This Data Processing Agreement (“DPA”) forms a part of the Agreement entered into by and between Spatial Networks, Inc. (“SNI”) and Customer (collectively, the “Parties”). The purpose of the DPA is to ensure such processing is conducted in accordance with applicable Data Protection Laws (defined below).
This DPA is supplemental to the Agreement and sets out the terms that apply when: (i) Personal Information (defined below) is processed by Customer, who acts as Data Controller, under the Agreement; (ii) SNI acts as Data Processor of Customer Data; (iii) The Customer wishes to contract the Services as set forth in the Agreement, which imply the processing of Personal Information by the Data Processor. Further details of the Processing are set out in Exhibit 1 to this DPA.
1. Definitions. All capitalized terms not defined in Section 1 of this DPA or otherwise defined in other sections of this DPA, shall have the meanings set forth in the Agreement or SNI Privacy Policy, as applicable.
1.1 “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
1.2 “Customer Data” means all data (including Personal Information) that relates to Customer’s relationship with SNI. Customer Data includes any data SNI may need to collect for the purpose of managing its relationship with Customer, or as otherwise required by applicable laws and regulations.
1.3 “Data Exporter” means Customer.
1.4 “Data Importer” means SNI.
1.5 “Data Protection Laws” means all data protection legislation and regulations applicable to the processing of the Customer’s Personal Information under this DPA and the Agreement, including supplementing national legislation, in each case as updated, amended, repealed, consolidated, or replaced from time to time. Data Protection Laws includes the GDPR and the CCPA. The terms “processing,” “processor,” “controller,” and “supervisory authority” shall have the meanings set forth under applicable Data Protection Laws.
1.6 “Data Subject” means an individual that is protected under any applicable Data Protection Law.
1.7 “DPA” means this Data Processing Agreement and all sub-Exhibits.
1.8 “EU SCCs” or “Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Information to countries not otherwise recognized as offering an adequate level of protection for Personal Information by the European Commission (as amended and updated from time to time).
1.9 “ex-EEA Transfer” means the transfer of Personal Information, which is processed in accordance with the GDPR, from the Data Controller to the Data Processor (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.10 “ex-UK Transfer” means the transfer of Personal Information, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Controller to the Data Processor (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.11 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Information and on the Free Movement of Such Data, and all supplementing legislation, in each case as may be amended, repealed, consolidated, or replaced from time to time.
1.12 “Personal Information” or any such variation of the term (such as “Personal Data” or “Personally Identifiable Information”) shall have the meaning set forth in the Agreement or under applicable Data Protection Laws.
1.13 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, stored or otherwise processed by SNI.
1.14 “Sensitive Information” or any such variation of that term (such as “Sensitive Data,” “Sensitive Personal Information,” or “Special Category of Data”) shall have the meaning set forth in the Agreement or under applicable Data Protection Laws.
1.15 “Sub-Processor” means any person appointed by or on behalf of Data Processor to process Customer Personal Information on behalf of the Customer in connection with the DPA.
2. Processing of Customer Data.
2.1 SNI shall not process Personal Information (i) for purposes other than those set forth in the Agreement, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, or (iii) in violation of Data Protection Laws. Customer hereby instructs SNI to process Personal Information in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.
2.2 Customer shall, in its use of the Services, at all times process Personal Information, and provide instructions for the processing of Personal Information, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Information in accordance with Customer’s instructions will not cause SNI to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Information provided to SNI by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Information, and (iii) the instructions it provides to SNI regarding the processing of such Personal Information. Customer shall not provide or make available to SNI any Personal Information in violation of the Agreement or otherwise inappropriate for the nature of the Services and shall indemnify SNI from all claims and losses in connection therewith.
2.3 The Parties agree that the details of the data processing subject to this DPA are outlined in Exhibit 1.
2.4 CCPA. The Parties acknowledge that their relationship under the CCPA is governed by the CCPA Addendum to this DPA, listed in Exhibit 5.
3. Deletion or Return of Customer Data.
3.1 Following completion of the Services, at Customer’s choice, SNI shall securely delete Customer Data (including Customer Content), unless further storage of such Customer Data is required or authorized by applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule, or regulation, SNI shall take measures to block such Customer Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately preserve the confidentiality of the Customer Data remaining in its possession, custody, or control. By agreeing to this DPA, Customer authorizes SNI, in accordance with this agreement, to delete information when not reasonably needed for SNI’s Services.
4. Data Processor Personnel and Confidentiality.
4.1 SNI shall take commercially reasonable steps to ensure that: (i) persons employed by SNI; and (ii) other persons engaged at SNI’s place of business who may have access to the Customer Data (including Customer Content), are aware of and comply with the terms set forth in this DPA, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Data, as necessary for the purposes of the Agreement.
5. Security of Customer Data; Security Incidents.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SNI shall maintain reasonable technical and organizational security measures to ensure a level of security appropriate to the risk of processing Personal Information. Exhibit 3 sets forth additional information about SNI’s technical and organizational security measures.
5.2 SNI shall notify Customer without undue delay upon becoming aware of a Security Incident affecting Customer Data and will provide Customer with sufficient information to allow the Customer to meet any obligations to notify, report, or inform Data Subjects and Supervisory Authorities of the Security Incident under the Data Protection Laws.
5.3 SNI shall cooperate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Security Incident. The obligations described in 5.1 and 5.2 do not apply to Security Incidents experienced by Customer, nor does compliance with such obligations acknowledge liability on the part of SNI.
6. Sub-Processing of Customer Data.
6.1 Customer acknowledges and agrees that SNI may (1) engage or delegate Sub-Processors on the List (defined below) to access and process Personal Information in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Information. For purposes of this Section, Customer consents to SNI engaging Sub-Processors reasonably required to assist SNI for the purposes of providing the Services.
6.2 SNI maintains and provides Customer with a list of Sub-Processors (the “List”) which can be found online here: https://help.fulcrumapp.com/en/articles/7896802-fulcrum-third-party-subprocessors. SNI will inform Customer of changes in Sub-Processors in accordance with the procedure for modifying the Agreement as described in Section 2.2 of the Agreement. Customer may object to the modification of Sub-Processors used by SNI by contacting SNI at privacy@fulcrumapp.com. However, Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent SNI from offering the Services to Customer.
6.3 When SNI does engage Sub-Processors, it will enter into a written agreement with such Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on SNI under this DPA, with respect to the protection of Customer Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with SNI, SNI will remain liable to Customer for the performance of the Sub-Processor’s obligations under such agreement.
6.4 If Customer and SNI have entered into Standard Contractual Clauses as described in Section 7 (Transfers of Personal Information), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by SNI of the processing of Personal Information if such consent is required under the Standard Contractual Clauses, and (ii) the Parties agree that the copies of the agreements with Sub-Processors that must be provided by SNI to Customer pursuant to Clause 9(c) of the EU SCCs or the UK IDTA or UK Addendum (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by SNI beforehand, and that such copies will be provided by SNI only upon request by Customer.
7. Transfers of Personal Information.
7.1 The Parties agree that SNI may transfer Personal Information processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that SNI’s primary processing operations take place in the United States, and that the transfer of Customer Data to the United States is necessary for the provision of the Services to Customer. If SNI transfers Personal Information protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, SNI will ensure that appropriate safeguards have been implemented for the transfer of Personal Information in accordance with Data Protection Laws.
7.2 Ex-EEA Transfers. The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
7.2.1 Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and SNI is processing Personal Information for Customer as a processor pursuant to Section 2 of this DPA.
7.2.2 Module Three (Processor to Sub-Processor) of the EU SCCs applies when Customer is a processor and SNI is processing Personal Information on behalf of Customer as a Sub-Processor.
7.3 For each module, where applicable the following applies:
7.3.1 The optional docking clause in Clause 7 does not apply.
7.3.2 In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Sub-Processor changes shall be as set forth in Section 6.2 of this DPA;
7.3.3 In Clause 11, the optional language does not apply;
7.3.4 All square brackets in Clause 13 are hereby removed;
7.3.5 In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
7.3.6 In Clause 18(b), disputes will be resolved before the courts of Ireland;
7.3.7 Exhibit 2 to this DPA contains the information required in Annex I of the EU SCCs;
7.3.8 Exhibit 3 to this DPA contains the information required in Annex II of the EU SCCs; and
7.3.9 By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
7.4 Ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the provisions in this Section or the UK International Data Transfer Agreement (“IDTA”) set forth in Exhibit 4, whichever applies.
7.4.1 Data Exports from the United Kingdom under the Standard Contractual Clauses. For ex-UK Transfers where the EU SCCs also apply, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses (“Approved Addendum”) shall apply. The information required for Tables 1 and 3 of Part One of the Approved Addendum is set out in Exhibits 1, 2, and 3 of this DPA (as applicable). The information required for Table 2 is set out in Section 7 of this DPA. For the purposes of Table 4 of Part One of the Approved Addendum, the importer may end the Approved Addendum when it changes.
7.5 Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
7.5.1 The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
7.5.2 The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
7.5.3 Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
7.5.4 The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
7.6 Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
7.6.1 As of the date of this DPA, SNI has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Information is being exported, for access to (or for copies of) Customer Data (“Government Agency Requests”);
7.6.2 If, after the date of this DPA, SNI receives any Government Agency Requests, SNI shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, SNI may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer Data to a law enforcement or government agency, SNI shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless SNI is legally prohibited from doing so. SNI shall not voluntarily disclose Customer Data to any law enforcement or government agency. The Parties shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Information pursuant to this DPA should be suspended in light of such Government Agency Requests; and
7.6.3 The Parties will meet as needed to consider whether:
(i) the protection afforded by the laws of the country of SNI (Data Importer) to Data Subjects whose Personal Information is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
(ii) additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
(iii) it is still appropriate for Personal Information to be transferred to SNI (Data Importer), taking into account all relevant information available to the Parties, together with guidance provided by the supervisory authorities.
8. Data Subject Rights.
8.1 Taking into account the nature of the Processing, SNI shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
8.2 SNI has provided Customer with the tools necessary to correct, amend, or delete inaccurate data, and Customer may use these tools to comply with Data Subject requests related to the right to correct, amend, or delete inaccurate data.
8.3 SNI shall:
8.3.1 promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect to Customer Data.
8.3.2 advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Information are communicated to SNI, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
8.3.3 ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Customer is subject, in which case SNI shall to the extent permitted by applicable laws inform Customer of that legal requirement before SNI responds to the request.
9. Actions and Access Requests; Audits.
9.1 SNI shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA.
9.2 Upon Customer’s written request at reasonable intervals (no more than every 12 months), and subject to reasonable confidentiality controls, SNI shall either (i) make available for Customer’s review copies of certifications or reports demonstrating SNI’s compliance with prevailing data security standards applicable to the processing of Customer’s Personal Information, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer’s independent third party representative to conduct an audit or inspection of SNI’s data security infrastructure and procedures that is sufficient to demonstrate SNI’s compliance with its obligations under Data Protection Laws, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to SNI’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to SNI for any time expended for on-site audits. The scope of such an audit will be agreed in advance and shall not involve physical access to the servers on which Customer Content and Personal Information is hosted.
9.3 SNI shall, taking into account the nature of the processing and the information available to SNI, provide Customer with reasonable cooperation and assistance where necessary for Customer to:
9.3.1 Comply with its obligations under Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information.
9.3.2 Cooperate and/or consult with any supervisory authority where necessary and where required by Data Protection Laws.
9.3.3 Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance provided by SNI as described in 9.3.1 and 9.3.2.
Exhibit 1: Details of Processing
Nature and Purpose of Processing: SNI will process Customer Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.
Duration of Processing: SNI will process Customer Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for SNI’s legitimate business needs; or (iii) by applicable law or regulation. Customer Data will be processed and stored as set forth in SNI’s Privacy Policy.
Categories of Data Subjects: Customer may submit Personal Information to SNI for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of Data Subjects:
- Employees
- Consultants
- Contractors
- Trainees
- Any other individual whose Personal Information Customer processes through the Services
Categories of Personal Information: Customer may submit Customer Data, which includes Personal Information, to SNI for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Information:
- First and last name
- Physical address
- IP address
- Geo-location
- Bandwidth
- ISP
- Proxy
- Domain
- Demographic data
Sensitive Information: Customer shall not process or transfer any Sensitive Information through the Services.
Exhibit 2
Exhibit 3
SNI-Fulcrum required information pursuant to Annex II of EU SCCs and Appendix 2 of UK SCCs
Exhibit 4
Exhibit 5 – CCPA Addendum
This CCPA Addendum is incorporated as part of the DPA and sets out the terms that apply when Personal Information regulated by the CCPA is processed by SNI under the DPA.
1. Definitions. Any capitalized terms in this Addendum shall have the meanings set forth in the Agreement or the CCPA. If there is any conflict between the capitalized terms in the Agreement and those in this Addendum, the terms in the CCPA shall prevail.
2. Representations and Warranties
2.1. SNI represents and warrants that it is a Service Provider or Contractor for the purposes of the services it provides to Customer pursuant to the DPA.
3. SNI Processing of Customer Data (including Personal Information)
3.1. SNI shall process Personal Information it receives pursuant to the Agreement only for the limited and specified purposes of providing the agreed upon services to Customer (as outlined in Exhibit 1) and is prohibited from using Personal Information for any other purpose.
3.2. SNI shall comply with all applicable sections of the CCPA, including by providing the same level of protection to Personal Information as required to be provided by Customer under the law.
3.3. SNI agrees that Customer has the right to take reasonable and appropriate steps to ensure that SNI uses Personal Information that it receives from or processes on behalf of Customer in a manner consistent with Customer’s obligations under the CCPA.
3.4. SNI agrees that Customer has the right to take reasonable and appropriate steps to stop and remediate SNI’s unauthorized use of Personal Information.
3.5. SNI shall notify Customer as soon as possible after SNI determines that it can no longer meet its obligations under the CCPA.
3.6. If SNI engages Sub-Processors in relation to providing services to Customer pursuant to the Agreement, SNI shall have a contract with the Sub-Processor that complies with the CCPA and has the same restrictions on the processing of Personal Information as outlined in this Addendum.
4. Restrictions on SNI’s Use of Customer Data (includes Personal Information)
4.1. SNI shall not Sell or Share Personal Information it receives from or processes on behalf of Customer, for purposes outside of those outlined in the DPA and exhibits incorporated by reference in the DPA.
4.2. SNI shall not retain, use, or disclose Personal Information it receives from or processes on behalf of Customer for any purpose (including any Commercial Purpose) other than for the purposes specified in the Agreement, DPA, and except as otherwise permitted by the CCPA.
4.3. SNI shall not retain, use, or disclose Personal Information it receives from or processes on behalf of Customer outside of the direct business relationship between SNI and Customer, except as otherwise permitted under the CCPA.
4.4. SNI shall not combine the Personal Information it receives from or processes on behalf of Customer with Personal Information it receives from or on behalf of another person or which it collects from its own interaction with another individual, provided that SNI may combine Personal Information to perform any Business Purpose, such as to analyze how users interact with Services, or as otherwise permitted under the CCPA.
5. Consumer Requests
5.1. Customer agrees to: (i) inform SNI of any consumer request made pursuant to the CCPA that they must assist Customer to comply with and (ii) provide the information necessary for SNI to comply with the request.