DITTOLIVE DATA PROCESSING ADDENDUM
This Data Processing Addendum (this "DPA") forms part of the applicable software license, cloud service, or other written or electronic agreement between DittoLive Incorporated ("Ditto") and the Customer (as defined below) (the "Agreement") that includes a link or express reference incorporating this DPA into the terms of the Agreement. This DPA sets forth each party's respective obligations with respect to the processing of Personal Data in connection with the Services provided pursuant to the Agreement. This DPA is effective on the effective date of the Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature. Capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
1. Definitions
In addition to terms defined elsewhere in this DPA, the following terms have the following meanings:
"Anonymous Data" means Personal Data that has been Processed in such a manner that it can no longer be attributed to an identified or identifiable Data Subject and cannot be re-identified, including "aggregate consumer information," as such term is defined in the CPRA or other Applicable Data Laws.
"Applicable Data Laws" means any state, federal, local and/or foreign data protection and privacy laws, rules or regulations that are applicable to the parties' Processing of Personal Data under the Agreement and this DPA, including, but not limited to, (to the extent applicable): (i) EU Data Laws, and (ii) the California Privacy Rights Act, together with any implementing regulations, as may be amended, superseded, or replaced from time to time (collectively, "CPRA").
"Authorized Sub-Processor" means another Processor engaged by Ditto, and who is: (i) a third-party sub-Processor engaged by Ditto as of the effective date of the Agreement, (ii) an Affiliate of Ditto, or (iii) a new third-party sub-Processor engaged by Ditto after the effective date of the Agreement that is authorized by Customer as set forth in Section 5 of this DPA.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable any "business" as defined under the CPRA.
"Customer" means the person or entity identified as the "Customer" in the Agreement.
"Customer Personal Data" means Personal Data specified in Annex A to this DPA which Ditto Processes on behalf of Customer in connection with the provision of the Services.
"Data Subject" means an identified or identifiable person to whom Personal Data relates, including as applicable any "consumer" as defined under the CPRA or other Applicable Data Laws.
"Data Subject Request" means a request by a Data Subject to exercise any of the Data Subject's rights provided for under Applicable Data Laws, including, but not limited to, the right of: access, rectification, restriction of Processing, erasure, data portability, restriction of or objection to Processing, withdrawal of consent to Processing, or objection to being subject to Processing that constitutes automated decision-making.
"De-Identified Data" has the meaning provided for under the relevant Applicable Data Law.
"EU Data Laws" means, individually and collectively, the laws of the European Union, the European Economic Area, their member states, and the United Kingdom, including, but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 ("GDPR"), the UK Data Protection Act 2018, the Swiss Federal Data Protection Act or any other applicable data protection laws, rules or regulations of Switzerland ("Swiss Data Laws"), and the EU e-Privacy Directive (Directive 2002/58/EC), each as applicable and as amended, repealed, consolidated or replaced from time to time.
"Instruction" means a direction or instruction with respect to the Processing of Customer Personal Data, either in writing, in textual form (e.g., by e-mail) or by using a software or online tool, issued by or on behalf of Customer to Ditto.
"Personal Data" means information defined as personal data, personal information, or a similar term by Applicable Data Laws, and any other information that identifies, relates to, describes, or is capable of being associated with, directly or indirectly, an individual or household. Personal Data does not include Anonymous Data and/or De-Identified Data, as provided for under Applicable Data Law.
"Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to unencrypted Personal Data.
"Process" or "Processing" means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
"Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, including, as applicable, any "service provider" as defined under the CPRA or other Applicable Data Laws.
"Services" means all services provided by Ditto to Customer as specified under the terms of the Agreement and an Order Form and may include Support, the Cloud Service, Managed Services, and other services.
"Standard Contractual Clauses" has the meaning given to such term in Section 10.1 of this DPA.
"Supervisory Authority" means an independent public authority which is established by a member state of the European Economic Area and the United Kingdom.
2. Term of DPA
Unless earlier terminated as set forth in this DPA or the Agreement, this DPA shall commence as of the Effective Date and continue for the duration of the Agreement.
3. Roles of the Parties
The parties acknowledge and confirm that with respect to the Processing of Customer Personal Data, Customer is the Controller or Processor, and Ditto is the Processor.
4. Processing Activities
4.1. Customer Processing Obligations
The rights and obligations of the Customer with respect to the Processing of Customer Personal Data are described herein. Customer shall, in its use of the Services, at all times Process Customer Personal Data, and provide Instructions for the Processing of Customer Personal Data, in compliance with the Applicable Data Laws. Customer shall ensure that its Instructions comply with all laws, rules and regulations applicable in relation to the Customer Personal Data, and that the Processing of Customer Personal Data in accordance with Customer's Instructions shall not cause Ditto to be in breach of the Applicable Data Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to Ditto by or on behalf of Customer, (ii) the means by which Customer acquired any such Customer Personal Data, and (iii) the Instructions it provides to Ditto regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to Ditto any Customer Personal Data other than as specified in Annex A hereto, unless otherwise mutually agreed upon in writing by the parties.
To the extent required by Applicable Data Laws, Customer is responsible for ensuring that any necessary Data Subject consents to this Processing are obtained and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the Data Subject, Customer shall promptly notify Ditto of such revocation.
Where Customer is a Processor, Customer warrants that its Processing Instructions as set out in the Agreement and this DPA, including its authorizations to Ditto for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from Ditto to the relevant Controller where appropriate.
4.2. Customer Affiliate Controllers
Where an Affiliate of Customer is the Controller over any Customer Personal Data processed by Ditto under this DPA, Customer shall ensure that any relevant Affiliate complies with the obligations of Customer under the Applicable Data Laws and this DPA in respect of such Customer Personal Data. Customer shall remain responsible for its Affiliates' performance under this DPA.
4.3. Ditto Processing Obligations
Ditto shall treat Customer Personal Data as Confidential Information and shall Process Customer Personal Data on behalf of and only in accordance with Customer's Instructions for the following purposes: (i) Processing in accordance with the Agreement, any applicable Statement(s) of Work, and this DPA, including Annex A hereto, including, as necessary to perform the Services; and (ii) Processing initiated by or on behalf of Customer in the use of the Services. Customer hereby instructs Ditto to Process Customer Personal Data in accordance with the foregoing. If Ditto is unable to Process Customer Personal Data pursuant to the Instructions due to legal requirements under applicable laws, Ditto will inform the Customer of that legal requirement before Processing, unless otherwise prohibited by Applicable Data Laws. Ditto agrees to promptly inform the Customer if, in its reasonable opinion, an Instruction infringes any Applicable Data Laws. In such case, Ditto will cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as the Customer issues new Instructions with which Ditto is able to comply, and Ditto shall not be liable to Customer under the Agreement for failure to perform the Services until such time as Customer issues such Instructions.
4.4. Details of Processing
The subject matter, nature, purpose, and duration of Processing, as well as the types of Customer Personal Data and categories of Data Subjects that may be Processed by Ditto, are described in Annex A hereto.
4.5. Security Measures
Ditto shall implement and maintain industry-standard technical and organizational security measures that are reasonably designed to prevent unauthorized access to and disclosure of Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Ditto's Processing of Customer Personal Data as well as the risks to individuals, including, but not limited to, those measures set forth on Annex B hereto.
Without prejudice to Ditto's obligations under this DPA, and elsewhere in the Agreement, Customer is responsible for its secure use of the Services, including, without limitation: (i) protecting account authentication credentials; (ii) protecting the security of Customer Personal Data using third party tools not operated or controlled by Ditto when in transit to and from the Services; (iii) implementing measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and (iv) taking any appropriate steps to securely encrypt or pseudonymize any Customer Personal Data uploaded to the Services.
For the avoidance of doubt, where Customer has purchased Managed Services pursuant to which the Cloud Service will be hosted in a Customer-controlled cloud environment: (1) Customer is responsible for the security of the Customer's cloud environment, and for implementing and maintaining industry-standard technical and organizational security measures to protect Customer Personal Data Processed by Customer through the Cloud Service; and (2) Ditto agrees to comply with Customer's security and IT policies that have been provided by Customer to Ditto while performing the Managed Services.
4.6. Ditto Personnel
Ditto shall ensure that all employees, contractors and personnel (collectively, "Personnel") that have access to Customer Personal Data are made aware of the confidential nature of Customer Personal Data and have executed confidentiality agreements with, or are otherwise bound by, confidentiality obligations at least as protective as those herein. Ditto shall remain responsible and liable for its Personnel's performance under, and compliance with, this DPA.
4.7. Deletion and Return
Following completion of the Services, Ditto will delete the Customer Personal Data in accordance with the provisions of the Agreement, except as required to be retained by the Applicable Data Laws or other applicable laws.
4.8. Disclosure Requests
If Ditto receives any order, demand, warrant, or any other document requesting or purporting to compel the production of Personal Data Processed on behalf of Customer ("Disclosure Request"), Ditto will notify Customer without undue delay, except to the extent otherwise required by laws applicable to Ditto. Ditto will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of the Personal Data and will cooperate with Customer upon Customer's reasonable request, with respect to any action taken in response to a Disclosure Request, to the extent it is commercially reasonable for Ditto to do so.
4.9. CPRA Processing
To the extent Ditto's Processing of Customer Personal Data is subject to the CPRA, Ditto shall not (1) retain, use, or disclose Customer Personal Data for any purpose (commercial or otherwise) other than the business purposes expressly stated in this DPA or outside the direct business relationship between Customer and Ditto, unless expressly permitted in the CPRA; (2) "sell" or "share" Customer Personal Data, as such terms are defined under the CPRA; or (3) combine the Customer Personal Data received with Personal Data received from another business or that Ditto collects itself (unless such combination is necessary for certain business purposes identified in the CPRA).
5. Engaging Sub-Processors
5.1. General Authorization
Customer acknowledges and agrees that Ditto may engage Authorized Sub-Processors to Process Customer Personal Data in connection with the Services. Ditto's current list of Sub-Processors will be provided to Customer upon Customer's written request.
5.2. New Engagements
Ditto will provide Customer reasonable prior notice, as required under Applicable Data Laws, before enabling any additional third-party Sub-Processors (other than Authorized Sub-Processors) to Process any Customer Personal Data in connection with the provision of the Services; Ditto will notify Customer of such updates via email. Customer may object to the use of such third-party Sub-Processor in writing within 10 days of Customer's receipt of the notice.
If Customer reasonably objects to an engagement in accordance with this Section 5.2 of this DPA, Ditto may provide Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Ditto does not provide or is unable to make available any such alternative(s) within a reasonable period of time (which shall not exceed 30 days), or if Customer does not agree to any such alternative(s), either party may terminate this DPA and the Agreement, without penalty, upon written notice to the other party, in which case Ditto will refund Customer any prepaid and unused fees covering the remainder of the Service Term of any then-current Statement(s) of Work following the effective date of termination.
If Customer does not object to the engagement of a third-party Sub-Processor in accordance with this Section 5.2 of this DPA within 10 days of notice by Ditto, that third-party Sub-Processor shall be deemed an Authorized Sub-Processor for the purposes of this DPA.
5.3. Subprocessor Responsibility
Each Authorized Sub-Processor shall be bound by a written agreement which subjects the Authorized Sub-Processor to obligations regarding the Processing of Customer Personal Data that are no less protective than those to which Ditto is subject under this DPA and to the extent applicable to the nature of the services provided by the Sub-Processors. Ditto shall remain responsible and liable for its Authorized Sub-Processors' performance under, and compliance with, this DPA.
6. Security Incidents
Ditto will inform Customer without unreasonable delay (but in no event, less than 48 hours), as soon as it has become aware of a Security Breach involving Customer Personal Data (a "Customer Security Incident"). Ditto will provide all reasonable information in Ditto's possession concerning such Customer Security Incident insofar as it affects Customer, including the following, to the extent then known: (i) the possible cause and consequences for the Data Subjects of the Customer Security Incident; (ii) the categories of Customer Personal Data involved; (iii) a summary of the possible consequences for the relevant Data Subjects; (iv) a summary of the unauthorized recipients of the Customer Personal Data; and (v) the measures taken by Ditto to mitigate any damage. Ditto will use reasonable efforts to provide Customer updates of further developments concerning a Customer Security Incident.
7. Data Subjects Requests
As between the parties, Customer is responsible for handling and responding to all Data Subject Requests relating to Customer Personal Data under Applicable Data Laws, including, but not limited to, communicating with the Data Subject who is the subject of the applicable Data Subject Request. If Ditto receives a Data Subject Request in relation to Customer Personal Data, Ditto will (i) promptly notify Customer of the request and provide a copy of the request to Customer; and (ii) advise the Data Subject to submit their request to Customer. Ditto will use commercially reasonable efforts to assist Customer with responding to any such request upon Customer's written request for assistance; provided that, (i) Customer is itself unable to respond without Ditto's assistance and (ii) Ditto is able to do so in accordance with all applicable laws, rules, and regulations, including any Applicable Data Laws.
8. Compliance Assistance
Ditto shall, taking into account the nature of the Processing and the information available to Ditto, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with obligations applicable to it under the Applicable Data Laws, including, but not limited to: (i) any requirements to conduct a data protection or transfer impact assessment, provided that Customer does not otherwise have access to the relevant information, or (ii) Customer's cooperation or prior consultation with any Supervisory Authority, where necessary or where required by the Applicable Data Laws.
Ditto shall be entitled to be reimbursed by Customer, to the extent legally permitted, for reasonable costs and expenses actually incurred by Ditto in Ditto's performance of its obligations under Sections 7 and 8 of this DPA.
9. Audits
During the Term, upon prior written request by Customer (not less than 30 days), Ditto shall cooperate and within a reasonable time provide Customer with: (i) a summary of the audit reports available to Ditto that demonstrate Ditto's material compliance with its obligations under Applicable Data Laws and this DPA with respect to Customer Personal Data, after redacting any confidential and commercially sensitive information; and (ii) confirmation that such audit has not revealed any material vulnerability in Ditto's systems, or to the extent that any such vulnerability was revealed, that Ditto has taken steps to remediate such vulnerability (collectively, the "Audit Report"). If the above measures are insufficient to confirm Ditto's material compliance with Applicable Data Laws or this DPA with respect to Customer Personal Data, then subject to Ditto's reasonable confidentiality and security procedures, Ditto will permit Customer, or an independent third party auditor that is mutually agreed upon by the parties, at Customer's sole cost and expense, to audit Ditto's data protection compliance program ("Customer Audit"). Any Customer Audit must be conducted during Ditto's normal business hours, and the parties must mutually agree upon the scope, timing, and duration of a Customer Audit in advance of a Customer Audit. In addition, Customer acknowledges that Ditto operates a multi-tenant cloud environment. Accordingly, Ditto shall have the right to reasonably adapt the scope of any Customer Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of Ditto's other customers' information.
The Audit Reports and results of any Customer Audit, which may include the results of any written reports in connection with a Customer Audit, shall be deemed Ditto's Confidential Information. Customer may only request an Audit Report (and any related Customer Audit) once per consecutive 12 month period; provided that, in the event of a Customer Security Incident, Customer may request a supplementary Audit Report, and if applicable a Customer Audit, in accordance with this Section.
10. Transfers of EU Personal Data
10.1. Transfer Mechanism -- SCCs
For any transfers of Customer Personal Data to Ditto subject to EU Data Protection Law ("EU Personal Data") to countries (or territories or sectors within a country) or international organizations which do not benefit from an adequacy decision under EU Data Protection Law, the parties hereby agree to, and incorporate herein, the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) ("Standard Contractual Clauses"). The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA.
10.2. Operative Provisions and Additional Terms
Module: Module Two shall apply where Customer is the Controller, and Module Three shall apply where Customer is the Processor.
Docking: In Clause 7 of the Standard Contractual Clauses the optional docking clause shall not apply.
Instructions and Notifications: For the purposes of Clause 8.1(a) of the Standard Contractual Clauses, the instructions by Customer to Process Personal Data are set out in Section 4.3 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services. In addition, where Module Three applies, for the purposes of Clause 8.1(a) of the Standard Contractual Clauses, Customer hereby informs Ditto that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer shall be solely responsible for forwarding any notifications received from Ditto to the relevant Controller where appropriate.
Certification and Deletion: The parties agree that Ditto will provide the certification of deletion of Customer Personal Data that is described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses to Customer only upon Customer's written request.
Security of Processing: For the purposes of Clause 8.6(c) of the Standard Contractual Clauses, personal data breaches will be handled in accordance with Section 6 of this DPA. In addition, where Module Three applies, for the purposes of Clause 8.6(c) and (d) of the Standard Contractual Clauses, Ditto shall provide notification of a personal data breach concerning Personal Data Processed by Ditto to Customer.
Documentation and Compliance -- Module Three: For the purposes of Clause 8.9 of the Standard Contractual Clauses, all enquiries from the relevant Controller shall be provided to Ditto by Customer. If Ditto receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
Audits: The parties agree that the audits described in Clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 9 of this DPA.
Subprocessors: In Clause 9 of the Standard Contractual Clauses (Use of sub-processors), Option 2 will apply and the time period for prior notice of subprocessor change shall be as set forth in Section 5.2 of this DPA. The parties agree that: (i) the authorizations in Section 5.1 of this DPA shall constitute Customer's prior written consent to Ditto's subcontracting the Processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses; and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Ditto to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Ditto beforehand, and that such copies will be provided by Ditto only upon request by Customer.
Data Subject Rights -- Module Three: For the purposes of Clause 10 of the Standard Contractual Clauses and subject to Section 7 of this DPA, Ditto shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed), but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
Complaints -- Redress: For the purposes of Clause 11 of the Standard Contractual Clauses, and subject to Section 7 of this DPA, Ditto shall inform data subjects on its website of a contact point authorized to handle complaints. The optional language in Clause 11(a) of the Standard Contractual Clauses shall not apply.
Government Requests: For the purposes of Clause 15(1)(a) of the Standard Contractual Clauses, Ditto shall notify Customer (only) and not the Data Subject(s) in case of government access requests and Customer shall be solely responsible for promptly notifying the affected Data Subjects as necessary.
Liability: Ditto's liability under Clause 12(b) of the Standard Contractual Clauses shall be limited to any damage caused by its Processing where Ditto has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.
Governing Law: In Clause 17 of the Standard Contractual Clauses, Option 1 will apply, and the member state will be Ireland.
Choice of Forum/Jurisdiction: In Clause 18 of the Standard Contractual Clauses, the member state will be Ireland.
Appendix:
- Annex I is completed as follows:
  - List of Parties: Customer is the data exporter and Ditto is the data importer. The address, contact details and activities relevant to the transfer for the data exporter and data importer are set out in the Agreement and this DPA. By signing the Agreement, the data exporter and data importer will be deemed to have signed Annex I.
  - Description of Transfer: The required information is set out in Annex A hereto.
  - Competent Supervisory Authority: The data exporter's competent supervisory authority will be determined in accordance with EU Data Protection Law.
- Annex II is completed as follows: The required information is set out in Annex B hereto.
10.3. UK Addendum
Where applicable, the parties agree to and incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf ("UK Addendum").
- Table 1 is completed using the information set out in "List of Parties" above.
- Table 2 is completed using the version of the Standard Contractual Clauses available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and the relevant information set out in Section 10.2 of this DPA.
- Table 3 is completed using the information set out in "List of Parties" and "Description of Transfer" above and in Annex A.
- Table 4 is completed so that either the data importer or data exporter may end the UK Addendum when the approved UK Addendum changes.
10.4. Data Exports from Switzerland
For data transfers where Customer is established in Switzerland or falls within the territorial scope of application of Swiss Data Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Laws until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the Standard Contractual Clauses to GDPR or EU or other applicable EU Data Laws shall have the same meaning as the equivalent reference in Swiss Data Laws.
10.5. Conflicts
The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to EU Personal Data.
11. Amendments to this DPA
Notwithstanding any provisions to the contrary in this DPA, if any change in Applicable Data Laws may require or result in any variation to this DPA, Ditto shall modify this DPA as necessary to incorporate such change(s) and provide a copy of the modified DPA to Customer. Customer shall notify Ditto of any objection to such modifications of the DPA within 30 days of Ditto's delivery of such modified DPA to Customer. If Ditto does not receive any objection from Customer within this 30 day period, Customer shall be deemed to have accepted such modifications and such modifications shall become binding and enforceable as part of this DPA. Should Customer submit objections to Ditto within the above-referenced 30 days, Customer and Ditto agree to discuss and negotiate in good faith any such necessary modifications to this DPA to address the changes with a view to agreeing and implementing modifications as mutually agreeable to both Customer and Ditto as soon as is reasonably practicable but no later than 30 days following Ditto's receipt of Customer's objections. If Customer and Ditto are unable to reach agreement on modifications to this DPA within such 30 day time period and do not mutually agree in writing to extend the negotiation period prior to expiration of such 30 day period, either party may terminate the Agreement upon written notice to the other party, and Ditto will issue a pro rata refund for any Fees paid and unused under any then-current Statement(s) of Work corresponding to the time period between the effective date of termination and the expiration of the Agreement.
Except as stated above or as otherwise expressly set forth in this DPA, this DPA may be modified or amended only in writing signed by both Ditto and Customer.
12. Order of Precedence
In the event of any conflict between this DPA and the Agreement or any Statement(s) of Work, the following order of precedence shall apply (in descending order): (1) this DPA, (2) the Agreement, and (3) the Statement of Work. There shall be no force or effect to any different terms of any related statement of work, purchase order, online terms of service, or similar form even if signed by the parties after the Effective Date. For the avoidance of doubt, each party's liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.
13. Governing Law
This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Laws.
14. Severability
Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX A
Details of Processing
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
The Data Exporter is the Customer, as identified in the Agreement and the DPA.
Data Exporter's name, address, and contact person information shall be as set out under the Agreement and the DPA.
Activities relevant to the data transferred under these Clauses: Transferring and otherwise Processing the Customer Personal Data identified and described in this Annex A related to receipt of the Services described in the Agreement.
Signature and date: The Data Exporter's signature to the Agreement shall constitute the signature for the Standard Contractual Clauses, including Annex I. The date shall be the DPA Effective Date.
Role (controller/processor): For purposes of Module 2 of the Standard Contractual Clauses, Data Exporter is the Data Controller. For purposes of Module 3 of the Standard Contractual Clauses, Data Exporter is a Data Processor.
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Data Importer is DittoLive Incorporated.
Data Importer's name, address, and contact person information shall be as set out under the Agreement and the DPA.
Activities relevant to the data transferred under these Clauses: Processing related to the Services, as described in the Agreement between Data Exporter and Data Importer, including the DPA.
Signature and date: The Data Importer's signature to the Agreement shall constitute the signature for the Standard Contractual Clauses, including Annex I. The date shall be the DPA Effective Date.
Role (controller/processor): For purposes of Module 2 and Module 3 of the Standard Contractual Clauses, Data Importer is a Data Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects & personal data transferred
| Service Offering | Categories of Data Subjects | Categories of Personal Data |
|---|---|---|
| Ditto SDK | Data Exporter's internal business contacts ("Business Contacts"); Data Exporter's end users of the Services (employees, contractors, personnel, and customers, who are natural persons) ("End Users") | Contact data such as name and email address ("Contact Data") |
| Ditto Hosted Cloud Service | Business Contacts; End Users | Contact Data; identifiers for End Users, such as user ID and IP address; usage analytics and activity data ("Usage Data"); content of messages and communications transmitted by End Users through the Cloud Service ("Communications") |
| Managed Services (Cloud Service hosted in a Customer-controlled cloud environment) | Business Contacts; End Users | Contact Data; Usage Data |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
None, unless otherwise specified on the applicable Order Form, in which case, any additional restrictions or safeguards applicable to Data Importer's Processing shall be as specified in the applicable Order Form.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous while using the Services.
Nature of the processing
Data Importer will Process the Personal Data as necessary to perform the Services pursuant to the Agreement, including the DPA.
Purpose(s) of the data transfer and further processing
The provision of the Services to Customer pursuant to the Agreement, including the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data will be retained for the duration of the Agreement between Data Exporter and Data Importer or for the duration specified under Applicable Data Laws or other applicable laws.
For transfers to (sub-) processors, also specify the subject matter, nature and duration of the processing
Sub-processors Process Personal Data for purposes of providing services to Data Importer pursuant to the DPA.
Sub-processors Process Personal Data for the duration of the agreement between the Data Importer and Sub-processor, unless otherwise agreed with such Sub-processor in writing.
C. COMPETENT SUPERVISORY AUTHORITY
As set forth in Section 10.2 of the DPA.
ANNEX B
Technical and Organisational Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Ditto's Processing, as well as the risks to individuals, Ditto will implement and maintain the following industry-standard technical and organizational security measures:
1. Physical Access Controls
Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security). The Cloud Service is hosted by Ditto in AWS. Physical access control with respect to the Cloud Service is provided by AWS and is addressed in section 1.2.1 Physical Access Controls of the AWS Data Processing Addendum.
2. Electronic Access Controls
The AWS Shared Responsibility Model ensures that there is no unauthorized access to data processing and storage systems utilized by Ditto through AWS. AWS also provides encryption of all data carriers and storage media.
3. Internal Access Controls
A role-based access control approach is used for ensuring access to read/copy/modify/remove data is allowed only to users who have been granted access to do so. The organization follows the principle of least privilege for granting access to users and administrators. Access requests follow a formal, documented, and audited process.
4. Isolation Controls
Logical separation of data is employed for isolation among tenants. Company data are processed separately from customer data. Production and testing environments are separated and organizational controls are in place to ensure that data does not flow between them.
5. Data Transfer Controls
All data are encrypted in transport using TLS 1.2+. AWS Session Manager is used to access internal systems. All data are encrypted at rest. Unauthorized access attempts are logged and reviewed.
6. Data Entry Controls
Changes to data in the system are logged and traceable to the individual user performing the action. Strict authorization controls are used to determine which users are authorized to enter, change, and delete data. Data destruction responsibilities are clearly defined and communicated and access follows the principle of least privilege.
7. Availability and Recovery Controls
Data center protections such as fire and smoke detection systems, environmental monitoring, power redundancy, and protections from hardware failure are provided by AWS under the Shared Responsibility Model. The organization makes use of AWS services for frequent backup of critical data and systems. These backups are also replicated to a secondary AWS region for additional availability in the event of a catastrophic failure. Regular data recovery tests are conducted as part of our Business Continuity Plan testing.
Rapid recovery of hardware, infrastructure, and internet access is ensured by AWS as part of the Shared Responsibility Model. The organization ensures its ability to rapidly recover by regularly reviewing backup logs and conducting Business Continuity test exercises at least annually.
8. Data Protection Management; Training
A Data Protection Officer (DPO) is appointed by the organization. All employees are trained on proper data handling and protection. They are also bound by confidentiality agreements. A process is in place to handle and track information requests from data subjects. Regular awareness training is provided to all staff at least annually.
9. Incident Response Management
Multiple layers of security are used to help identify, research, and respond to incidents. The application is covered by a Web Application Firewall (WAF), Intrusion Detection System (IDS), and firewalls to reduce unwanted traffic. A formal process for responding to incidents and data breaches is established and regularly tested.
10. Data Protection by Design and Default; Assessments
Data protection and security settings are enabled by default. Quarterly vulnerability scanning of the external network surface is conducted, and any issues are remediated according to a formal process outlined in policy. Applications undergo penetration testing by a qualified third party, which includes manual testing by an appropriately skilled tester. These tests are conducted at least annually.