EU Data Processing Addendum

Last updated on: April 26, 2018

This Data Processing Addendum (“DPA”), effective as of the DPA Effective Date (defined below), forms part of the online Terms of Service (the “Agreement”) between Senvee Inc (“Senvee”, “we”, “our”) and the customer that signs or electronically accepts this DPA (“Customer”, “you”, “your”) to reflect the parties’ agreement with regard to Processing of Personal Data in connection with Customer’s use of the enchant.com platform (“Service”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

If you are accepting this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind such entity and affiliates to the DPA.

1. Definitions

“Adequate Country” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data.

“Customer Data” means any Personal Data that Senvee processes on behalf of Customer as a Data Processor in the course of providing the Service, as more particularly described in this DPA.

“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

“DPA Effective Date” means either (i) May 25, 2018, if the date on which you sign or electronically accept this DPA is prior to that date; or (ii) the date on which you sign or electronically accept this DPA, if that date is after or on May 25, 2018.

“EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.

“EU Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“General Data Protection Regulation”, “GDPR”).

“Personal Data” means any information relating to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Laws.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data. Security Incidents will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including, without limitation, pings, port scans, denial of service attacks, network attacks on firewall or networked systems, or unsuccessful login attempts.

“Subprocessor” means any Data Processor engaged by Senvee to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.

“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

2. Relationship with the Agreement

Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. Specifically, nothing in this DPA will affect any of the terms of the Agreement relating to Senvee’s limitations of liability, which will remain in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Service.

No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

This DPA will terminate simultaneously and automatically with the termination or expiry of the Agreement.

3. Roles and Scope of Processing

Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller, Senvee is a Data Processor. Customer instructs Senvee to Process Customer’s Personal Data directly and/or using Subprocessors, as reasonably necessary for the provision of the Service and consistent with the Agreement.

Customer’s Processing of Personal Data. Customer shall, in its use of the Service, Process Personal Data in accordance with the requirements of Data Protection Laws and regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired and uses Personal Data.

Senvee’s Processing of Personal Data. Senvee shall only Process Personal Data on behalf of and in accordance with Customer’s instructions for the period set out in the Agreement. If Senvee is required to process the personal data for any other purpose provided by applicable law to which it is subject, Senvee will inform Customer of such requirement prior to the processing unless legally prohibited from doing so.

4. Details of Data Processing

Subject Matter. The subject matter of the data processing under this DPA is the Customer Data

Duration. The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.

Nature and purpose of the processing. The purpose of the data processing is the provision of the Service to the Customer in accordance with the Agreement and this DPA.

Categories of data subjects. Any individual accessing and/or using the Service through the Customer’s account (“Users”); and any individual: (i) who communicates or engages with the Customer or the Users using the service; (ii) whose information is stored on or collected via the Service (collectively, “End Users”).

Types of personal data. Personal data submitted to, stored on, or sent via the Service may include, without limitation, the following types of data: IP addresses, browser agent details, email addresses, usernames, full names, browser and operating system identifiers, emails, documents, and any other personal data that the Customer, Users or End Users choose to send to Senvee during the course of our provision of the Service.

5. Security

Confidentiality. Senvee shall ensure that any person who is authorized by Senvee to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

Security Measures. Senvee shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with Senvee’s security standards described at https://www.enchant.com/security (“Security Measures”).

Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Senvee may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service.

Customer Responsibilities. Customer is responsible for reviewing the information made available by Senvee relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service and taking any appropriate steps to securely backup Customer Data.

Security Incident Notification. Upon becoming aware of a Security Incident, Senvee shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

Audit Rights. Senvee shall make available to the Customer, on reasonable request, information that is reasonably necessary to demonstrate compliance with our obligations in this DPA. Senvee will allow for and assist with an audit of Senvee’s procedures relevant to the protection of Customer Data, but only to the extent required under applicable Data Protection Laws. Before the commencement of any such audit, Customer and Senvee shall mutually agree upon the scope, timing, duration and security and confidentiality controls applicable to the audit. Customer shall promptly notify Senvee with information regarding any non-compliance discovered during the course of an audit. Customer will be responsible for all costs associated with the provision of information and audit rights under this section. Customer agrees not to exercise these audit rights more than once in any twelve (12) calendar month period.

6. Subprocessors

Authorized Subprocessors. Customer authorizes Senvee to engage Subprocessors to process Customer Data on the Customer’s behalf, as necessary for the provision of the Service. Senvee shall make available to Customer the current list of Subprocessors for the Service by posting that list online at https://www.enchant.com/subprocessors. We will update the list from time to time as our subprocessors change.

Subprocessor Obligations. Senvee shall: (i) enter into a written agreement with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Senvee to breach any of its obligations under this DPA.

Objection Right for new Subprocessors. Senvee will notify Customer (for which email shall suffice) if it adds Subprocessors at least fourteen (14) days prior to any such changes. Within fourteen (14) days of notice of any Subprocessor change, Customer has the right to object to the appointment of that Subprocessor by providing documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements set forth in this DPA (each, an “Objection”). If we do not remedy or provide a reasonable workaround for your Objection within a reasonable time, you may, as your sole remedy and our sole liability for your Objection, terminate the Agreement. If you terminate the Agreement pursuant to this section, we will refund any prepaid fees covering the reminder of your billing period.

7. Cooperation

The Service provides Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Senvee shall (at Customer’s expense) provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to Senvee, Senvee shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Senvee is required to respond to such a request, Senvee shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

If a law enforcement agency sends Senvee a demand for Customer Data (for example, through a subpoena or court order), Senvee shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Senvee may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Senvee shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Senvee is legally prohibited from doing so.

To the extent Senvee is required under EU Data Protection Law, Senvee shall provide reasonably requested information regarding the Service to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities.

8. Data Transfers

Data Storage and Processing Facilities. Customer agrees that Senvee may store and process Customer Data in Canada or any other country in which our Subprocessors maintain facilities.

Adequacy. To the extent that Senvee processes any Personal Data protected by EU Data Protection Law under the Agreement and/or that originates from the EEA, parties acknowledge that Senvee shall be deemed to provide adequate protection for any such Personal Data by virtue of Senvee being established in and being subject to the laws of an Adequate Country.

9. Return or Deletion of Data

Upon termination or expiration of the Agreement, Senvee shall (at Customer’s election) delete or return to Customer all Customer Data. This requirement shall not apply to the extent Senvee is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Senvee shall securely isolate and protect from any further processing, except to the extent required by applicable law.

10. Tracking Technologies

Customer acknowledges that in connection with the performance of the Service, Senvee employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). Customer shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable Senvee to deploy Tracking Technologies lawfully on, and collect data from, the devices of Users and End Users.

11. Additional Information

You acknowledge that we are required under EU Data Protection Laws (i) to collect and maintain records of certain information, including, among other things, the name and contact details of each processor and/or controller on whose behalf we are acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (ii) to make such information available to the supervisory authorities. Accordingly, you will, when requested, provide this additional information to us, and ensure that the information is kept accurate and up-to-date.