TrailerVote Data Processing Addendum
This Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), amends and supplements any existing and currently valid TrailerVote Platform Services Agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and TrailerVote Corp. (together with subsidiary(ies) and affiliated entities, collectively “Company”). Defined terms used herein but not otherwise defined shall have the meanings set forth in the Agreement(s).
Purpose of the DPA. This DPA is intended to: (a) satisfy the requirement for an obligatory contract under GDPR between the processor and controller for the onward transfer of personal data from the European Union to the United States; and (b) reflect the parties’ agreement with regard to the Processing of data, including Personal Data in connection with the provision of services to Customer (“Services”) pursuant to the Agreement.
Definitions. For the purpose of this DPA, these terms shall mean the following:
“Applicable Laws” shall mean all applicable federal, state and foreign data protection, privacy and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, including, without limitation, the EU Data Protection Laws and the California Consumer Privacy Act (“CCPA”) but excluding, without limitation, consent decrees.
“Authorized Personnel” means (a) Company’s employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable Services; and (b) Company’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Company to perform its obligations under this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA.
“EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR.
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
“Personal Data” means any data relating to an identified or identifiable person that is submitted to, or collected by, Company in connection with the Services or in connection with the provision of the Services to Customer, when such data is protected as “personal data” or “personally identifiable information” or a similar term under Applicable Laws.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Security Breach” means any negligent act or omission by Company that materially compromises the security, confidentiality, or integrity of Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under Applicable Law(s) governing the particular circumstances.
“Standard Contractual Clauses” means the model clauses for the transfer of personal data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission's Decision 2010/87/EU of 5 February 2010 and at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
Processing Personal Data. Company shall process Personal Data in accordance with Customer’s written instructions (unless waived in a written requirement) provided during the term of this DPA. In the event Company reasonably believes there is a conflict with any Applicable Law and Customer’s instructions, Company will inform Customer promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
EU Data Protection Laws.
4.1 Transfers of EU Personal Data. Customer acknowledges and agrees that Company is located in the United States and that Customer’s provision of Personal Data from the European Economic Area, Switzerland and the United Kingdom (“EU”) to Company for processing is a transfer of EU Personal Data to the United States. All transfers of Customer Personal Data out of the EU (“EU Personal Data”) to the United States shall be governed by the Standard Contractual Clauses (unless Company shall have in place a valid Privacy Shield filing, in which case, compliance with it shall suffice). The terms of the Standard Contractual Clauses, together with Appendices 1 and 2 set out in Exhibit A to this DPA, are incorporated in this DPA by this reference solely as required with respect to EU Personal Data. Execution of this DPA by both parties includes execution of the Standard Contractual Clauses with respect to the processing of EU Personal Data.
4.2 GDPR Contractual Requirements. Company shall: (a) assist, to a reasonable extent, the fulfillment of Customer’s obligations to respond to requests for exercising a data subject’s rights with respect to Personal Data under Chapter III of GDPR; (b) assist, to a reasonable extent, Customer in complying with its obligations with respect to Personal Data pursuant to Articles 32 to 36 of GDPR; (c) make available to Customer information reasonably necessary to demonstrate compliance with its obligations as a processor specified in Article 28 of GDPR; (d) maintain a record of all categories of processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR; and (e) cooperate, on request, with an EU supervisory authority in the performance of the services under the Agreement.
4.3 Sub-processors. Customer grants a general authorization to Company to appoint its affiliates as sub-processors, and a specific authorization to Company and its affiliates to appoint as sub-processors the entities and the sub-processing activities set out in Exhibit B attached hereto, as it may be updated from time to time.
Compliance with Data Protection Laws.
5.1 Representation and Warranty. Customer represents and warrants that the Personal Data provided to Company for processing under the Agreement and this DPA is collected and/or validly obtained and utilized by Customer in compliance with all Applicable Laws, including without limitation the disclosure, informed affirmative consent and targeted advertising provisions of the EU Data Protection Laws, including without limitation Chapter II of the GDPR, and Customer shall defend, indemnify and hold harmless Company from and against all loss, expense (including reasonable out-of-pocket attorneys’ fees and court costs), damage or liability arising out of any claim arising out of a breach of this Section 5.1.
5.2 Data Security. Company will utilize its best efforts to protect the security, confidentiality and integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards. Notwithstanding the generality of the foregoing, Company shall: (a) not use or disclose Personal Data for any purpose other than those purposes instructed or permitted by Customer; (b) only use and disclose Personal Data in a manner and to the extent permitted in this DPA or as otherwise agreed between the parties and observe all limitations as to such use or disclosure as Customer may notify to Company; (c) employ reasonable administrative, physical and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to afford protection of the Personal Data in accordance with Applicable Law as would be appropriate based on the nature of the Personal Data; (d) utilize its best efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data (such as ISO 27001) to prevent, and take prompt and proper remedial action against unauthorized access, copying, modification, storage, reproduction, display or distribution of Personal Data; (e) cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals reasonably promptly after it is reasonable to assume that (i) the specified purposes are no longer being served by Company’s retention of Personal Data, and (ii) retention is no longer necessary for legal or business purposes; and (f) upon receiving a request from Customer to correct an error or omission in the Personal Data about the individual that is in the possession or under the control of Company, correct the Personal Data as soon as reasonably practicable.
5.3 Authorized Personnel; Sub-processors. Company shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations at least as restrictive as those contained in this DPA. In addition, Company is authorized to use sub-processors provided that Company shall enter into an agreement with the sub-processor containing data protection obligations that are at least as restrictive as the obligations under this DPA.
5.4 Security Breaches. Company will promptly, without undue delay, after becoming aware of a Security Breach (a) notify Customer of the Security Breach; (b) investigate the Security Breach; (c) provide Customer with details about the Security Breach; and (d) take reasonable actions to prevent a recurrence of the Security Breach. Company agrees to cooperate in Customer’s handling of the matter by: (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Security Breach’s effects on Customer, as required to comply with Applicable Law.
6.0 Audits and Certifications. Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement (unless such information is reasonably required to be disclosed as a response to a data subject’s inquiries under Applicable Law), Company shall make available to Customer (or a mutually agreed upon third-party auditor) information regarding Company’s compliance with the obligations set forth in this DPA, including reasonable documentation (such as a SOC 2 report).
7.0 Miscellaneous.
7.1 In the event of any conflict or inconsistency between this DPA and Applicable Law, Applicable Law shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data.
7.2 To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with the applicable EU Data Protection Laws, or to the extent required otherwise by any changes in the applicable data protection laws, Customer and Company agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with any Applicable Laws.
7.3 Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and appendices.
7.4 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. This DPA does not confer any third-party beneficiary rights, is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person. This DPA only applies to the extent Company processes Personal Data on behalf of Customer. This DPA together with the Agreement is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
Exhibit A: Appendices to Standard Contractual Clauses
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses
Data exporter
The data exporter is Customer, a user of services provided by Processor, the entity that has executed an Agreement and assented to the Standard Contractual Clauses as a data exporter.
Data importer
The data importer is TrailerVote Corp., a global producer of software and services, which processes Personal Data upon the instruction of the data exporter in accordance with the terms of the Agreement and the DPA.
Data subjects
Data exporter may submit Personal Data to TrailerVote Corp., the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer Personal Data to users of the Services.
Categories of data
Data exporter may submit Personal Data to TrailerVote Corp., the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) ID data; (g) Professional life data; (h) Personal life data; (i) Connection data; (j) Localisation data; and (k) other data in an electronic form used by Customer in the context of the Services.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): None
Processing operations
The objective of the processing of personal data by data importer is the performance of the contractual services related to the Agreement with the data exporter. The processes may include collection, storage, retrieval, consultation, use, erasure or destruction, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the Services in accordance with the data exporter’s instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.).
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
TrailerVote Corp. will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data transferred to Processor as described in the Agreement.
Exhibit B: TrailerVote’s Sub-Processors
Sub-processor name | Permitted sub-processing activities
Amazon Web Services | Cloud Hosting Services
Google’s Firebase | Crash reporting, application logging and statistical analysis of application logs
Adbutler | Ad serving
Twilio | Push notifications/SMS