(Last Updated on: March 2021)
WHEREAS, pursuant to the Terms of Service, Sighteer Ltd. (the “Company”) provides the user of the Services (the “Customer”) access to use the Services;
WHEREAS, the Service involves processing certain personal data of employees and other data subjects of Customer, and the Parties wish to regulate Company’s processing of such personal data, through this Data Processing Addendum (“DPA”).
THEREFORE, the Parties have agreed as follows:
1. The following terms shall have the following meaning:
1.1. “Customer’s Personal Data” means personal data of the users of the Service on behalf of Customer.
1.2. “Output Data” means the various reports, alerts, analytics, recommendations, notices, and other types of information and data that the Service may generate, provide or make available to Customer.
1.3. “Service Data” means the data collected and processed in the course of providing the Service, about the use of the Service, including de-identified data, bandwidth utilization, and statistical or aggregated information about Customer’s use of the Service and all pertinent information at Customer’s disposal concerning bugs, errors and malfunctions in the Service, performance of the Service, its compatibility and interoperability.
1.4. “Customer’s Data” means Customer’s Personal Data, Service Data and Output Data collectively.
2. Customer acknowledges and agrees that the Company may collect and process Customer’s Personal Data for the provision of the Services. Where Customer’s Personal Data is subject to the EU General Data Protection Regulation (the “GDPR”) or to the California Consumer Privacy Act of 2018 (the “CCPA”), the Company shall process such Consumer Personal Data in accordance with its DPA.
3. Customer further acknowledges and agrees that Company will handle and use (by itself or by using trusted third-party service providers such as cloud service providers) the Customer’s Service Data, Output Data and Feedback as follows:
3.1. To provide the Services to Customer, conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;
3.2. To conduct analysis or generate metrics related to the Services;
3.3. For commercial and marketing purposes, publication of case studies and white papers (only in a form not identifying the Customer or its users);
3.4. To bill and collect fees, enforce these Terms and take any action in any case of dispute, or legal proceeding of any kind involving Customer with respect to the Services;
3.5. To prevent fraud, misappropriation, infringements, and other illegal activities and misuse of the Services;
3.6. To develop new products and services, for research and testing and for any other purpose.
Customer will not be entitled to any remuneration from Company for all such uses.
4. Customer hereby states that it has obtained, and will maintain valid while using the Services, any and all authorizations, permissions and informed consents, including those of individuals about whom the Services may process personal data or personally identifiable information, as may be necessary under the law (including, the data protection laws and regulations), to allow Company to lawfully collect, handle, retain, process and use such data in the manners and for the purposes of this engagement. Subject to Company’s compliance with its obligations in this DPA, Customer shall defend, indemnify and hold harmless Company and its directors, officers, employees, and vendors, upon Company’s request and at Customer’s expense, from, and against, any damages, loss, costs, expenses and payments, including reasonable attorney’s fees and legal expenses, arising from Customer’s breach of the foregoing statement.
5. Customer commissions, authorizes and requests that Company provide Customer the Service, which involves Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), referred to as “Data Protection Law”).
The terms “Processor”, “Controller”, “Personal Data”, “Data Subject”, “Process”, “Personal Data Breach” and any other capitalized terms not expressly defined in this DPA or in the Terms shall have the meaning ascribed to them in Data Protection Law.
6. The subject matter and purposes of the Processing activities are the provision of the Service, including maintenance, support, enhancement and deployment of the same. The Personal Data Processed may include, without limitation:
6.1. Names, titles and contact information of Customer’s employees, agents and anyone on Customer’s behalf who is authorized to use the Services.
6.2. Personal Data included in the content Customer uploads to the Services.
7. The Data Subjects about whom Personal Data is Processed are:
7.1. Customer’s employees, agents and anyone on Customer’s behalf who is authorized to use the Services;
7.2. Individuals whose Personal Data is included in the content uploaded to the Service.
8. Customer and Company are each responsible for complying with the Data Protection Law applicable to them in their roles as Controller and Processor, respectively. With respect to those activities of Company as a Processor, Company will Process the Personal Data only as set forth in this DPA or as per Customer’s documented instructions, only on Customer’s behalf and for as long as Customer instructs Company to do so.
9. Customer shall at a minimum –
9.1. Substantiate the legal basis of and legitimize the Processing of Personal Data through the Service, as necessary under Data Protection Law. Customer may only use the Service to process personal data pursuant to a recognized and applicable lawful basis under Data Protection Law, such as (by way of example only) consent or legitimate interest.
10. With respect to those activities of Company as a Processor, Company will Process the Personal Data only on documented instructions from Customer, unless Company is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Company shall immediately inform Customer if, in Company’s opinion, an instruction is in violation of Data Protection Law.
11. Customer is solely responsible for determining the lawfulness of the data Processing instructions it provides to Company and shall provide Company only instructions that are lawful under Data Protection Law.
12. Company will follow Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Company will pass on to Customer requests that it receives from Data Subjects regarding their Personal Data Processed by Company.
13. Additional instructions of the Customer outside the scope of the Service’s control and configuration options require prior and separate agreement between Customer and Company, including agreement on additional fees (if any) payable to Company for executing such instructions.
14. Customer acknowledges and agrees that Company uses the sub-processors listed below to Process Personal Data:
14.1. Microsoft Corporation
14.2. Google, Inc.
14.3. MIXPANEL, Inc.
15. Customer authorizes Company to engage another sub-processor for carrying out specific processing activities of the Service, provided that Company informs Customer at least 14 days in advance of any new or substitute sub-processor, such as by posting an updated DPA on its website, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Customer so objects, and Company notifies Customer in writing that it nevertheless opts to use that new or replaced sub-processor, then Customer may terminate the Services for convenience, without liability to Company for such premature termination.
16. Company and its sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Model Clauses). To this end, Customer authorizes Company to enter on Customer’s behalf into Model Clauses agreements with sub-processors.
17. Company will procure that the sub-processors Process the Personal Data in a manner consistent with Company’s obligations under this DPA and Data Protection Law, particularly Article 28 of the GDPR, with such obligations imposed on that sub-processor by way of law or contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
18. In Processing Personal Data, Company will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.
19. Company will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
20. Company shall provide Customer with all information necessary and will allow for and contribute to audits, including carrying out inspections on Company’s business premises conducted by Customer or another auditor mandated by Customer during normal business hours and subject to a prior notice to Company of at least 30 days as well as appropriate confidentiality undertakings by Customer covering such inspections and in order to establish Company’s compliance with its obligations under this DPA and Data Protection Law as regards the Personal Data that Company processes on behalf of Customer. If such audits entail material costs or expenses to Company, the parties shall first come to agreement on Customer’s reimbursement to Company for such costs and expenses.
21. Company shall without undue delay notify Customer of any Personal Data Breach that it becomes aware of regarding Personal Data of Data Subjects that Company Processes. Company will use commercial efforts to mitigate the breach and prevent its recurrence. Customer and Company will cooperate in good faith on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.
22. Company will assist Customer with the eventual preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Company, the parties shall first come to agreement on Customer reimbursing Company for such costs and expenses.
23. Company will provide Customer prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Customer’s behalf, so that Customer may contest or attempt to limit the scope of production or disclosure request, unless Company is prohibited by law from providing this notice.
24. In the event that Customer’s Personal Information processed by Company is subject to the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §1798.140, the following will apply (any capitalized terms in this Section that were not defined in this Addendum shall have the meaning ascribed to them in the CCPA):
24.1. The Parties acknowledge and agree that Company is a Service Provider.
24.2. Company is prohibited from retaining, using or disclosing Customer’s Personal Information for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide, the technical support for Company’s product and/or services or as otherwise permitted under 11 CCR §999.314(c); (b) Selling the Customer’s Personal Information; and (c) retaining, using or disclosing the Customer’s Personal Information outside of the direct business relationship between the parties, except as permitted under 11 CCR §999.314(c).
24.3. If Company receives a request from a California Consumer of the Customer, about his or her Personal Information, Company shall not comply with the request itself, shall inform the Consumer that Company is merely a Service Provider that follows Customer’s instruction, and shall inform the Consumer that they should submit the request directly to the Customer and provide the Consumer with the Customer’s contact information.
24.4. Section 10 shall not apply to the processing of Customer’s Personal Information that is subject only to the CCPA and not to any other Data Protection Law. Any other terms in this DPA will apply to Company’s Processing of Customer’s Personal Information, mutatis mutandis.
25. All notices required or contemplated under this Addendum to be sent by Company will be sent either by electronic mail to Customer to the email address that Company has on file for the Customer’s main contact person.
26. Upon Customer’s request, Company will delete the Personal Data it has Processed on Customer’s behalf under this DPA from its own and its sub-processor’s systems, or, at Customer’s choice, use the Service’s tools to obtain the data before its deletion, and upon Customer’s request, will furnish written confirmation that the Personal Data has been deleted pursuant to this section.
27. The duration of Processing that Company performs on the Personal Data is for the duration of the Services. This DPA shall prevail in the event of inconsistencies between it and the Terms of Service, except where explicitly agreed otherwise in writing.
28. The Parties’ liability under this DPA shall be pursuant to the liability clauses in the Terms of Service.