Data Processing Addendum
This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Streamkap, Inc. (“Streamkap”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1. In this DPA:
a. “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including European Data Protection Law and the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party.
b. “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all other privacy and data protection laws of the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”) and all laws implementing or supplementing the foregoing.
c. “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Streamkap may Process on Customer’s behalf in performing the services under the Agreement.
d. “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
e. “Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.
f. “Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), and (ii) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).
1.2 Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope and Roles
2.1 The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.
2.2 Streamkap agrees that it will Process Personal Data only in accordance with the Agreement and this DPA. To the extent applicable, Streamkap will Process Personal Data as a “processor” or “service provider” as such terms are defined under applicable Data Protection Law.
3. Data Protection
3.1 When Streamkap Processes Personal Data, it will:
a. Process the Personal Data in accordance with Customer's documented instructions as described in the Agreement or this DPA. Streamkap will notify Customer if it considers that an instruction from Customer is in breach of Data Protection Law, unless it is prohibited from doing so by law on important grounds of public interest;
b. assist Customer, taking into account the nature of the Processing and the information available to Streamkap, in complying with Customer's obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law;
c. implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law;
d. only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; and
e. upon termination of the Agreement, as instructed by Customer, to the extent that Streamkap retains Personal Data, permit Customer to delete or obtain copies of such Personal Data consistent with the functionality of the Services and applicable law.
3.2 Streamkap certifies that it will not (a) “sell” (as defined in Data Protection Law) the Personal Data; (b) retain, use, or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement.
4. Customer Responsibilities
4.1 Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Streamkap to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Streamkap; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).
5. Subprocessing
5.1 Subcontracting. Customer agrees that Streamkap hosts the Service on Amazon Web Services and its affiliates as subcontractors to fulfill its contractual obligations under this DPA. Subject to the remainder of this clause 6, Customer permits Streamkap to appoint subcontractors to the extent required to fulfill its obligations under the Agreement.
5.2 Subcontractor Obligations. In the event that Streamkap authorizes any subcontractor to process the Customer Data, (i) Streamkap shall restrict the subcontractor’s access to Customer Data only to the extent necessary to provide the Service and not for any other purpose; (ii) Streamkap shall impose appropriate contractual obligations upon the subcontractor, including relevant contractual obligations regarding confidentiality, data protection, data security, and audit rights; and (iii) Streamkap remains responsible for its compliance with the DPA and for any acts or omissions of the subcontractor that cause Streamkap to breach any of Streamkap’s obligations under this DPA.
5.3 Objection Right to New Sub-Processors. Streamkap will maintain a list of sub-processors and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data. If the Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Streamkap of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If Streamkap is able to provide the Services to the Customer in accordance with the Agreement without using the sub-processor and decides in its discretion to do so, then the Customer will have no further rights under this Section in respect of the proposed use of the sub-processor. If Streamkap requires to use the sub-processor and is unable to satisfy the Customer (acting reasonably) as to the suitability of the sub-processor or the documentation and protections in place between Streamkap and the sub-processor within sixty (60) days from the Customer’s notification of objections, the Customer may within thirty (30) days of the end of the sixty-day period referred to above terminate the Agreement only in relation to the Services to which the proposed new sub-processor’s processing of Personal Data relates or would relate by providing written notice to Streamkap having effect thirty (30) days after receipt by Streamkap. Streamkap will refund to the Customer any prepaid fees covering the remainder of the term of the Agreement following the date of termination.
6. Restricted Data Transfers
6.1 In the event that Customer is subject to European Data Protection Law and the transfer of Personal Data to Streamkap would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the “data exporter” and Streamkap as the “data importer.”
6.2 The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1, 2 and 3 to the Standard Contractual Clauses are Paragraph 3, 4, and 5 of this DPA respectively. To the extent required by Data Protection Law in the UK, Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like its equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 of the UK Addendum is the importer.
7. Assistance and Notifications
7.1 Upon Customer’s request, Streamkap will provide Customer with reasonable cooperation and assistance to the extent required to fulfill Customer’s obligation under European Data Protection Law to:
a. reply to investigations and inquiries from data protection regulators; and
b. carry out a data protection impact assessment related to the services, where Client does not otherwise have access to the relevant information necessary to perform such assessment.
7.2 Unless prohibited by Data Protection Law, Streamkap must inform Customer without undue delay if Streamkap:
a. receives a request, complaint or other inquiry regarding the Processing of Personal Data;
b. receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;
c. is subject to a legal obligation that requires Streamkap to Process Personal Data in contravention of Customer’s instructions; or
d. is otherwise unable to comply with Data Protection Law or this DPA.
7.3 Upon becoming aware of a Security Incident, Streamkap will inform Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under applicable Data Protection Law.
8. Audit
8.1 Streamkap will make available to Customer at Customer’s request information which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer.
8.2 To the extent Streamkap makes available to Customer confidential summary reports (“Audit Report”) prepared by third-party security professionals, Customer agrees to accept such Audit Report, subject to confidentiality requirements, in satisfaction of its audit right; however, if Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Streamkap to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Streamkap customers or suppliers, Streamkap's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Streamkap’s normal business activities.
9. General
9.1 If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.
9.2 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
9.3 Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
9.4 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
ANNEX I
A. LIST OF PARTIES
Customer is the controller and the data exporter and Streamkap is the processor and the data importer.
B. DESCRIPTION OF TRANSFER
Subject Matter
Streamkap’s provision of the services to Customer.
Duration of the Processing
Personal Data will be retained only transiently or for a short duration to transmit the Personal Data from Customer’s chosen source to Customer’s chosen destination. Streamkap will process Customer Personal Data for the purposes of providing the services to Customer under the agreement.
Frequency of the Processing
As and when the services are used.
Categories of Data
Any Personal Data selected by Customer in connection with Customer’s use of the services.
Special Categories of Data Processed
The services are not intended to Process special categories of data.
Data Subjects
Any data subjects of the Personal Data selected by Customer.
Nature and Purpose of the Processing
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is the Irish Data Protection Commission.
ANNEX II
Streamkap shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.
Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-keys procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) securing decentralized data Processing equipment and personal computers.
Virtual access control
Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; (e) creation of one master record per user, user-master data procedures per data Processing environment; and (f) encryption of archived data media.
Data access control
Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.
Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.
Entry control
Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data Processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.
Control of instructions
Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.
Availability control
Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) mirroring of hard disks (e.g. RAID technology); (c) uninterruptible power supply (UPS); (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.
Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) separation of databases; (b) “internal Customer” concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion, transmission of data for different purposes.