Data Processing Agreement
Augmentt Technologies Inc. Data Processing Addendum
1. Relationship with the Agreement
This Data Processing Addendum (this “DPA”) is part of the Agreement between Company (defined in the signature block below) and Augmentt Technologies Inc. (“Augmentt”). Augmentt Technologies Inc. and Company are individually a “party” and, collectively, the “parties.”
This DPA applies only to the extent that Augmentt Technologies Inc. receives, stores, or Processes Personal Data in connection with the Services. Schedule 1 describes the Processing activities in-scope of this DPA.
The parties agree that this DPA will replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict.
Any claims brought under or in connection with this DPA will be subject to the Agreement.
Company further agrees that any regulatory penalties incurred by Augmentt Technologies Inc. in relation to the Company Data that arise as a result of, or in connection with, Company’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws will count toward and reduce Augmentt Technologies Inc.’s liability under the Agreement as if it were liability to the Company under the Agreement.
No one other than a party to this DPA, its successors and permitted assignees will have any right to enforce any of its terms (except to the extent that individuals are able to enforce their rights through an International Data Transfer Mechanism).
This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by an International Data Transfer Mechanism or applicable Data Protection Laws.
In the event of a conflict between this DPA and the Agreement, the DPA will control to the extent necessary to resolve the conflict. In the event the parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will control.
Augmentt Technologies Inc. may be required to update this DPA to comply with applicable law, and in such case Augmentt Technologies Inc. will provide reasonable notice of any such updates.
The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
The following terms have the definitions given to them in the CCPA: “Business,” “Sale,” “Service Provider,” and “Third Party.”
“Agreement” means the agreement(s) entered into between the parties, which govern the provision of the Services to Company.
“Company Data” means any Personal Data that Augmentt Technologies Inc. Processes on behalf of Company as a Processor in the course of providing Services.
“Consent” means a Data Subject’s freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data. “Controller” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Business” or “Third Party,” as context requires.
“Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including Regulation 2016/679 (General Data Protection Regulation) (“GDPR”), and Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”), and The Personal Information and Electronic Documents Act (PIPEDA).
“Data Subject” means an identified or identifiable natural person.
“De-identified Data” means a data set that does not contain any Personal Data. Aggregated data is De-identified Data. To “De-identify” means to create De-identified Data from Personal Data.
“EEA” means the European Economic Area.
“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject. “Personal Data” includes equivalent terms in Data Protection Law, such as the CCPA-defined term “Personal Information,” as context requires.
“Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Data.
“Process” or “Processing” means any operation or set of operations that a party performs on Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Service Provider,” as context requires.
“Sensitive Data” means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health, including protected health information governed by the Health Insurance Portability and Accountability Act; data concerning a natural person’s sex life or sexual orientation; government identification numbers (e.g., SSNs, driver’s license); payment card information; nonpublic personal information governed by the Gramm Leach Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a data subject’s account; and precise geolocation.
“Services” means any product or service provided by Augmentt Technologies Inc. to Company pursuant to the Agreement.
“Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Subprocessor” means a Processor engaged by a party who is acting as a Processor.
3. Description of the Parties’ Personal Data Processing Activities and Statuses of the Parties
Schedule 1 describes the purposes of the parties’ Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.
Schedule 1 lists the parties’ statuses under relevant Data Protection Law.
4. International Data Transfer
Some jurisdictions require that an entity transferring Personal Data to, or accessing Personal Data from, a foreign jurisdiction take extra measures to ensure that the Personal Data has special protections (an “International Data Transfer Mechanism”). The parties will comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law, including the Standard Contractual Clauses. Before either party transfers to the other party or permits the other party to access Personal Data located in a jurisdiction that requires an International Data Transfer Mechanism, the transferring party will notify the other party of the relevant requirement and the parties will work together in good faith to fulfill the requirements of that International Data Transfer Mechanism.
If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties will work together in good faith to find a suitable alternative.
With respect to Personal Data of Data Subjects located in the EEA, Switzerland, or the United Kingdom that Company transfers to Augmentt Technologies Inc. or permits Augmentt Technologies Inc. to access, the parties agree that by executing this DPA they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this DPA. The parties agree that, with respect to the elements of the Standard Contractual Clauses that require the parties’ input, Schedules 1 and 2 contain the relevant information. The parties agree that, for Personal Data of Data Subjects in the United Kingdom and Switzerland, they adopt the modifications to the Standard Contractual Clauses listed in Schedule 1 to adapt the Standard Contractual Clauses to United Kingdom or Swiss law, as applicable.
5. Data Protection Generally
Compliance. The parties will comply with their respective obligations under Data Protection Law and their privacy notices.
Company Processing of Personal Data. Company represents and warrants that it has the Consent or other lawful basis necessary to collect and disclose Personal Data to Augmentt Technologies Inc. in connection with the Services.
Data Subject Requests.
Facilitation of Responses. The Services provide Company with a number of controls that Company may use to retrieve, correct, delete, or restrict Company Data, which Company may use to assist it in connection with its obligations under Data Protection Law, including its obligations relating to responding to requests from individuals or applicable data protection authorities. To the extent that Company is unable to independently access the relevant Company Data within the Services, Augmentt Technologies Inc. will (at Company’s expense) provide reasonable cooperation to assist Company to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Company Data under the Agreement.
Requests Received by Augmentt Technologies Inc. Should Augmentt Technologies Inc. receive any requests from individuals to exercise their rights, Augmentt Technologies Inc. will notify the individual of the need to submit the request directly to Company, and will promptly notify Company of the request, unless Augmentt Technologies Inc. is legally prohibited from providing such notification.
Governmental and Investigatory Requests. If a governmental authority (e.g., the Federal Trade Commission, the Attorney General of a U.S. state, or a European data protection authority) sends Augmentt Technologies Inc. a demand for Company Data (for example, through a subpoena or court order), Augmentt Technologies Inc. will attempt to redirect the law enforcement agency to request that data directly from Company. As part of this effort, Augmentt Technologies Inc. may provide Company’s basic contact information to the governmental authority. If compelled to disclose Company Data to a governmental authority, then Augmentt Technologies Inc. will give Company reasonable notice of the demand to allow Company to seek a protective order or other appropriate remedy unless Augmentt Technologies Inc. is legally prohibited from doing so.
Other Requirements of Data Protection Law. Upon request, the parties will provide relevant information to each other to fulfill their respective obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.
Confidentiality. The parties will ensure that their employees, independent contractors, and agents are subject to an obligation to keep Personal Data confidential.
6. Data Security
Security Controls. Augmentt Technologies Inc. will implement and maintain appropriate technical and organizational security measures to protect Company Data from Personal Data Breaches and to preserve the security and confidentiality of the Company Data, in accordance with Augmentt Technologies Inc.’s security standards described in this DPA and at https://augmenttstage.wpengine.com/security-privacy-compliance (“Security Measures”).
Updates to Security Measures. Company is responsible for reviewing the information made available by Augmentt Technologies Inc. relating to data security and making an independent determination as to whether the Services meet Company’s requirements and legal obligations under Data Protection Laws. Company acknowledges that the Security Measures are subject to technical progress and development and that Augmentt Technologies Inc. may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Company.
Company Responsibilities. Notwithstanding the above, Company agrees that except as provided by this DPA, Company is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Company Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Company Data uploaded to the Services.
7. Augmentt Technologies Inc.’s Obligations as a Processor or Subprocessor
Augmentt Technologies Inc. will have the obligations set forth in this Section 7 if it Processes Personal Data in its capacity as Company’s Processor; for clarity, these obligations do not apply to Augmentt Technologies Inc. in its capacity as a Controller, Business, or Third Party.
Scope of Processing. Augmentt Technologies Inc. will Process Company Data only for the purposes described in this DPA and only in accordance with Company’s documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Company’s complete and final instructions to Augmentt Technologies Inc. in relation to the Processing of Company Data under the Agreement and Processing outside the scope of these instructions (if any) will require prior written agreement between Company and Augmentt Technologies Inc. Augmentt Technologies Inc. is prohibited from: (i) Selling Company Data; (ii) retaining, using, or disclosing Company Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement, including retaining, using, or disclosing the Company Data for a commercial purpose other than providing the Services specified in the Agreement; or (iii) retaining, using, or disclosing the Company Data outside of the direct business relationship between Company and Augmentt Technologies Inc. Augmentt Technologies Inc. will promptly inform Company if following Company’s instructions would result in a violation of Data Protection Law or where Augmentt Technologies Inc. must disclose Company Data in response to a legal obligation, unless the legal obligation prohibits Augmentt Technologies Inc. from making such disclosure. Notwithstanding anything to the contrary in this Section , Augmentt Technologies Inc. may Process Company Data as necessary to detect data security incidents or protect against fraudulent or illegal activity and to build or improve the quality of its products and services, provided that in the course of these activities Augmentt Technologies Inc. will not (i) permit any third party (other than Augmentt Technologies Inc.’s service providers or except as instructed by Company) to access Company Data or (ii) use the Company Data to modify or add to Personal Information it collected from a source that is not Company. By signing this Addendum, Augmentt Technologies Inc. certifies that it understands and will comply with the obligations herein.
Data Subjects’ Requests to Exercise Rights. Augmentt Technologies Inc. will promptly inform Company if Augmentt Technologies Inc. receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. Company will be responsible for responding to such requests. Augmentt Technologies Inc. will not respond to such Data Subjects except to acknowledge their requests. Augmentt Technologies Inc. will provide Company with commercially reasonable assistance, upon request, to help Company to respond to a Data Subject’s request.
Augmentt Technologies Inc.’s Subprocessors.
Existing Subprocessors. Company agrees that Augmentt Technologies Inc. may use the Subprocessors listed at Schedule 1.
Use of Subprocessors. Company grants Augmentt Technologies Inc. general authorization to engage Subprocessors if Augmentt Technologies Inc. and those Subprocessors enter into an agreement that requires the Subprocessor to meet obligations that are no less protective than this DPA.
Notification of Additions or Changes to Subprocessors. Augmentt Technologies Inc. will (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from Company at https://augmenttstage.wpengine.com/sub-processors and (ii) notify Company (for which email will suffice) if it adds or changes Subprocessors at least ten (10) calendar days prior to any such changes. Company may object in writing to Augmentt Technologies Inc.’s appointment of a new or changed Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Company may suspend or terminate the Agreement (without prejudice to any fees incurred by Company prior to suspension or termination).
Liability for Subprocessors. Augmentt Technologies Inc. will be liable for the acts or omissions of its Subprocessors to the same extent as Augmentt Technologies Inc. would be liable if performing the services of the Subprocessor directly under the DPA, except as otherwise set forth in the Agreement.
Personal Data Breach. Augmentt Technologies Inc. will notify Company without undue delay of a Personal Data Breach affecting Personal Data Augmentt Technologies Inc. processes in connection with the Services. Upon request, Augmentt Technologies Inc. will provide information to Company about the Personal Data Breach to the extent necessary for Company to fulfill any obligations it has to investigate or notify authorities, except that Augmentt Technologies Inc. reserves the right to redact information that is confidential or competitively sensitive. Company agrees that email notification of a Personal Data Breach is sufficient and Company will notify Augmentt Technologies Inc. if it changes its contact information. Company agrees that Augmentt Technologies Inc. may not notify Company of security-related events that do not result in a Personal Data Breach or affect Personal Data Augmentt Technologies Inc. Processes in connection with the Services.
Deletion and Return of Personal Data. Upon termination or expiration of the Agreement, Augmentt Technologies Inc. will (at Company’s election) delete (after providing Company the ability to download, pursuant to the Agreement) all Company Data (including copies) in its possession or control, save that this requirement will not apply to the extent Augmentt Technologies Inc. is required by applicable law to retain some or all of the Company Data, which Company Data Augmentt Technologies Inc. will securely isolate and protect from any further Processing, except to the extent required by applicable law.
Compliance Verification. Upon reasonable request, Augmentt Technologies Inc. will verify its compliance with this DPA, provided that Company will not exercise this right more than once per year.
Schedule 1
Description of the Processing and Subprocessors
Augmentt Technologies Inc. uses the Subprocessors listed here: https://augmentt.com/sub-processors.
Company authorizes Augmentt Technologies Inc. to use these Subprocessors consistent with Section 7.4.
Information for International Transfers
Frequency of Transfer:
Continuous for all Personal Data.
Augmentt Technologies Inc. retains Personal Data it collects as a Controller for as long as Augmentt Technologies Inc. has a business purpose for it or for the longest time allowable by applicable law.
Augmentt Technologies Inc. retains Personal Data it collects or receives from Company as a Processor for the duration of the Agreement and consistent with its obligations in this DPA.
Standard Contractual Clauses
Clause 7: The parties do not permit docking.
Clause 9, Module 2(a): The parties select Option 2. The time period is 5 days.
Clause 9, Module 3(a): The parties select Option 2. The time period is 5 days.
Clause 11(a): The parties do not select the independent dispute resolution option.
Clause 17: The parties agree that the governing jurisdiction is the Member State in which the data exporter is established.
Clause 18: For Modules 1-3, the parties agree that the forum is the Member State in which the data exporter is established.
Annex I(A): The data exporter is Company. The data importer is Augmentt Technologies Inc. Contact details for the parties are part of the Agreement.
Annex I(B): The parties agree that Schedule 1 describes the transfer.
Annex I(C): The competent supervisory authority is the supervisory authority that has primary jurisdiction over the data exporter.
Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer.
Schedule 2: Technical and Organizational Security Measures
Augmentt Technologies Inc. implements the security measures described here: https://augmentt.com/security-privacy-compliance/.