Data Processing Addendum
This Data Processing Addendum consists of the terms and conditions set forth below, and in the Standard Contractual Clauses (as defined below) (the "Addendum") that defines how Wisq Inc. and Customer agree to treat personal data (as defined below) that is contained in Customer Data.
Data Processing Addendum with Standard Contractual Clauses
Last modified: October 29, 2023
Prior Versions: None
This Data Processing Addendum with Standard Contractual Clauses (the "DPA") form a part of the Wisq Platform Agreement, or other written or electronic agreement that expressly references this DPA ("Agreement") Generative AI management guide and development platform and related services (“Services”). All capitalized terms not defined in this DPA will have the meaning set forth in the Agreement.
This DPA forms part of the agreement between the parties.
Definitions. Unless otherwise defined below, capitalized terms used in this DPA will have the meaning set forth in the Agreement.
"Affiliate" means any entity, directly or indirectly, controlling, controlled by, or under common control by a party, where control may be by either management authority, contract or equity interest.
"Authorized Affiliate" means any of Customer’s Affiliate(s) that is permitted to use the Services pursuant to the Agreement between Customer and Wisq but has not signed its own Order Form with Wisq.
“CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et. seq. and its implementing regulations.
"Controller" means the entity which determines the purposes and means of the processing of Personal Data.
“Customer” means if not defined in the Agreement is the party that entered into the Order Form and/or Agreement with Wisq to receive the Services. For the purposes of this DPA, the term "Customer" will also include Customer’s Authorized Affiliates if Wisq processes the Personal Data of Customer’s Authorized Affiliates.
“Data Privacy Laws” means applicable national, federal, state and provincial laws relating to data privacy, the protection of Personal Data, and the cross-border transfer of Personal Data including, where applicable, the CCPA, the California Privacy Rights Act, the GDPR, FADP and the EU ePrivacy Directive (2002/58/EC), each as amended, superseded, or replaced. The term “Data Privacy Laws” excludes any law that requires data to be stored in a specific country, as well as the laws of the Russian Federation and the People’s Republic of China.
“Data Subject Request” means a request from a data subject to exercise the data subject's right under Data Privacy Laws, including, as applicable, rights to data rectification, data portability, access data, data erasure (“the right to be forgotten”), not to be subject to automated decision making, not to have Personal Data sold, to request for information, not to be discriminated against for exercising rights, restriction or objection to processing, and the applicable rights under CCPA §§ 1798.100(d), 1798.105, 1798.110, 1798.120, 1798.130(a)(2), 1798.140(y), 1798.145(g) and GDPR Art. 12-23.
“FADP” means the Swiss Federal Act on Data Protection.
“GDPR” means the General Data Protection Regulation, (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that was issued by the UK ICO, a current version found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf
“Personal Data” means (i) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (ii) is defined as “Personal Information” or “Personal Data” by applicable Data Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).
"process" and its cognates mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which processes Personal Data on behalf of the Controller, including, as applicable, any "service provider" as that term is defined by the CCPA.
“Standard Contractual Clauses” or “SCCs” means (A) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") and B) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”), in each case incorporated into this DPA as described in Schedule 1 of this DPA.
“subprocessor” means any Processor engaged by Wisq to process Customer’s Personal Data.
“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection, which has authority and jurisdiction over Customer.
“UK ICO” means the United Kingdom Information Commissioners Office.
“UK GDPR” means the United Kingdom Data Protection Act of 2018 and any successor legislation thereto.
Scope and Application. This DPA will apply when Customer Personal Data is transferred to Wisq from any Customer or Customer’s Authorized Affiliates who are subject to the Data Privacy Laws. In this context, Customer acts as the Controller and Wisq acts as Processor with respect to the Personal Data. Customer will act as the "data exporter," and Wisq will act as the "data importer" for the purposes of (and as defined in) the Standard Contractual Clauses.
- Data Processing.
No Sale of Personal Information under CCPA. Wisq will not “sell” any “personal information” (as those terms are defined in the CCPA) Wisq processes on Customer’s behalf or “share” such information for purposes of “cross-context behavioral advertising” (as those terms are defined in the California Privacy Rights Act or “CPRA”).
Instructions for Data Processing. Wisq will process Personal Data only in accordance with Customer's lawful instructions and in compliance with the Agreement and will not process Personal Data for any purpose other than as set forth in the Agreement. Processing outside of the scope of the Agreement will require the prior written agreement of the parties on the additional instructions for processing.
- Wisq Security Responsibilities.
Security Measures. Wisq will implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security, integrity and confidentiality of the Personal Data described in Schedule 2 to this DPA.
Notice of Investigation, Complaint or Subpoena. Wisq will, to the extent legally permitted, promptly inform Customer if it (i) receives any notice or inquiry from a Supervisory Authority relating to the processing of Personal Data, (ii) any complaint by a data subject regarding the processing of Personal Data, or (iii) any legally binding request for disclosure of Personal Data by a law enforcement authority unless. Additional provisions relating to government demands for Personal Data are found in Schedule 1 of this DPA, paragraph “E” (“Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom”).
Disclosure. Wisq will not disclose the Personal Data to any third party except (a) as directed by Customer, (b) if such disclosure is made by Wisq in response to a court order, subpoena or other legal process, and provided that Wisq has given Customer reasonable notice of such court order, subpoena or other legal process if permitted by such process, or (c) to subprocessors.
Wisq Personnel. Wisq will restrict access by Wisq personnel to Personal Data (i) to only those personnel who need to access the Personal Data in order to provide the Service and (ii) as set out in the Schedule 2 to this DPA.
Records. Wisq will maintain relevant records with respect to Wisq’s information security practices and will provide copies of such records as reasonably required by Customer to verify Wisq's compliance with this DPA.
Data Subject Requests. Wisq will promptly notify Customer if Wisq receives a Data Subject Request relating to a data subject’s Personal Data that is being processed for Customer and provide Customer with reasonable assistance that is required for Customer to comply with such requests. Wisq will only respond directly to such requests on receiving Customer's written request and consent.
Security Incident Notification. Wisq will notify Customer within forty-eight (48) hours after discovery of any unauthorized disclosure of or access to Personal Data while in the possession or control of Wisq or its subprocessors (“Security Incident”). Any such notification will not be construed as an acknowledgement by Wisq of any fault or liability with respect to the unauthorized access. Wisq will promptly provide Customer with relevant information in its possession or control in relation to the Security Incident, including a description of the nature of the Security Incident; the categories and approximate number of data subjects concerned and the records of Personal Data affected; the name and contact details of Wisq’s point of contact from whom further information can be obtained; a description of the expected consequences of the Security Incident and the measures taken or proposed to be taken by Wisq to address the Security Incident; and with all reasonable assistance and cooperation as is necessary in order for Customer to seek to mitigate the effects of the Security Incident and comply with its own obligations under the Data Privacy Laws with respect to the Security Incident. Except as may be required by applicable law, Wisq will not make any public announcement or notify any data subject about the Security Incident unless expressly authorized by Customer.
Data Protection Impact Assessments. To the extent required under Article 28(3) GDPR, Wisq will assist Customer to comply with Articles 35 and 36 of the GDPR; in particular, Wisq will promptly notify Customer if it believes that its processing of Personal Data is likely to result in a high risk to the privacy rights of data subjects, and upon reasonable request, will assist Customer to carry out data protection impact assessments and to consult where necessary with data protection authorities.
Cooperation. On request, Wisq will provide Customer with a summary of its security and privacy policies. On request, Wisq will cooperate with the Supervisory Authority and promptly provide Customer with all information in Wisq’s possession or control in relation to the processing of the Personal Data under this DPA.
- Customer Responsibility.
Lawful Right to Permit Wisq’s Processing. Customer’s instructions for the Processing of Personal Data will comply with Data Privacy Laws, and where applicable, any other laws concerning privacy, data protection and the cross border transfer of data to which Customer is subject. Customer will have sole responsibility for the means by which Customer acquired Personal Data and for the accuracy, quality, and legality of the Personal Data. Customer will provide Wisq with contact information of Users that it wants to use the Services. Customer represents and warrants that it has obtained and/or will obtain all necessary consents and permissions required for (a) the transfer of Personal Data to Wisq and (b) Wisq’s processing of Personal Data by in accordance with the Agreement.
No Special Categories of Personal Data. Customer will not use Service to collect or process any “special categories of personal data” as defined under Article 9(1) of the GDPR except in compliance with the conditions for such processing set forth in Article 9(2) of GDPR (e.g., explicit consent by the individual, the individual has made the relevant Personal Data manifestly public, etc.).
No Data Subject to Heightened Restrictions. Customer will not use the Service to collect or process other personal data that is subject to heightened restrictions relating to the transmission or processing of data for the jurisdictions in which Wisq and Customer operate, such as (by way of example only) the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, any personal data regarding children under 16, and the standards promulgated by the PCI Security Standards Council.
Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations (including all Data Privacy Laws) except that Wisq expressly disclaims any compliance with any laws of the Russian Federation or the People’s Republic of China. Wisq will promptly inform Customer if (i) it can no longer meet its obligations under Data Privacy Laws; (ii) it has breached this DPA and will cooperate to remediate such breach; or (iii), in its opinion, a processing instruction from Customer violates Data Privacy Laws. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which Wisq processes Personal Data in order to ascertain or monitor Customer’s compliance with Data Privacy Laws, Wisq will cooperate with such audit. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Wisq expends for any such audit, in addition to the rates for services performed by Wisq.
Customer’s Audits. On request, Wisq will provide to Customer each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the services under the Agreement (each such report, a “Report”). If a Report does not provide, in Customer’s reasonable judgment, sufficient information to confirm Wisq’s compliance with the terms of this DPA, then Customer or an accredited third-party audit firm agreed to by both Customer and Wisq may audit Wisq’s compliance with the terms of this DPA during regular business hours, with reasonable advance notice to Wisq and subject to reasonable confidentiality procedures. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Wisq expends for any such audit, in addition to the rates for services performed by Wisq. Before the commencement of any such audit, Customer and Wisq will mutually agree upon the scope, timing, and duration of the audit. Customer will promptly notify Wisq with information regarding any non-compliance discovered during the course of an audit. Except to the extent required by applicable law, Customer may not audit Wisq more than once annually unless there is a Security Incident.
Authorized Subprocessors. Customer agrees that Wisq may use subprocessors to fulfill its obligations under the Agreement. The currently authorized by Wisq to process Personal Data are listed here: http://www.wisq.com/legal/subprocessors. Customer hereby consents to Wisq's use of subprocessors as described in this Section.
New or Different Subprocessors. Wisq will make available to Customer a mechanism to subscribe to notifications of new subprocessors for the Service, and if Customer subscribes to such mechanism, Wisq will provide notification of a new subprocessor before authorizing such new subprocessor to process Personal Data in connection with the provision of the applicable Service. If Customer has a reasonable objection to such new subprocessor, Customer may object by notifying Wisq in writing within ten (10) days after the date of Wisq’s notice, explaining the grounds for the objection. Upon receipt of such notice, Wisq will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid processing of Personal Data by the rejected new sub-processor. If Wisq is unable to make such a change available within a reasonable period of time, which will not exceed sixty (60) days, either Customer or Wisq may by written notice terminate the applicable Agreement with respect only to those elements of the Service which cannot be provided by without the use of the rejected new sub-processor. Upon such termination, Wisq will refund any unused prepaid fees covering the remainder of the then-current subscription period.
Subprocessor Obligations. Where Wisq authorizes a subprocessor to process Personal Data as described in this Section, Wisq will enter into a written agreement with each such subprocessor consistent with the Data Privacy Laws. Except as set forth in this DPA or as otherwise authorized in writing by Customer, Wisq will not permit any subprocessors to process Personal Data. Wisq will be liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the services of each subprocessor directly under the terms of the Agreement and this DPA.
Standard Contractual Clauses. To the extent any Personal Data of European Economic Area (“EEA”) or United Kingdom (“UK”), or Swiss data subjects is processed, the Standard Contractual Clauses set forth in Schedule 1 apply. For the avoidance of doubt, with respect to transfers of EEA, UK and Swiss Personal Data for processing by Wisq in a jurisdiction outside of the EEA, UK or Switzerland, Wisq agrees to comply with applicable Data Privacy Laws in connection with that cross-border transfer of data (e.g., Art. 46 of the GDPR).
Data Destruction. Wisq will destroy all Personal Data within sixty (60) days following either the expiration/termination of this Agreement or receipt of a destruction request from Customer and will cause its subprocessors to do the same unless Data Privacy Laws prevent Wisq from destroying all or part of Customer’s Personal Data disclosed. For clarity, Wisq may continue to process Personal Data that has been permanently anonymized and/or aggregated in a manner that does not identify individuals and is incapable of reidentification to improve Wisq’s systems and services and data without identifying Customer as the source of the data. Wisq will return and/or destroy Customer Data as provided in the Agreement.
Limitation of Liability. Each party's liability arising out of or in relation to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement.
Compensation. To the extent legally permitted, Customer will be responsible for any costs arising from Wisq’s provision of any assistance and cooperation required to be provided by Wisq hereunder, including any fees associated with the provision of additional functionality; provided, however, that this paragraph will not apply to activities undertaken by Wisq under Section 4.7 (“Security Incident Notification”) if the Security Incident was caused by Wisq.
Termination. This DPA will terminate automatically upon termination of the Agreement; provided however that the provisions of this DPA will survive any termination or expiration of the Agreement for so long as Wisq or its sub-processors have custody, control or possession of Personal Data.
Conflict. In the event of a conflict between the Agreement (other than this DPA) and this DPA, the terms of this DPA will take precedence to the extent of the conflict. In the event of a conflict between the Standard Contractual Clauses and the remaining terms of this DPA, the Standard Contractual Clauses will take precedence to the extent of the conflict. Nothing in this DPA modifies the Standard Contractual Clauses or affects any third party's rights under the Standard Contractual Clauses.
Schedule 1 to the DPA
Applicable Standard Contract Clauses and Supplemental Terms
SCC Incorporated. The Parties agree that the SCCs are hereby incorporated by reference into this DPA as follows: Module 2: Transfer controller to processor, as to Personal Data of residents or citizens of the EEA, the UK, or Switzerland.
- EEA Cross-Border Transfers Mechanisms. To the extent legally required, by entering into this DPA, Customer and Wisq are deemed to have signed the European Union (“EU”) SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to Wisq (as a processor);
Clause 7 (the optional docking clause) is included;
Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of subprocessors is set forth in Section 5(a) of this DPA and Wisq will update that list and provide a notice to Customer in advance of any intended additions or replacements of subprocessors as provided in Section 5(b).
Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body will not be deemed to be included;
Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule 2 of this DPA (“Annex I of the SCC”) below;
Under Annex I(C) (Competent supervisory authority), the Parties will follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
Annex II (Technical and organizational measures) is completed as set forth in Schedule 3 of this DPA (“Annex II of the SCC) below and
Annex III (List of Subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9, however a list of Wisq’s Subprocessors is available in Section 5 of the DPA (“Subprocessors”) above.
C. UK Cross-Border Transfers Mechanisms. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK SCCs Undefined capitalized terms used in this provision will mean the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:
i. Table 1 of the UK SCCs: The Parties’ details will be the Parties and their affiliates to the extent any of them is involved in such transfer. The Key Contacts are the contacts set forth in Schedule 2 of this DPA (“Annex 1 of the SCC”),below.
ii. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 will be the EU SCCs as executed by the Parties.
iii. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III will be set forth in Schedule 2 of this DPA (“Annex I of the SCC”) below, Schedule 3 of this DPA (“Annex II of the SCC) below, and Section 5 of the DPA (“Subprocessors”) above.
vi. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
D. Switzerland Cross-Border Transfers Mechanisms. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in this Section 7(b), but with the following differences to the extent required by the FADP (as modified the “Swiss SCC”): (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively). Annex 1A, 1B, II, and III of the SCC will be set forth in Schedule 2 of this DPA (“Annex I of the SCC”) below, Schedule 3 of this DPA (“Annex II of the SCC) below, and Section 5 of the DPA (“Subprocessors”) above.
E. Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom. To the extent that Wisq Processes Personal Data of Data Subjects located in or subject to the Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, Wisq agrees to the following safeguards to protect such data to an equivalent level as Data Privacy Laws:
i. Wisq will use all reasonably available legal mechanisms to challenge any demands for Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
ii. Wisq will promptly notify Customer of any government demands for Customer’s Personal Data, unless prohibited under applicable law. To the extent Wisq is prohibited by law from providing such notification, Wisq will: (i) review each request on a case-by-case basis; (ii) use best efforts to request that the confidentiality requirement be waived to enable Wisq to notify Customer and/or the appropriate Supervisory Authority competent for Customer; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
iii. Upon Customer’s request, Wisq will provide a transparency report indicating the types of binding legal demands for the Personal Data it has received, if any, including national security orders and directives.
iv. Wisq will promptly notify Customer if Wisq can no longer comply with the applicable clauses in this Section. Wisq will not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice will entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Customer’s other rights and remedies with respect to a breach of the Agreement.
F. Supplementary Terms:
This DPA and the Agreement are Customer’s complete and final instructions for the processing of Personal Data as of the date of entry into the current version of the Agreement and the current version of this DPA. Any different instructions must be consistent with the current version of this Agreement and the current version of this DPA. For the purposes of clause 8.1(a) of the SCC, the instructions for the processing of personal data include onward transfers to third parties located outside of Europe for the provision of the Service.
For the purposes of clause 8.6(a) of the SCC, Customer is solely responsible for determining whether the technical and organizational measures set forth in Schedule 3 to this DPA and as otherwise described to Customer by Wisq meet Customer’s requirements, and Customer agrees that such technical and organisational measures provide an appropriate level of security, taking due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing the Personal Data and the risks to individuals.
For the purposes of clause 8.6(c) of the SCC, personal data breaches will be addressed in accordance with Section 4.7 of this DPA.
The audits permitted to be carried out under clause 8.9 of the SCC will be conducted in accordance with Section 7 of this DPA.
For the purposes of clause 11 of the SCC, Wisq will without undue delay inform Customer if it received a complaint by or on behalf of an individual concerning Personal Data and will not otherwise have any obligation to address such request except as agreed between Wisq and Customer.
Wisq’s liability under the SCC under clause 12 will be limited to any damage caused by its processing of Personal Data only where it has not complied with obligations of the GDPR, FADP, or the UK GDPR, as applicable, specifically directed to processors or where it has acted outside or contrary to of Customer’s lawful instructions, and to the extent permitted under the SCC, each party’s liability under the SCC will be subject to the provisions of the Agreement concerning limitation of liability.
For notices required under clause 15.1(a), Wisq will provide notice only to Customer, and Customer will be responsible for notifying any affected individuals.
The Parties acknowledge and agree that where Wisq is required by the SCCs to notify the competent Supervisory Authority, Wisq will first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification, where Customer so desires and is able to do so without delaying the timing of the notification unduly.
The Data Exporter may enforce the terms of the SCCs against the Data Importer (and vice versa).
Notwithstanding the fact that the SCCs are incorporated herein by reference without the signature page of the SCCs actually being signed by the parties, it is agreed that the execution of the Agreement is deemed to constitute each party’s execution of the SCCs as Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
The provisions in this DPA will be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA.
ANNEX I to the SCC
A. LIST OF PARTIES
Name: As set forth in the Order Form between Customer and Wisq.
Address: As set forth in the Order Form between Customer and Wisq.
Contact person’s name, position and contact details: As set forth in the Order Form between Customer and Wisq.
Activities relevant to the data transferred under these Clauses: Provision of the Service pursuant to the Agreement.
Signature and date: As set forth in the Order Form between Customer and Wisq.
Role (controller/processor): Controller
Name: Wisq Inc.
Address: 833 Main Street, Redwood City, CA 94063 USA
Contact person’s name, position and contact details: Chih-Po Wen, CTO;
Activities relevant to the data transferred under these Clauses: Provision of the Service pursuant to the Agreement.
Signature and date: As set forth in the Order Form between Customer and Wisq.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer’s employees, individual contractors, individual consultants
Categories of personal data transferred
Any personal data within the Customer Data, as contemplated in the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer has agreed not to provide any sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis during Customer use of Service.
Nature of the processing
Provision of the Service to Customer
Purpose(s) of the data transfer and further processing
In order to allow Wisq to provide the Service to Customer pursuant to the Agreement, and as otherwise instructed by Customer consistent with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Wisq will retain and process personal data for the duration of the Agreement, unless agreed in writing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Subprocessors will process personal data in order to allow Wisq to provide the Service to Customer pursuant to the Agreement, and as otherwise instructed by Customer consistent with the Agreement and will process personal data for the duration of the Agreement, unless agreed in writing.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, will act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, will act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, will act as competent supervisory authority.
ANNEX II to the SCC
Wisq Security Standard
Technical and Organizational Security Measures
Wisq will adopt and maintain appropriate security, organizational and technical measures prior to and during processing of any Personal Data in order to protect against (i) unauthorized or accidental access, loss, alteration, disclosure or destruction of such data and (ii) all other unlawful forms of processing.
Wisq will implement at least the following security measures:
Wisq and Customer will encrypt all transfers of the Personal Data between them, and Wisq will encrypt any onward transfers it makes of such Personal Data, to prevent the acquisition of such data by third parties.
Wisq will have access management controls commensurate with industry-standard practices to prevent unauthorized processing of Personal Data and accidental or unlawful disclosure, access, alteration or loss of Personal Data.
Wisq will have network security controls commensurate with industry-standard practices to ensure Personal Data remains secure, available to authorized entities, and is protected against deliberate or unintentional alteration.
Wisq will ensure that Personal Data remains secure throughout the lifecycle of the engagement.
Wisq will ensure that all devices that access Personal Data are secured.
Wisq will have formal personnel security and organizational security policies commensurate with industry-standard best practices. These policies and procedures cover: (1) measures, standards, norms, procedures, and rules to address the appropriate level of security, (2) the meaning and importance of Personal Data and the need to keep it secure, confidential, and accessed only on a need to know basis, (3) staff functions, obligations and access rights, (4) procedures for reporting, managing and responding to security incidents and (5) procedures for making backup copies and recovering Personal Data.
Wisq will conduct periodic internal and external security assessments against their physical and logical environment commensurate with industry-standard best practices.
Wisq will use industry-standard and commercially-reasonable organizational and technical safeguards to protect Personal Data.