Data Processing Addendum
In this DPA, “Data Protection Legislation” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, which may include, as applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018, sections 1798.100 through 1798.199 of the California Civil Code (“CCPA”), and the Brazilian Federal Law 13,709 (“LGPD”). EU Data Protection Law includes (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) and (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).
In the course of providing the Application Services to Customer pursuant to the Agreement, Superwall may process Customer Personal Data. “Customer Personal Data” means any data which is defined as ‘personal data’ or ‘personal information’ under applicable Data Protection Legislation processed by Superwall pursuant to the Agreement. Superwall agrees to comply with the following provisions with respect to Customer Personal Data. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
By entering into this DPA, Customer instructs Superwall to Process Customer Personal Data: (a) to provide the Application Services in accordance with the features and functionality of the Application Services and related documentation; (b) to enable Customer’s authorized user-initiated actions on and through the Application Services; (c) as set forth in the Agreement and applicable order; and (d) as further documented by written instructions given by Customer. Notwithstanding the foregoing, Superwall will inform Customer promptly if it becomes aware that Customer’s instructions may violate applicable Data Protection Legislation.
Data Processing Terms
The parties agree that Customer is the data controller and that Superwall is its data processor in relation to Customer Personal Data. Customer shall comply at all times with Data Protection Legislation in respect of all Personal Data it provided to Superwall pursuant to the Agreement. The subject matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Superwall’s website or through an order and provided by Superwall to Customer via www.superwall.me, or as additionally described in the Agreement or the DPA. The processing will be carried out for the term of the Agreement or until the term of Customer’s ordering of the Application Services ceases. Further details of the data processing are set out in the following Annexes.
In Paragraphs 1 through 11 below, (a) “data controller”, “data processor”, “Data Subject”, “Personal Data”, “processing”, “Supervisory Authority”, and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable EU Data Protection Law and (b) “Customer Personal Data” shall refer to Customer Personal Data comprising of personal data of data subjects located in the European Economic Area (“EEA).
In respect of Customer Personal Data, Superwall:
- shall process the Customer Personal Data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Superwall from time to time). If Superwall is required to process the personal data for any other purpose provided by applicable law to which it is subject, Superwall will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest
- shall notify Customer without undue delay if, in Superwall's opinion, an instruction for the processing of personal data given by Customer infringes applicable EU Data Protection Law.
- shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of Customer Personal Data which is to be protected. Superwall may make such changes to the Security Measures as Superwall deems necessary or appropriate from time to time, including without limitation to comply with applicable law, provided no such changes will materially reduce the overall level of protection for Customer Personal Data.
- may hire other companies or persons for the purposes of providing the Application Services (“Sub-Processors”), provided that Superwall complies with the provisions of this DPA. Any such Sub-Processors will be permitted to process Customer Data only to deliver the Application Services Superwall has retained them to provide, and they shall be prohibited from using Customer Data for any other purpose. Superwall is not responsible for its Sub-Processors’ compliance with the obligations of this DPA.
- shall take appropriate steps to ensure that all Superwall personnel required to access the Customer Personal Data are informed of the confidential nature of the personal data and comply with the appropriate technical and organizational measures, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate obligations of confidentiality.
- Superwall shall provide information reasonably requested by Customer to demonstrate compliance with the obligations set out in this DPA
- If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in this DPA, shall be deemed to include LGPD Covered Data.
- As used in this Paragraph 13, “Commercial Purpose”, “Consumer”, “Personal Information”, “Sell”, and “Service Provider” have the meanings assigned to them in the CCPA.
- If Customer Data comprises Personal Data subject to the CCPA (“CCPA Covered Data”), Superwall is the Service Provider and, consistent with the requirements of the CCPA, shall not sell the CCPA Covered Data: (i) for any purpose, including any Commercial Purpose, other than for the specific purpose of providing and supporting the Application Services or (ii) outside of the Parties’ direct business relationship. Superwall certifies that it understands these restrictions and will comply with them. Customer acknowledges nothing in this Paragraph removes or lessens Customer’s obligations with respect to Personal Data under the Agreement or this DPA.
- Customer will be responsible for responding to Consumer requests in relation to CCPA Covered Data (each, a “Consumer Request”). If Superwall receives a Consumer Request then, to the extent legally permissible, Superwall will advise the Consumer to submit the Consumer Request to Customer, and Customer agrees that Superwall may confirm to a Consumer that the Consumer Request relates to Customer. To the extent Customer is unable through its use of the Application Services to address a particular Consumer Request, Superwall will, upon Customer’s request and taking into account the nature of the CCPA Covered Data, provide reasonable assistance in addressing the Consumer Request (provided Superwall is legally permitted to do so and that Customer has verified the request in accordance with the CCPA).
Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Customer Data, subject to Superwalls Processing obligations under the Agreement and this DPA; (b) providing any notices required by Data Protection Legislation to, and receiving any required consents and authorizations required by Data Protection Legislation from, persons whose Personal Data may be included in Customer Data; and (c) ensuring no special categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Application Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Application Services or use (or permit others to use) the Application Services other than as described in the applicable Ordering Document, the Agreement and this DPA, or for any unlawful purpose.
Each Party’s (and each of its affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Data Protection Legislation.
Term and Termination
Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement.
LIST OF PARTIES
Name: The Customer entity identified in the Agreement or on an applicable Ordering Document.
Address: The Customer’s address specified on the Ordering Document.
Contact person’s name, position and contact details: The Customer’s contact nominated for receiving notifications, as set forth above in the DPA.
Activities relevant to the data transferred under the Standard Contractual Clauses: The data exporter is a customer of the data importer and utilizing the data importer’s services as described in more detail in the Agreement.
Role (controller/processor): Controller and/or Processor.
Name: Nest 22, Inc.
Address: 2093 PHILADELPHIA PIKE #5307 CLAYMONT, DE 19703
Contact person’s name, position and contact details: Brian Anglin, Chief Technology Officer, [email protected]
Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
Role (controller/processor): Processor.
DESCRIPTION OF THE TRANSFER
Categories of data subjects:
Individuals about whom data is uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries, and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.
Categories of personal data:
The Personal Data transferred may include but is not limited to the following categories of data:
- Any data uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards: Not Applicable.
- Frequency of the transfer:At data exporter’s discretion in using the Application Services, during the term of the Agreement.
- Nature of the processing: Customer Personal Data transferred will be processed in accordance with the Agreement and any Ordering Document, and may be subject to the following basic processing activities:Customer Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions. The data importer processes Personal Data only on behalf of the data exporter. Processing operations include, but are not limited to the provision of the Application Services – this operation relates to all aspects of Personal Data processed. Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Application Services and specifically in answer to a data exporter query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible. URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data. Disclosures in accordance with the Agreement, as compelled by Data Protection Legislation.
- Purpose(s) of the data transfer and further processing: Personal Data is processed for the purposes of providing the Application Services in accordance with the Agreement and any applicable Ordering Document.
- Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained until a deletion request in made by the customer to Superwall.
TECHNICAL AND ORGANIZATIONAL MEASURES
Superwall considers protection of Customer Data a top priority. As further described in this Superwall Information Security Policy, Superwall uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under Superwalls control.
- Customer Data and Management. Superwall limits its personnel’s access to Customer Data as follows:
- Requires unique user access authorization through secure logins and passwords
- Limits the Superwall Data available to Superwall personnel on a “need to know” basis
- Restricts access to Superwall’s production environment by Superwall personnel on the basis of business need
- Encrypts user security credentials for production access
- Prohibits Superwall personnel from storing Customer Data on electronic portable storage devices such as computer laptops, portable drives and other similar devices
- Incident Response. If Superwall becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Superwall will:
- Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure
- Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Superwall is not required to make such notice to the extent prohibited by Laws, and Superwall may delay such notice as requested by law enforcement and/or in light of Superwalls legitimate needs to investigate or remediate the matter before providing notice
- Each notice of a Breach will include:
- The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach
- A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known
- The scope of the Breach, to the extent known
- A description of Superwalls response to the Breach, including steps Superwall has taken to mitigate the harm caused by the Breach
- Business Continuity Management
- Superwall maintains an appropriate business continuity and disaster recovery plan
- Superwall maintains processes to ensure failover redundancy with its systems, networks and data storage
- Personnel Management
- Superwall performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees, in accordance with applicable law
- Upon employee termination, whether voluntary or involuntary, Superwall immediately disables all access to Superwall systems, including Superwall’s physical facilities