DPA
Introduction
This Trellus Privacy and Security Addendum (“Addendum”) is made part of and is incorporated by reference into the current applicable Order(s) and/or Master Service Agreement or equivalent agreement for Trellus Services (“Agreement”) between Trellus Corporation (“Trellus”) and the customer entity identified in the Agreement (“Customer”) (each referred to as a “Party” and collectively as the “Parties”).
This Addendum will be effective, and will supersede and replace in its entirety any existing data processing addendum the parties may have previously entered into in connection with the Trellus Services, from the date on which Customer signed the Agreement (“Effective Date”).
Your Data
This Addendum governs the manner in which Trellus shall process Customer Personal Data (as defined below) and only applies to the extent Trellus Processes such Customer Personal Data in its role as a data processor. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement, including Orders and Exhibits, and this Addendum, the provision imposing the stricter data protection requirements of any conflicting provision shall control. Capitalized terms have the meaning given to them in the Agreement, unless otherwise defined below.
1. Definitions
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations applicable to the Processing of Customer Personal Data under this Addendum including any binding laws or regulations ratifying, implementing, adopting, supplementing or replacing the foregoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
b) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
c) “Customer Personal Data” means Personal Data that Trellus Processes in its role as a data processor (or any substantially similar terms) under Applicable Data Protection Laws, as further specified in Schedule 1.
d) “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data subject to this Addendum.
e) “Security Incident(s)” means (i) a breach in security leading to any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental access or damage to or loss, misuse, destruction, alteration, acquisition, disclosure of, Customer Personal Data that may adversely affect the privacy or security of individuals or Customer Personal Data; or (ii) as otherwise defined under Applicable Data Protection Laws. Security Incidents do not include unsuccessful attempts or activities that do not compromise the confidentiality, availability, or integrity of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.
f) “Sensitive Personal Data” shall have the meaning assigned to the terms “sensitive data”, “sensitive information”, “special categories of personal data”, or similar term under Applicable Data Protection Law(s) and, as required by Applicable Data Protection Law(s), shall include Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
g) “Standard Contractual Clauses” means (i) the standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries as adopted by the European Commission, and the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; or (iii) any similar such clauses (as applicable) adopted by a data protection regulator relating to data transfers to Third Countries, including without limitation any successor clauses thereto.
h) “Third Country” means countries that, where required by Applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to data transfers, including regulators such as the European Commission, UK ICO, or Swiss FDPIC relating to data transfers.
2. Data Handling and Access
a) Role of the Parties. The parties acknowledge and agree that with respect to Processing of Customer Personal Data, Trellus is a Processor and Customer is a Controller and/or a Processor in which case Trellus is a sub-processor.
b) General Compliance by Trellus. Customer Personal Data shall be Processed by Trellus in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
c) General Compliance by Customer. Customer represents and warrants that (i) it shall comply with its obligations under Applicable Data Protection Law(s) in respect of its Processing of Customer Personal Data and any Processing Instructions it issues to Trellus and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Applicable Data Protection Law(s) for Trellus to Process Customer Personal Data and provide the Trellus Services pursuant to the Agreement and this Addendum.
d) Trellus and Sub-processors. Trellus agrees to (i) enter into a written agreement with Sub-processors regarding such Sub-processors’ Processing of Customer Personal Data that imposes on such Sub-processors data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for Trellus’s Sub-processors’ (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.
e) Authorization to Use Sub-processors. Customer authorizes Trellus to use the Sub-processors described in Schedule 3. If Trellus engages new Sub-processors, Trellus will give Customer notice at least 30 calendar days in advance of providing that Sub-processor with access to Customer Personal Data. If Customer does not approve of a new Sub-processor on reasonable data protection grounds, Customer may terminate the applicable Order without penalty by providing, within 30 calendar days of notice of such new Sub-processor, written notice of termination that includes an explanation of the grounds for non-approval. Where Trellus engages a Sub-processor for carrying out specific processing activities on behalf of Customer, the same (or substantially similar) data protection obligations as set out in this Addendum shall be imposed on that Sub-processor by way of a written agreement. Where that Sub-processor fails to fulfil its data protection obligations, Trellus shall remain fully liable to Customer for the performance of its Sub-processor obligations.
f) Following Instructions. Trellus shall Process Customer Personal Data only in accordance with Customer’s Instructions. Trellus will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s Instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s Instructions.
g) Confidentiality. Any person authorized to Process Customer Personal Data on behalf of Trellus must be under an appropriate statutory or contractual obligation that requires such person to maintain the confidentiality of the Customer Personal Data.
h) Personal Data Inquiries and Requests. Trellus agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At Customer’s request and without undue delay, Trellus agrees to assist Customer in answering or complying with any Privacy Request. The obligations under this provision shall apply solely where and to the extent required by Applicable Data Protection Law.
i) Processing of Sensitive Personal Data. Customer will not submit sensitive personal data to the Trellus Services without written consent from Trellus or agreement from Trellus to enter into a business associate agreement. In such cases, the parties acknowledge that limited special categories of personal data may incidentally be entered by Customer through Customer’s use of the Services in the regular course of business.
j) Sale of Customer Personal Data Prohibited. Trellus shall not sell Customer Personal Data as such terms are defined under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) or any substantially similar law, nor use, retain, or disclose Customer Personal Data outside of its direct business relationship with the Customer or for any other purpose except as required or permitted by such law.
3. International transfers
a) Onward Transfers. In connection with the provision of the Services to Customer, Trellus may (and may authorize its Sub-processors to) receive or transfer and Process Customer Personal Data from any country to Third Countries provided that Trellus and its Sub-processors take measures to adequately protect such data consistent with Applicable Data Protection Laws. Such measures may include to the extent available and applicable under such laws:
(i) Standard Contractual Clauses. The parties’ agreement to enter into and comply with the Standard Contractual Clauses which are hereby incorporated into this Addendum and as further set forth in Schedule 1 and any successors or amendments to such clauses or such other applicable contractual terms adopted and approved under Applicable Data Protection Laws; or
(ii) Other Approved Transfer Mechanisms. Implementing any other data transfer mechanisms or certifications approved under Applicable Data Protection Laws, including, as applicable, any approved successor or replacement to the EU–US Privacy Shield framework, the Swiss–US Privacy Shield framework.
To the extent that any substitute or additional appropriate safeguards or mechanisms under any Applicable Data Protection Laws are required to transfer data to a Third Country the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this Addendum.
4. Security Incident
a) Security Incident Procedure. Trellus will take appropriate action in line with best practices to respond to, and otherwise address, Security Incidents including procedures to (i) identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
b) Notice. Trellus agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) to Customer’s Designated POC if it knows or suspects that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
5. Contact Information
Trellus and the Customer agree to designate a point of contact for urgent security issues (a “Designated POC”). The Designated POCs for both parties are:
Trellus Designated POC: founders@trellus.ai
Customer Designated POC: as identified in Agreement
Schedule 1 to the Addendum
Description of Processing and Transfer Details
1. Data Exporter (customer information as included in the applicable Order Form). Role: Controller
2. Data Importer
-Company: Outpost Labs Inc.
-Address: 28-07 Jackson Ave, Queens, NY 11101
-Contact email: founders@trellus.ai
-Role: Processor
3. Activities relevant to the data transferred under the SCCs
The activities relevant to the data transferred are the Services more fully described in the Agreement and applicable Orders.
4. Details of Customer Personal Data
Categories of data subjects whose personal data is transferred
Includes the following:
-Prospects, customers, business partners and vendors of Customer (who are natural persons)
-Employees or contact persons of Customer’s prospects, customers, business partners and vendors
-Employees, agents, advisors, freelancers of Customer (who are natural persons)
-Customer’s users authorized by Customer to use the Trellus Services
Categories of personal data transferred
Includes the following:
-Identification Data (notably email addresses, usernames and phone numbers)
-Electronic identification data (notably IP addresses and mobile device IDs)
Sensitive Personal Data transferred
Customer will not submit Sensitive Personal Data to the Trellus Services without written consent from Trellus or agreement from Trellus to enter into a business associate agreement. In such cases, the parties acknowledge that limited special categories of personal data may incidentally be entered by Customer through Customer’s use of the Services in the regular course of business.
Frequency of the transfer
Continuous
Nature and purpose of the data transfer and further processing
The purpose of Processing of Customer Personal Data by Trellus is the performance of the Trellus Services pursuant to the Agreement.
Period for which the personal data will be retained or criteria used to determine that period
The period for which the personal data will be retained is more fully described in the Agreement, Addendum, and accompanying Order Forms.
Subprocessor transfers – subject matter, nature, and duration of processing
The subject matter, nature, and duration of the Processing as more fully described in the Agreement, Addendum, and accompanying Order Forms.
5. Signatures
The Parties agree that the EU SCCs and the UK Transfer Addendum are incorporated by reference and that by executing the Addendum, each party is deemed to have executed the SCCs and the UK Transfer Addendum.
6. European Area SCC and UK Transfer Addendum Information
SCC Clause (GDPR / Swiss DPA / UK Data Protection Law)
Module in Operation
Module Two (Controller to Processor) and Module Three (Processor to Processor)
Clause 7 – Docking Clause
An entity that is not a party to these Standard Contractual Clauses may, with the agreement of the parties, accede to these Standard Contractual Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex 1.A of the Standard Contractual Clauses.
Clause 9(a) – Use of Sub-processors
GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 calendar days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Clause 11 (Redress)
Optional language in Clause 11 shall not apply.
Clause 17 – Governing Law
-GDPR: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
-Swiss DPA: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland.
-UK Data Protection Law: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England and Wales.
Clause 18 – Choice of Forum and Jurisdiction
-GDPR: (b) The parties agree that those shall be the courts of Ireland.
-Swiss DPA: The parties agree that those shall be the competent courts of Switzerland.
-UK Data Protection Law: The parties agree that those shall be the competent courts of England and Wales.
Annex 1A – List of Parties
The name, address, and contact person’s name, position, and contact details, and each party’s role in processing Customer Personal Data are provided in Sections 1, 2, and 3 above.
Annex 1B – Description of Transfer
This information can be found in Section 4 above.
Clause 13 and Annex 1C – Competent Supervisory Authority
-GDPR: Identify the competent supervisory authority/ies in accordance with Clause 13: Irish Data Protection Commission
-Swiss DPA: Identify the competent supervisory authority/ies in accordance with Clause 13: FDPIC
-UK Data Protection Law: Identify the competent supervisory authority/ies in accordance with Clause 13: UK Information Commissioner
Annex II – Technical and Organizational Measures
The description of technical and organizational measures designed to ensure the security of Customer Personal Data is described more fully in Schedule 2 of this Addendum.