1 Customer/Controller undertaking an audit reasonably considers necessary because of genuine concerns as to KARTRA's compliance with this Addendum; or o 11.4.3.2 Customer/Controller is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority
- responsible for the enforcement of Data Protection Laws in any country or territory, where Customer/Controller undertaking an audit has identified its concerns or the relevant requirement or request in its notice to KARTRA of the audit or inspection.
12. Restricted Transfers
12.1 Subject to section 12.3, Customer/Controller (as "Data Exporter") and KARTRA and each of its Contracted Processor, as appropriate, (as "Data Importer"); or KARTRA (as Data Exporter") and each Contracted Processor or Customer/Controller have entered and/or hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Customer/Controller to KARTRA or its Contracted Processor or from KARTRA to Customer/Controller or a Contracted Processor.
12.2 The Standard Contractual Clauses shall come into effect under section 12.1 on the later of:
- 12.2.1 the Data Exporter becoming a party to them;
- 12.2.2 the Data Importer becoming a party to them; and
- 12.2.3 commencement of the relevant Restricted Transfer.
12.3 Section 12.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining further or additional consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
12.4 KARTRA warrants and represents that, before the commencement of any Restricted Transfer to a Subprocessor entry into the Standard Contractual Clauses under section 12.1, and agreement to variations to those Standard Contractual Clauses made under section 13.4.1, as agent for and on behalf of that Subprocessor will have been duly and effectively authorized (or subsequently ratified) by that Subprocessor.
13. General Terms
Governing law and jurisdiction
13.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
- 13.1.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the EULA with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity, or termination, or the consequences of its nullity; and
- 13.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the EULA.
Order of Precedence
13.2 Nothing in this Addendum alters either party's obligations under the EULA in relation to the protection of Personal Data or permits either party to Process (or to permit the Processing of) Personal Data in a manner which is prohibited by the EULA or Applicable Law. In the event of any conflict or inconsistency between this Addendum, and/or the EULA, and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.3 Subject to section 13.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the EULA and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Changes in Data Protection Laws
13.4 KARTRA may:
- 13.4.1 by at least 30 (thirty) calendar days' written notice to Customer/Controller from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 12.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
- 13.4.2 propose any other variations to this Addendum which KARTRA reasonably considers to be necessary to address the requirements of any Data Protection Law.
13.5 If KARTRA gives notice under section 13.4.1:
- 13.5.1 The parties shall promptly co-operate (and ensure that any affected Contracted Processors and/or Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 6.4.3; and
- 13.5.2 Customer/Controller shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by KARTRA to protect the Contracted Processors against additional risks associated with the variations made hereunder.
13.6 If KARTRA gives notice under section 13.4.2, it shall propose reasonable variations with a view to implementing those or reasonable alternative variations designed to address the requirements identified in KARTRA's notice as soon as is reasonably practicable.
13.7 Neither KARTRA nor Customer/Controller shall require the consent or approval of any Affiliate to amend this Addendum pursuant to this section 13.5 or otherwise.
Severance
13.8 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer/Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer/Controller Personal Data
The subject matter and duration of the Processing of the Customer/Controller Personal Data are set out in the EULA and this Addendum and relate to KARTRA's obligations to provide the requested Services in connection with the KARTRA Software.
The nature and purpose of the Processing of Customer/Controller Personal Data
KARTRA processed Personal Data in order to provide the Services contemplated in the EULA in connection with the use of the KARTRA software. Among the purposes of processing are to monitor transactions (including purchases, payments, and refunds), to track helpdesk tickets and/or support requests as the case may be, and responses thereto, to provide access to memberships, associated lists, and associated sequences of actions, to enable communications in connection with any of the foregoing.
The types of Customer/Controller Personal Data to be Processed
The types of Personal Data to be processed by KARTRA include Name, Email, Phone, Address, Country, IP address, and Username
The categories of Data Subject to whom the Customer/Controller Personal Data relates
Categories to which the Personal Data to be processed relate include demographic/external data, financial data, historical data, internal data (including preferences and interests); and social data.
Except where specifically required for the provision of contracted services or as incidental to the above, KARTRA does not collect or track data racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or any other Special Category of Data.
The obligations and rights of KARTRA and Customer/Controller
The obligations and rights of KARTRA and KARTRA Affiliates are set out in the EULA and this Addendum.
ANNEX 2: STANDARD CONTRACTUAL CLAUSES
These Clauses shall be deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (by the Commission to or of the equivalent contractual clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law otherwise). A copy of the SCC can be found here: KARTRA - Standard Contractual Clauses
Standard Contractual Clause
For the purposes of this Addendum and the Directive, transfers of Personal Data from a party in one country to any party in another country shall be governed by these Standard Clauses unless other permissible on other grounds.
The Data Exporter and the Data Importer, each a "party"; together "the parties",
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the Personal Data specified in Annex 1.
KARTRA, as Processor currently uses the following Subprocessors:
Amazon (AWS)
DPO/Contact:
https://aws.amazon.com/
https://aws.amazon.com/compliance/eu-data-protection
Sendgrid, Inc.
DPO/Contact: Michael Tognetti, SVP & General Counsel
1801 California Street' Suite 500, Denver, CO 80202
https://sendgrid.com/
https://sendgrid.com/resource/general-data-protection-regulation/
Pusher Ltd.
DPO/Contact:
28 Scrutton Street, London, EC2A 4RP
https://pusher.com/
https://pusher.com/legal/data-protection
Stripe
DPO/Contact: Adi Gilad, dpo@stripe.com
510 Townsend street, San Francisco, CA 94103
PayPal
DPO/Contact: Gareth Jones
2211 North First street, San Jose, CA 95131
https://www.linkedin.com/in/ghvjones/
Mailgun
DPO/Contact:
privacy@mailgun.com
112 E Pecan St. #1135
San Antonio, TX 78205
The Data Exporter has entered into a data processing addendum ("DPA") with the Data Importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the Data Importer will involve the transfer of Personal Data to Data Importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and applicable data protection law, the controller agrees to the provision of such Services, including the processing of Personal Data incidental thereto, subject to the Data Importer's execution of, and compliance with, the terms of these Clauses.
Clause 1
Definitions
For the purposes of the Clauses:
(a) 'Personal Data', 'Special Categories of Data', 'Process/Processing', 'Controller', 'Processor', 'Data Subject' and 'Supervisory Authority' shall have the same meaning as with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data; with the proviso where permitted by Applicable Law, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of "Personal Data" is expanded to include those data
(b) 'Data Exporter' means the party who transfers the Personal Data in accordance with the terms of these Standard Clauses;
(c) 'Data Importer' means the party who agrees to receive Personal Data from the Data Exporter in accordance with instructions from the Data Exporter and the terms of these Clauses;
(d) 'Subprocessor' means any processor engaged by the Data Importer or by any other Subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other Subprocessor of the Data Importer Personal Data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'Applicable Data Protection Law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of Personal Data applicable to a data controller in the jurisdiction in which the Data Exporter is established;
(f) 'Technical and Organizational Security Measures' means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Annex 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the Data Exporter
The Data Exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the jurisdiction where the Data Exporter is established) and does not violate the relevant provisions of that jurisdiction;
(b) that it has instructed and throughout the duration of the Personal Data processing services will instruct the Data Importer to process the Personal Data transferred only on the Data Exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the Data Importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves Special Categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection of the data;
(g) to forward any notification received from the Data Importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the Personal Data and the rights of data subject as the Data Importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the Data Importer
The Data Importer agrees and warrants:
(a) to process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the Personal Data transferred; ata transferred;
(d) that it will promptly notify the Data Exporter about:
- (i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- (ii) any accidental or unauthorised access, and
- (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the Personal Data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the Data Exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the Data Exporter;
(h) that, in the event of subprocessing, it has previously informed the Data Exporter and obtained its prior written consent; (0 that the processing services by the Subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any Subprocessor agreement it concludes under the Clauses to the Data Exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the data subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the data subject may issue a claim against the data Subprocessor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The Data Importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the data subject:
- (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- (b) to refer the dispute to the courts in the jurisdiction in which the Data Exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the Data Importer, and of any Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.
3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the jurisdiction in which the Data Exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1. The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor's obligations under such agreement.
2. The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the jurisdiction in which the Data Exporter is established.
4. The Data Exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the Data Exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of Personal Data processing services
1. The parties agree that on the termination of the provision of data processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.
2. The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.