vianai systems, inc.
data processing addendum
This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement (“MSA”) between you and Vianai. This DPA applies to the extent that Vianai Processes Personal Data on your behalf in providing Services.
1. Definitions.
Capitalized terms used but not defined in this DPA will have the meanings set forth in the MSA.
(a) “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
(b) “Data Protection Laws” means all laws applicable to the Processing of Personal Data under this DPA.
(c) “Data Subject” means the individual to whom Personal Data relates.
(d) “Personal Data” means Customer Content that relates to an identified or identifiable natural person.
(e) “Personal Data Breach” means a breach of security of the Services leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data.
(f) “Processor” means the entity which Processes Personal Data on behalf of the Controller.
(g) “Process” or “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
2. Roles of the Parties.
You will act as the Controller and Vianai will act as the Processor with respect to the Processing of Personal Data pursuant to this DPA. You will be solely responsible for complying with your obligations under Data Protection Laws with respect to the Processing of Personal Data, including with respect to providing any necessary notices to, and obtaining any necessary consents from, Data Subjects or other persons with respect to the Processing of Personal Data.
3. Limitations on Use.
Vianai will Process Personal Data solely in accordance with the MSA or other documented instructions that you may provide (whether in written or electronic form) in accordance with the MSA, or as otherwise required by applicable law. For clarity, Vianai will not (a) retain, use, or disclose Personal Data for any purpose other than providing Services to you pursuant to the MSA, or as required by applicable law; or (b) sell such Personal Data to any third party, as “sale” is defined under applicable Data Protection Laws. Vianai certifies that it understands and will comply with the foregoing restrictions. The duration, scope, and details of the Processing are described in the MSA.
4. Confidentiality.
Vianai will require its personnel to protect the confidentiality of Personal Data.
5. Security.
Vianai maintains administrative, physical, and technical safeguards for the Services which are designed to protect Personal Data against unauthorized loss, destruction, alteration, access, or disclosure, as further described in the Data Security Addendum
6. Personal Data Breach.
Vianai will notify you without undue delay in the event Vianai discovers that a Personal Data Breach has occurred, unless otherwise prohibited by law or otherwise instructed by a law enforcement agency or regulator. At your request, and taking into account the nature of the Processing and the information available to Vianai, Vianai will provide you with reasonable assistance and cooperation at your expense with respect to any notifications that you are required to provide to affected Data Subjects or regulators under applicable Data Protection Laws with respect to the Personal Data Breach.
7. Data Subject Requests.
Vianai will promptly notify you, unless prohibited by applicable law, if Vianai receives: (a) any requests from a Data Subject with respect to Personal Data Processed by Vianai pursuant to the MSA, including but not limited to opt-out requests, requests for access and/or rectification, blocking, erasure, requests for data portability, and similar requests under Data Protection Laws; or (b) any complaint related to the Processing of Personal Data by Vianai pursuant to the MSA, including any allegations that such Processing infringes on a Data Subject’s rights. You will be responsible for responding to any such requests or complaints. At your request and taking into account the nature of the Processing, Vianai will assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of obligations you may have under applicable Data Protection Laws to respond to such Data Subject requests.
8. Subprocessors.
You agree that Vianai may disclose Personal Data to its subcontractors for purposes of providing the Services to you (“Subprocessors”), provided that Vianai will impose obligations on its Subprocessors that are at least as protective of Personal Data as those set forth in this DPA. Vianai will (a) make available to you upon request a list of its Subprocessors and provide you with a mechanism to receive notice of any changes to this list and (b) notify you of the intended addition of any new Subprocessor, to allow you an opportunity to object to the addition. If you have not provided a written objection within seven days of such notice, such Subprocessor will be deemed to be accepted by you. If you make such an objection, and the parties have failed to agree upon an alternative arrangement within thirty days of your objection, either party may terminate the MSA in relation to the Services that involve use of the new Subprocessor. Vianai will be liable for any acts or omissions by its Subprocessors in breach of this DPA to the same extent as if such breach was committed directly by Vianai.
9. Data Transfers.
In connection with the performance of the MSA, Vianai may transfer Personal Data to any jurisdiction, subject to Vianai’s compliance with this DPA. To the extent such transfer involves a transfer by you of Personal Data from the European Economic Area (“EEA”), the UK, or Switzerland, to Vianai in a jurisdiction outside of the EEA, the UK, or Switzerland that has not been recognized by the applicable supervisory authority as providing an adequate level of protection for Personal Data, the parties agree that Module Two (Controller to Processor) of the Standard Contractual Clauses for the transfer of Personal Data to third countries ((EU) 2021/914), which is hereby incorporated into this DPA by reference, will apply to such transfer, and such transfer is further described in Appendix 1. For purposes of the EU Standard Contractual Clauses, the parties agree that (a) in Clause 7, the docking clause is incorporated; (b) in Clause 9, Option 2 is incorporated with a specified time period of sixty (60) days; (c) in Clause 11(a), the Optional clause is not incorporated; (d) in Clause 17, Option 1 is incorporated and the governing law is the law of the state of the Netherlands; (e) in Clause 18, the courts will be those of the Member State identified for Clause 17; and (f) the Annexes set forth in Appendix 1 will apply to those EU Standard Contractual Clauses. Upon your request, Vianai also will enter into a UK equivalent of the EU Standard Contractual Clauses with you to the extent necessary to facilitate such transfers from the UK.
10. Audit.
Upon your request, Vianai will make available to you up to once per calendar year (a) a summary of a third-party assessment or comparable report of the Platform Services (“Third Party Report”) or (b) if Vianai has not obtained a Written Report, responses to any written questions that you may reasonably submit for purposes of verifying Vianai’s compliance with this DPA (“Written Responses”). Any such Third-Party Reports and Written Responses will be subject to the confidentiality obligations in the MSA. If Vianai responds to your request by providing Written Responses rather than a Third-Party Report, and you reasonably determine that further assessment is required, Vianai will enable you upon your request, no more than annually and with at least thirty (30) days’ prior written notice, to review Vianai’s relevant policies, procedures, and systems as reasonably appropriate to audit Vianai’s compliance with its obligations under this DPA, to the extent that such review does not compromise confidentiality obligations to any of Vianai’s other customers.
11. DPIAs and Prior Consultations.
To the extent required by applicable Data Protection Laws, upon reasonable notice and at your sole cost and expense, Vianai will provide reasonably requested information regarding the Platform Services to enable you to carry out data protection impact assessments (“DPIAs”) and/or prior consultations with supervisory authorities.
12. Return or Disposal.
Upon termination or expiration of the MSA for any reason, Vianai will promptly return or delete Personal Data from its systems (within 30 days), except to the extent applicable law requires storage of the Personal Data.
Appendix 1
DETAILS
FOR
EU STANDARD CONTRACTUAL CLAUSES
ANNEX 1
to
Appendix 1
Details for
EU Standard Contractual Clauses
A. LIST OF PARTIES
|
|
Data Exporter(s) |
Data Importer(s) |
|
Name: |
The customer identified in the Order Form. |
Vianai Systems, Inc. |
|
Address: |
As set forth in the Order Form. |
As set forth in the MSA. |
|
Contact person’s
name, position |
As set forth in the Order Form. |
privacy@vian.ai |
|
Activities relevant to the data transferred under these Clauses: |
Data exporter has engaged data importer to perform services in accordance with the MSA, which may involve processing of personal data. |
Data importer has been engaged by data exporter to perform services in accordance with the MSA, which may involve processing of personal data by data importer on behalf of data exporter. |
|
Role: |
Controller. |
Processor. |
B. DESCRIPTION OF TRANSFER
|
Categories of data subjects whose personal data is transferred: |
The personal data relates to the following categories of data subjects: Customer’s customers, end users or other individuals to whom Customer Personal Data pertains. |
|
Categories of personal data transferred: |
The personal data transferred includes the following categories of personal data: such categories as Customer has authorized Vianai to process pursuant to the MSA. |
|
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: |
None. |
|
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
Continuous unless otherwise specified in the MSA. |
|
Nature of the processing: |
Data importer will process the personal data in connection with its provision of services to data exporter in accordance with the MSA. |
|
Purpose(s) of the data transfer and further processing: |
Data importer will process the personal data for the purpose of providing services to data exporter in accordance with the MSA. |
|
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: |
Term of the MSA or as otherwise required by applicable law. |
|
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: |
Data importer may transfer personal data to subprocessors in connection with its provision of services to data exporter, in accordance with the Data Processing Addendum. |
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority in the EU Member State in which the data exporter is established and, in the event that the data exporter is not established in an EU Member State, the data protection authority of the Netherlands.
ANNEX 2
to
Appendix 1
TECHNICAL AND ORGANISATIONAL MEASURES,
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES
TO ENSURE THE SECURITY OF THE DATA
|
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. |
Security measures set forth in the Data Security Addendum |
|
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter. |
Subprocessors are required to safeguard personal data consistent with the level of protection provided in the Data Processing Addendum, and to provide assistance to data importer consistent with applicable law. |