Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement (the “Agreement”) between Customer and Spekit Inc. (”Spekit” or “Company”).
1. SUBJECT MATTER AND DURATION
1.1 Subject Matter. This DPA is intended to govern Customer’s provision and Company’s Processing of Customer Personal Data pursuant to the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its attachments conflicts with the Agreement, this DPA shall control.
1.2 Duration and Survival. This DPA will become binding upon the effective date of the Agreement and shall survive until expiration or termination of the Agreement or the return or deletion of Customer Personal Data in accordance with Section 9, whichever later.
“California Consumer Privacy Act” or “CCPA” means Cal. Civ. Code Title 1.81.5, §§ 1798.100 et seq. and “CPRA” means California Privacy Rights Act of 2020, codified at Cal. Civ. Code § 1798.100 et seq. All references to the CCPA shall include the amendments to the CCPA by the CPRA.
“Customer Personal Data” means any “personal data” (as defined under the Data Protection Legislation) within the Customer Data supplied by Customer for analysis using the Services that is processed by Company on behalf of Customer pursuant to or in connection with the Agreement.
“Data Protection Legislation” means all worldwide data protection and privacy laws and regulations applicable to the Customer Personal Data in question, including, where applicable, EU Data Protection Law and CCPA.
“EU Data Protection Law” means (a) General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it (“EU GDPR”); (b) any United Kingdom law replacing or succeeding the EU GDPR (“UK GDPR”); (c) the Federal Data Protection Act of 19 June 1992 (Switzerland); (d) the EU e-Privacy Directive (Directive 2002/58/EC); and (e) any national data protection laws made under or pursuant to (a).
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise processed.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses (processor to controller), as agreed by the European Commission, for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2010) 593, as updated, amended replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission’s Decision 2021/914 of 4 June 2021, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914.
“Sub-processor” means any third party (including any Company’s Affiliate) engaged directly or indirectly by Company to process any Customer Personal Data relating to this DPA and/or the Services. The term “Sub-processor” shall also include any third party appointed by a Sub-processor to process any Personal Data relating to this DPA and/or the Services.
The terms “controller”, “processing”, “processor”, and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the EU GDPR and the terms “Business,” “sell,” and “Service Provider” as used in this DPA will have the meanings ascribed to them in the CCPA.
3. PROCESSING OF DATA
3.1 Purpose of Processing. The purpose of data processing under this DPA is the provision of the Services. Company is a service provider with respect to Customer Personal Data and will process Customer Personal Data solely for the purpose of performing the Services and will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third party any Customer Personal Data except as necessary to perform the Services. Under no circumstances will Company (a) rent or sell Customer Personal Data (as such term is defined under the CCPA); or (b) retain, use, or disclose the Customer Personal Data for a commercial purpose other than providing the Services.
3.2 Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Company is a processor of Customer Personal Data and Customer’s Service Provider under the Data Protection Legislation; (b) Customer is a controller or processor, as applicable, of Customer Personal Data and a Business under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Customer Personal Data. The parties agree that Company does not receive any Personal Information as consideration for any Services provided by Company.
3.3 Customer Instructions. Customer instructs Company to process Customer Personal Data: (a) in accordance with the Agreement, any applicable order form or statement of work, and Customer’s use of the Services; and (b) to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the Services. The subject matter, nature, purpose, and duration of this Processing, as well as the types of Customer Personal Data collected and categories of data subjects, are described in Annex A to this DPA. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data.
3.4 Company’s Compliance With Customer Instructions. Company may process Customer Personal Data other than on the written instructions of Customer if it is required under applicable law to which Company is subject. In this situation, Company shall inform Customer of such requirement before Company processes the Customer Personal Data unless prohibited by applicable law.
3.5 Company’s Notification Obligations Regarding Customer Instructions. Company shall promptly notify Customer in writing, unless prohibited from doing so under the Data Protection Legislation, if (a) it becomes aware or believes that any data processing instruction from Customer violates the Data Protection Legislation; (b) it is unable to comply with Customer’s data processing instructions for any reason; and/or (c) it is unable to comply with the terms of the underlying Services agreement (including this DPA) as they relate to or govern the processing of Customer Personal Data and/or the security of Customer Data for any reason.
3.6 No Rights for Company. Except as expressly set forth to the contrary in this DPA and the underlying Services agreement, Company acknowledges that it has no right, title or interest in the Customer Data (including all Customer Personal Data, intellectual property or proprietary information).
4. SECURITY; PRIVACY IMPACT ASSESSMENTS.
4.1 Company Personnel. Company shall ensure that its personnel engaged in the processing of Customer Personal Data (a) are informed of the confidential nature of the Customer Personal Data; (b) process the Personal Data only for the purpose of delivering the Services; and (c) are subject to a strict duty of confidentiality with respect to the processing Customer Personal Data and such obligations survive the termination of that individual’s engagement with Company. Company shall ensure that Company’s access to Customer Personal Data is limited to those personnel performing Services in accordance with this DPA.
4.2 Security. Company will implement appropriate technical and organizational measures to safeguard Customer Personal Data from Security Breaches and to preserve the security, integrity and confidentiality of such data (the “Security Measures”) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, Company agrees to the Security Measures identified at Annex B.
4.3 Data Privacy Impact Assessments. Company will reasonably cooperate and assist Customer in conducting a data protection impact assessment and related consultations with any supervisory authority, if Customer is required to do so under Data Protection Legislation.
5. DATA SUBJECT RIGHTS AND COOPERATION.
5.1 Assistance with Customer’s Obligations. To the extent Customer, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Customer Personal Data, as required by Data Protection Legislation, Company shall promptly comply with reasonable requests by Customer to facilitate such actions to the extent Company is legally permitted and able to do so. Company will: (a) provide information requested by Customer about Company’s use of the Customer Personal Data; and (b) provide the specific pieces of Customer Personal Data that Company has collected or otherwise obtained about a consumer on behalf of Customer. If specific pieces of Customer Personal Data are requested, and if the Customer Personal Data is maintained in an electronic format, the Customer Personal Data shall be made available in a readily usable format that allows the consumer to obtain the information.
5.2 Notification Obligations. Company shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of Customer Personal Data relating to such individual. Company shall not respond to any such Data Subject request relating to Customer Personal Data without Customer’s prior written consent except to confirm that the request relates to Customer. Company shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of requests, complaints or other communications from Data Subjects and regulatory or judicial bodies relating to the processing of Customer Personal Data, including requests from Data Subjects seeking to exercise their rights under the Data Protection Legislation.
5.3 Subpoenas and Court Orders. If Company receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Customer Personal Data, Company shall not disclose any information but shall immediately notify Customer in writing of such request, and reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
6.1 Authorized Sub-Processors. Customer hereby authorizes Company to engage Affiliates and other Sub-processors to process Customer Personal Data in accordance with the provisions within this DPA and Data Protection Legislation. Customer consents to Company engaging its current Sub-processors as detailed here (“Subprocessor List”). Customer acknowledges and agrees that Company’s use of such sub-processors satisfies the requirements of this DPA. Company agrees to (i) enter into a written agreement with Sub-processors regarding such Sub-processors’ processing of Customer Personal Data that imposes on such Sub-processors data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for Company’s Subprocessors’ failure to perform their obligations with respect to the processing of Customer Personal Data.
6.2 Objection Right for New Sub-Processors. Company shall maintain an up-to-date list of its Sub-processors in its Subprocessor List. Customer should refer to the Subprocessor List regularly. Customer may object to the appointment or replacement of a Sub-processor within 20 days after Customer first receives prior notice of such change, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss in good faith commercially reasonable alternative solutions. If the parties cannot reach resolution within a reasonable period of time, which shall not exceed 30 days, Company will either not appoint or replace the Sub-processor or, if this is not possible, Customer may terminate the underlying Services agreement (in whole or in part), by providing written notice to Company.
7. DATA TRANSFERS
7.1 Cross-Border Transfers of Customer Personal Data. Customer authorizes Company and its Sub-processors to transfer Customer Personal Data across international borders, including from the EEA, Switzerland, and/or the United Kingdom to the United States.
7.2 Standard Contractual Clauses. The parties agree that, when the transfer of Customer Personal Data from Customer to Company is a Restricted Transfer, it shall be subject to the appropriate SCCs as follows:
7.2.1 In relation to Customer Personal Data that is protected by the EU GDPR, the SCCs will apply completed as follows:
- Module Two will apply (where Customer is the controller of Customer Personal Data), otherwise Module Three will apply (where Customer is a Processor of Customer Personal Data), as appropriate;
- in Clause 7, the optional docking clause will apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Section 6 of this DPA;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA;
7.2.2 In relation to Restricted Transfers of Customer Personal Data protected by UK GDPR, the UK IDTA will apply completed as follows:
- the IDTA will apply the EU SCCs to Restricted Transfers of Customer Personal Data from the UK;
- Tables 1 – 3 of the UK IDTA shall be deemed completed with the relevant information set out in this DPA and the EU SCCs;
- Table 1 of the UK IDTA shall be deemed signed by Customer and Company upon the entry into force of this DPA, and the start date specified in Table 1 of the UK DPA shall be deemed completed with the date of entry into force of this DPA;
- In Table 4, the option “Importer” shall be deemed selected.
7.2.3. In relation to Customer Personal Data that is protected by the EU Data Protection Laws of Switzerland, then the EU SCCs will apply with the following modifications: the competent supervisory authority in Annex 1.C under Clause 13 will be the Federal Data Protection and Information Commissioner; references to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the EU SCCs will be understood as references to EU Data Protection Laws of Switzerland.
7.2.4 In the event that any provision of this DPA contradicts the SCCs (directly or indirectly), the SCCs shall prevail.7.2.5. The parties agree that, in the event where Data Protection Legislation no longer allows the lawful transfer of Customer Personal Data to Company and/or requires an alternative transfer solution that complies with Applicable Privacy Law(s), Company will make an amendment to this DPA available to Customer to remedy such non-compliance and/or cease processing of Customer Personal Data without penalty.
8. SECURITY BREACHES
8.1 Notification Obligations. In the event of a Security Breach, Company shall promptly (and in no event later than 72 hours of becoming aware of such Security Breach) inform Customer and provide written details of the Security Breach, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Company. The obligations in this Section do not apply to incidents that are caused by Customer or Customer’s personnel or end users or to unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
8.2 Manner of Notification. Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Company selects, including via email.
8.3 Company’s Obligations Following Security Breach. In the event of a Security Breach, Company shall: (a) provide timely information and cooperation as Customer may reasonably require to fulfill Customer’s data breach reporting obligations under the Data Protection Legislation or to comply with or respond to any inquiries by a data protection authority or any lawsuit arising from the Security Breach, including without limitation collecting and preserving all evidence pertaining to the Security Breach and the investigation conducted by Company; and (b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Breach and shall keep Customer up-to-date about all developments in connection with the Security Breach.
9. DATA DELETION
Upon Customer’s request, or upon termination or expiry of this DPA, Company shall return to Customer or securely destroy all Customer Personal Data (including copies) in its possession or control (including any Customer Personal Data processed by its Sub-processors) in accordance with Company’s automated deletion schedule and back-up policy. This requirement shall not apply to the extent that Company is required by any applicable law to retain some or all of the Customer Personal Data, in which event Company shall isolate and protect the Customer Personal Data from any further processing except to the extent required by such law.
Upon Customer’s written request, Company will provide a copy of its then most recent third-party audits or certifications, as applicable, or any summaries thereof, in order that Customer may reasonably verify Company’s compliance with the technical and organizational measures as required under this DPA. If Customer is not satisfied with the above certifications and audits, Company will allow a mutually agreed upon independent auditor appointed by Customer and approved by Company to conduct an audit (including inspection) no more than once per calendar year upon four weeks’ notice sent to the above address complete with a detailed audit plan describing the proposed scope, duration, and start date of the audit. Company will contribute to such audits whose sole purpose will be to verify Company’s compliance with its obligations under this DPA. The auditor must execute a written confidentiality agreement acceptable to Company before conducting the audit. The audit must be conducted during regular business hours and may not unreasonably interfere with Company’s business activities. Any audits are at Customer’s sole cost and expense.
11. PROCESSING DETAILS
11.1 Subject Matter. The subject matter of the processing is the Services pursuant to the Agreement.
11.2 Duration. Customer Personal Data will be processed for the duration of the Agreement, including any post-termination retention period specified therein, subject to Section 9 of this DPA.
11.3 Categories of Data Subjects. Data subjects whose Customer Personal Data will be processed pursuant to the Agreement may include Customer’s end users, employees, agents, contractors, collaborators, prospects, suppliers and subcontractors.
11.4 Nature and Purpose of the Processing. The nature and purpose of the Processing of Customer Personal Data by Company is the performance of the Services pursuant to the Agreement. Customer acknowledges and agrees that it will not use the Services for any purposes deemed a “High Risk AI System” under the proposed EU Artificial Intelligence Act.
11.5 Types of Customer Personal Data. Customer represents and warrants to Company that Customer Personal Data does not and will not contain, and Customer has not and will not otherwise provide or make available to Company for processing any sensitive personal data, including but not limited to credentials to any financial accounts; health information (e.g. protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental, or physical condition, or medical treatment or diagnosis by a health care professional, health insurance information, or genetic information); biometric information; government IDs or other government-issued identifiers (e.g. social security numbers); passwords for online accounts (other than passwords necessary to access the Services); credit reports or consumer reports; any payment card information or cardholder data subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or similar laws, or the regulations promulgated thereunder; information subject to restrictions under applicable law governing personal data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined under the EU/UK Data Protection Law or otherwise interpreted under the implementing laws of the EEA member states).
If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. In the event of any conflict or inconsistency between this DPA and any data privacy provisions set out in the underlying Agreement, the parties agree that the terms of this DPA shall prevail. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions set forth in the underlying Agreement, unless otherwise required by the Data Protection Legislation.
ANNEX I – Data Processing Description
This Annex I forms part of the DPA and describes the processing that Company (as the processor or Sub-processor, as applicable) will perform on behalf of the Customer (as the controller or processor, as applicable).
A. LIST OF PARTIES
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Customer listed in the applicable Order Form.
Address: Address listed in the applicable Order Form.
Contact person’s name, position and contact details: Contact person listed in the applicable Order Form.
Activities relevant to the data transferred under these Clauses: Processing to carry out the Services pursuant to the Agreement entered into between Customer and Company.
Signature and date: This Annex I shall automatically be deemed executed when Customer agrees to the Agreement.
Role (controller/processor): Controller or Processor, as applicable
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
Name: Spekit Inc.
Address: 3301 Lawrence Street, Suite 1, Denver Colorado 80205 USA
Contact person’s name, position and contact details: Jeffrey R. Madrak, Head of Legal, firstname.lastname@example.org
Activities relevant to the data transferred under these Clauses: Processing to carry out the Services pursuant to the Agreement entered into between Customer and Company.
Signature and date: This Annex I shall automatically be deemed executed when Customer agrees to the Agreement.Role (controller/processor):Controller or Processor, as applicable
В. DESCRIPTION OF PROCESSING/ TRANSFER
EU SCC Module: C2P (Module 2)
Categories of Data Subjects: The personal data transferred may concern the following categories of data subjects set forth in Section 11 of the DPA:
Customer’s end users, employees, agents, contractors, collaborators, prospects, suppliers and subcontractors.
Purpose(s) of the data transfer and further processing/ processing operations: The purpose of the transfer is the performance of the Services pursuant to the Agreement.
Categories of Personal Data: The personal data transferred concerns any category of personal data submitted by Customer to Company pursuant to the Agreement, except for any personal data covered by Section 11 of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: As set forth in Section 11 of the DPA, sensitive data are expressly excluded from the scope of the Services.
Frequency of the transfer: Continuous
Subject matter of the processing: The subject matter of the Processing is Company’s processing of Customer Personal Data to provide the Services pursuant to the Agreement.
Nature and subject matter of the processing: The nature and purpose of the transfer is the performance of the Services pursuant to the Agreement.
Duration of the processing: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.Retention period (or, if not possible to determine, the criteria used to determine the period):For the duration of the Agreement. Upon termination of the Agreement, Customer Personal Data shall be returned or destroyed in accordance with Section 9 of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Where the EU GDPR applies, the supervisory authority is the EU member state in which the Customer (or, if the Customer does not have an establishment in the EU, its representative) is established. Otherwise, if the Customer does not have an EU establishment nor an EU representative, the Irish Data Protection Commission.
Where the UK GDPR applies, the UK Information Commissioner’s Office.