This DATA PROCESSING ADDENDUM (the “DPA”) is an addendum to, and is hereby incorporated into, the Master Agreement between Fiddler Labs, Inc. (“Provider”) and the entity identified in the applicable Order Form (“Customer”), including the Master Terms and other Addenda incorporated therein (collectively, the “Agreement”).
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
- Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
- Applicable Data Protection Laws means European Data Protection Laws and the CCPA, in each case, to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement.
- CCPA means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder.
- Customer Data means information provided or made available to Provider for Processing on Customer’s behalf to perform the Services.
- EEA means the European Economic Area.
- European Data Protection Laws means the GDPR and other data protection laws of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent applicable to the Processing of Personal Data under the Agreement.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.
- Information Security Incident means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
- Personal Data means Customer Data that constitutes “personal data,” “personal information,” or similar information governed by Applicable Data Protection Laws, except that Personal Data does not include such information pertaining to Customer’s business contacts who are Customer personnel where Provider acts as a controller of such information.
- Processing means any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Security Measures has the meaning given in Section 4(a) (Provider’s Security Measures).
- Service has the meaning given in the Agreement and includes the Hosted Services.
- Standard Contractual Clauses means the mandatory provisions of the standard contractual clauses for the transfer of personal data to processors established in third countries in the form set out by European Commission Decision 2010/87/EU.
- Subprocessors means third parties that Provider engages to Process Personal Data in relation to the Service.
- Third Party Subprocessors has the meaning given in Section 5 (Subprocessors) of Annex 1.
- The terms controller, data subject, processor and supervisory authority as used in this DPA have the meanings given in the GDPR.
Duration and Scope of DPA
- This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
- Annex 1 (EU Annex) to this DPA applies only to the Processing of Personal Data subject to European Data Protection Laws. Annex 2 (California Annex) to this DPA applies only to the Processing of Personal Data subject to the CCPA with respect to which Customer is a Business (as defined in CCPA).
- Provider will Process Personal Data only in accordance with Customer’s instructions. By entering into this DPA, Customer instructs Provider to Process Personal Data to provide the Service and to perform its other obligations and exercise its rights under the Agreement, including without limitation to (i) carry out any benefits, rights and obligations relating to the Service; (iii) maintain records relating to the Service; or (iv) comply with any legal or self-regulatory obligations relating to the Service. Customer acknowledges and agrees that Provider may create and derive from Processing related to the Service, anonymized and/or aggregated data that does not identify Customer or any natural person and use, publicize, or share with third parties such data to improve Provider’s products and services and for its other legitimate business purposes.
Data Subject Rights
- Provider’s Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligation under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control. Customer shall compensate Provider for any such assistance at Provider’s then-current professional services rates, which shall be made available to Customer upon request.
- Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will advise the data subject to submit the request to Customer and Customer will be responsible for responding to any such request.
- Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this DPA and the Standard Contractual Clauses if entered into as described in Annex 1, Section 4 (Transfers out of the EEA, Switzerland or United Kingdom) combined will be limited to the limitations on liability or other liability caps agreed to by the parties in the Agreement, subject to Section 7(b) (Liability Cap Exclusions).
- Liability Cap Exclusions. Nothing in Section 7(a) (Liability Cap) will affect any party’s liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by European Data Protection Laws, where applicable.
- Conflict. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern.
- General. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Provider’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.