DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) reflects the parties’ agreement on the Processing of Personal Information to which Privacy Laws and Regulations apply. For the purpose of this Annex A, you will be addressed as a “Customer”.
All capitalized terms not defined herein will have the meaning set forth in the Agreement. All terms under the Agreement apply to this DPA, except that the terms of this DPA will supersede any conflicting terms under the Agreement.
In the course of providing the service to Customer pursuant to the Agreement (the “Service”), Tidok may Process Personal Information on behalf of Customer. The parties agree to comply with the following provisions under this DPA with respect to Customer’s Personal Information processed by Tidok on behalf of Customer as part of the Services.
2.1. “Affiliate” means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Agreement, where “control” means the ownership of a majority share of the voting stock, equity, or voting interests of such entity.
2.2. “Tidok” means Tidok Media Inc. and its Affiliates.
2.3. “Tidok Information Security Policy” means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by Tidok upon request.
2.4. “Individual” means a natural person to whom Personal Information relates, also referred to as “Data Subject” pursuant to EU data protection laws and regulations.
2.5. “Personal Information” means information about an identified or identifiable Individual, also referred to as “Personal Data” pursuant to EU data protection laws and regulations, which Tidok Processes under the terms of the Agreement.
2.6. “Personnel” means the employees, agents, consultants, and contractors of Customer and Customer’s Affiliates.
2.7. “Privacy Laws and Regulations” means Regulation (EU) 2016/679 (GDPR), when it takes effect, as applicable to the Processing of Personal Information under the Agreement.
2.8. “Privacy Shield” means the EU-US Privacy Shield Framework, as administered by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
2.9. “Privacy Shield Principles” mean the Privacy Shield Principles, as supplemented by the Supplemental Principles and contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016, as may be amended, superseded or replaced.
2.10. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
3.1. Scope and Roles. This DPA applies when Personal Information is Processed by Tidok as part of Tidok’s provision of the Service, as further specified in the Agreement and the applicable order form. In this context, to the extent that provisions under the GDPR apply to Personal Information that Tidok processes for Customer under the Agreement, Customer is the Data Controller and Tidok and applicable Affiliates are the Data Processor under such laws and regulations.
3.2. Instructions for Tidok’s Processing of Personal Information. Tidok will only Process Personal Information on behalf of and in accordance with Customer’s instructions. Customer instructs Tidok to Process Personal Information for the following purposes: (i) Processing in accordance with the Agreement and applicable order forms, including, without limitation, to provide the Service, and for back-up and disaster recovery, cyber security, operations, control, improvements and development of Tidok’s Service, fraud and service misuse prevention and legal and administrative proceedings; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and comply with applicable Privacy Laws and Regulations. Processing outside the scope of this DPA (if any) will require prior written agreement between Tidok and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Tidok for carrying out such instructions.
4.1. Customer undertakes to provide all necessary notices to Individuals and receive all necessary permissions and consents, as necessary for Tidok to process Personal Information on Customer’s behalf under the terms of the Agreement and this DPA, pursuant to the applicable Privacy Laws and Regulations.
4.2. To the extent required under the applicable Privacy Laws and Regulations, Customer will appropriately document the Individuals’ notices and consents.
5.1. Requests. Tidok will, to the extent legally permitted, promptly notify Customer if Tidok receives a request from an Individual, whose Personal Information is included in Customer’s Personal Information, or a request by the Individual’s legal guardians, to exercise the right to access, correct, amend, or delete Personal Information related to the Individual, or to exercise such other personal right that the Individual is entitled to pursuant to the applicable Privacy Laws and Regulations.
5.2. Assistance. Tidok will provide Customer with commercially reasonable cooperation and assistance in relation to handling the Individual’s request, to the extent legally permitted and to the extent Customer does not have access to such Personal Information through its use of the Service. Except if not permitted under the applicable Privacy Laws and Regulations, Customer will reimburse Tidok for any costs and expenses related to Tidok’s provision of such assistance.
5.3. Customer undertakes to direct individuals who wish to revoke their consent or to exercise their right to be forgotten to Tidok’s opt-out feature at: email@example.com
At Customer’s written request, Tidok will cooperate with and make commercially reasonable efforts to assist Customer in complying with Customer’s obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Tidok.
7.1. Limitation of Access. Tidok will ensure that Tidok’s access to Personal Information is limited to those personnel who require such access to perform the Agreement or provide its services.
7.2. Confidentiality. Tidok will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Information, including relevant obligations regarding confidentiality, data protection, and data security. Tidok will ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Tidok will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
8.1. Affiliates. Some or all of Tidok’s obligations under the Agreement may be performed by Tidok Affiliates.
8.2. Agents. Customer acknowledges and agrees that Tidok and Tidok’s Affiliates respectively may engage third-party service providers in the performance of the Service on Customer’s behalf. All Affiliates and agents (also referred to as ‘other processors’ under the GDPR) to whom Tidok transfers Personal Information to provide the Service on behalf of Customer have entered into written agreements with Tidok or such other binding instruments that bind them by substantially the same material obligations under this DPA.
8.3. Liability. Tidok will be liable for the acts and omissions of its Affiliates and agents to the same extent that Tidok would be liable if performing the Service of each Affiliate or agent directly, under the terms of the Agreement.
8.4. Objection. To ensure compliance with applicable Privacy Laws and Regulations, Customer may object to any engagement by Tidok with a new agent to Process Customer Personal Information on Customer’s behalf, within five (5) business days following Tidok’s notice to Customer of its engagement with the new agent. If Customer sends Tidok a written objection to the new agent, Tidok will make commercially reasonable efforts to provide Customer the same level of Service without using the new agent to Process Customer Personal Information. Nothing in this section prejudices the parties’ rights and obligations under the Agreement.
9.1. Transfer of Personal Information related to Individuals within the EU to Tidok’s data hosting services in the US is made in accordance with such hosting services’ self-certification with the Privacy Shield. Transfer of Personal Information related to Individuals within the EU to Israel is made in accordance with the EU Commission decision 2011/61/EU of January 31, 2011, on the adequate protection of Personal Information by the State of Israel regarding automated processing of Personal Information.
9.2. All Tidok Affiliates and agents to whom Tidok transfers Personal Information to provide the Service are certified to the Privacy Shield, or provide at least the same level of protection for the Personal Information as is required by the relevant principles of the Privacy Shield and comply with the requirements under the Privacy Shield for the onward transfer of Personal Information to agents, or have executed such other lawful instruments for lawfully transferring Personal Information related to Individuals within the EU to other territories, such as by executing the Standard Contractual Clauses in the form attached and incorporated by reference to this DPA as Exhibit A, or any successor thereof or an alternative lawful data transfer mechanism, or alternatively the Personal Information is transferred to a country with an adequacy recognition by the EU Commission.
10.1. Controls. Tidok will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer’s Personal Information pursuant to the Tidok Information Security Policy. Tidok regularly monitors compliance with these safeguards. Tidok will not materially decrease the overall security of the Service during the term of the Agreement.
10.2. Policies and Audits.
Customer may audit Tidok’s compliance with its obligations under this Data Processing Addendum up to once per year (“Data Protection and Security Audit”), provided, however, that any Data Protection and Security Audit is subject to the following cumulative conditions: (i) The Data Protection and Security Audit will be pre-scheduled in writing with Tidok, at least 60 days in advance; (ii) All Customer personnel who perform the Data Protection and Security Audit, whether employed or contracted by Customer, will execute Tidok’s standard non-disclosure agreement prior to the initiation of the Data Protection and Security Audit, and a third party auditor will also execute a non-competition undertaking; (iii) Customer will take all necessary measures and verify that the auditors do not access, disclose or compromise the confidentiality and security of non-Customer data on Tidok’s information and network systems; (iv) Customer will take all measures to prevent any damage or interference with Tidok and its Affiliates’ information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the Data Protection and Security Audit and for any failures or damage caused as a result thereof; (vi) Customer will keep the Data Protection and Security Audit results in strict confidentiality, will use them solely for the specific purposes of the Data Protection and Security Audit under this section, will not use the results for any other purpose, or share them with any third party, without Tidok’s prior explicit written confirmation; and (vii) If Customer is required to disclose the Data Protection and Security Audit results to a competent authority, Customer will first provide Tidok with a prior written notice, explaining the details and necessity of the disclosure, and will provide Tidok with all necessary assistance to prevent the disclosure thereof.
11.1. Breach prevention and management. Tidok will maintain security incident management policies and procedures and will, to the extent required by law, promptly notify Customer of any unauthorized access to, acquisition of, or disclosure of Customer Personal Information, by Tidok or its Affiliates or agents, of which Tidok becomes aware (a “Security Incident”).
11.2. Remediation. Tidok will promptly make reasonable efforts to identify and remediate the cause of such a Security Incident.
12.1. Data Deletion. After the end of the provision of the Service, Tidok will return Customer’s Personal Information to Customer or delete such data, including by de-identification thereof.
12.2. Data Retention. Notwithstanding, Customer acknowledges and agrees that Tidok may retain copies of Customer Personal Information as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under the applicable law, including to retain data pursuant to legal requirements and to use such data to protect Tidok, its Affiliates, agents, and any person on their behalf in court and administrative proceedings.
Tidok may disclose Personal Information (a) if required by a subpoena or other judicial or administrative order, stock exchange or if otherwise required by law; or (b) if Tidok deems the disclosure necessary to protect the safety and rights of any person, or the general public.
Tidok may process data based on extracts of Personal Information in aggregated and non-identifiable form, for Tidok’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Tidok’s discretion, provided that such data cannot reasonably identify an Individual.
This DPA will commence on the same date that the Agreement is effective and will continue until the Agreement expires or is terminated, pursuant to the terms therein.
16.1. Tidok’s compliance team is responsible for making sure that all relevant Tidok personnel adhere to this DPA.
16.2. Tidok’s compliance team can be reached at: firstname.lastname@example.org
Each Party will create an escalation process and provide a written copy to the other Party within five (5) business days of any dispute arising out of or relating to this DPA. The escalation process will be used to address disputed issues related to the performance of this DPA, including but not limited to technical problems. The Parties agree to communicate regularly about any open issues or process problems that require prompt and accurate resolution as set forth in their respective escalation process documentation. The Parties will attempt in good faith to resolve any dispute arising out of or relating to this DPA, before and as a prior condition for commencing legal proceedings of any kind, first as set forth above in the escalation process and next by negotiation between executives who have authority to settle the controversy and who are at a higher level of management than the persons with direct responsibility for administration of this DPA. Any Party may give the other Party written notice of any dispute not resolved in the normal course of business. Within two (2) business days after delivery of the notice, the receiving Party shall submit to the other a written response. The notice and the response will include (a) a statement of each Party’s position and a summary of arguments supporting that position and (b) the name and title of the executive who will represent that Party and of any other person who will accompany the executive. Within five (5) business days after delivery of the disputing Party’s notice, the executives of both Parties shall meet at a mutually acceptable time and place, including telephonically, and thereafter as often as they reasonably deem necessary, to attempt to resolve the dispute. All reasonable requests for information made by one Party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
18.1. Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both parties.
18.2. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.