Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (together with the Exhibits attached thereto, the “Agreement”) between Traackr, Inc. (“Traackr”) and the entity that has engaged Traackr to provide the Traackr Service (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Traackr and Customer is referred to in this DPA individually as a “party”, collectively the “parties”. By entering into the Agreement, the parties are deemed to have signed all Attachments, Exhibits, Annexes, Schedules, and Appendices to this DPA where applicable.

1. Defined Terms.

  1. “CCPA” means the California Consumer Privacy Act of 2018, together with any regulations promulgated thereunder.
  2. “Customer Data” means any information Processed by Traackr solely on behalf of Customer, including without limitation any EU Personal Data, UK Personal Data, and/or California Personal Data. Customer Data expressly excludes Traackr Influencer Data.
  3. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.
  4. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
  5. “Personal Data” means any information relating to any identified or identifiable individual, household, or device.
  6. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  7. “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and/or Personal Data relating to criminal convictions and offenses.
  8. “UK” means the United Kingdom.
  9. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).
  10. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.
  11. Capitalized terms used but not defined herein shall have the meanings ascribed to them in the Agreement.

2.

To the extent Traackr Processes Personal Data regulated by the GDPR solely on behalf of Customer (excluding, for the avoidance of doubt, any Traackr Influencer Data) (“EU Personal Data”), and to the extent Customer is a controller (as defined in the GDPR) and Traackr is a processor (as defined in the GDPR) on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC (attached hereto as Attachment A, the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Traackr, and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to the EU Personal Data.

3.

To the extent Traackr Processes EU Personal Data, and to the extent Customer is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and Traackr is a processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC (attached hereto as Attachment B, the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Traackr, and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to the EU Personal Data.

4.

To the extent Traackr Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (excluding, for the avoidance of doubt, any Traackr Influencer Data) (“UK Personal Data”), then to the extent required by UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’ (attached hereto as Attachment C, the “UK Data Attachment”) will apply to the transfer of such UK Personal Data by Customer to Traackr, and the parties hereby agree to comply with such UK Data Attachment, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the UK Data Attachment, the UK Data Attachment will control to the extent applicable to the UK Personal Data.

5.

To the extent Traackr Processes Personal Data regulated by the CCPA solely on behalf of Customer (excluding, for the avoidance of doubt, any Traackr Influencer Data) (“California Personal Data”), then to the extent required by the CCPA, the California Data Attachment (attached hereto as Attachment D, the “California Data Attachment”) will apply to Traackr’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Attachment, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Attachment, the California Data Attachment will control to the extent applicable to the California Personal Data.

6.

Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Traackr to lawfully Process Customer Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Customer Data available to Traackr under the Agreement and this DPA; and (iii) Traackr's Processing of the Customer Data in accordance with the Agreement, this DPA, and/or Customer's instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold Traackr harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 6. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 6 shall not be subject to any limitations of liability set forth in the Agreement.

7.

Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Traackr shall have a right to use and disclose data relating to the operation, support and/or use of the Traackr Service for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by, the European Data Protection Laws), then, to the extent Traackr is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Traackr is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the CCPA), then, to the extent Traackr is subject to the CCPA as a business (as defined in the CCPA), Traackr is the business (as defined in the CCPA) with respect to such data and accordingly shall Process such data in accordance with the CCPA.

8.

The parties acknowledge and agree that this DPA does not contemplate that any Sensitive Data will be disclosed or made available or accessible to Traackr by or on behalf of Customer. If Customer intends to disclose Sensitive Data under this DPA or otherwise in connection with the Agreement, Customer will provide prior written notice to Traackr. Customer shall not disclose or otherwise make available or accessible to Traackr any Sensitive Data without Traackr’s prior written consent in each instance.

Attachment A
STANDARD CONTRACTUAL CLAUSES (MODULE 2)
Controller to Processor
SECTION I

Clause 1

Purpose and scope

  1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country.
  2. The Parties:
    (i)  the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
    (ii)  the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

    have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
  3. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
  4. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

(1) Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

Clause 2

Effect and invariability of the Clauses

  1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
  2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

  1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
    (i)     Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    (ii)    Clause 8.1(b), 8.9(a), (c), (d) and (e); 
    (iii)   Clause 9(a), (c), (d) and (e); 
    (iv)   Clause 12(a), (d) and (f);
    (v)    Clause 13;
    (vi)   Clause 15.1(c), (d) and (e);
    (vii)  Clause 16(e);
    (viii) Clause 18(a) and (b).
  2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

  1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

  1. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
  2. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
  3. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

  1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
  2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

  1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
  2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
  4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (2) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)    the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)   the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii)  the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)  the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

(2) The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

8.9 Documentation and compliance

  1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
  2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
  3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
  4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
  5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.