Data Processing Addendum

Last Updated: March 31, 2021

DATA PROCESSING ADDENDUM

  1. Subject Matter and Duration.
    1. Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Sisu’s execution of the Agreement. If and to the extent language in this Addendum conflicts with the Agreement, this Addendum shall control to the extent that such conflict relates to data protection.
    2. Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. Sisu will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
  2. Definitions.
    For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

    1. “Customer Personal Data” means Personal Data Processed by Sisu on behalf of Customer.
    2. “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).
    3. “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Laws.
    4. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    5. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Sisu.
    6. “Services” means the services that Sisu performs under the Agreement.
    7. “Subprocessor(s)” means Sisu’s authorized vendors and third-party service providers that Process Customer Personal Data.
  3. Data Use and Processing.
    1. Documented Instructions. Sisu shall Process Customer Personal Data in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Sisu will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
    2. Authorization to Use Subprocessor. To the extent necessary to fulfill Sisu’s contractual obligations under the Agreement, Customer hereby authorizes Sisu to engage Subprocessors. Sisu’s current Subprocessors are listed in Exhibit A.
    3. Sisu and Subprocessor Compliance. Sisu agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for Sisu’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data in accordance with the requirements of Data Protection Laws.
    4. Right to Object to Subprocessors. Where required by Data Protection Laws, Sisu will notify Customer via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
    5. Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
    6. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Sisu agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
    7. Sale of Customer Personal Data Prohibited. Sisu shall not sell Customer Personal Data as the term “sell” is defined by the CCPA.
    8. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Sisu agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Sisu requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
    9. Demonstrable Compliance. Sisu agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Customer’s reasonable request.
  4. Cross-Border Transfers of Personal Data.
    1. Cross-Border Transfers of Personal Data. Customer authorizes Sisu to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States.
    2. Standard Contractual Clauses. Where required, Customer and Sisu will use the European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors (“Model Clauses”) to support the transfer of Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom, the terms of which are herein incorporated by reference. The parties agree that: (i) the audits described in Clause 5(f) and Clause 12(2) of the Model Clauses shall be carried out in accordance with Section 7 of this Addendum; (ii) pursuant to Clause 5(h) of the Model Clauses, Sisu may engage new Subprocessors in accordance with Section 3(b) – (d) of this Addendum; (iii) the Subprocessor agreements referenced in Clause 5(j) and certification of deletion referenced in Clause 12(1) of the Model Clauses shall be provided only upon Customer’s written request; and (iv) the optional clauses are expressly not included. Each party’s signature to this Addendum shall be considered a signature to the Model Clauses to the extent that the Model Clauses apply hereunder. If required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Model Clauses as separate documents.
  5. Information Security Program.
    1. Security Measures. Sisu will use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data in accordance with Data Protection Laws.
  6. Security Incidents.
    1. Notice. Upon becoming aware of a Security Incident, Sisu agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
  7. Audits.
    1. Audit. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may, no more than once annually, carry out an audit of Sisu’s policies and procedures with respect to the Processing of Customer Personal Data. Customer must provide Sisu forty-five (45) days written notice of such intention to audit, conduct its audit during normal business hours, and take reasonable measures necessary to prevent unnecessary disruption to Sisu’s operations. Any such audit shall be subject to reasonable confidentiality procedures. Customer shall be responsible for any costs arising from such audit.
  8. Data Deletion.
    1. Data Deletion. At the expiry or termination of the Agreement, Sisu will, at Customer’s option, delete or return all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Sisu’s data retention schedule), except where Sisu is required to retain copies under applicable laws, in which case Sisu will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
  9. Processing Details.
    1. Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
    2. Duration. The Processing will continue until the expiration or termination of the Agreement.
    3. Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.
    4. Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Sisu is the performance of the Services.
    5. Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.
  10. Contact Information.
    1. For urgent privacy and security issues the Sisu designated point of contact (“Designated POC”) is [email protected]

 

Exhibit A

List of Sisu Data Subprocessors

Subprocessor Name: Snowflake Inc.

Subprocessing Activities: data hosting and analysis

Processing Location (Country): United States

 

Subprocessor Name: Twilio Inc. (aka SendGrid)

Subprocessing Activities: email delivery

Processing Location (Country): United States