Data Processing Agreement

Effective Date: May 2023

This Data Protection Agreement (“DPA”) sets out the parties’ data protection obligations under Article 28 of the GDPR which arise from the Processor’s Processing of Personal Data on behalf of the Controller under the Principal Agreement in respect of the Services.

The Controller and Processor are parties to the Principal Agreement whereby the Controller procures certain products and services from the Processor, or a related entity of the Processor.

The Controller and Processor will become bound by this DPA only where so specified in the Principal Agreement, and at the same time the Principal Agreement is entered into. This DPA will form an addendum to the Principal Agreement. This DPA becomes effective without any further action by the parties from the date of the Principal Agreement. This DPA will take effect as and from the date that the Principal Agreement commences (even where this DPA is entered into after that date).

Alternatively, the Controller and Processor may execute a copy of this DPA where marked below, and will become bound by this Agreement at that time.

The parties agree as follows:

1. INTERPRETATION

1.1 In this DPA, unless otherwise indicated by the context:

“Commission”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” these terms shall have the same meaning as in the GDPR.
Applicable Laws means (a) European Union or Member State laws with respect to any Personal Data in respect of which the parties are subject to EU Data Protection Laws; and (b) any other applicable law with respect to the use, storage, collection or Processing of Personal Data including other Data Protection Laws
Business Day means a day that is not a Saturday, Sunday or public holiday or bank holiday in the city and state in which the Processor is incorporated
Contracted Processor means the Processor or a Subprocessor
Controller has the same meaning as in the GDPR, and includes the recipient of Services from the Processor, as named in the Principal Agreement, and who becomes bound under this DPA as the “Controller” party
Data Protection Laws means EU Data Protection Laws, and, to the extent applicable, the data protection or privacy laws of any other country
EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR
GDPR means the EU General Data Protection Regulation 2016/679
Personal Data means any Personal Data Processed by a Contracted Processor on behalf of the Controller
Principal Agreement means the agreement whereby the Controller procures certain products and services from the Processor or a related entity of the Processor, and which incorporates this DPA by reference. The Principal Agreement will be the “Terms and Conditions for Influencers” or “Terms and Conditions for Brands” (or similar agreement) between the parties or the Processor’s end user licence agreement for its software
Processor means Atisfy Pte. Ltd UEN:20201433K, a company incorporated in Singapore
Restricted Transfer means:

(a) a transfer of Personal Data from the Controller to a Contracted Processor; or

(b) an onward transfer of Personal Data from a Contracted Processor to another Contracted Processor, or between two establishments of a Contracted Processor, or to a Subprocessor,

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws), in the absence of the Standard Contractual Clauses being in place between those parties

Services means any goods or services provided from time to time by the Processor to the Controller, or by a related entity of the Processor to the Controller, under the terms of the Principal Agreement
Standard Contractual Clauses means the contractual clauses referred to in Schedule 2, amended as indicated in those contractual clauses, and under clause 11
Subprocessor means any person (including any third party) appointed by or on behalf of the Processor to Process Personal Data on behalf of the Processor and includes the entities listed in Schedule 3
1.2 In this DPA, unless otherwise indicated by the context:

  1. words importing the singular include the plural and vice versa;
  2. headings are for convenience only and do not affect interpretation of this DPA;
  3. a reference to a clause, paragraph or schedule is a reference to a clause, paragraph or schedule of this DPA;
  4. where any word or phrase is given a definite meaning in this DPA, any part of speech or other grammatical form of that word or phrase has a corresponding meaning;
  5. an expression importing a natural person includes a body corporate, partnership, joint venture, association or other legal entity;
  6. a reference to a statute, statutory provisions or regulation includes all amendments, consolidations or replacements thereof;
  7. a reference to a party to a document includes that party’s legal personal representatives, successors and permitted assigns;
  8. a covenant or agreement on the part of or for the benefit of two or more persons binds or benefits them jointly and severally; and
  9. reference to a body, whether statutory or not:
    1. which ceases to exist; or
    2. whose powers or functions are transferred to another body;
    is a reference to the body which replaces it or which substantially succeeds to its powers or functions.

2. PROCESSING OF COMPANY PERSONAL DATA

2.1 The Processor will:

  1. comply with all applicable Data Protection Laws in the Processing of Personal Data; and
  2. not Process Personal Data other than on the Controller’s documented instructions (including those instructions given under clause 2.2) unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case the Contracted Processor shall, to the extent permitted by Applicable Laws, inform the Controller of that legal requirement before the relevant Processing of that Personal Data.

2.2 The Controller instructs the Contracted Processor (and authorises them to instruct each Subprocessor) to:

  1. process the Personal Data; and
  2. transfer the Personal Data to any country or territory, as reasonably necessary for the provision of the Services.

2.3 Schedule 1 sets out certain information regarding the Contracted Processors’ Processing of the Personal Data as required by article 28(3) of the GDPR (and, where relevant, equivalent requirements of other Data Protection Laws). The parties may agree from time to time to amend Schedule 1 as necessary to meet those requirements.

3. PERSONNEL

The Processor shall take reasonable steps to ensure each employee, agent or contractor of any Contracted Processor who may have access to Personal Data, only has access to the Personal Data on a need to know basis, as strictly necessary for the purposes of providing the Services, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor. Each Contracted Processor shall also ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. SECURITY

4.1 The Processor will, having considered the relevant solutions available, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, the Processor shall take account of the risks that are presented by Processing, in particular in relation to a Personal Data Breach.

5. SUBPROCESSING

5.1 The Controller authorises the Processor to appoint (and permit each Subprocessor appointed in accordance with this clause 5 to appoint) Subprocessors in accordance with this clause 5.

5.2 The Controller may continue to use those Subprocessors already engaged by them as at the date of this DPA, subject to the Processor as soon as practicable meeting the obligations set out in clause 5.4. At the date of this DPA, the Processor uses the Subprocessors listed in Schedule 3 to provide the Services.

5.3 The Processor shall provide prior written notice of the appointment of any new Subprocessor, who may process the Personal Data, including full details of the Processing to be undertaken by the Subprocessor. Such notice may be given by the Processor from time to time, publishing the names of Subprocessors which it uses to process Personal Data, on the Processor’s website (and the Controller will be deemed to have been notified of the same at that time). If, within 5 Business Days of receipt of that notice, or date of publication on the Processor’s website, the Controller notifies the Processor in writing of any objection (on reasonable grounds) to the proposed appointment, then the Processor cannot make the appointment of the Subprocessor until reasonable steps have been taken to address the objections raised. However if the objections cannot be addressed then the Processor (or its related entity) may terminate the Principal Agreement if the failure to appoint the Subprocessor will inhibit or cause an unreasonable cost for the Processor (or its related entity) in providing the Services.

5.4 With respect to each Subprocessor appointed by the Processor, the Processor shall:

  1. before the Subprocessor first Processes any Personal Data (or where relevant, in accordance with clause 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for the Personal Data required by this DPA and for the due provision of the Services;
  2. take reasonable steps to ensure that the arrangement with the Subprocessor is governed by a written agreement including terms which offer at least the same level of protection for Personal Data as those set out in this DPA and which meet the requirements of articles 28(3) and 28(4) of the GDPR; and
  3. if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into any agreement with the Subprocessor which involves the processing of Personal Data on behalf of the Controller, and make available copies of that agreement (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as reasonably requested by the Controller from time to time.

5.5 The Processor shall take reasonable steps to ensure that each Subprocessor observes each of the Processor’s obligations under this DPA in relation to the Processing of Personal Data, as if those obligations were the principal obligations of the Subprocessor.

6. DATA SUBJECT RIGHTS

6.1 The Processor shall assist the Controller by implementing appropriate technical and organisational measures (in the context of the nature of the Processing), as far as practicable, for the fulfilment of the Controller’s obligations, to respond to requests from a Data Subject to exercise their rights under Data Protection Laws.

6.2 The Processor shall:

  1. promptly notify the Controller if a Contracted Processor receives a request from a Data Subject to exercise any of their rights under a Data Protection Law in respect of their Personal Data; and
  2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of the Controller, or as required by Applicable Laws to which the Contracted Processor is subject.

7. PERSONAL DATA BREACH

7.1 The Processor shall notify the Controller without undue delay upon the Processor or their Subprocessor becoming aware of a Personal Data Breach affecting the Personal Data disclosed by the Controller to the Processor, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects, or relevant authorities, of the Personal Data Breach under the Data Protection Laws.

7.2 The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

The Processor will provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required of it by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. DELETION OR RETURN OF GROUP MEMBER PERSONAL DATA

9.1 Subject to this clause, the Processor shall as soon as reasonably practicable following the completion of the Services involving the Processing of the Personal Data, upon written request from the Controller either:

    1. delete and procure the deletion of all copies of the Personal Data (as directed by the Controller); or
    2. deliver a copy of the Personal Data to the Controller,

or a combination of the above.

9.2 Each Contracted Processor may retain the Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that the Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

10. AUDIT RIGHTS

10.1 The Processor shall make available to the Controller, following the Controller’s reasonable request, all information reasonably and solely necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor nominated by the Controller in relation to the Processing of Personal Data by the Contracted Processor. Any request for information, or request for an audit, by the Controller under this clause 10 shall only be made in good faith and for a bona fide purpose.

10.2 Information and audit rights of the Controller only arise under clause 10.1 to the extent that the Principal Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).

10.3 The Controller may only mandate an auditor for the purposes of clause 10.1 if the auditor is approved by the Processor. The Processor shall not unreasonably withhold or delay its approval of the auditor.

10.4 The Controller shall give the Processor or the relevant Subprocessor reasonable notice of any audit or inspection to be conducted under clause 10.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:

  1. to any individual unless he or she produces reasonable evidence of identity and authority;
  2. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller has given notice to the Processor or the relevant Subprocessor that this is the case before attendance outside those hours begins; or
  3. for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any additional audits or inspections which:
    1. the Controller reasonably considers necessary because of genuine concerns as to the Processor’s compliance with this DPA; or
    2. the Controller is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,

where the Controller has identified its concerns or the relevant requirement or request in its notice to the Processor or relevant Subprocessor of the audit or inspection.

10.5 The Controller will pay or reimburse the Processor for the Processor’s reasonable costs in complying with this clause 10.

10.6 The Controller will maintain the confidentiality of information disclosed to it under this clause 10 (Confidential Information), and will ensure that its auditors and other agents or personnel of the Controller who have access to such information (Representatives), also maintain confidentiality. The Controller will, and will ensure that its Representatives, only use or disclose the Confidential Information solely for the purposes of complying with Applicable Laws, and will only disclose the Confidential Information where required by Applicable Laws. The Controller, and the Controller shall ensure its Representatives, do not use or disclose Confidential Information for any other purpose.

11. RESTRICTED TRANSFERS AND THE STANDARD CONTRACTUAL CLAUSES

11.1 Subject to clause 11.3, the Controller (as “data exporter”) and each Contracted Processor, as appropriate, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from the Controller to that Contracted Processor.

11.2 The Standard Contractual Clauses shall come into effect under clause 11.1 on the later of:

  1. the data exporter becoming a party to them;
  2. the data importer becoming a party to them; and
  3. commencement of the relevant Restricted Transfer.

11.3 Clause 11.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.

11.4 The Controller may:

  1. by at least 30 Business Days written notice to the Processor from time to time propose any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under this clause), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
  2. propose any other variations to this DPA which the Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.

11.5 If the Controller gives notice under clause 11.4(a):

  1. the Processor shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under clause 5.4(c); and
  2. the Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by the Processor to protect the Contracted Processors against additional risks associated with the variations made under clauses 11.4(a) and 11.5(a).

11.6 If the Controller gives notice under clause 11.4(b), the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the Controller’s notice as soon as is reasonably practicable.

12. TERMINATION

12.1 Termination by mutual agreement

This DPA may be terminated at any time by a written document signed by all parties.

12.2 Termination by the Controller

  1. The Controller may terminate this DPA at any time, and for any reason, on the provision of written notice to the Processor.
  2. The Processor may terminate this DPA at any time by written notice to all other parties, provided that at the time such notice is given, the Processor:
    1. is no longer Processing any Personal Data on behalf of the Controller; and
    2. the Contracted Processor has complied with clause 9.

12.3 Automatic termination

This DPA will automatically terminate if the Processor or its related entity are no longer providing Services to the Controller, or if the Principal Agreement otherwise terminates.

12.4 Provisions which survive termination

Upon the termination of this DPA, the obligations under clauses 6, 7, 9, 10 and 11 will continue to apply following termination.

13. GENERAL

13.1 Assignment

A party must not assign or novate this DPA without each other party’s prior written consent.

13.2 Variation

This DPA may only be amended or modified by a document in writing signed by the parties.

13.3 Notices

Any notice or demand to be given or made under this DPA must be in writing signed by a party’s authorised representative. A notice will be deemed to be received (a) in the case of a notice given by hand, on delivery; (b) in the case of a notice sent by pre-paid post, 5 days following the date of postage; and (c) in the case of a notice sent by email to legal@atisfy.com, upon the recipient or their mail server confirming receipt of the email.

13.4 Entire agreement

It is expressly acknowledged, by and between the parties, that the terms set out in this DPA, together with the Principal Agreement, contain the entire agreement concluded between the parties, and that this DPA supersedes any and all prior agreements, representations, or understandings between the parties, whether written or oral, in respect of the same subject matter.

13.5 Waiver

Any waiver of a right or remedy under this DPA will only be valid if the waiver is given in writing and signed by the party giving the waiver.

13.6 Severance

If a provision of this DPA or part thereof is unenforceable, then that provision (or relevant part) may be severed without affecting the enforceability of any other provision of this DPA.

13.7 Further Assurance

Each party will from time to time do all things (including executing all documents) necessary or desirable to give full effect to this DPA.

13.8 Counterparts

This DPA may be executed in any number of counterparts each of which will be an original but such counterparts together will constitute one and the same instrument and the date of the DPA will be the date on which it is executed by the last party.

13.9 No merger

Nothing in this DPA merges, extinguishes, postpones, lessens or otherwise prejudicially affects any right, power or remedy that a party may have against another party or any other person at any time.

13.10 Consents and approvals

Where this DPA gives any party a right or power to consent or approve in relation to a matter under this DPA, that party may withhold any consent or approval or give consent or approval conditionally or unconditionally. The party seeking consent or approval must comply with any conditions the other party imposes on its consent or approval.

13.11 Governing Law and Jurisdiction

  1. Subject to clause 13.11(b), this DPA is governed by the same laws as the same jurisdiction which governs the Principal Agreement.
  2. To the extent required to comply with the GDPR, and only in relation to matters relating to the compliance of this DPA or a party’s actions under it in relation to GDPR, this DPA shall also be governed by the laws of each Member State where EU Data Protection Laws apply.
  3. Each party irrevocably submits to the jurisdiction described in clause 13.11(a) with respect to any disputes or claims howsoever arising under this DPA.

Executed as an agreement

(As indicated in the preamble to this DPA, the parties may become bound to this DPA either under the Principal Agreement, or by signing this DPA where marked below)

Date:
SIGNED by the authorised person named below for and on behalf of the Processor:
Name of the Processor
Signature
Name of person signing
SIGNED by the authorised person named below for and on behalf of the Controller:
Name of the Controller
Signature
Name of person signing

Schedule 1

This Schedule 1 includes certain details of the Processing of Personal Data as required by article 28(3) GDPR.

Subject matter and duration of the Processing of the Personal Data

The Personal Data to be processed includes all Personal Data disclosed from time to time by the Controller pursuant to this DPA or in relation to the Services.

The nature and purpose of the Processing of Personal Data

The effective provision of the Services.
The nature of the Processing shall be agreed between each Contracted Processor and the Controller from time to time.

The types of Personal Data to be Processed

Personal Data may include personal information (first name, last name, date of birth, email address, contact information (including phone number), sexual orientation, gender, relationship status, family, date of birth, language), IT information (IP addresses, usage data, cookies data, location data, browser data), financial information (credit card details, account details, payment information), employment details (employer, job title, geographic location, area of responsibility).

The categories of Data Subject to whom the Personal Data relates
  • Potential and actual customers;
  • The Processor’s personnel;
  • Third parties that have, or may have, a commercial relationship with the data exporter (e.g. software providers, strategic partnerships, joint ventures and contractors); and
  • Employees and other personnel of the above entities.

The obligations and rights of the Controller

The obligations and rights of the Controller are as set out in the Principal Agreement and this DPA.

Schedule 2

STANDARD CONTRACTUAL CLAUSES

[These Clauses are deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (i) by the Commission to or of the equivalent contractual clauses approved by the Commission under EU Directive 95/46/EC or the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law (otherwise).]

[If these Clauses are not governed by the law of a Member State, the terms “Member State” and “State” are replaced, throughout, by the word “jurisdiction”.]

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection [This opening recital is deleted if these Clauses are not governed by the law of a member state of the EEA.]

[The gaps below are populated with details of the relevant Data Exporter:]

Name of the data exporting organisation: The person identified as the Controller in the Data Processing Agreement to which these Standard Contractual Clauses are appended

………………………………………………………………………………………

(the data exporter)

And
ATISFY PTE. LTD UEN:202014337K, a company incorporated in Singapore of INSERT REGISTERED OFFICE ADDRESS

……………………………………………………………………………………….
(the data importer)
each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Background

The data exporter has entered into a Data Processing Agreement (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.

Clause 1
Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; [If these Clauses are governed by a law which extends the protection of data protection laws to corporate persons, the words “except that, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of “personal data” is expanded to include those data” are added.]
  2. ‘the data exporter’ means the controller who transfers the personal data;
  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC” are deleted.]
  4. ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  2. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “within the meaning of Directive 95/46/EC” are deleted.]
  7. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  9. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  10. that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  3. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  4. that it will promptly notify the data exporter about:
    1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
    2. any accidental or unauthorised access, and
    3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
  5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  6. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  8. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  9. that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  10. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
  3. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
  4. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    2. to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is the party named as the Controller in the Data Processing Agreement to which these Standard Contractual Clauses are attached to or refer to.

Data importer

The data importer is ATISFY PTE. LTD UEN:202014337K, a company incorporated in Singapore.

Data subjects

The personal data transferred concern the following categories of data subjects:

Customers, potential customers, businesses, potential businesses, visitors to the Controller’s or Processor’s website, potential suppliers, suppliers, employees and contractors, potential employees and potential contractors, and any other Data Subjects from whom Personal Data may be collected as specified in the data exporter’s privacy policy.

Categories of data

The personal data transferred concern the following categories of data:

  • Direct identifying information (e.g., name, email address, telephone number).
  • Financial information (e.g., credit card details, account details, payment information).
  • Employee characteristics (e.g., salary, position, job description, tenure).
  • Indirect identifying information (e.g., job title, gender, date of birth).
  • Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
  • Any personal data supplied by users of the Processor’s platform.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

  • Sexual orientation
  • Relationship status
  • Family Status
  • Occupation

Processing operations

The personal data transferred will be subject to the following basic processing activities: The personal data will be analysed to determine underlying patterns and predictions. The results shall then be reported to the Controller and/or used by the Processor to improve its platform and services.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

1. Access control to premises and facilities

Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:

  • Access control system
  • ID reader, magnetic card, chip card
  • (Issue of) keys
  • Door locking (electric door openers etc.)
  • Surveillance facilities
  • Alarm system, video/CCTV monitor
  • Logging of facility exits/entries

2. Access control to systems

Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:

  • Password procedures (incl. special characters, minimum length, forced change of password)
  • No access for guest users or anonymous accounts
  • Central management of system access
  • Access to IT systems subject to approval from HR management and IT system administrators

3. Access control to data

Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures shall include:

  • Differentiated access rights
  • Access rights defined according to duties
  • Automated log of user access via IT systems
  • Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment

4. Disclosure control

Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

  • Compulsory use of a wholly-owned private network for all data transfers
  • Encryption using a VPN for remote access, transport and communication of data.
  • Creating an audit trail of all data transfers

5. Input control

Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained.
Measures should include:

    • Logging user activities on IT systems
    • That it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment
    • That it is possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data have been input;

6. Job control

Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:

      • Unambiguous wording of contractual instructions
      • Monitoring of contract performance

7. Availability control

Measures should be put in place designed to ensure that data are protected against accidental destruction or loss.
These measures must include:

      • Installed systems may, in the case of interruption, be restored
      • Systems are functioning, and that faults are reported
      • Stored personal data cannot be corrupted by means of a malfunctioning of the system
      • Uninterruptible power supply (UPS)
      • Business Continuity procedures
      • Remote storage
      • Anti-virus/firewall systems

8. Segregation control

Measures should be put in place to allow data collected for different purposes to be processed separately.
These measures should include:

      • Restriction of access to data stored for different purposes according to staff duties.
      • Segregation of business IT systems
      • Segregation of IT testing and production environments

Schedule 3

LIST OF SUBPROCESSORS

Subprocessors engaged in the processing of personal data on behalf of the Controller in connection with the Processor’s provision of Services include the following entities:
These are third parties to whom you disclose data.

Subprocessor | Country | Purpose | GDPR-compliant
Amazon Web Services Australia Pty Ltd | Australia | Platform Hosting Services | Yes
HubSpot Australia Pty. Ltd. | Australia | Influencer and Brand Support Services | Yes
Zendesk | Australia | Influencer and Brand Support Services | Yes
Xero | Australia | Influencer and Brand Payment Management Services | Yes
PayPal | Australia | Influencer Payment Services | Yes
 | Australia | Brand Payment Services | Yes

Subprocessor Agreements

Subprocessor | Agreement
Amazon Web Services Australia Pty Ltd | https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html
HubSpot Australia Pty. Ltd. | https://legal.hubspot.com/dpa
Zendesk | https://www.zendesk.com/au/company/privacy-and-data-protection/
Xero | https://www.xero.com/au/data/xero-and-gdpr/
PayPal | https://www.paypal.com/us/webapps/mpp/ua/data-protection
Stripe | https://support.stripe.com/questions/accept-and-download-your-data-processing-agreement-(dpa)-with-stripe