Data Processing Addendum

Data Processing Addendum
‍This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Streamkap, Inc. (“Streamkap”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

‍1. Definitions
‍
‍1.1. In this DPA:

a. “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including European Data Protection Law and the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party.

b. “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other privacy and data protection laws of the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”) and all laws implementing or supplementing the foregoing.

c. “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Streamkap may Process on Customer’s behalf in performing the services under the Agreement.

d. “Processing” (including its cognate "Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.e. “Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.

f. “Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), and (ii) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).1.2 Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

‍2. Scope and Roles

‍2.1 The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.
‍
2.2 Streamkap agrees that it will Process Personal Data only in accordance with the Agreement and this DPA. To the extent applicable, Streamkap will Process Personal Data as a “processor” or “service provider” as such terms are defined under applicable Data Protection Law.

‍3. Data Protection
‍
‍3.1 When Streamkap Processes Personal Data, it will:a. Process the Personal Data in accordance with Customer's documented instructions as described in the Agreement or this DPA. Streamkap will notify Customer if it considers that an instruction from Customer is in breach of Data Protection Law, unless it is prohibited from doing so by law on important grounds of public interest;
b. assist Customer, taking into account the nature of the Processing and the information available to Streamkap, in complying with Customer's obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law;
c. implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law;
d. only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; ande. upon termination of the Agreement, as instructed by Customer, to the extent that Streamkap retains Personal Data, permit Customer to delete or obtain copies of such Personal Data consistent with the functionality of the Services and applicable law.
‍
3.2 Streamkap certifies that it will not (a) “sell” (as defined in Data Protection Law) the Personal Data; (b) retain, use, or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement.

‍4. Customer Responsibilities

‍4.1 Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Streamkap to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Streamkap; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

‍5. Subprocessing

‍5.1 Subcontracting. Customer agrees that Streamkap hosts the Service on Amazon Web Services and its affiliates as subcontractors to fulfill its contractual obligations under this DPA. Subject to the remainder of this clause 6, Customer permits Streamkap to appoint subcontractors to the extent required to fulfill its obligations under the Agreement.

5.2 Subcontractor Obligations. In the event that Streamkap authorizes any subcontractor to process the Customer Data, (i) Streamkap shall restrict the subcontractor’s access to Customer Data only to the extent necessary to provide the Service and not for any other purpose; (ii) Streamkap shall impose appropriate contractual obligations upon the subcontractor, including relevant contractual obligations regarding confidentiality, data protection, data security, and audit rights; and (iii) Streamkap remains responsible for its compliance with the DPA and for any acts or omissions of the subcontractor that cause Streamkap to breach any of Streamkap’s obligations under this DPA.

5.3 Objection Right to New Sub-Processors. Streamkap will maintain a list of sub-processors and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data. If the Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Streamkap of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If Streamkap is able to provide the Services to the Customer in accordance with the Agreement without using the sub-processor and decides in its discretion to do so, then the Customer will have no further rights under this Section in respect of the proposed use of the sub-processor. If Streamkap requires to use the sub-processor and is unable to satisfy the Customer (acting reasonably) as to the suitability of the sub-processor or the documentation and protections in place between Streamkap and the sub-processor within sixty (60) days from the Customer’s notification of objections, the Customer may within thirty (30) days of the end of the sixty-day period referred to above terminate the Agreement only in relation to the Services to which the proposed new sub-processor’s processing of Personal Data relates or would relate by providing written notice to Streamkap having effect thirty (30) days after receipt by Streamkap. Streamkap will refund to the Customer any prepaid fees covering the remainder of the term of the Agreement following the date of termination.

‍6. Restricted Data Transfers

‍6.1 In the event that Customer is subject to European Data Protection Law and the transfer of Personal Data to Streamkap would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the “data exporter” and Streamkap as the “data importer.” 6.2 The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the court in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1, 2 and 3 to the Standard Contractual Clauses are Paragraph 3, 4, and 5 of this DPA respectively. To the extent required by Data Protection Law in the UK, Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like its equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 of the UK Addendum is the importer.

‍7. Assistance and Notifications

‍7.1 Upon Customer’s request, Streamkap will provide Customer with reasonable cooperation and assistance to the extent required to fulfill Customer’s obligation under European Data Protection Law to:a. reply to investigations and inquiries from data protection regulators; and b. carry out a data protection impact assessment related to the services, where Client does not otherwise have access to the relevant information necessary to perform such assessment. 7.2 Unless prohibited by Data Protection Law, Streamkap must inform Customer without undue delay if Streamkap: a. receives a request, complaint or other inquiry regarding the Processing of Personal Data; b. receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body; c. is subject to a legal obligation that requires Streamkap to Process Personal Data in contravention of Customer’s instructions; ord. is otherwise unable to comply with Data Protection Law or this DPA. 7.3 Upon becoming aware of a Security Incident, Streamkap will inform Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under applicable Data Protection Law.

‍8. Audit

‍8.1 Streamkap will make available to Customer at Customer’s request information which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer.

8.2 To the extent Streamkap makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, Customer agrees to accept such Audit Report, subject to confidentiality requirements, in satisfaction of its audit right; however, if Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Streamkap to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Streamkap customers or suppliers, Streamkap's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Streamkap’s normal business activities.

‍9. General

‍9.1 If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.

9.2 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

9.3 Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.

9.4 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

‍ANNEX I

A. LIST OF PARTIESCustomer is the controller and the data exporter and Streamkap is the processor and the data importer.

‍B. DESCRIPTION OF TRANSFER

Subject Matter
‍Streamkap’s provision of the services to Customer.

‍Duration of the Processing
‍Personal Data will be retained only transiently or for a short duration to transmit the Personal Data from Customer’s chosen source to Customer’s chosen destination. Streamkap will process Customer Personal Data for the purposes of providing the services to Customer under the agreement.

‍Frequency of the Processing
‍As and when the services are used.

‍Categories of Data
Any Personal Data selected by Customer in connection with Customer’s use of the services.

‍Special Categories of Data Processed
‍The services are not intended to Process special categories of data.

‍Data Subjects
‍Any data subjects of the Personal Data selected by Customer.

‍Nature and Purpose of the Processing ‍

‍C. COMPETENT SUPERVISORY AUTHORITY

‍The competent supervisory authority is the Irish Data Protection Commission.

‍ANNEX II
‍
‍Streamkap shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.

‍Physical access control

‍Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-keys procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) Securing decentralized data Processing equipment and personal computers.

‍Virtual access control

‍Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts; (e) creation of one master record per user, user-master data procedures per data Processing environment; and (f) encryption of archived data media.

‍Data access control

‍Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

‍Disclosure control

‍Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.

‍Entry control

‍Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data Processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.

‍Control of instructions

‍Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.

‍Availability control

‍Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) mirroring of hard disks (e.g. RAID technology); (c) uninterruptible power supply (UPS); (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.

‍Separation control

‍Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) separation of databases; (b) “internal Customer” concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion, transmission of data for different purposes.‍

Last Updated: August 14, 2023.

This Data Processing Addendum (“DPA”) forms part of the Subscription Agreement available at https://streamkap.com/terms (collectively, the “Agreement”) between the parties under which Streamkap will provide certain services (collectively, the “Services”) to Customer. This DPA consists of the main body and Schedules 1, 2, 3, and 4.

To complete this DPA, the Parties must sign and date in the provided signature region of the main body of this DPA and Schedules 1 and 2. Execution of this DPA by Customer shall be deemed to constitute signature and acceptance by Customer of the Standard Contractual Clauses (defined hereinafter) and their Appendices, which are incorporated herein by reference herein in their entirety. If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. If the Customer entity signing the DPA is not a party to an Order Form nor an Agreement directly with Streamkap, but is instead a customer indirectly via an authorized reseller of Streamkap services, this DPA is not valid and is not legally binding. Such an entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.

‍

HOW TO EXECUTE THIS DPA

‍

This DPA consists of two parts: the main body of the DPA, and Schedules 1 – 4.
This DPA has been pre-signed on behalf of Streamkap. Schedule 2 has been pre-signed by Streamkap, Inc. as the data importer.
To complete this DPA, Customer must:

3.1 Complete the information in the signature box of this DPA and sign this DPA.
3.2 Send the signed DPA to Streamkap by email to privacy@streamkap.com

Except as otherwise expressly provided in the Agreement, this DPA will become legally binding upon receipt by Streamkap of the validly completed DPA at the above email address. For the avoidance of doubt, signature of this DPA shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2. Where Customer wishes to separately execute the Standard Contractual Clauses and its Appendix, Customer should also complete the information as the data exporter and sign Schedule 2.

‍

1. Definitions

For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.

1.1. Authorized Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
1.2. Applicable Data Protection Laws means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws and the CCPA.
1.3. CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
1.4. EEA means the European Economic Area.
1.5. European Data Protection Laws means the GDPR and other data protection laws and regulations of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent applicable to the Processing of Personal Data under the Agreement.
1.6. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.
1.7. Information Security Incident means a breach of Streamkap’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Streamkap’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.8. Personal Data means Customer Content that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, except that Personal Data does not include such information pertaining to Customer’s personnel or representatives who are business contacts of Streamkap, where Streamkap acts as a controller of such information.
1.9. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.10 Security Measures has the meaning given in Section 4(a) (Streamkap’s Security Measures).
1.11 Standard Contractual Clauses means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
1.12 Subprocessors means third parties that Streamkap engages to Process Personal Data in relation to the Services.
1.13 The terms controller, data subject, processor and supervisory authority as used in this DPA have the meanings given in the GDPR.

2. Duration and Scope of DPA

2.1. This DPA will remain in effect so long as Streamkap Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
2.2 Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws. Schedule 3 to this DPA applies solely to Processing subject to the CCPA to the extent Customer is a “business” (as defined in CCPA) with respect to such Processing.

3. Customer Instructions

Streamkap will Process Personal Data only in accordance with Customer’s instructions to Streamkap. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Streamkap only pursuant to an amendment to this DPA signed by both parties. Customer instructs Streamkap to Process Personal Data to provide the Services and as authorized by the Agreement.

4. Security

4.1 Streamkap Security Measures. Streamkap will implement and maintain administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data, prevent Information Security Incidents (the “Security Measures”). The Security Measures shall at a minimum include the measures described in Schedule 4 and any other measures required by Applicable Data Protection Laws. Streamkap may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
4.2 Information Security Incidents. Streamkap will notify Customer without undue delay of any Information Security Incident of which Streamkap becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Streamkap recommends the Customer take to address the Information Security Incident. Streamkap’s notification of or response to an Information Security Incident will not be construed as Streamkap’s acknowledgement of any fault or liability with respect to the Information Security Incident.
4.3. Reviews and Audits of Compliance
4.4 Customer may audit Streamkap’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including if mandated by Customer’s supervisory authority. Streamkap will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Streamkap may object to the auditor if the auditor is, in Streamkap’s reasonable opinion, not independent, a competitor of Streamkap, or otherwise manifestly unsuitable. Such objection by Streamkap will require the Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Streamkap at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Streamkap will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Streamkap security, privacy, employment or other relevant policies). Streamkap will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2(b) shall require Streamkap to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Streamkap has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Streamkap’s safety, security or other relevant policies, and may not unreasonably interfere with Streamkap business activities. Customer will promptly notify Streamkap of any non-compliance discovered during the course of an audit and provide Streamkap any audit reports generated in connection with any audit under this Section 2(b), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Streamkap for any time expended by Streamkap and any third parties in connection with any audits or inspections under this Section 2(b) at Streamkap’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
4.5 Impact Assessments and Consultations
4.6 Streamkap will (taking into account the nature of the Processing and the information available to Streamkap) reasonably assist Customer in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of Streamkap’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA.
4.7. Customer’s Responsibilities 4.7.1. Customer Obligations. Without limitation of Customer’s obligations under the Agreement, Customer (a) agrees that Customer is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Customer uses to access the Services, (3) securing Customer’s systems and devices that Streamkap uses to provide the Services, and (4) backing up Personal Data; (b) shall comply with its obligations under Applicable Data Protection Laws; and (c) shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Customer has given all notices to, and has obtained all such notices from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Streamkap to Process Personal Data as contemplated by the Agreement. (d) Customer shall comply with its obligations under Applicable Data Protection Laws. 4.7.2. Prohibited Data. Customer represents and warrants to Streamkap that Customer Data does not and will not, without Streamkap’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).

‍

5. Data Subject Rights

5.1. Data Subject Request Assistance. Streamkap will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Streamkap’s possession or control. Customer shall compensate Streamkap for any such assistance at Streamkap’s then-current professional services rates, which shall be made available to Customer upon request.
5.2. Customer’s Responsibility for Requests. If Streamkap receives a Data Subject Request, Streamkap will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request.

‍

6. Europe Specific Provisions.

6.1. Definitions. For the purposes of this section 12 and Schedule 1 these terms shall be defined as follows:
6.2. "EU C-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
6.3. "EU P-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
6.4. GDPR. Streamkap will Process Personal Data in accordance with the GDPR requirements directly applicable to Streamkap’s provision of its Services.
6.5. Customer Instructions. Streamkap shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if Streamkap is unable to follow Customer’s instructions for the Processing of Personal Data.
6.6. Transfer mechanisms for data transfers. If, in the performance of the Services, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the European Data Protection Laws: 6.4.1. The EU C-to-P Transfer Clauses. Where Customer and/or its Authorized Affiliate is a Controller and a data exporter of Personal Data and Streamkap is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Schedule 1; and/or 6.4.2. The EU P-to-P Transfer Clauses. Where Customer and/or its Authorized Affiliate is a Processor acting on behalf of a Controller and a data exporter of Personal Data and Streamkap is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in Schedule 1.
‍
6.7. Impact of local laws. As of the Effective Date, Streamkap has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data as set forth in the Infrastructure and Subprocessors Documentation, including any requirements to disclose Personal Data or measures authorizing access by a Public Authority, prevent Streamkap from fulfilling its obligations under this DPA. If Streamkap reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, Streamkap shall use reasonable efforts to make available to the affected Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Customer. If Streamkap is unable to make available such change promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by Streamkap in accordance with the Local Laws by providing written notice in accordance with the “Notices” section of the Agreement. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

‍

7. Subprocessors

7.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of Streamkap’s Affiliates as Subprocessors and generally authorizes the engagement of other third parties as Subprocessors (“Subprocessors”).
7.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: https://trust.streamkap.com (as may be updated by Streamkap from time to time) or such other website address as Streamkap may provide to Customer from time to time (the “Subprocessor Site”).
7.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Streamkap will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Streamkap shall be liable for all obligations under the Agreement subcontracted to, the Subprocessor or its actions and omissions related thereto.
7.4 Opportunity to Object to Subprocessor Changes. When Streamkap engages any new Third Party Subprocessor after the effective date of the Agreement, Streamkap will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means. If Customer objects to such engagement in a written notice to Streamkap within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Streamkap will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Streamkap and pay Streamkap for all amounts due and owing under the Agreement as of the date of such termination.

‍

8. Miscellaneous

Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Streamkap’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Streamkap to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Streamkap’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.

‍

SCHEDULE 1

‍

TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS

For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and Streamkap is the data importer and the parties agree to the following. If and to the extent an Authorized Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to ‘Customer’ in this Schedule include such Authorized Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.

‍

STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses are set out in Schedule 2.
‍
Docking clause. The option under clause 7 shall not apply.
Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Streamkap for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.
Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Streamkap to Customer only upon Customer's written request.
Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 4.3 of this DPA.
General authorization for use of Subprocessors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Streamkap has Customer’s general authorization to engage Subprocessors in accordance with section 7 of this DPA. Streamkap shall make available to Customer the current list of Subprocessors in accordance with section 7 of this DPA. Where Streamkap enters into the EU P-to-P Transfer Clauses with a Subprocessor in connection with the provision of the Services, Customer hereby grants Streamkap and Streamkap’s Affiliates authority to provide a general authorization on Controller's behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors.
Notification of New Subprocessors and Objection Right for new Subprocessors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Streamkap may engage new Subprocessors as described in section 7 of this DPA. Streamkap shall inform Customer of any changes to Subprocessors following the procedure provided for in section 7 of this DPA.
Complaints - Redress. Streamkap shall inform Customer if it receives a Data Subject Request with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. Streamkap shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.
Liability. Streamkap's liability under clause 12(b) shall be limited to any damage caused by its Processing where Streamkap has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.
Supervision. Clause 13 shall apply as follows: 1.10.1. Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority. 1.10.2. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority. 1.10.3. Where Customer is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as competent supervisory authority. 1.10.4. Where Customer is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.
Notification of Government Access Requests. For the purposes of clause 15(1)(a), Streamkap shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Applicable Data Protection Laws of the United Kingdom (“UK Data Protection Laws”) or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

‍

ADDITIONAL TERMS FOR THE EU P-TO-P TRANSFER CLAUSES For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree the following.

Instructions and notifications. For the purposes 8.1(a), Customer hereby informs Streamkap that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to Streamkap for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from Streamkap to the relevant Controller where appropriate.
Security of Processing. For the purposes of clause 8.6(c) and (d), Streamkap shall provide notification of a personal data breach concerning Personal Data Processed by Streamkap to Customer.
Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to Streamkap by Customer. If Streamkap receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, Streamkap shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed), but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.

‍

SCHEDULE 2

‍

DESCRIPTION OF PERSONAL DATA PROCESSING

‍

This Schedule forms part of the Standard Contractual Clauses and must be completed and signed by the parties. As evidenced by the signature of each party’s authorized representative below, the data Processing activities carried out by Streamkap under the Agreement may be described as follows:

Subject Matter
The parties acknowledge and agree that the subject matter of the Processing is data importer’s provision of the Services to data exporter as fully described in this DPA and/or the Agreement.
Duration
The duration of the Processing of Customer Personal Data is for the Term or until the disposal of all Personal Data, whichever is later.
Nature and Purpose
The nature and purpose of the Processing of Personal Data is for data importer’s provision of the Services to data exporter.
Data Categories
Categories of personal data are identification and contact data (for example, name, address, title, contact details), employment details (for example, employer, job title, geographic location and area of responsibility), and IT information (for example, IP addresses, usage data, cookies data, device specific information, connection data and location data) of the data subjects.
Special Data Categories
Data exporter is prohibited from providing data importer with sensitive personal information (such as financial, medical or other sensitive personal information such as government IDs, passport numbers or social security numbers), and data importer has no obligation to comply with the DPA with respect to such data.
Data Subjects
The employees of data exporter.

‍

SCHEDULE 3

‍

CALIFORNIA SCHEDULE

For purposes of this Schedule 2, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.
It is the parties’ intent that with respect to any personal information, Streamkap is a service provider. Streamkap shall (i) not “sell” (as defined in the CCPA) personal information; and (ii) not retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing personal information for a commercial purpose (as defined in the CCPA) other than providing the Services. For the avoidance of doubt, the foregoing prohibits Streamkap from retaining, using or disclosing personal information outside of the direct business relationship between Streamkap and Customer. Streamkap hereby certifies that it understands the obligations under this section 2 and shall comply with them.
The parties acknowledge that Streamkap’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Streamkap’s provision of the Services and the business relationship between the parties.

‍

SCHEDULE 4

‍

Security Measures

Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Streamkap’s information security program.
Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Streamkap’s organization, monitoring and maintaining compliance with the Streamkap’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Streamkap’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Streamkap’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
System audit or event logging and related monitoring procedures to proactively record user access and system activity.
Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Streamkap’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Streamkap’s possession.
Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Streamkap’s technology and information assets.
Incident management procedures design to allow Streamkap to investigate, respond to, mitigate and notify of events related to the Streamkap’s technology and information assets.
Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.