Data Processing Addendum
This Data Processing Addendum (the "Addendum") consists of the terms and conditions set forth below and in the Standard Contractual Clauses (as defined below), and defines how Wisq Inc. and Customer agree to treat personal data (as defined below) that is contained in Customer Data.
1. Definitions
Unless otherwise defined below, capitalized terms used in this Addendum shall have the meaning set forth in the Agreement.
a. "Agreement" means, as applicable, the Platform Service Terms, or similar commercial agreement by and between Wisq and Customer with respect to the Platform Service, exclusive of this Addendum.
b. "Applicable Privacy Laws" means all applicable laws concerning privacy, data protection and the cross-border transfer of data, including, where applicable, the California Consumer Privacy Act, the California Privacy Rights Act (together, the "CCPA"), the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), and Directive 2002/58/EC, each as amended, superseded, or replaced. The term "Applicable Privacy Laws" excludes any laws of the Russian Federation or the People's Republic of China.
c. “controller” has the meaning set forth in the GDPR and other Applicable Privacy Laws using such terminology, and also means “business” as defined in the CCPA or other Applicable Privacy Laws using such terminology.
d. "Customer Personal Data" means the personal data that is contained in Customer Data.
e. “IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that was issued by the UK ICO, a current version found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.
f. "personal data" means (a) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (b) is defined as “Personal Information” or “Personal Data” by Applicable Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art.
g. "processing" has the meaning given to it in the Applicable Privacy Laws, and "process" will be interpreted accordingly.
h. “processor” and “subprocessor” have the meaning set forth in the GDPR and other Applicable Privacy Laws using such terminology, and also mean “service provider” to the relevant party as defined in the CCPA or other Applicable Privacy Laws using such terminology.
i. "Standard Contractual Clauses" or "SCC" means (a) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") and (b) where the UK GDPR applies, the EU SCCs as amended by the IDTA ("UK SCCs"), incorporated into this Addendum as described in Attachment 1.
j. "UK ICO" means the United Kingdom Information Commissioner's Office.
k. "UK GDPR" means the GDPR as implemented by the UK.
2. Scope and Application
This Addendum shall apply when Customer Personal Data is transferred to Wisq from any Customer or Customer affiliates who are subject to the Applicable Privacy Laws. In this context, Customer acts as controller and Wisq acts as processor with respect to the Customer Personal Data. Customer shall act as the "data exporter," and Wisq shall act as the "data importer" for the purposes of (and as defined in) the Standard Contractual Clauses.
3. Data Processing
a. No Sale of Personal Information under CCPA. Wisq will not "sell" any "personal information" (as those terms are defined in the CCPA) that Wisq processes on Customer's behalf.
b. Instructions for Data Processing. Wisq will process Customer Personal Data only in accordance with Customer's lawful instructions and in compliance with the Agreement, and will not process Customer Personal Data for any purpose other than as set forth in the Agreement. Processing outside of the scope of the Agreement will require the prior written agreement of the parties on the additional instructions for processing.
c. Customer Responsibility.
(i) Customer’s instructions for the Processing of Personal Data shall comply with Applicable Privacy Laws, and where applicable, any other laws concerning privacy, data protection and the cross border transfer of data to which Customer is subject. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer represents and warrants that it has obtained and/or will obtain all necessary consents and permissions required for the transfer of Customer Personal Data to, and processing of Customer Personal Data by, Wisq in accordance with the Agreement.
(ii) Customer shall not use the Platform Service to collect or process any personal data in the “special categories of personal data” under the GDPR except in compliance with the conditions for such processing set forth in the GDPR (e.g., explicit consent by the individual, or the individual has made the relevant personal data manifestly public).
(iii) Customer shall not use the Platform Service to collect or process other personal data that is subject to heightened restrictions relating to the transmission or processing of data for the jurisdictions in which Wisq and Customer operate, such as (by way of example only) the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, any personal data regarding children under 16, and the standards promulgated by the PCI Security Standards Council.
d. Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations (including all Applicable Privacy Laws) in its performance of this Addendum. For the avoidance of doubt, Wisq expressly disclaims any compliance with any laws of the Russian Federation or the People's Republic of China.
4. Wisq Security Responsibilities
a. Security Measures. Wisq shall implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security, integrity and confidentiality of the Customer Personal Data described in Attachment 2 to this Addendum.
b. Disclosure. Wisq will not disclose the Customer Personal Data to any third party except (a) as directed by Customer, (b) if such disclosure is made by Wisq in response to a court order, subpoena or other legal process, and provided that Wisq has given Customer reasonable notice of such court order, subpoena or other legal process if permitted by such process, or (c) to subprocessors.
c. Wisq Personnel. Wisq shall restrict access by Wisq personnel to Customer Personal Data (i) to only those personnel who need to access the Customer Personal Data in order to provide the Service and (ii) as set out in the Attachment 2 to this Addendum.
d. Records. Wisq shall maintain relevant records with respect to Wisq’s information security practices and shall provide copies of such records as reasonably required by Customer to verify Wisq's compliance with this Addendum.
e. Audit by Customer. Customer (or its third party independent auditors) may audit Wisq's compliance with the security measures set out in Attachment 2 to this Addendum. Any such audit: (i) will be subject to Customer giving reasonable prior written notice to Wisq; (ii) will be performed at Customer's sole expense; and (iii) will be carried out by Customer in such a way as to mitigate any disruption to Wisq's business.
f. Security Breach Notification. If Wisq becomes aware of any unauthorized access to any Customer Personal Data stored on Wisq's equipment or in Wisq's facilities, then Wisq shall promptly notify Customer of such access and provide to Customer timely information and cooperation, as Customer may require to address Customer's reporting obligations under the Applicable Privacy Laws. Any such notification shall not be construed as an acknowledgment by Wisq of any fault or liability with respect to the unauthorized access.
5. Subprocessors
a. Authorized Subprocessors. Customer agrees that Wisq may use subprocessors to fulfill its obligations under the Agreement. The subprocessors currently authorized by Wisq to process Customer Personal Data are listed here: http://www.wisq.com/Legal/subprocessors.html. Customer hereby consents to Wisq's use of subprocessors as described in this Section 5.
b. New or Different Subprocessors. Wisq shall make available to Customer a mechanism to subscribe to notifications of new subprocessors for the Platform Service, and if Customer subscribes to such mechanism, Wisq shall provide notification of a new subprocessor before authorizing such new subprocessor to process Customer Personal Data in connection with the provision of the applicable Platform Service. If Customer has a reasonable objection to such new subprocessor, Customer may object by notifying Wisq in writing within ten (10) days after the date of Wisq's notice, explaining the grounds for the objection. Upon receipt of such notice, Wisq will use reasonable efforts to make available to Customer a change in the Platform Service or recommend a commercially reasonable change to Customer's configuration or use of the Platform Service to avoid processing of Customer Personal Data by the rejected new subprocessor. If Wisq is unable to make such a change available within a reasonable period of time, which shall not exceed sixty (60) days, either Customer or Wisq may by written notice terminate the applicable Agreement with respect only to those elements of the Platform Service which cannot be provided without the use of the rejected new subprocessor. Upon such termination, Wisq will refund any unused prepaid fees covering the remainder of the then-current subscription period.
c. Subprocessor Obligations. Where Wisq authorizes a subprocessor to process Customer Personal Data as described in this Section 5, Wisq will enter into a written agreement with each such subprocessor consistent with the Applicable Privacy Laws. Except as set forth in this Addendum or as otherwise authorized in writing by Customer, Wisq will not permit any subprocessors to process Customer Personal Data. Wisq shall be liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the services of each subprocessor directly under the terms of the Agreement and this Addendum.
6. Cooperation
a. Individual Data Requests. Wisq shall notify Customer of any requests received directly by Wisq from individuals regarding the Customer Personal Data and shall provide to Customer such reasonable assistance as is required for Customer to comply with such requests. Wisq shall only respond directly to such requests on receiving Customer's written request and consent.
b. Cooperation Specific to GDPR. To the extent required under Article 28(3) GDPR, Wisq will assist Customer to comply with Articles 35 & 36 of the GDPR; in particular, Wisq will promptly notify Customer if it believes that its processing of Customer Personal Data is likely to result in a high risk to the privacy rights of data subjects, and upon reasonable request, will assist Customer to carry out data protection impact assessments and to consult where necessary with data protection authorities.
c. Return or Destruction. Following Customer’s request, Wisq shall destroy or return to Customer all Customer Personal Data in its possession. This requirement shall not apply to the extent that Wisq is required by any applicable law to retain some or all of the Customer Personal Data, in which case, Wisq shall use reasonable efforts to isolate and protect the Customer Personal Data from any further processing except to the extent required by such law.
7. Standard Contractual Clauses
To the extent any personal data of European Economic Area ("EEA"), United Kingdom ("UK") or Swiss data subjects is processed, the Standard Contractual Clauses ("SCC") as detailed in Attachment 1 of this Addendum apply, provided that for Swiss data subjects the SCC extends protection to the personal data of legal entities and personality profiles. For the avoidance of doubt, with respect to transfers of EEA, UK and Swiss personal data for processing by Wisq in a jurisdiction other than an EU member state, Wisq agrees to comply with Applicable Privacy Laws in connection with that cross-border transfer of data (e.g., Art. 46 of the GDPR).
8. Limitation of Liability
Each party's liability arising out of or in relation to this Addendum (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement.
9. General
a. Compensation. To the extent legally permitted, Customer shall be responsible for any costs arising from Wisq’s provision of any assistance and cooperation required to be provided by Wisq hereunder, including any fees associated with the provision of additional functionality; provided, however, that this paragraph shall not apply to activities undertaken by Wisq under Section 4(e) if the relevant security breach was caused by Wisq.
b. Termination. This Addendum will terminate automatically upon termination of the Agreement; provided however that the provisions of this Addendum shall survive any termination or expiration of the Agreement for so long as Wisq or its sub-processors have custody, control or possession of Customer Personal Data.
c. Conflict. In the event of a conflict between the Agreement (other than this Addendum) and this Addendum, the terms of this Addendum will take precedence to the extent of the conflict. In the event of a conflict between the Standard Contractual Clauses and the remaining terms of this Addendum, the Standard Contractual Clauses will take precedence to the extent of the conflict. Nothing in this Addendum modifies the Standard Contractual Clauses or affects any third party's rights under the Standard Contractual Clauses.
Attachment 1 to the Data Processing Addendum
Applicable Standard Contract Clauses and Supplemental Terms
- The Parties agree that the SCCs are hereby incorporated by reference into this Addendum as follows: Module 2: Transfer controller to processor, as to Customer Personal Data originating in the EEA, UK, or Switzerland.
- Cross-Border Transfer Mechanisms – EU and Switzerland. If the Agreement requires the transfer of personal data of data subjects who reside in or are based in the EU or Switzerland to countries that are not recognized by the European Commission as providing an adequate level of protection of personal data, then such transfers will be made pursuant to the transfer mechanisms outlined in Module Two (Transfer controller to processor) of the EU SCCs. Where the EU SCCs identify optional provisions (or provisions with multiple options), the following shall apply:
a. In Clause 7 (Docking Clause) (Module 2) – the Optional provision shall not apply;
b. In Clause 9(a) (Use of subprocessors) (Module 2) – Option 2 shall apply with the specified time period being 10 business days.
c. In Clause 11(a) (Redress) (Module 2) – the Optional provision shall NOT apply;
d. In Clause 17 (Governing Law) (Module 2) – Option 1 shall apply and the laws of Ireland shall govern; and
e. In Clause 18 (Choice of forum and jurisdiction) (Module 2) – the courts of Ireland shall have jurisdiction.
- Cross-Border Transfer Mechanisms – UK. If the Agreement requires the transfer of personal data of data subjects who reside in the UK to countries that are not recognized by the UK ICO as providing an adequate level of protection of personal data, then such transfers will be made pursuant to the EU SCCs detailed in Sections 1 and 2 of this Attachment and as amended by the IDTA. With respect to Table 1 of the IDTA, the "Exporter" is the Data Exporter and the "Importer" is the Data Importer, as both are identified in Annex I of the SCC (below). By entering and signing the Agreement, Addendum or Order Form, Importer and Exporter are deemed to have signed the IDTA.
- With respect to Table 2 of the IDTA:
  - the optional provisions of Clause 7 (Docking Clause) (Module 2) shall apply;
  - Option 2 in Clause 9(a) (Use of subprocessors) (Module 2) shall apply with the specified time period being 10 business days; and
  - Clause 11(a) (Redress) (Module 2) shall NOT apply.
- With respect to Table 3 of the IDTA, the information is provided in Section 2 of this Attachment.
- With respect to Table 4 of the IDTA, only Exporter (aka Subscriber) may end the IDTA as detailed in Section 19 of the IDTA if the UK ICO issues new changes to the IDTA.
Annex 1 to the SCCs is appended to this Attachment 1.
In Annex 2 to the SCCs, Data Importer will at a minimum institute the technical and organizational measures set forth in Attachment 2 to the Addendum.
- Supplementary Terms:
This Addendum and the Agreement are Customer’s complete and final instructions for the processing of Customer Personal Data as of the date of entry into the current version of the Agreement and the current version of this Addendum. Any different instructions must be consistent with the current version of this Agreement and the current version of this Addendum. For the purposes of clause 8.1(a) of the SCC, the instructions for the processing of personal data include onward transfers to third parties located outside of Europe for the provision of the Platform Service.
For the purposes of clause 8.6(a) of the SCC, Customer is solely responsible for determining whether the technical and organizational measures set forth in Attachment 2 to this Addendum and as otherwise described to Customer by Wisq meet Customer’s requirements, and agrees that such technical and organizational measures provide an appropriate level of security, taking due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing the Customer Personal Data and the risks to individuals.
For the purposes of clause 8.6 of the SCC, Wisq shall delete Customer Personal Data in accordance with respective data deletion and certification of deletion provisions set out in the Agreement. For the avoidance of doubt, if no such provisions are set out in the Agreement, Wisq shall delete all Customer Personal Data within 30 days of termination of the Agreement. Any certification of deletion of Customer Personal Data from Wisq as described in the SCC shall be provided only upon Customer’s written request.
For the purposes of clause 8.6(c) of the SCC, personal data breaches will be addressed in accordance with Section 4(f) of this Addendum.
The audits permitted to be carried out under clause 8.9 of the SCC shall be conducted in accordance with Section 4(e) of this Addendum.
For the purposes of clause 9 of the SCC, Customer grants Wisq a general authorization to engage subprocessors, subject to the procedures set forth in Section 5 of this Addendum, and further grants such subprocessors a general authorization to engage further sub-processors, and the authority to add or replace such further sub-processors.
For the purposes of clause 11 of the SCC, Wisq will without undue delay inform Customer if it received a complaint by or on behalf of an individual concerning Customer Personal Data, and shall not otherwise have any obligation to address such request except as agreed between Wisq and Customer.
Wisq's liability under the SCC under clause 12 shall be limited to any damage caused by its processing of Customer Personal Data only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to Customer's lawful instructions, and to the extent permitted under the SCC, each party's liability under the SCC shall be subject to the provisions of the Agreement concerning limitation of liability.
For notices required under clause 15.1(a), Wisq will provide notice only to Customer, and Customer shall be responsible for notifying any affected individuals.
The Parties acknowledge and agree that where Wisq is required by the SCCs to notify the competent Supervisory Authority, Wisq shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification, where Customer so desires and is able to do so without delaying the timing of the notification unduly.
Enforcement. The Data Exporter may enforce the terms of the SCCs against the Data Importer (and vice versa).
Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without the signature page of the SCCs actually being signed by the parties, it is agreed that the execution of the Agreement is deemed to constitute each party’s execution of the SCCs as Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
The provisions in this Addendum shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA.
ANNEX I to the SCC
A. List of Parties
Data exporter(s):
- Name: As set forth in the Order Form between Customer and Wisq.
- Address: As set forth in the Order Form between Customer and Wisq.
- Contact person's name, position and contact details: As set forth in the Order Form between Customer and Wisq.
- Activities relevant to the data transferred under these Clauses: Provision of the Platform Service pursuant to the Agreement.
- Signature and date: As set forth in the Order Form between Customer and Wisq.
- Role (controller/processor): Controller
Data importer(s):
- Name: Wisq Inc.
- Address: 85 Main Street, Redwood City CA 94063, USA
- Contact person's name, position and contact details: Chih-Po Wen, CTO;
- Activities relevant to the data transferred under these Clauses: Provision of the Platform Service pursuant to the Agreement.
- Signature and date: As set forth in the Order Form between Customer and Wisq.
- Role (controller/processor): Processor
B. Description of Transfer
Categories of data subjects whose personal data is transferred
Customer personnel, individual contractors, individual consultants
Categories of personal data transferred
Any personal data within the Customer Data, as contemplated in the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer has agreed not to provide any sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis during Customer use of Platform Service.
Nature of the processing
Provision of the Platform Service to Customer
Purpose(s) of the data transfer and further processing
In order to allow Wisq to provide the Platform Service to Customer pursuant to the Agreement, and as otherwise instructed by Customer consistent with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Wisq will retain and process personal data for the duration of the Agreement, unless otherwise agreed in writing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Subprocessors will process personal data in order to allow Wisq to provide the Platform Service to Customer pursuant to the Agreement, and as otherwise instructed by Customer consistent with the Agreement, and will process personal data for the duration of the Agreement, unless otherwise agreed in writing.
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13
Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
Attachment 2 to the Data Processing Addendum
Wisq Security and Privacy Standard
Technical and Organizational Security Measures
Wisq will adopt and maintain appropriate security, organizational and technical measures prior to and during processing of any Customer Personal Data in order to protect against (i) unauthorized or accidental access, loss, alteration, disclosure or destruction of such data and (ii) all other unlawful forms of processing.
Wisq will implement at least the following security measures:
- Wisq will have access management controls commensurate with industry-standard practices to prevent unauthorized use or abuse of Customer Personal Data and systems.
- Wisq will have network security controls commensurate with industry-standard practices to ensure Customer Personal Data remains secure, available to authorized entities, and protected against deliberate or unintentional alteration.
- Wisq will ensure that Customer Personal Data remains secure throughout the lifecycle of the engagement.
- Wisq will ensure that all devices that access Customer Personal Data are secured.
- Wisq will have formal personnel security and organizational security policies commensurate with industry-standard best practices.
- Wisq will conduct periodic internal and external security assessments of its physical and logical environment commensurate with industry-standard best practices.
- Wisq will use industry-standard and commercially reasonable organizational and technical safeguards to protect Customer Personal Data.