Data Processing Addendum
Effective Date: July/11/2021
This Data Processing Addendum, including its Exhibits and Appendices, (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement between Dedicated and Customer for the subscription of services from Dedicated (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data. In the event of a conflict, the DPA Exhibits prevail over the DPA which prevails over the rest of the Agreement.
By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Dedicated processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Dedicated may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
How this DPA Applies
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. If the Customer entity signing this DPA has executed an Order Form with Dedicated or pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Dedicated, but has not signed its own Order Form with Dedicated and is not a “Customer” as defined under this DPA.
“Business” has the meaning set forth in Section 1798.140(v) of the CCPA.
“Business Purpose” has the meaning set forth in Section 1798.140(v) of the CCPA.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
“Customer Data” means what is defined in the Agreement as “Customer Data”, provided that such data is electronic data and information submitted by or for Customer to the Services. This DPA does not apply to Content as defined in the Agreement or, if not defined in the Agreement, as defined in the Master Subscription Agreement at https://www.dedicated.ai/services-agreement.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“End Users” means any individuals Customer permits to use the Services, as defined in the Agreement.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
“Standard Contractual Clauses” means the agreement executed by and between Customer and Dedicated and attached hereto as Exhibit 2 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-processor” means any Processor engaged by Dedicated.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or, for the United Kingdom, the Information Commissioner’s Office (“ICO”).
1.1 Customer is: (a) a Controller of Customer Data; or (b) acting as Processor on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Data by Dedicated as Customer's subprocessor as set out in this DPA. Customer appoints Dedicated as Processor to Process Customer Data. If there are other Controllers, Customer will identify and inform Dedicated of any such other Controllers prior to providing their Personal Data, in accordance with the relevant DPA Exhibits.
1.2 A list of categories of Data Subjects, types of Customer Data, Special Categories of Personal Data and the processing activities is set out in Exhibit 1. The duration of the Processing corresponds to the duration of the Service unless otherwise stated in Exhibit 1. The purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.
1.3 Dedicated will Process Customer Data according to Customer's documented instructions. The scope of Customer's instructions for the Processing of Customer Data is defined by the Agreement, and, if applicable, Customer's and its End Users' use and configuration of the features of the Service. If Dedicated believes an instruction violates the Data Protection Laws and Regulations, Dedicated will immediately inform Customer, and may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form.
1.4 Customer shall serve as a single point of contact for Dedicated. As other Controllers may have certain direct rights against Dedicated, Customer undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. Dedicated shall be discharged of its obligation to inform or notify another Controller when Dedicated has provided such information or notice to Customer. Similarly, Dedicated will serve as a single point of contact for Customer with respect to its obligations as a Processor under this DPA.
1.5 Dedicated will comply with all Data Protection Laws and Regulations in respect of the Services applicable to Dedicated as Processor. Dedicated is not responsible for determining the requirements of laws or regulations applicable to Customer's business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Customer is responsible for the lawfulness of the Processing of the Customer Data. Customer will not use the Services in a manner that would violate applicable Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
2. Technical and organizational measures
2.1 Customer and Dedicated agree that Dedicated will implement and maintain the technical and organizational measures set forth in Dedicated’s Technical and Organizational Measures document, which ensure a level of security appropriate to the risk for Dedicated's scope of responsibility. Dedicated’s Technical and Organizational Measures is subject to technical progress and further development. Accordingly, Dedicated reserves the right to modify Dedicated’s Technical and Organizational Measures provided that the functionality and security of the Services are not degraded. The Technical and Organizational Measures can be found here.
3. Data Subject Rights and Requests
Dedicated will inform Customer of requests from Data Subjects exercising their Data Subject rights (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Dedicated regarding Customer Data. Customer shall be responsible for handling such requests of Data Subjects. Dedicated will reasonably assist Customer in handling such Data Subject requests in accordance with Section 11.2.
4. Third Party Requests and Confidentiality
4.1 Dedicated will not disclose Customer Data to any third party, unless authorized by the Customer or required by law. If a government or Supervisory Authority demands access to Customer Data, Dedicated will notify Customer prior to disclosure, unless such notification is prohibited by law.
4.2 Dedicated requires all of its personnel authorized to Process Customer Data to commit themselves to confidentiality and not Process such Customer Data for any other purposes, except on instructions from Customer or unless required by applicable law.
5. Authorized Affiliates
5.1 The parties acknowledge and agree that, by executing the Agreement, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Dedicated and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 5 and Section 6. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
5.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Dedicated under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
5.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Dedicated, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
5.3.1 Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Dedicated directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 5.3.2, below).
5.3.2 The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Dedicated by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.
6. Limitation of Liability
6.1 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Dedicated, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
6.2 For the avoidance of doubt, Dedicated’s total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
7. Demonstration of Compliance and Audit
7.1 Subject to Sections 7.2 to 7.5, Dedicated shall make available to Customer on request information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to Dedicated’s Processing of Customer Data, subject to the confidentiality obligations set forth in the Agreement. Customer acknowledges and agrees that Customer will exercise its audit rights under this DPA by instructing Dedicated to comply with the audit measures described in this Section 7. Customer further acknowledges that the Service is hosted by Dedicated’s data center partners who maintain independently validated security programs (including SOC 2 and ISO 27001). At Customer’s written request, Dedicated will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer necessary to confirm our compliance with this DPA, provided that Customer will not exercise this right more than once per calendar year. Dedicated shall immediately inform Customer if, in its opinion, an instruction pursuant to this Section 7 (Audit Rights) infringes the GDPR or other EU or Member State data protection provisions. For the avoidance of doubt, if the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or Data Subject’s rights under the Standard Contractual Clauses.
7.2 Information and audit rights of the Customer only arise under Section 7 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, Article 28(3)(h) of the GDPR).
7.3 Customer shall reimburse Dedicated for any time expended for any on-site audit at Dedicated’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Dedicated shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Dedicated. Customer shall promptly notify Dedicated with information regarding any non-compliance discovered during the course of an audit.
7.4 In order to reduce any risk to Dedicated's other customers, Customer shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any inconvenience, damage, injury or disruption to Dedicated’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an on-site audit or inspection.
7.5 Any auditor mandated by the Customer shall not be a direct competitor of Dedicated with regard to the Services and shall be bound to an obligation of confidentiality.
8. Return or Deletion of Customer Data
8.1 Upon termination or expiration of the Agreement, Dedicated will either delete or return Customer Data in its possession as set out in the respective DPA Exhibit, unless otherwise required by applicable law.
9.1 Customer authorizes the engagement of other Processors to Process Customer Data (Subprocessors). A list of the current Subprocessors is set out in Exhibit 3. Dedicated will notify Customer in advance of any addition or replacement of the Subprocessors as set out in Exhibit 3. Within 30 days after Dedicated's notification of the intended change, Customer can object to the addition of a Subprocessor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer's objection shall be in writing and include Customer's specific reasons for its objection and options to mitigate, if any. If Customer does not object within such period, the respective Subprocessor may be commissioned to Process Customer Data. Dedicated shall impose substantially similar but no less protective data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor initiating any Processing of Customer Data.
9.2 If Customer legitimately objects to the addition of a Subprocessor and Dedicated cannot reasonably accommodate Customer's objection, Dedicated will notify Customer. Customer may terminate the affected Services as set out in the Agreement, otherwise the parties shall cooperate to find a feasible solution.
10. Personal Data Breach
10.1 Dedicated will notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to the Services. Dedicated will promptly investigate the Personal Data Breach if it occurred on Dedicated infrastructure or in another area Dedicated is responsible for and will assist Customer as set out in Section 11.
11.1 Dedicated will assist Customer by technical and organizational measures for the fulfillment of Customer's obligation to comply with the rights of Data Subjects. To the extent that the required information is reasonably available to Dedicated and Customer does not otherwise have access to the required information, Dedicated will also assist in ensuring compliance with Customer’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach and the Data Protection Impact Assessment, including, to the extent required by European Data Protection Laws, prior consultation with the responsible Supervisory Authority, taking into account the nature of the processing and the information available to Dedicated.
11.2 Customer will make a written request for any assistance referred to in this DPA. To the extent permitted by law, Dedicated may charge Customer no more than a reasonable charge to perform such assistance, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable provision of the Agreement. If Customer does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution.
12. European Specific Provision
12.1 Transborder Data Processing
12.1.1 In the case of a transfer of Customer Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (Non-Adequate Country), the parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in the following Sections. If Customer believes the measures set out below are not sufficient to satisfy the legal requirements, Customer shall notify Dedicated and the parties shall work together to find an alternative.
12.2 By entering into the Agreement, Customer is entering into EU Standard Contractual Clauses as set out in Exhibit 2 (EU SCC) with Dedicated as follows:
if Customer is a Controller of all or part of the Customer Data, Customer is entering into the EU SCC in respect to such Customer Data; and
if Customer is acting as Processor on behalf of other Controllers of all or part of the Customer Data, then Customer is entering into the EU SCC:
(i) as back-to-back EU SCC in accordance with Clause 11 of the EU Standard Contractual Clauses (Back-to-Back SCC), provided that Customer has entered into separate EU Standard Contractual Clauses with the Controllers; or
(ii) on behalf of the other Controller(s).
12.3 If Customer is unable to agree to the EU SCC or Back-to-Back SCC on behalf of another Controller, as set out in Section 10.2, Customer will procure the agreement of such other Controller to enter into those agreements directly. Additionally, Customer agrees and, if applicable, procures the agreement of other Controllers that the EU SCC or the Back-to-Back SCC, including any claims arising from them, are subject to the terms set forth in the Agreement, including the exclusions and limitations of liability. In case of conflict, the EU SCC and Back-to-Back SCC shall prevail.
13. CCPA Specific Provision
13.1 When processing California Personal Information in accordance with Customer’s Instructions, the parties acknowledge and agree that Customer is a Business and we are a Service Provider for the purposes of the CCPA.
13.2 Responsibilities. The parties agree that Dedicated will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA.
List of Exhibits
Exhibit 1. Details of the Processing
Exhibit 2. Standard Contractual Clauses
Exhibit 3. List of Sub-Processors