This Data Processing Addendum (“Addendum”) is entered into by and between Deeto, Inc. (“Deeto”) and the organization identified in the Enrollment (“Customer”).
WHEREAS, Customer and Deeto have engaged in an agreement (the “Agreement”) pursuant to which Deeto provides Customer access to Deeto’s software as a service platform that helps businesses to improve their selling process to prospects and connect between prospects and references (the “Platform”);
WHEREAS, the Platform involves processing certain personal data and the parties wish to regulate Deeto’s processing of such personal data, through this Addendum, which will be attached to and become an integral part of the Agreement.
THEREFORE, the parties have agreed to this Addendum, consisting of two parts:
Parts One, Two, and Three apply only to Deeto’s processing personal data or personal information as a Processor (as defined in the GDPR or state privacy laws in the U.S.), or a Service Provider (as defined in the CCPA), acting on behalf of the Customer and under the Customer’s instructions. Deeto is a Processor or Service Provider for the processing of the following information about the representatives of Customer, representatives of Customer’s prospects and representatives of Customer’s references: (a) the Platform’s fields of personal data or personal information configurable by the Customer, (b) information of surveys submitted by representatives of Customer’s prospects and references, and (c) credit point earnings for users engaging in certain activities on the Platform, as determined by the Customer.
Parts One, Two, and Three do not apply to Deeto’s processing personal data or personal information necessary for the operation of the Platform, for which Deeto is a Controller (as defined in the GDPR). Deeto is a Controller for the processing of the information explained in Deeto's privacy policy for the Platform.
In the event of any conflicting provisions between this Addendum and the terms or any other agreement in place between the parties, the provisions of this Addendum prevail, except where explicitly agreed otherwise in writing.
1. Scope. This Part One applies to the processing of personal information or personal data by Deeto within the scope identified in the preamble of this Addendum.
2. Definitions
3. Deeto’s Obligations. The Parties acknowledge and agree that Deeto is a ‘service provider’ and ‘processor’ within the meaning of the terms in Applicable State Privacy Laws. To that end, and unless otherwise required by law:
4. Subcontracting to suppliers. Customer authorizes Deeto to subcontract any of its Platform-related activities which involve the Processing of Personal Information or requiring Personal Information to be Processed by any third party supplier, provided that Deeto ensures that the third party is bound by obligations consistent with this Part One.
5. Return or deletion of information. Upon Customer’s written request where no subsequent further Processing is required, Deeto shall, at the instruction of Customer, either delete, or return to Customer, some or all (however instructed) of the personal information that it and its third party suppliers Process for Customer.
6. Assistance in responding to consumer requests. Deeto shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Consumer rights under Applicable State Privacy Laws.
7. Data security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Deeto’s Processing of Personal Information for Customer, as well as the nature of personal information Processed for Customer, Deeto will implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
1. Customer commissions, authorizes, and requests that Deeto provide Customer access to use the Platform, which involves Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), and in applicable national law implementing the GDPR, or in any subsequent superseding legislation; these shall collectively be referred to as “Data Protection Law”).
2. Customer shall: (a) establish, abide by, and communicate a privacy notice to its data subjects, as may be necessary under Data Protection Law; (b) substantiate the legal basis under Data Protection Law for obtaining and Processing the Personal Data as carried out by Deeto on behalf of the Customer; and (c) credit point earnings for users engaging in certain activities on the Platform, as determined by the Customer.
3. Customer and Deeto hereby assent to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”), in its MODULE TWO, as follows:
3.1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: Transfer controller to processor: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
3.2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland.
3.3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland.
3.4. In Annex I, for MODULE TWO: Transfer controller to processor:
3.4.1. Data Exporter: Customer.
3.4.1.1 Activities relevant to the data transferred under these Clauses: a company using the Platform.
3.4.1.2 Role: Controller.
3.4.2. Data Importer: Deeto
3.4.2.1 Activities relevant to the data transferred under these Clauses: Developer, operator and provider of the Platform.
3.4.2.2 Role: Processor.
3.5. Description of Transfer:
3.5.1. Categories of data subjects whose personal data is transferred: representatives of the data exporter, representatives of data exporter’s prospects and representatives of data exporter’s references.
3.5.2. Categories of personal data transferred: (a) the Platform’s fields of personal data or personal information configurable by the data exporter, and (b) information of surveys submitted by representatives of data exporter’s prospects and references.
3.5.3. Sensitive data transferred: None.
3.5.4. The frequency of the transfer: on a continuous basis.
3.5.5. Nature of the processing: uploading data to the Platform, storage on the Platform, retrieval, analytics reporting and derived insights.
3.5.6. Purpose(s) of the data transfer and further processing: the provision of a technology platform that helps businesses to improve their selling process to prospects and connect between prospects and references.
3.5.7. The period for which the personal data will be retained: the period set out in the Agreement.
3.5.8. Transfers to (sub-) processors:
3.5.9. Competent Supervisory Authority: the data protection authority in the EU member state in which the Customer is established, or the Customer’s lead supervisory authority for GDPR purposes, but if the Customer is not established in any EU member state, then the supervisory authority of the EU member state in which the Customer’s EU representative pursuant to Article 27 of the GDPR is located.
3.6. In Annex II, for MODULE TWO (TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): Transfer controller to processor – See appendix below.
4. The Customer will comply with its obligations under the GDPR, in particular in the Processing instructions it issues to Deeto as per Clause 8.1 of the SCCs.
5. If Deeto’s assistance to Customer under Clause 10 of the SCCs entails material costs, expenses, or resources to Deeto, then the parties shall first discuss and agree on the fees payable to Deeto for such assistance.
6. Audit and inspections conducted under Clause 8.9 of the SCCs shall be conducted during ordinary business hours of Deeto and with minimal disruption to Deeto’s ordinary course of business, shall not extend to any activities of Deeto with other customers or parties, and if conducted by an independent auditor, such auditor shall be made subject to appropriate confidentiality undertakings satisfactory to Deeto. If such inspections or audits entail material costs, expenses or resources to Deeto, then the parties shall first discuss in good faith and agree on the fees payable to Deeto for such inspections or audits.
1. Customer and Deeto hereby assent to the Annex to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 issued under Section 119A of the UK Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs”), as follows: