Last update: March 1, 2022This Data Protection Addendum (this “
DPA”) forms part of that certain agreement for services, as may be amended from time to time (the “
Principal Agreement”), by and between Shiny Planes, Inc. d/b/a Launchnotes, having an address at 340 S. Lemon Avenue, #3304, Walnut, California 91789 (“
Company”) and the customer of Company that is party to the Principal Agreement with Company (“
Customer”).
Capitalized terms used in this DPA shall have the meanings set forth in this DPA, and capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
Company will implement policies, processes, and measures to come into compliance with Applicable Data Protection Laws, including the European Union (the “
EU”) General Data Protection Regulation 2016/679, including EU member state legislation implementing the same (collectively, the “
GDPR”), the United Kingdom (the “
UK”) Data Protection Act 2018 (the “
UK DPA 2018”), the California Consumer Privacy Act of 2018, as amended, inclusive of the California Privacy Rights Act, and all implementing regulations (the “
CCPA”), and Brazil’s
Lei Geral de Proteção de Dados Pessoais, or the General Law for the Protection of Personal Data (“
LGPD”).
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set forth below shall be part of the Principal Agreement.
1.1
“Applicable Data Protection Laws” means all laws concerning data protection and data privacy that are applicable to the Parties’ respective performance under the Principal Agreement, including, but not limited to, the GDPR, UK DPA 2018, LGPD, and CCPA;
1.2
“Contracted Processor” means Company or a Sub-processor;
1.3
“Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer in connection with Company’s performance of the Services;
1.4
“Data Subject” means an identified or identifiable individual whose Personal Data is being Processed by Company in connection with Company’s performance of the Services;
1.5
“EEA” means the European Economic Area;
1.6 “
EU Standard Contractual Clauses” means standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
1.7
“Services” means the services performed by or on behalf of Company for Customer pursuant to the Principal Agreement, as described in the Principal Agreement;
1.8
“Sub-processor” means any person (including any third party, but excluding an employee of Company or any of its sub-contractors) appointed by or on behalf of Company to Process Customer Personal Data on behalf of Customer in connection with Company’s performance of the Services;
1.9 “
UK Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission by way of Commission Decision C(2010)593, as amended by the UK Information Commissioner’s Office for use in a UK context, available on the Effective Date of this DPA at
https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx, and as may be amended or replaced by the Information Commissioner’s Office or/and Secretary of State from time to time;
1.10 The terms
“Commission,” “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Processing,” “Sensitive Personal Data” and
“Supervisory Authority” shall have the same meanings as in the GDPR or any such similar term as set forth in other Applicable Data Protection Law, and their equivalent terms shall be construed accordingly.
This DPA applies to the Processing by Company of Customer Personal Data in connection with Company’s performance of the Services. For purposes of this DPA, Customer is the Data Controller and Company is the Data Processor. A description of the data processing activities is set forth in Exhibit A.
3.1 Customer hereby instructs Company and authorizes Company to instruct each Sub-processor to Process Customer Personal Data to the minimum extent reasonably necessary for the provision of the Services and consistent with the Principal Agreement. Customer expressly acknowledges and agrees that Customer will be solely responsible for the accuracy, quality, and legality of all Customer Personal Data. As between the parties, Customer shall own all Customer Personal Data, and Customer hereby grants Company a limited, revocable, royalty-free, worldwide, and non-transferrable (except with respect to the use of Sub-processors) right to Process such Customer Personal Data in accordance with this DPA and the Principal Agreement. As the Data Controller, Customer shall be solely responsible for determining the scope, purposes and manner by which Customer Personal Data may be accessed or Processed by Company.
3.2 Company will comply with its obligations under Applicable Data Protection Laws and its obligations with respect to Personal Data under this DPA. Company will Process Customer Personal Data only for the purposes of performing the Services, for the duration of this DPA, and only in accordance with documented instructions contained in this DPA, including, but not limited to, those instructions listed in Exhibits A and A-1, unless such Processing is required by the Applicable Data Protection Laws, in which case Company
will, to the extent permitted by law, inform Customer of that legally required Processing before the Processing takes place. Customer shall not instruct Company to Process any Customer Personal Data in violation of any Applicable Data Protection Laws. Company will notify Customer prior to carrying out any instruction from Customer if, in Company’s opinion, such instruction is likely to result in Processing that is in breach of Applicable Data Protection Laws. Company will not otherwise modify, amend or alter the contents of Customer Personal Data or disclose or permit the disclosure of any Personal Data to any third party (including a Data Subject) unless specifically authorized to do so in writing by Customer.
3.3 Each party acknowledges and agrees that the collection and disclosure of Customer Personal Data to the other does not constitute, and is not the intent of either party for such disclosure to constitute, a Sale of Customer Personal Data, and if valuable consideration, monetary or otherwise, is being provided by either party, such valuable consideration, monetary or otherwise, is being provided for the Services and not for the disclosure of Customer Personal Data. Company will not, unless otherwise approved in writing by Customer, collect, retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services or as permitted by Applicable Data Protection Law. For the avoidance of doubt, Company will not Sell Customer Personal Data except as necessary to satisfy its obligations under the Principal Agreement. Company hereby certifies that it understands the restrictions set forth herein and will comply with them. For purposes of this Section 3.3 of this DPA only, the terms “Sale” and “Sell” shall have their respective meanings as set forth in the CCPA.
4.1 Company will implement appropriate technical and organizational measures to ensure a level of security of Customer Personal Data appropriate to the risk, in particular against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure of, or access to, Customer Personal Data, including as appropriate: (i) the pseudonymization and encryption of Customer Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, and availability of Customer Personal Data and resilience of Processing systems and services; (iii) the ability to restore the availability of, and access to, Customer Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer Personal Data. Notwithstanding the foregoing, Company will encrypt (using commercially reasonable means), or enable Customer to encrypt (using commercially reasonable means), Customer Personal Data that is transmitted over public networks or when stored, at-rest. Without limiting the generality of the foregoing, Company’s information security program will satisfy the standards and criteria set forth in Exhibit B.
4.2 Upon Customer’s request, Company will provide a written description of the technical and organizational methods employed by Company and its Sub-processors for Processing Customer Personal Data and provide Customer copies of all documentation relevant to such compliance, including protocols, procedures, guidance, training, and manuals, subject to Customer’s obligation to maintain all such documentation as Company’s confidential information, whether pursuant to the confidentiality obligations of the Principal Agreement or a separate confidentiality agreement between the parties.
4.3 Company will, at least annually, conduct a risk assessment, or similar analysis, in order to identify any and all reasonably foreseeable threats and risks to Customer Personal Data in its custody or control and undertake commercially reasonable measures to mitigate any material or significant threats or risks identified therein.
5.1 Company will, solely in connection with Company’s Processing of Customer Personal Data, reasonably cooperate with Customer in ensuring compliance regarding the security of Customer Personal Data in Company’s possession in relation to the Processing of Customer Personal Data by Company.
5.2 Company will cooperate with Customer with respect to Customer’s fulfilling its obligations to Data Subjects, solely in connection with Company’s performance of the Services pertaining to rights of Data Subjects under the GDPR or other Applicable Data Protection Laws. Without limiting the generality of the foregoing, Company will timely refer to Customer any correspondence, inquiry, complaint, request, or demand received by Company concerning Company’s Processing of Customer Personal Data (collectively or individually, “
Data Notice”) and will not respond to any such Data Notice, unless otherwise required by applicable law. Notwithstanding the foregoing, in response to any such Data Notice, Company may furnish Customer’s business contact information and request the Data Notice be submitted directly to Customer. Upon reasonable written request from Customer in connection with any such Data Notice, Company will promptly provide Customer with access to, amend, correct, or delete Customer Personal Data in Company’s custody or control.
5.3 After Customer Personal Data is no longer needed for Company to provide Services and, in any event, not later than a reasonable period following the termination or expiration of the Principal Agreement, Company will (i) delete or, at Customer’s request, return all Customer Personal Data to Customer, and (ii) delete any existing copies of such Customer Personal Data. Notwithstanding the preceding sentence, if applicable laws require retention by Company of any Customer Personal Data, Company will retain such Customer Personal Data strictly for the purposes of compliance with applicable laws.
Company will take reasonable steps to ensure the reliability of any of Company’s personnel who have access to Customer Personal Data. Company will ensure that access to Customer Personal Data is limited to those Company employees who need to have access to it and that these employees (i) are informed of the confidential nature of Customer Personal Data, (ii) are under a contractual or statutory obligation to keep Customer Personal Data confidential, and (iii) comply with the applicable obligations in this DPA.
7.1 Company will promptly and without undue delay (but in any event within 72 hours of becoming aware of it) notify Customer of any actual unauthorized disclosure, loss, destruction, compromise, damage, alteration, access or theft of Customer Personal Data(collectively, a “
Security Event”), and provide sufficient information to Customer to enable Customer to meet its obligations under Applicable Data Protection Laws, and take such reasonable and commercial steps as requested by Customer to assist in the investigation, mitigation, and remediation of any Security Event. The aforementioned notification from Company to Customer will, to the extent possible, include a description of (i) the nature of the Security Event, (ii) the categories of Customer Personal Data affected and approximate number of records of Customer Personal Data affected, (iii) the approximate number of individuals affected by the Security Event, (iv) any potential legal or regulatory consequences of which Company is aware, and (v) the measures taken or proposed to be taken to address the Security Event. In the event of an actual or a reasonably suspected Security Event, Company will designate a senior employee to serve as Company single point of contact from whom Customer can obtain more information about the Security Event.
7.2 Company will establish, implement, and maintain a written incident response plan (“
IRP”) to identify, remediate, respond to, and recover from, an actual or a reasonably suspected Security Event. The IRP will include: (i) the designation of a senior employee who will be responsible for establishing, implementing, and maintaining the IRP, (ii) the identification of internal and external resources to assist in addressing an actual or a reasonably suspected Security Event, (iii) automated technical means to assist in the identification of activity indicative of an actual or a reasonably suspected Security Event, (iv) processes and programs to contain and remediate the impact of an actual or a reasonably suspected Security Event, and recover to a normal state of business operations, and (v) processes to convene, when appropriate, a post-Security Event review team to consider the effectiveness and efficiency of identifying, remediating, responding to, and recovering from an actual or a reasonably suspected Security Event.
8.1 Company will cooperate with and make available to Customer all applicable and reasonable information necessary to demonstrate compliance with the obligations of both Customer and Company specified in the Applicable Data Protection Laws (including by providing to Customer a copy of all Customer Personal Data held by Company) with respect to Customer Personal Data that is Processed by Company in connection with the Services.
8.2 Notwithstanding any other clause in this DPA, Company will not disclose or provide access to any Customer Personal Data to a Supervisory Authority, or any other public authority, unless required by law.
9.1 Customer hereby expressly acknowledges and agrees that Company may engage Sub-processors to Process Customer Personal Data in connection with the Services in accordance with this Section 9. Company is hereby permitted to use the Sub-processors set forth in Exhibit C, which may be updated by Company from time to time.
9.2 Company remains responsible for each Sub-Processor’s fulfillment of its obligations in relation to the Processing of any Customer Personal Data in connection with the Services performed under the Principal Agreement.
10.1
EU Standard Contractual Clauses. To the extent Customer Personal Data originates in the EEA or in Switzerland, and Company is not established in a country which the European Commission has granted an adequacy status, and Company has not obtained Binding Corporate Rules authorization in accordance with Applicable Data Protection Laws, the parties agree to apply the provisions of the EU Standard Contractual Clauses and supplementary measures, where required. To the extent Customer Personal Data originates outside of the EEA and Switzerland, the parties will also agree to apply the provisions of the EU Standard Contractual Clauses, provided that the EU Standard Contractual Clauses are legally required and sufficient to meet the requirements of the applicable data protection regulations for the transfer of Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 10.1, their provisions will be deemed incorporated by reference into this DPA. To the extent required by Applicable Data Protection Laws, the parties shall enter into and execute the EU Standard Contractual Clauses as a separate document.
10.2
UK Standard Contractual Clauses. To the extent Customer Personal Data originates in the UK, and Company is not established in the UK, or a country which the UK authorities granted an adequacy status, and Company has not obtained Binding Corporate Rules authorization in accordance with Applicable Data Protection Laws, the parties agree to apply the provisions of the UK Standard Contractual Clauses and hereby incorporate the UK Standard Contractual Clauses (Controller to Processor) by reference into this DPA. In case the parties can no longer rely on the UK Standard Contractual Clauses as an appropriate data transfer mechanism, the parties will conclude an alternative data transfer mechanism to replace the UK Standard Contractual Clauses.
Customer warrants that it has all necessary rights to provide the Customer Personal Data to Company for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Applicable Data Protection Laws support the lawfulness of the Processing. To the extent required by Applicable Data Protection Laws, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in Applicable Data Protection Laws supports the lawfulness of the Processing, that any necessary Data Subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to Company, and Company will implement Customer’s instructions with respect to the Processing of that Customer Personal Data.
12.1 In the event of inconsistencies between the provisions of this DPA and the Principal Agreement, the provisions of this DPA shall prevail.
12.2 The term of this DPA will end simultaneously and automatically at the later of (i) the termination or expiration, as the case may be, of the Principal Agreement, or (ii) when all Customer Personal Data is deleted from Company’s devices, networks, and systems. The Exhibits form part of this DPA and shall have the same force and effect as if expressly set out in the body of this DPA, and any reference to this DPA shall include the Exhibits.
Exhibit A
Data Processing ActivitiesA. The Parties:
B. Description of Transfer: The description of the Personal Data transferred is as follows:
(i) Categories of Data Subjects: Set forth in Exhibit A-1.
(ii) Categories of Personal Data transferred: Set forth in Exhibit A-1.
(iii) Sensitive Personal Data transferred: Set forth in Exhibit A-1.
(iv) The frequency of transfer: Set forth in Exhibit A-1.
(v) Nature of Processing: software and similar IT solutions, cloud data storage, and to facilitate access and use of the Services.
(vi) Purpose of the data transfer and further Processing: to provide access to and use of the Services.
(vii) The period for which personal data will be retained: for the duration of the Principal Agreement and for the termination and transition period thereafter, as set forth in the Principal Agreement and this DPA.
(viii) Sub-processor transfers: the relevant information as set forth in Section 9 and Exhibit C of this DPA.
Exhibit A-1
1. Data Processing ActivitiesCompany will Process Customer Personal Data as required to provide the Services and in accordance with the Principal Agreement, for the duration of the Principal Agreement and in accordance with the terms of this DPA. Such Processing will include all activities necessary for the performance of the Principal Agreement.
2. Data Subjects. The Personal Data that Company Processes concerns the following categories of Data Subjects:
☑ Employees (current)
☐ Employees (former)
☑ Customers (current)
☐ Webpage users
☐ Vendors
☐ Customers (potential)
☐ Other
3. Categories of Personal Data:
☑ Name
☐ Shipping Address
☑ Email Address
☐ Social Security No.
☐ Passport number
☐ Driver’s License Number
☐ Telephone Number
☑ IP Address/Online Identifiers
☐ Financial Data ☐Education Data
☑ Online Behavior/Preferences
☐ HR Data (employee activities)
☐ Device/Usage Data
☐ Date of Birth
☐ Other
4. Special Categories/Sensitive Personal Data:
☑ Not Applicable
☐ Race
☐ Ethnicity
☐ Political opinion
☐ Religion
☐ Philosophical beliefs
☐ Genetic data
☐ Biometric data
☐ Health data
☐ Sex life or orientation
☐ Trade union membership
5. The frequency of transfer:
☑ Continuous and as often as Customer uses the Services.
☐ Other
Exhibit B
Security ControlsCompany will implement and maintain the following security measures to safeguard Customer Personal Data in Company’s possession or control:
1. General Obligations. Company will have reasonable security measures in place to protect the Customer Personal Data against loss and unauthorized access, misuse, interference, disclosure, alteration or other Processing. These measures include firewall, anti-virus software, malware protection and similar protections installed and kept up-to-date on all information systems used by Company to process the Customer Personal Data, in addition to the measures set out in Sections 2 to 8 below.
2. Access Control. Company will restrict access to the Customer Personal Data to employees and relevant contractors on a need-to-know basis and will revoke access where appropriate, including from those employees whose employment is terminated. Company will restrict both physical and electronic access to Customer Personal Data as set out in Sections 2.1 and 2.2 below.
2.1. Access Control in a Physical Sense. Company will prevent unauthorized persons from gaining access to data processing systems by implementing a physical access control system (ID reader, magnetic card, chip card); keys; door locking (electric door openers, etc.); security staff, janitors; and surveillance facilities (alarm system, CCTV monitor, etc.).
2.2. Access Control to the IT System. Company will prevent data processing systems from being used without authorization by implementing password procedures (including special characters, minimum length, frequent change of passwords); automatic blocking (e.g., password or timeout); creation of one master password per user; differentiated access rights (profiles, roles, transactions and objects); reports; access; change; deletion; and encryption of backup production data.
3. Transmission Control. Company will ensure that Customer Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check to which recipient addressee the Customer Personal Data will be transferred by using data transmission facilities. To this Company will implement NIST-approved encryption/tunneling (Virtual Private Network); login/password access control; transport security, and other equivalent measures when transmitting Customer Personal Data electronically, in compliance with industry best practices and any requirements of the Applicable Data Protection Laws.
4. Input control and integrity. Company will employ measures to ensure the integrity and accuracy of the Customer Personal Data, including, without limitation, monitoring systems able to ascertain whether Customer Personal Data has been accessed, altered or removed from Company’s data processing systems, and if so, by whom. Company also will employ measures that allow Customer Personal Data to be updated or completed pursuant to a request by the Data Subject.
5. Availability control. Company will ensure that Customer Personal Data is protected against accidental destruction or loss by: implementing backup procedures; mirroring of hard disks; uninterruptible power supply; remote storage; anti-virus and firewall systems; and disaster recovery plans.
6. Separation Control. Company will ensure that data that the applicable Customer Personal Data that was collected for different purposes can be Processed separately by implementing “internal client” concept/limitation of use; segregation of functions production/testing; logical or physical data separation; and multitenancy.
7. Job Control and Training. Company will ensure that its employees and other personnel having access or otherwise Processing Customer Personal Data have undergone reasonably adequate training on information security and the protection of Customer Personal Data, the care, handling and Processing of the Customer Personal Data, and the requirements of the Applicable Data Protection Laws. Company employees and other personnel having access or otherwise Processing Customer Personal Data will be subject to confidentiality obligations which will survive the termination of their employment.
8. Data Security Officer. Company has appointed an employee or employees in charge of data security to deal with (i) data protection matters, including receiving the complaints due to any violation or non-compliance with the Applicable Data Protection Law, and (ii) the need to amend Customer Personal Data so that it is accurate, complete or up-to-date.
Exhibit C
Company’s Sub-processors
A complete list of sub-processors is maintained here:
LaunchNotes Data Sub-processors