Data processing addendum
EXHIBIT B: DATA PROCESSING ADDENDUM
Last revised: 25 February 2022
This Data Processing Addendum ("DPA") is a contract between Exchange Gate and the entity that has agreed to the Exchange Gate Terms of Service (or "you" as defined in the Terms; referred to as "Customer" in this document). This DPA incorporates and supplements the Exchange Gate Terms of Service (hereinafter, the "Agreement"), as applicable. Capitalized terms that are not defined elsewhere in this document will have the meanings assigned to them in the Agreement.
The customer acknowledges that Exchange Gate is a conduit for Content transmitted via the Exchange Gate solution, some of which may contain Personal Data as defined below, unbeknownst to Exchange Gate. Such Personal Data is only kept for as long as it is required to transmit it (except if and to the extent the customer elects to store such data, as data controller). Exchange Gate does not use, modify, access, store, process, or transmit Personal Data in the course of providing the Exchange Gate solution, and is unaware of its existence.
The customer may be either the controller or the processor of Personal Data. When the customer is the controller and shares Personal Data with Exchange Gate, Exchange Gate will be the processor. When the customer is the processor and shares Personal Data with Exchange Gate, Exchange Gate will be the Personal Data's sub-processor. This DPA only applies to the extent that Exchange Gate processes Personal Data on behalf of the customer as a processor or sub-processor.
A. In this DPA, the following definitions apply:
| Term | Definition |
|---|---|
| "Data Protection Law" | All current data protection, privacy, and electronic marketing legislation, including (i) the General Data Protection Regulation (EU 2016/679) ("EU GDPR") and (ii) any national implementing laws (including laws implementing the Privacy and Electronic Communications Directive 2002/58/EC), as amended or updated from time to time, as applicable to either party, and the UK Data Protection Act 2018, regulations, and secondary legislation, as amended or updated from time to time. |
| "GDPR" | The EU GDPR and/or the UK GDPR, as applicable. |
| "Personal Data" | Refers to the EU General Data Protection Regulation (GDPR) and/or the UK General Data Protection Regulation (GDPR), where applicable. |
| "Standard Contractual Clauses" | The EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses, as applicable. |
| "EU Standard Contractual Clauses" | The annex to the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries according to Regulation (EU) 2016/679 of the European Parliament and the Council, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, specifically Modules 2 and 3 (as applicable), and any modifications and replacements to them, or other standard contractual clauses adopted by the European Commission. |
| "sub-processor" | Any processor engaged by a party to assist in its processing of Personal Data for another party. |
| "UK Standard Contractual Clauses" | The annex to the European Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and the Council, available at https://op.europa.eu/en/publication-detail/-/publication/473b885b-31d6-4f3b-a10f-01152e62be6e/ as adapted for the UK, or such alternative contractual arrangement or clauses approved by the Information Commissioner's Office from time to time. |
B. The terms “controller”, “data subject”, “personal data”, “processor” and “processing” will have the meanings given to them in the UK GDPR or the EU GDPR, as applicable.
1. Both parties will adhere to all applicable Data Protection Law requirements. The obligations of a party under Data Protection Law are not relieved, removed, or replaced by this DPA.
2. Except as provided in section 8 below, the parties agree that Exchange Gate will act as a processor or sub-processor of customer with respect to Personal Data. Customer may act as a controller with respect to Personal Data or a processor when processing such data under the instructions and on behalf of a third party (for example, customer's customers).
3. Details of Personal Data Processing (EU Standard Contractual Clauses Annex 1 and Annex 2 and/or UK Standard Contractual Clauses Appendix 1 and Appendix 2, as applicable):
- Data Exporter - the customer sending Personal Data to Exchange Gate.
- Data Importer - Exchange Gate.
- Subject matter - the data and content specified below are the subject matter of the data processing under this DPA.
- Purpose - the purpose of the data processing under this DPA is the provision of the Exchange Gate solution initiated by customer from time to time.
- Nature of the processing - supply of services as stipulated in the agreement and as requested by customer.
- Categories of data subjects - customers, workers, guests, invitees, suppliers, and End Users of Customer and its customers, as well as any other individuals identified or identifiable within the personal data provided by such individuals.
- Types of Personal Data - in addition to Personal Data incidentally captured in Content ("Captured Personal Data"), Exchange Gate collects and processes the following as a necessary step in providing the Exchange Gate solution, all or some of which may or may not be personally identifying or identifiable information:
- IP addresses;
- End User login credentials;
- Client device descriptions/identifiers;
- Special Categories of Data - data are not actively or deliberately collected, processed, or transferred by the parties, yet such data may be included in Captured Personal Data.
- Processing operations - as described in this DPA, including Annex 1.
Retention periods:
- Captured Personal Data is held by Exchange Gate for a short period of time (typically 2 minutes or less, but up to 24 hours as needed to provide the Exchange Gate solution), unless Customer elects to store such Personal Data for a longer period as determined by customer (as data controller) and via customer's instruction to Exchange Gate, or until customer's account is deleted.
- IP addresses: up to 14 calendar days or until customer’s account is deleted.
- End User login credentials: up to 14 calendar days or until customer’s account is deleted.
- Descriptions/identifiers of client devices: until customer's account is deleted. When such data is no longer needed, the customer agrees to remove it.
- Competent Supervisory Authority - Data Protection Commissioner of Latvia (LV)
4. Customer will guarantee and warrant that it has in place all necessary suitable consents and notices, in any form needed by Data Protection Law or other UK or EU regulations (as applicable), to enable lawful transfer of Personal Data to Exchange Gate for the term and purposes of the Agreement.
5. Customer will ensure and warrant that Personal Data is not transferred from the European Economic Area ("EEA") to anywhere outside the EEA, or from the UK to anywhere outside the UK, as part of the customer's use or deployment of the Exchange Gate solution, except to a third country that the Commission considers as providing an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers as providing an adequate level of protection (in the case of transfers subject to UK GDPR). Adequate measures will be taken to guarantee that Personal Data is adequately protected and that data subjects' rights under the Data Protection Law are not prejudiced as a result of the transfer. Customer acknowledges that, subject to Exchange Gate's obligations in section 9.5 below regarding Exchange Gate sub-processors and section 11 below regarding the Standard Contractual Clauses, Customer is solely responsible for ensuring that Personal Data is transferred outside of the EEA or the UK in full compliance with the Data Protection Law.
6. Customer certifies that it has evaluated any security measures in place at the time of this Agreement and will continue to do so on an ongoing basis to guarantee compliance with this DPA's responsibilities. If such safeguards fail to satisfy the standards required by Data Protection Law, the customer is exclusively accountable (as between the parties and to data subjects and supervisory authorities).
7. Customer guarantees and verifies that all information required to be provided to a data subject has been done so, or that an appropriate exemption exists and is being used by the customer.
8. Customer and Exchange Gate agree that they will process any personal data of the other's staff as independent controllers in connection with their admission into the Agreement or the management of their commercial relationship.
9. In relation to any Personal Data processed in conjunction with the offering of the Exchange Gate service, Exchange Gate shall:
- 9.1. process that Personal Data only on the written instructions of customer except to the extent Exchange Gate is required to process data by applicable law. Where Exchange Gate is relying on applicable law as the basis for processing Personal Data, Exchange Gate shall without undue delay notify customer unless applicable law prohibits Exchange Gate from so notifying customer;
- 9.2. not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the Exchange Gate solution, or as necessary to comply with the law or a valid and binding order of a governmental body or court;
- 9.3. ensure that it has in place appropriate technical and organizational measures outlined in Annex 1 to this DPA to protect against unauthorized or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- 9.4. ensure that all Exchange Gate personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
- 9.5. ensure that where sub-processors are used outside the EEA or the UK such that Personal Data is transferred from within the EEA to anywhere outside the EEA or from the UK to anywhere outside of the UK, and such transfer is not to a third country that the Commission considers providing an adequate level of protection (in the case of transfers subject to EU GDPR) or that the Secretary of State considers providing an adequate level of protection (in the case of transfers subject to UK GDPR), adequate measures will be taken to ensure the Personal Data will be protected to an adequate level and the data subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer;
- 9.6. as required by Data Protection Law, keep records of processing actions performed on behalf of the customer;
- 9.7. taking into account the nature of the processing, assist the Customer, in so far as this is possible, in responding to any request from a data subject and in ensuring compliance with its obligations under Data Protection Law for security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
- 9.8. notify the customer without undue delay on becoming aware of a security incident affecting Personal Data. Exchange Gate is not obligated to report incidents that result in no unlawful or accidental destruction, loss, alteration, disclosure of, or access to Personal Data or any of Exchange Gate's equipment or facilities storing Personal Data; such incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents. Exchange Gate's obligation to report or respond to a security incident under this section is not and will not be construed as an acknowledgment by Exchange Gate of any fault or liability of Exchange Gate for the incident;
- 9.9. make all information reasonably necessary to establish compliance with the duties in this section 9 available to the customer;
- 9.10. at the written direction of customer, delete Personal Data on termination of the Agreement unless required by applicable law to store the Personal Data.
10. If any essential appropriate consents and notices required to enable lawful transmission of Personal Data to Exchange Gate for the length and purposes of this Agreement have been breached, canceled, withdrawn, or are otherwise no longer valid, customer will immediately notify Exchange Gate.
11. The parties agree that the Standard Contractual Clauses will apply if Personal Data is transferred to Exchange Gate or its sub-processors located outside of the EEA or the UK, and the transfer is not to a third country that the Commission considers as providing an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers as providing an adequate level of protection (in the case of transfers subject to UK GDPR). The terms "Data Importer" and "Data Exporter" will have the meanings ascribed to them in the Standard Contractual Clauses when used in this section. For the Standard Contractual Clauses, the parties accept that Exchange Gate is acting as a Data Importer and Customer is acting as a Data Exporter (notwithstanding that Customer may be located outside of the EEA or the UK or is acting as a processor on behalf of third-party controllers). In their respective roles as Data Exporter and Data Importer, each party will adhere to the applicable duties of the Standard Contractual Clauses. The data subjects, categories of data, and processing operations (as required to be disclosed in Appendix 1 of the Standard Contractual Clauses) are as outlined in this DPA. The technical and security measures implemented by Exchange Gate are detailed in Annex 1 of this DPA, as required by Appendix 2 of the Standard Contractual Clauses.
12. The parties also agree that the laws of Ireland will govern the Standard Contractual Clauses entered into by Exchange Gate and the Customer where the EU Standard Contractual Clauses apply and the Customer is established in the EEA, and the laws of England and Wales will govern where the UK Standard Contractual Clauses apply. If there is a conflict between this section 12 and any other provision determining the governing law of the Standard Contractual Clauses between Customer and Exchange Gate, this section 12 will prevail.
13. The customer acknowledges and agrees that by instructing Exchange Gate to comply with the audit measures described in section (e) of Annex 1 to this DPA, it will be able to exercise its audit rights under this DPA (including, where applicable, the Standard Contractual Clauses) and any audit rights granted by Data Protection Law.
14. Exchange Gate states and declares that it has not received any order, request, or other communication from a governmental entity requiring personal data disclosure, and that it will:
- 14.1. if it receives such an order, request, or other communication, endeavor to refer the governmental entity to Customer for the requested data. Exchange Gate may supply the relevant body with the customer's basic contact information as part of this endeavor. Unless Exchange Gate is legally forbidden from doing so, if compelled to reveal Customer Data to a governmental agency, Exchange Gate will give Customer reasonable notice of the demand so that Customer can obtain a protective order or another suitable remedy;
- 14.2. publish a transparency report or provide information to Customer on request regarding: (a) the number of orders, requests or other communications from governmental bodies for the disclosure of personal data and/or assistance in surveillance processes and the type of information requested, (b) its responses to the foregoing, and (c) its process for challenging such confidential and non-confidential orders, requests and communications; and
- 14.3. if the Customer's ability to protect the confidentiality and security of personal data is jeopardized for any reason, including the orders, requests, or communications described above, notify the Customer and halt processing, including receiving such personal data.
15. Customer consents to the use of sub-processors as indicated in this section for Exchange Gate to perform its contractual obligations under this DPA or to offer certain services on its behalf, such as providing support services. The Exchange Gate website (currently available at https://exchange-gate.io/legals/sub-processors) contains a list of sub-processors with whom Exchange Gate is currently working to provide the Exchange Gate service. Exchange Gate will update the applicable website and notify the Customer of the update via the means indicated in the Agreement for notices at least 10 working days before engaging any new sub-processor to carry out processing operations on Personal Data on behalf of Customer (sec. 2.12). If Customer objects to a new sub-processor, Customer must notify Exchange Gate in writing within ten days of Customer's notice of the updated website (without prejudice to any termination rights Customer has under the Agreement), after which time Customer shall be deemed to have consented to the new sub-processor's appointment.