UPDATEAI
Data Processing Addendum
This Data Processing Addendum with its appendices (together, this “DPA”) is incorporated into the subscription or services Agreement, or terms of service in the absence of a signed agreement, between Update Technologies, Inc. (“Update.ai”) and the customer (the “Agreement”). This DPA forms a part of the Agreement. The parties have agreed to enter into this DPA to ensure that appropriate safeguards are in place to protect Personal Data in accordance with applicable Data Protection Laws.
Data Processing
Scope and Roles. This DPA applies when Update.ai Processes Customer Personal Data in providing the Services under the Agreement with the Customer. The Parties agree that Update.ai is a Processor with respect to the Processing of Customer Personal Data.
Processing Details. Update.ai will only Process Customer Personal Data following the Agreement and this DPA (together, the “Documented Instructions”). A party will promptly inform the other party if it becomes aware that the Documented Instructions conflict with or violate Data Protection Laws.
Customer Obligations. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data. Customer is responsible for ensuring that no special categories of Personal Data (including under GDPR Article 9), Personal Data relating to criminal convictions and offenses (under GDPR Article 10), or similarly sensitive Personal Data (defined in Data Protection Laws) is submitted to Update.ai for Processing.
Compliance with Laws. Each Party will comply with the Data Protection Laws applicable to its performance under this DPA.
Duration
This DPA remains in effect until the later of (a) the expiration or termination of the Agreement, and (b) the return or deletion of Customer Personal Data in accordance with Section 6.
Security and Confidentiality
Update.ai will implement and maintain commercially reasonable technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, as described in Appendix A (the “Technical and Organizational Measures”). Customer acknowledges that the Technical and Organizational Measures are subject to technical progress and development and that Update.ai may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service.
Subprocessors
Subprocessor Authorization. Customer generally authorizes Update.ai to engage Subprocessors in accordance with this Section 4. Update.ai will publish and update its list at https://www.update.ai/sub-processors and Customer should review such list from time to time.
Objections to Subprocessors. Customer may object to a new Subprocessor on reasonable grounds relating to the protection of Customer Personal Data by sending an email to security@update.ai describing its legitimate, good-faith objection within 15 days of a Change Notice (an “Objection Notice”), in which case Update.ai may satisfy the objection by (a) not using the new Subprocessor to Process Customer Personal Data; (b) taking corrective steps requested by Customer in its Objection Notice; or (c) ceasing to provide the parts of the Services that involve the new Subprocessor Processing Customer Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope. If none of the options outlined above are reasonably available and Customer’s objection has not been resolved to the Parties’ mutual satisfaction within 15 days of Update.ai’s receipt of the Objection Notice, either Party may terminate the affected Order and Update.ai will refund to Customer a pro rata share of any unused amounts prepaid by Customer under the applicable Order for the Services on the basis of the remaining portion of the current terms of the Order. If Customer does not provide a timely Objection Notice, Customer will be deemed to have authorized Update.ai’s use of the Subprocessor and to have waived its right to object.
Subprocessor Requirements. Update.ai will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. Update.ai will be liable for the actions and omissions of its Subprocessors undertaken in connection with Update.ai’s performance under this DPA to the same extent Update.ai would be liable if performing the Services directly.
Data Subject Requests
To the extent Update.ai is able to verify that a data subject is associated with the Customer, Update.ai will promptly notify the Customer if it receives a request from a data subject to exercise any data protection rights (including rights of access, rectification or erasure) in respect of that data subject’s Personal Data (a “Data Subject Request”). Update.ai shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer.
To the extent Update.ai is able, and in line with applicable law, Update.ai will provide reasonable assistance to Customer in responding to a data subject request to exercise any data protection rights under applicable Data Protection Laws (including rights of access, rectification or erasure) in respect of that data subject’s Personal Data if the Customer cannot address a Data Subject Request without Update.ai’s assistance. The Customer is responsible for verifying that the requestor is the data subject in respect of whose Personal Data the request is made. Update.ai bears no responsibility for information provided in good faith to Customer in reliance on this section. To the extent permitted by applicable law, Customer will be responsible for any costs arising from Update.ai’s assistance.
Data Deletion
Following the effective date of termination of the Agreement, Update.ai will initiate a process on Customer’s written request that deletes Customer Personal Data retained in production within 90 days. Any Customer Personal Data archived in backups will be isolated and protected from any further Processing, except as otherwise required by Applicable Laws. Notwithstanding the foregoing, to the extent Update.ai is required by Applicable Laws to retain some or all Customer Personal Data, Update.ai will not be obligated to delete the retained Customer Personal Data. Customer acknowledges that it is responsible for exporting any Customer Personal Data that Customer wants to retain prior to expiration of the 30-day period referenced in this Section 6 pursuant to the Agreement.
Personal Data Breaches
Breach Notification. Update.ai will notify Customer promptly upon becoming aware of a Personal Data Breach. Update.ai’s notification to Customer will describe (a) the nature of the Personal Data Breach, including, if known, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the measures Update.ai has taken, or plans to take, to respond to and mitigate the Personal Data Breach; (c) any measures Update.ai recommends that Customer take to address the Personal Data Breach. If Update.ai cannot provide all the information above in the initial notification, Update.ai will provide the information to Customer as soon as it is available.
Breach Response. Update.ai will promptly take actions relating to its Technical and Organizational Measures that it deems necessary and advisable to identify and remediate the cause of a Personal Data Breach.
General. Update.ai’s notification of or response to a Personal Data Breach will not constitute an acknowledgment of fault or liability with respect to the Personal Data Breach. The obligations in this Section 7 do not apply to Personal Data Breaches that are caused by Customer, Authorized Users, or providers of Customer Components. Except as may otherwise be required by Applicable Law (including any mandated deadlines under Data Protection Laws), if Customer decides to notify a Supervisory Authority, Data Subjects, or the public of a Personal Data Breach, Customer will make reasonable efforts to provide Update.ai with advance copies of the notice(s) and allow Update.ai an opportunity to provide any clarifications or corrections to them.
Audits
Update.ai’s Audit Reports. On Customer’s request, and subject to the confidentiality provisions of the Agreement, Update.ai will make available to Customer copies of, or extracts from, Update.ai’s audit reports related to the security of the Services, including, for example, its ISO 27001 certification, SOC 2 Type 2 report, and Consensus Assessments Initiative Questionnaire (CAIQ).
Customer’s Audit Rights. Customer may request an audit of Update.ai to verify Update.ai’s compliance with the terms of this DPA if such an audit is required by Data Protection Laws and Update.ai’s compliance cannot be demonstrated by means that are less burdensome on Update.ai (including under Section 8.1). Any audit under this section must meet the following requirements: (a) audit will be performed by an independent reputable third-party auditor subject to written confidentiality obligations; (b) Customer must provide Update.ai at least 30 days’ prior written notice of a proposed audit unless otherwise required by a competent supervisory authority or Data Protection Laws; (c) Customer may not perform more than one audit in any 12-month period, except where required by a competent supervisory authority; (d) Customer and Update.ai must mutually agree on the time, scope, and duration of the audit in advance; (e) Customer must reimburse Update.ai for its time expended in connection with an audit at Update.ai’s reasonable professional service rates, which will be made available to Customer on request; (f) Customer must ensure that its representatives performing an audit protect the confidentiality of all information obtained through the audit in accordance with the Agreement, execute an enhanced mutually agreeable nondisclosure agreement if requested by Update.ai, and abide by Update.ai’s security policies while on Update.ai’s premises; and (g) Customer must promptly disclose to Update.ai any written audit report created, and any findings of noncompliance discovered, as a result of the audit.
Impact Assessments and Prior Consultation
Taking into account the nature of the Processing and the information available to Update.ai, Update.ai will, when required by Data Protection Laws, assist Customer with its obligations related to data protection impact assessments (where related to the Services, and only to the extent that Customer does not otherwise have access to the relevant information) and prior consultation with supervisory authorities, including by providing the information outlined in Section 8.1 above.
Data Transfers
The parties acknowledge that transfers of Customer Personal Data to Update.ai that are subject to an applicable adequacy decision do not require a separate approved transfer mechanism. If a transfer of Customer Personal Data to Update.ai is not subject to an applicable adequacy decision (a “Restricted Transfer”), the Restricted Transfer is made in accordance with the following.
Transfers from the EEA. Where a Restricted Transfer is made from the EEA, the SCCs are incorporated into this DPA and apply to the transfer as follows:
(a) Module Two applies where Customer is a Controller and Update.ai is a Processor, and Module Three applies where both Customer and Update.ai are Processors;
(b) in Clause 7, the optional docking clause does not apply;
(c) in Clause 9(a) of Modules Two and Three, Option 2 applies, and the period for prior notice of Subprocessor changes is set forth in Section 4 of this DPA;
(d) in Clause 11(a), the optional language does not apply;
(e) in Clause 17, Option 1 applies with the governing law being that of Ireland;
(f) in Clause 18(b), disputes will be resolved before the courts in Dublin, Ireland;
(g) Annex I of the SCCs is completed with the information when applicable and required;
(h) Annex II of the SCCs is completed with the information in Appendix A to this DPA; and
(i) Annex III of the SCCs is completed with the information in the Subprocessors List.
Transfers from Switzerland. Where a Restricted Transfer is made from Switzerland, in relation to Personal Data that is protected by UK GDPR (as amended or replaced), the SCCs are incorporated into this DPA and apply to the transfer as modified in Section 10.1, except that:
(a) in Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
(b) references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and
(c) references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).
Transfers from the UK. Where a Restricted Transfer is made from the UK, in relation to Personal Data that is protected by the Swiss FADP (as amended or replaced), the UK Transfer Addendum is incorporated into this DPA and applies to the transfer. The UK Transfer Addendum is completed with the information in Section 10.1, the Subprocessors List, and Appendices A and B to this DPA; and both “Importer” and “Exporter” are selected in Table 4.
Specific application of the SCCs. The following terms apply to the SCCs:
(a) Customer may exercise its audit rights under the SCCs as set out in Section 8 above.
(b) Update.ai may appoint Subprocessors under the SCCs as set out in Section 4 above.
(c) With respect to Restricted Transfers made to Update.ai, Update.ai may neither participate in, nor permit any Subprocessor to participate in, any further Restricted Transfer unless the further Restricted Transfer is made in full compliance with Data Protection Laws and in accordance with applicable SCCs or an alternative legally compliant transfer mechanism.
(d) If any provision of this Section 10 is inconsistent with any terms in the SCCs, the SCCs prevail.
Limitation of Liability
Each Party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.
Conflict
In the event of a conflict or inconsistency between the Agreement and this DPA, the terms of the following documents will prevail (in order of precedence): this DPA; and then the Agreement.
Modifications
Update.ai may change this DPA where (a) the change is required to comply with an Applicable Law; or (b) the change is commercially reasonable and does not materially reduce the security of the Services and does not have a material adverse impact on Customer’s rights under this DPA.
General.
Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Main Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Main Agreement.
If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Customer agrees that clause 8.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA. This DPA is the exclusive agreement of the parties with respect to the subject matter hereof and supersedes all prior discussions and agreements between the parties with respect to such subject matter.
Definitions
Capitalized terms not otherwise defined in this DPA or the Agreement have the meanings assigned to them below.
“Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Customer Data” if not defined in the Agreement, means data submitted to the Services for Processing by or on behalf of Customer. We also refer to this as User Content.
“Customer Personal Data” means the Personal Data contained within Customer Data.
“Data Protection Laws” means data protection or privacy laws and regulations directly applicable to a Party’s Processing of Personal Data under the Agreement, which includes European Data Protection Laws and U.S. federal and state privacy laws.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“EEA” means the European Economic Area.
“European Data Protection Laws” means the GDPR; the UK GDPR; and any national data protection laws, implementing regulations, or binding decisions made under the GDPR or the UK GDPR.
“GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC.
“Personal Data” means the data which is defined as ‘personal data’, ‘personal information’, or ‘personally identifiable information’ (or analogous term) under applicable Data Protection Laws.
“Personal Data Breach” means a breach of Update.ai’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
“Process” and “Processing” mean any operation or set of operations which is performed on Personal Data, such as collection, recording, storage, a, use, disclosure by transmission, dissemination or otherwise making available.
“Processor” means the entity that Processes Personal Data on behalf of a Controller.
“SCCs” means the standard contractual clauses for international transfers annexed to the European Commission’s commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable.
“Subprocessor” means any Processor engaged by Update.ai or an Update.ai Affiliate to Process Customer Personal Data on Update.ai’s or its Affiliate’s behalf while providing the Services.
“UK” means the United Kingdom.
“UK GDPR” means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
“UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office.
Appendix A – Technical and Organizational Measures
As of the date of this DPA, Update.ai’s technical and organizational measures can be found at: https://security.update.ai/
Appendix B – CCPA Terms
These CCPA Terms apply when the California Consumer Privacy Act of 2018, Cal. Civ. Code §§1798.100–1798.199.100, as amended, and the CCPA regulations, Cal. Code Regs. §§7000–7304 (together, the “CCPA”) apply to Customer’s use of the Services to process the Personal Information contained in Customer Data (“Covered Information”). For the purpose of these CCPA Terms, the terms “Commercial Purpose”, “Consumer”, “Personal Information”, “Sell”, “Service Provider”, and “Share” have the meanings given to them in the CCPA.
Update.ai’s Obligations. To the extent that Update.ai is processing Personal Data on behalf of the Customer within the scope of the CCPA, Update.ai makes the following additional commitments to Customer: Update.ai will not retain, use, or disclose that Personal Data for any purposes other than the purposes set out in the Agreement and this DPA and as permitted under the CCPA, including under any “sale” exemption. Update.ai will not “sell” or “share” such Personal Data, as those terms are defined in the CCPA. This clause 3.2 does not limit or reduce any data protection commitments Update.ai makes to Customer in the Agreement.
Customer’s Obligations and Rights. Customer may (a) only disclose Covered Information to Update.ai for the limited purpose of using the Services in accordance with the Agreement; (b) audit Update.ai’s compliance with its obligations under these CCPA terms by requesting and reviewing (i) copies of or extracts from Update.ai’s audit reports related to the security of the Services, or (ii) other information Update.ai deems is reasonably necessary to demonstrate Update.ai’s compliance; and (c) upon notice to Update.ai, take reasonable and appropriate steps to stop and remediate any unauthorized use of Covered Information by Update.ai.
(a) in Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
(b) references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and
(c) references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).
Transfers from the UK. Where a Restricted Transfer is made from the UK, in relation to Personal Data that is protected by the Swiss FADP (as amended or replaced), the UK Transfer Addendum is incorporated into this DPA and applies to the transfer. The UK Transfer Addendum is completed with the information in Section 10.1, the Subprocessors List, and Appendices A and B to this DPA; and both “Importer” and “Exporter” are selected in Table 4.
Specific application of the SCCs. The following terms apply to the SCCs:
(a) Customer may exercise its audit rights under the SCCs as set out in Section 8 above.
(b) Update.ai may appoint Subprocessors under the SCCs as set out in Section 4 above.
(c) With respect to Restricted Transfers made to Update.ai, Update.ai may neither participate in, nor permit any Subprocessor to participate in, any further Restricted Transfer unless the further Restricted Transfer is made in full compliance with Data Protection Laws and in accordance with applicable SCCs or an alternative legally compliant transfer mechanism.
(d) If any provision of this Section 10 is inconsistent with any terms in the SCCs, the SCCs prevail.
Limitation of Liability
Each Party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.
Conflict
In the event of a conflict or inconsistency between the Agreement and this DPA, the terms of the following documents will prevail (in order of precedence): this DPA; and then the Agreement.
Modifications
Update.ai may change this DPA where (a) the change is required to comply with an Applicable Law; or (b) the change is commercially reasonable and does not materially reduce the security of the Services and does not have a material adverse impact on Customer’s rights under this DPA.
General.
Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Main Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Main Agreement.
If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Customer agrees that clause 8.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA. This DPA is the exclusive agreement of the parties with respect to the subject matter hereof and supersedes all prior discussions and agreements between the parties with respect to such subject matter.
Definitions
Capitalized terms not otherwise defined in this DPA or the Agreement have the meanings assigned to them below.
“Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Customer Data” if not defined in the Agreement, means data submitted to the Services for Processing by or on behalf of Customer. We also refer to this as User Content.
“Customer Personal Data” means the Personal Data contained within Customer Data.
“Data Protection Laws” means data protection or privacy laws and regulations directly applicable to a Party’s Processing of Personal Data under the Agreement, which includes European Data Protection Laws and U.S. federal and state privacy laws.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“EEA” means the European Economic Area.
“European Data Protection Laws” means the GDPR; the UK GDPR; and any national data protection laws, implementing regulations, or binding decisions made under the GDPR or the UK GDPR.
“GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC.
“Personal Data” means the data which is defined as ‘personal data’, ‘personal information’, or ‘personally identifiable information’ (or analogous term) under applicable Data Protection Laws.
“Personal Data Breach” means a breach of Update.ai’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
“Process” and “Processing” mean any operation or set of operations which is performed on Personal Data, such as collection, recording, storage, a, use, disclosure by transmission, dissemination or otherwise making available.
“Processor” means the entity that Processes Personal Data on behalf of a Controller.
“SCCs” means the standard contractual clauses for international transfers annexed to the European Commission’s commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable.
“Subprocessor” means any Processor engaged by Update.ai or an Update.ai Affiliate to Process Customer Personal Data on Update.ai’s or its Affiliate’s behalf while providing the Services.
“UK” means the United Kingdom.
“UK GDPR” means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
“UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office.
Appendix A – Technical and Organizational Measures
As of the date of this DPA, Update.ai’s technical and organizational measures can be found at: https://security.update.ai/
Appendix B – CCPA Terms
These CCPA Terms apply when the California Consumer Privacy Act of 2018, Cal. Civ. Code §§1798.100–1798.199.100, as amended, and the CCPA regulations, Cal. Code Regs. §§7000–7304 (together, the “CCPA”) apply to Customer’s use of the Services to process the Personal Information contained in Customer Data (“Covered Information”). For the purpose of these CCPA Terms, the terms “Commercial Purpose”, “Consumer”, “Personal Information”, “Sell”, “Service Provider”, and “Share” have the meanings given to them in the CCPA.
Update.ai’s Obligations. To the extent that Update.ai is processing Personal Data on behalf of the Customer within the scope of the CCPA, Update.ai makes the following additional commitments to Customer: Update.ai will not retain, use, or disclose that Personal Data for any purposes other than the purposes set out in the Agreement and this DPA and as permitted under the CCPA, including under any “sale” exemption. Update.ai will not “sell” or “share” such Personal Data, as those terms are defined in the CCPA. This clause 3.2 does not limit or reduce any data protection commitments Update.ai makes to Customer in the Agreement.
Customer’s Obligations and Rights. Customer may (a) only disclose Covered Information to Update.ai for the limited purpose of using the Services in accordance with the Agreement; (b) audit Update.ai’s compliance with its obligations under these CCPA terms by requesting and reviewing (i) copies of or extracts from Update.ai’s audit reports related to the security of the Services, or (ii) other information Update.ai deems is reasonably necessary to demonstrate Update.ai’s compliance; and (c) upon notice to Update.ai, take reasonable and appropriate steps to stop and remediate any unauthorized use of Covered Information by Update.ai.