Data Processing Addendum
Last Updated: May 7, 2024
This Data Processing Addendum (this “DPA”) is entered into between Reality Defender Inc. (“Provider”) and the counterparty listed in the Agreement (“Customer” or “Controller”). This DPA supplements and is hereby incorporated into any agreement between Provider and Customer pursuant to which Provider provides Services to Customer (“Agreement”). This DPA will be effective as of the earliest effective date of the Agreement (“Effective Date”).
1. DEFINITIONS; CONTROL, CONFLICTS
1.1. Definitions. In addition to terms defined elsewhere in the DPA, capitalized terms are defined in Attachment 1 of this DPA. Capitalized terms used but not defined in this DPA will have the meanings set forth in the Agreement.
1.2. Conflicts. If there is any inconsistency or conflict amongst this DPA, the Agreement, and the EU SCCs, regardless of any language to the contrary in the Agreement, the conflict will be resolved by giving precedence to the documents in the following order: (a) EU SCCs; (b) this DPA; and (c) the Agreement. The provisions of this DPA may not be amended, except by an agreement to specifically amend this DPA in writing signed by Provider and Customer.
2. DATA PROCESSING AND PROTECTION
2.1. Roles. With respect to the Processing of Personal Data: (a) Customer is acting as a Controller; and (b) Provider is acting as Customer’s Service Provider.
2.2. General Use Limitations. To the extent required by Data Protection Law or for Provider’s designation as a Service Provider under applicable Data Protection Law, Provider will not: (a) Process the Personal Data for any purpose other than as a Service Provider on behalf of Customer for the specific purpose of performing the Services for Customer in accordance with this DPA; (b) Process the Personal Data for a commercial purpose other than as necessary to provide the Services to Customer; (c) sell or share (as such terms are defined under the CCPA) any Personal Data; (d) Process the Personal Data outside of the direct business relationship between Provider and Customer; or (e) combine Personal Data with any other personal data or information it collects (directly or via any third party) other than as expressly permitted under Data Protection Law for Service Providers.
2.3. Instructions. To the extent required by Data Protection Law, Provider will Process Personal Data only: (a) in a manner consistent with documented instructions from Customer, including with regard to transfers of Personal Data to a third country, which will include Processing (i) as authorized or permitted under the Agreement, including as specified in Attachment 1 to this DPA, and (ii) consistent with other reasonable instructions of Customer; and (b) as required by Data Protection Law, provided that Provider will, to the extent required by Data Protection Law, inform Customer of the applicable legal requirement before Processing pursuant to such Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Provider by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Provider regarding the Processing of such Personal Data. Customer shall not provide or make available to Provider any Personal Data in violation of the Agreement or Data Protection Law or otherwise inappropriate for the nature of the Services.
2.4. Compliance. In connection with its Processing of any Personal Data as a Service Provider under the Agreement, Provider will comply with all obligations applicable to it as a Service Provider under Data Protection Law and provide the same level of privacy protection as is required by Data Protection Law. If Provider determines that it can no longer meet its obligations under this DPA, or that, in its opinion, an obligation under this DPA infringes a Data Protection Law, Provider will promptly notify Customer. To the extent required by Data Protection Law, Customer reserves the right, upon notice to Provider, to take reasonable and appropriate steps to ensure that Provider uses Personal Data in a manner that is consistent with Customer’s obligations under Data Protection Law.
2.5. Confidentiality. Personal Data will be deemed the confidential information of Customer. Provider will ensure that persons authorized by Provider to Process any Personal Data are subject to appropriate confidentiality obligations.
2.6. Security. Provider will secure Personal Data in accordance with requirements under Data Protection Law and the requirements specified in Attachment 2 to this DPA.
2.7. Return or Disposal. Upon the earlier of any request by Customer or immediately following termination of the Agreement, Provider will (or will enable Customer itself via the Services to) delete or return (and will delete existing copies of) all Personal Data in its possession or control, unless retention of the Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Provider shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Provider believes retention is required by applicable law, Provider will notify Customer.
3. DATA PROCESSING ASSISTANCE
3.1. Data Subjects and Data Subject’s Rights Assistance. Provider will, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s rights (“Data Subject Request(s)”). If Provider receives a Data Subject Request in relation to Customer’s data, Provider will direct the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request. Provider will promptly provide assistance as reasonably requested by Customer (at Customer’s expense) for the fulfilment of Customer’s obligations to respond to such Data Subject Requests. Controller is solely responsible for ensuring that a record of consent to Processing is maintained with respect to each Data Subject.
3.2. Other Compliance Assistance. Where required by applicable Data Protection Law, Provider will provide assistance to Customer as reasonably requested by Customer (at Customer’s expense) to facilitate Customer’s compliance with requirements under Data Protection Law in connection with Provider’s Processing of any Personal Data, including any requirements related to data retention, data minimization, data protection assessments, and consultations with supervisory authorities.
3.3. Personal Data Breach Notice and Assistance. Provider will notify Customer without undue delay after becoming aware of a Personal Data Breach. In any such notice, Provider will include, to the extent the information is reasonably obtainable to it: (a) a description of the Personal Data Breach, including the number and categories of individuals affected, categories and number of records concerned, types of Personal Data affected, likely consequences of the Personal Data Breach, and date and time of such incident, (b) a summary of the incident that caused the Personal Data Breach and any ongoing risks that the Personal Data Breach poses, (c) a description of the measures proposed or taken by Provider to address the Personal Data Breach, (d) any other information required under Data Protection Law, and (e) any other information reasonably requested by Customer relating to the Personal Data Breach. If and solely to the extent it is not possible to provide the above information at the same time, the information may be provided in phases without undue delay. Provider will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any of its notification obligations imposed under Data Protection Law in connection with any Personal Data Breach.
4. AUDITS
Where required by applicable Data Protection Law, Provider will make available to Customer all information necessary to demonstrate compliance with the Technical and Organizational Measures in this DPA. Provider shall permit the Customer (or third-party auditors reasonably acceptable to Provider) to audit Provider's processing of the Personal Data under this Agreement following a Security Incident suffered by Provider, when instructed by a competent data protection authority. Unless otherwise required by a supervisory authority, Customer will provide no less than thirty (30) days' advance notice of its request for any such audit and will cooperate in good faith with Provider to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such audit must be tailored to what is reasonably necessary to verify Provider’s compliance with the Technical and Organizational Measures in this DPA. In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by Provider; (b) comply with reasonable and applicable on-site policies and procedures provided by Provider; and (c) not unreasonably interfere with Provider’s business activities. The results of the audit will be the confidential information of Provider.
5. SUBPROCESSORS
Customer provides Provider with general authorization to use subcontractors to Process Personal Data in connection with the provision of Services to Customer (each, a “Subprocessor”). Provider provides Customer with notice of Subprocessors in existence as of the Effective Date via Attachment 1. Where required by applicable Data Protection Law, Provider will provide Customer with reasonable notice prior to a Subprocessor change. Customer may object to a new Subprocessor based on reasonable grounds relating to protection of Personal Data by providing written notice to Provider within ten (10) calendar days of Provider’s new Subprocessor notice. If Customer objects to a new Subprocessor, Provider will make commercially reasonable efforts to alleviate Customer’s grounds for an objection. Provider will impose equivalent data protection obligations upon any Subprocessor as apply to Provider under this DPA.
6. DATA TRANSFER
6.1. Generally. Any transfer of Personal Data subject to the GDPR (or any Other Country’s Data Protection Law) that is or has been transferred from a member state of the European Economic Area (“EEA”) or any Other Country to any jurisdiction not subject to an adequacy decision from the applicable data protection authority, including any onward transfer of such data, (such processing, collectively a “Transfer”) will be conducted pursuant to Module 2 of EU SCCs, which is hereby incorporated by reference and will be deemed executed by the parties as of the Effective Date and populated pursuant to this Section 6.
6.2. Details for EU SCCs.
6.2.1. For the purposes of the elections in the EU SCCs, the parties elect: (a) to retain Clause 7; (b) option 2 in Clause 9 and specify 10 calendar days as the notice period for additions or replacements of new sub-processors; (c) to omit the optional language in Clause 11(a); (d) option 1 of Clause 17 and to specify the law as indicated in Attachment 1; and (e) for Clause 18(b), to specify the courts in which disputes will be resolved as indicated in Attachment 1;
6.2.2. Any audits required under EU SCCs will be conducted pursuant to Section 4 of this DPA;
6.2.3. Customer will be referred to as the “Data Exporter” or “Exporter” and Provider will be referred to as the “Data Importer” or “Importer” in EU SCCs with details in the Agreement used to complete the relevant company name, contact person details, and address details in the EU SCCs;
6.2.4. Details in Section 2.1, this Section 6, and Attachment 1 of this DPA will be used to complete Annex I of EU SCCs and Tables 1, 2, 3, and 4 of the UK Addendum (as applicable);
6.2.5. Details of Attachment 2 of this DPA will be used to complete Annexes I and II of EU SCCs and Table 3 of the UK Addendum (as applicable); and
6.2.6. For Transfers originating from or relating to individuals in any Other Country:
6.2.6.1. References in EU SCCs to a “Member State” or “EU Member State” will be replaced with references to the applicable Other Country and will not be read to prevent data subjects in the Other Country from suing for their rights in their place of habitual residence;
6.2.6.2. Notwithstanding anything to the contrary in Attachment 1, the competent supervisory authority in Annex I.C under Clause 13 of EU SCCs shall be the local data protection authority of the applicable Other Country (for example, for Switzerland, this shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP); and
Attachment 1: Definitions; Subprocessors; Description of Processing
1. Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below:
“Controller” means a “controller” or “business,” as such terms (or analogous variations thereof) are defined under Data Protection Law, that, alone or jointly with others, determines the purposes for and means of Processing.
“Data Protection Law” means the applicable data protection legislation that applies to the Personal Data Processed by Provider under the Agreement.
“EU SCCs” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the text of which is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en). For purposes of the UK only, references to EU SCCs will be interpreted to mean the standard contractual clauses referenced in the preceding sentence in tandem with the UK Addendum.
“Other Country” means any country other than a country in the EEA in which the applicable data protection authority has approved the use of EU SCCs for data transfers, including Switzerland and the UK.
“Personal Data” means any data Provider Processes in connection with the Services that is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law.
“Personal Data Breach” means any accidental or unlawful destruction, loss, or alteration of Personal Data, or any unauthorized use or disclosure of, or access to, Personal Data where Data Protection Law requires Controller to notify Data Subjects or applicable data protection authorities.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, retaining, adaptation or alteration, retrieval, consultation, use, analysis, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service Provider” means a “service provider” or “processor,” as such terms (or analogous variations thereof) are defined under Data Protection Law, that Processes personal data or information on behalf of another company.
“Services” means the services provided by Provider pursuant to the Agreement, which include deepfake detection, antifraud and misinformation protection services.
“UK Addendum” refers to the UK’s International Data Transfer Addendum, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
2. Description of Processing
(a) Subject Matter, Nature and Purpose: Provider Processes the Personal Data to perform the Services, as further described in the Agreement.
(b) Categories of Data Subjects: Data subjects include the individuals about whom data is provided to data importer via the Services by (or at the discretion of) the data exporter. This may include, but is not limited to, Personal Data relating to the data exporter’s customers and employees.
(c) Types of Personal Data: Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by data exporter. Personal Data submitted to, stored on, or sent via the Services may include, without limitation, the following categories of data: first and last name, title, position, IP addresses, browser user-agent strings, email addresses, user names, passwords, browser and operating system identifiers, and any other personal data that data exporter chooses to send to data importer during the course of data importer’s provision of the Services and technical support.
(d) Duration of Processing: The Processing will continue for the duration of the term of the Agreement.
(e) Retention Period: The Personal Data will be retained for the period of time needed for Provider to complete its obligations under the Agreement.
(f) Safeguards for Sensitive Data/Special Categories of Data (as applicable): The information in Attachment 2 will be used to complete the applied restrictions or safeguards for sensitive data/special categories of data.
(g) Activities Relevant to the Data Transferred (EU SCCs Only): Provider may transfer Personal Data to perform the Services on behalf of Customer, as further described in the Agreement.
(h) Frequency of Transfer (EU SCCs Only): As set forth and for the duration of the Agreement.
3. Competent Supervisory Authority, Governing Law, and Location for Disputes (EU SCCs Only): Ireland
4. Description of Technical and Organizational Measures: The technical and organizational measures implemented by Provider (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, are described in Attachment 2.
5. Approved Subprocessors (if applicable) and Description of Their Processing: Controller acknowledges and agrees that the entities listed below are authorized Subprocessors that may Process Personal Data pursuant to this DPA.
6. Table 4 of the UK Addendum:
☐ Data Importer
☐ Data Exporter
✔ Neither Party
Attachment 2 - Data Security Attachment
• Measures designed for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Measures designed for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Processes designed for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
• Measures designed for user identification and authorization
• Measures designed for the protection of data during transmission
• Measures designed for the protection of data during storage
• Measures designed for ensuring physical security of locations at which personal data are processed
• Measures designed for ensuring events logging
• Measures designed for ensuring system configuration, including default configuration
• Measures designed for internal IT and IT security governance and management
• Measures designed for certification/assurance of processes and products
• Measures designed for ensuring data minimization
• Measures designed for ensuring data quality
• Measures designed for ensuring limited data retention
• Measures designed for ensuring accountability
• Measures designed for allowing data portability and ensuring erasure