DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum (“Addendum”) forms part of the Visible – Terms of Service Agreement (collectively, the “Agreement”) between You and Visible. You and Visible are each referred to as a “Party” and collectively as the “Parties”.
Except as modified below, the terms of the Agreement shall remain in full force and effect. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Definitions. The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:
- “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Visible is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder (“CCPA”); (b) the EU General Data Protection Regulation 2016/679, including the applicable implementing legislation of each Member State (“EU GDPR”); (c) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”); (d) the Swiss Federal Act on Data Protection of 19 June 1992; (e) any other applicable law with respect to any Personal Data, including any comprehensive United States state privacy laws; and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.
- “Data Subject” shall mean an identified or identifiable natural person.
- “EEA” shall mean the European Economic Area.
- “Personal Data” shall mean (a) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (b) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Visible, on behalf of You, in connection with Visible’s performance of the Services.
- “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters.
- “Process,” “Processing,” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
- “Security Breach” means a breach of Visible’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Visible’s possession, custody or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
- “Services” shall mean the services as described in the Agreement or any related order form or statement of work.
- “Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), and (b) with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK SCCs”).
- “Subprocessor” shall mean any third party engaged by Visible to Process Personal Data on behalf of You.
- “Supervisory Authority” shall mean: (a) in the context of the UK GDPR the UK Information Commissioner’s Office; and (b) in the context of the EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.
- Processing Requirements.
- Visible shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Your instructions, and as may subsequently be agreed between the Parties in writing. Visible shall promptly inform You if (a) in Visible’s opinion, an instruction from You violates Applicable Privacy Law; or (b) Visible is required by applicable law to otherwise Process Personal Data, unless Visible is prohibited by that law from notifying You under applicable law.
- The subject matter, nature, purpose and duration of the Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this Addendum.
- Visible has implemented certain features in the Services that allow You to respond to Data Subject requests, such as an individual’s right to update, correct, or delete Personal Data. To the extent You are not able to directly address a Data Subject request, at Your cost, Visible will reasonably assist You in responding to Data Subject requests. You shall be responsible for any decisions You make with regard to Data Subject requests.
- Visible shall not (a) sell or share (as such terms are defined under the CCPA) Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services; (c) retain, use, or disclose Personal Data outside of the direct business relationship between You and Visible; or (d) combine the Personal Data with any other personal information, except as permitted under Applicable Privacy Law.
- Visible shall notify You without undue delay in the event Visible makes a determination that it can no longer meet its obligations under Applicable Privacy Law. Upon prior notice to Visible, You may take reasonable and appropriate steps to stop and remediate Visible’s unauthorized use of Personal Data.
- To the extent permitted by applicable law, Visible may aggregate, deidentify, or anonymize Personal Data so it no longer meets the definition of Personal Data and may use such aggregated, deidentified, or anonymized data for its own purposes. To the extent Visible receives deidentified data from You or the Services allow for the deidentification of Personal Data, Visible represents and warrants that it shall not reidentify, attempt to reidentify, or direct any other party to reidentify any data that has been deidentified.
- Visible shall provide to You such co-operation, assistance and information as You may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Your provision of the Services, and (b) within such reasonable time as would enable You to meet any time limit imposed by the Privacy Authority.
- Confidentiality. Without prejudice to any existing contractual arrangements between the Parties, Visible will treat all Personal Data as confidential and it will inform all its employees, agents and any approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. Visible will ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
- Security of Personal Data. Visible shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in Exhibit B. Visible shall also ensure the reliability of any employees who Process Personal Data.
- Your Obligations.
- Your Security Responsibilities. You are solely responsible for Your use of the Services, including (a) obtaining any needed consents or authorizations for Visible to Process Personal Data; (b) without limitation of Visible’s obligations under Section 4 (Security of Personal Data), making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (c) securing the account authentication credentials, systems and devices You use to access the Services; (d) securing Your systems and devices that Visible uses to provide the Services; and (e) backing up Personal Data.
- Prohibited Data. You represent and warrant to Visible that Personal Data provided to Visible under the Agreement does not and will not, without Visible’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age; or any information that falls within any special categories of data (as defined in GDPR).
- Subprocessors.
- You hereby authorize Visible to appoint the Subprocessors specified here: visible.vc/subprocessor-list, which may be updated from time to time. Visible shall provide You prior notice of any additional or replacement Subprocessors via an email notifying You to view the updated Subprocessor list at the above-mentioned webpage. To receive such notification, You can follow the link to join Visible’s distribution list. After being notified, You must notify Visible within fourteen (14) business days of any reasonable objection You have to such Subprocessors. You provide a general authorization for Visible to engage onward sub-processors that is conditioned on the following requirements:
- Visible will restrict the onward sub-processor’s access to Your Data only to what is strictly necessary to provide the Services, and Visible will prohibit the sub-processor from processing the Personal Data for any other purpose.
- Visible shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.
- Visible will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on Visible under this Addendum.
- Breach Notification.
- Notification to You. Unless otherwise prohibited by applicable law, Visible shall notify You without undue delay after Visible becomes aware of a Security Breach. Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). In addition, Visible shall communicate to You (x) the name and contact details of Visible’s data protection officer or other point of contact where more information can be obtained, (y) a description of the likely consequences of the Security Breach, (z) a description of the measures taken or proposed to be taken by Visible to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Visible shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.
- Privacy Impact Assessment. Visible shall, promptly upon receipt of written request by You (a) make available to You such information as is reasonably necessary to demonstrate Your compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist You in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Visible. Visible shall reasonably cooperate with You to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment. Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, You shall not make any such request more than once in any 12-month period.
- Audit Rights. You may audit Visible’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Privacy Laws, including where mandated by a Privacy Authority. Visible will contribute to such audits by providing You with the information and assistance that Visible considers appropriate in the circumstances and reasonably necessary to conduct the audit. To request an audit, You must submit a proposed audit plan to Visible at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Visible will review the proposed audit plan and provide You with any concerns or questions (for example, any request for information that could compromise Visible security, privacy, employment or other relevant policies). Visible will work cooperatively with You to agree on a final audit plan. Nothing in this Section 9 shall require Visible to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor, You agree to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Visible’s safety, security or other relevant policies, and may not unreasonably interfere with Visible business activities. Any audits are at Your sole expense. You shall reimburse Visible for any time expended by Visible and any third parties in connection with any audits or inspections under this Section 9 at Visible’s then-current professional services rates, which shall be made available to You upon request. You will be responsible for any fees charged by any auditor appointed by You to execute any such audit.
- Deletion of Personal Data. Unless applicable law requires Visible to maintain Your Personal Data, the return or destruction of Personal Data shall be controlled by the applicable provisions in the Agreement.
- Third Party Disclosure Requests.
- Unless prohibited by applicable law, Visible shall promptly notify You of any inquiry, communication, request or complaint, to the extent relating to Visible’s Processing of Personal Data on behalf of You, from:
- (a) any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
- (b) any Data Subject,
- and shall, taking into account the nature of the Processing, provide reasonable assistance to enable You to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Visible shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 11.1 and Section 11.2.
- In the event that Visible is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than You, including any national security authority or other government body, Visible shall attempt to redirect the government request to You. If Visible is unable to redirect the request, Visible shall, unless prohibited by applicable law, notify You promptly and shall provide all reasonable assistance to You to enable You to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines. If Visible is prohibited by applicable law from providing notice to You of a Legal Request, Visible shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Visible shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 11.2.
- Transfers out of the EEA. If You transfer Personal Data out of the EEA to Visible in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the EU SCCs, the terms of which are hereby incorporated into this Addendum. In furtherance of the foregoing, the Parties agree that:
- You will act as the data exporter and Visible will act as the data importer under the EU SCCs;
- for purposes of Annex I to the EU SCCs, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section B to Exhibit A;
- for purposes of Annex II to the EU SCCs, the technical and organizational measures shall be as set out in Exhibit B;
- the optional docking clause in Clause 7 of the EU SCCs shall be included;
- the audits described in Clause 8.9 of the EU SCCs shall be performed in accordance with Section 7 of this Addendum;
- Section 6 (Subprocessors) of this Addendum shall constitute the procedures for Processor to request general authorization for Subprocessors under Clause 9(a)(Option 2) of the EU SCCs. For purposes of Annex III to the EU SCCs, the approved list of Subprocessors shall be those set forth in Section 6 of this Addendum;
- the optional language in Section 11(a) of the EU SCCs shall not be included;
- Option 1 of Clause 17 shall apply, and the EU SCCs will be governed by the law of Ireland; and
- any dispute arising from the EU SCCs shall be resolved by the courts of Ireland.
- Transfers out of Switzerland. Pursuant to Section 12 of this Addendum, the EU SCCs shall govern with regard to transfers of Personal Data out of Switzerland to Visible in a country not deemed by Switzerland’s Federal Data Protection and Information Commissioner to have adequate data protection. For transfers of Personal Data out of Switzerland, the following additional terms shall apply:
- The term “Member State” as used in the EU SCCs, including the Annexes, shall be interpreted as including Switzerland and Data Subjects in Switzerland; and
- Data Subjects with their regular place of residence in Switzerland are permitted to bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of the EU SCCs.
- Transfers out of the UK. If You transfer Personal Data out of the UK to Visible in a country not deemed by the UK Government to have adequate data protection, such transfer will be governed by the UK SCCs, the terms of which are hereby incorporated into this Addendum. Visible shall provide a copy of the signed version of the UK SCCs to You upon request. In furtherance of the foregoing, the parties agree that Tables 1 through 4 of the UK SCCs shall be satisfied by the following information:
- Table 1: Reference to Table 1 shall be satisfied by the information in Section A of Exhibit A.
- Table 2: For Table 2, the version of the Approved EU SCCs shall be the EU SCCs, Controller to Processor module.
- Table 3: Reference to Table 3 shall be satisfied by the information in Exhibits A and B and Section 6 of this Addendum.
- Table 4: For Table 4, the Exporter and Importer shall have the rights outlined in Section 19 of the UK SCCs.
- Claims. Any claims brought under, or in connection with, this Addendum, shall be subject to the exclusions and limitations of liability set forth in the Agreement.
- Amendments. The Parties acknowledge and agree that, to the extent the Services contemplate the processing of Personal Data that is subject to Applicable Privacy Laws that require additional terms in this Addendum, the Parties shall enter into an amendment to this Addendum that addresses such additional terms.
EXHIBIT A
A) LIST OF PARTIES
Data exporter(s):
Name: As set forth when you accept the Agreement.
Address: As set forth when you accept the Agreement.
Contact person’s name, position and contact details: As set forth when you accept the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement and, if applicable, any accompanying statements of work or order forms.
Signature and Date: Your acceptance of the Agreement shall satisfy the signature requirement in this Exhibit A.
Role (Controller or Processor): Controller
Data importer(s):
Name: Visible.vc, Inc.
Address: 2045 W Grand Ave Ste B, Suite 82295, Chicago, Illinois 60612
Contact person’s name, position and contact details: Michael Preuss, CEO, gdpr@visible.vc
Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement and any accompanying statements of work or order forms.
Signature and Date: Your acceptance of the Agreement shall satisfy the signature requirement in this Exhibit A.
Role (Controller or Processor): Processor
B) DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The data subjects may include: (a) users authorized by You to use the Services.
Categories of personal data transferred: You are required to provide certain Personal Data in order to use the Services, including certain device and location data and contact information (name, email address, and user credentials). You may submit additional Personal Data to the Services, the extent of which is determined and controlled by You in Your sole discretion.
Sensitive data / special categories of personal data: Not applicable.
The frequency of the transfer (whether the data is transferred on a one-off or continuous basis): On a continuous basis during the term of the Agreement.
Nature of the processing: As described in the Agreement.
Purpose(s) of the data transfer and further processing: As described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Duration of performance of the Services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As described in the Agreement.
C) COMPETENT SUPERVISORY AUTHORITY
Where the EU GDPR applies, the competent supervisory authority shall be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. Where the UK GDPR applies, the UK Information Commissioner’s Office.
EXHIBIT B
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Visible has implemented and maintains comprehensive technical and organizational safeguards, which contain those safeguards described below:
- Organizational management and dedicated staff responsible for the development, implementation and maintenance of Visible’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Visible’s organization, monitoring and maintaining compliance with Visible’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks or when transmitted wirelessly or at rest or stored on portable media.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Visible’s passwords are subject to defined parameters.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Visible’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Visible’s possession.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Visible’s technology and information assets.
- Incident management procedures designed to allow Visible to investigate, respond to, mitigate and notify of events related to Visible’s technology and information assets.
- Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters.