BandLab Data Processing Addendum

GDPR DATA PROCESSING ADDENDUM

This Processor Data Processing Addendum (“DPA”) will apply to you to the extent that either: (i) you are established in the European Economic Area, or (ii) the personal data we process as your processor relates to residents from the European Economic Area.


This DPA shall amend all of your agreements with us (“Agreements”) governing the use of the Website and/or the Services (as defined in the Agreements).


1. Definitions

Words and expressions used in this DPA but not defined herein shall have the meanings given to such words and expressions in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).

“Applicable Data Protection Law” means all applicable European Union laws and regulations governing the use or processing of data relating to natural persons (including the GDPR) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time.
“You” refers to the controller who has entered into this DPA with us, the processor and “Your Data" refers to the personal data that you provide to us from time to time.


2. Details of the Processing
The details of the processing of Your Data as required by Article 28(3) of the GDPR are set out in Annex 1.


3. Your Obligations

3.1 You determine the purposes for which Your Data is being or will be processed, and the manner in which they are or will be processed.


3.2 You represent, warrant and agree that with respect to Your Data provided to us pursuant to this DPA, You:


(a) comply with personal data security and other obligations prescribed by Applicable Data Protection Law for controllers;

(b) confirm that the provision of Your Data to us complies with Applicable Data Protection Law;

(c) have established a procedure for the exercise of the rights of the individuals whose personal data is collected;

(d) only process data that has been lawfully and validly collected and ensure that such data is relevant and proportionate to the respective uses;

(e) ensure that after assessment of the requirements of Applicable Data Protection Law, the security and confidentiality measures implemented are suitable for protection of Your Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing, and

(f) take reasonable steps to ensure compliance with the provisions of this DPA by Your personnel and by any person accessing or using Your Data on its behalf.

4. Our Obligations

4.1 We will carry out the processing of Your Data on Your behalf and on Your instructions.

4.2 Further to the provisions of Article 28 of the GDPR, we agree that we will:

(a) process Your Data only on Your behalf and in compliance with Your instructions (including relating to international data transfers), including instructions in this DPA and all Agreements between You and us, unless required to do so by European Union or Member State law to which we are subject;

(b) immediately inform You if in our opinion an instruction from You infringes Applicable Data Protection Law;

(c) implement appropriate technical and organizational security measures as set out in Annex 3 prior to the commencement of the processing activities for Your Data, maintain such security measures (or better security measures) for the duration of this DPA, and provide You with reasonable evidence of its privacy and security policies;

(d) take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Your Data are aware of and comply with this DPA;

(e) comply with confidentiality obligations in respect of Your Data as detailed in all Agreements and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Your Data, including after the end of their employment, contract or at the end of their assignment;

(f) inform You of:

(i) any legally binding request for disclosure of Your Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law
enforcement authorities;

(ii) any personal data breach within the meaning of Applicable Data Protection Law relating to Your Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Law (“Security Incident”);

(iii) any relevant notice, inquiry or investigation by a supervisory authority relating to Your Data; and

(iv) any requests for access to, rectification, erasure, restriction, blocking or transmission of Your Data received directly from a data subject without responding to that request, unless You have authorized a
response or such a response is required by law;

(g) taking into account the nature of the processing and/or information available, provide reasonable co-operation and assistance to You in respect of Your obligations regarding:


(i) requests from data subjects in respect of access to, rectification, erasure, restriction, blocking or transmission of Your Data;

(ii) the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;

(iii) the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;

(iv) the security of Your Data, including by implementing the technical and organizational security measures as set out in Annex 3;

(h) if we are required by law to process Your Data, take reasonable steps to inform You of this requirement in advance of any processing, unless we are prohibited from informing You on grounds of important public interest; and

(i) upon reasonable request, make available to You information necessary to demonstrate compliance with the obligations in this Clause 4.

4.3 You or an accredited third-party audit firm appointed by You may audit our compliance with the terms of this DPA during regular business hours in a manner that is not disruptive to our business, upon reasonable advance notice to us of no less than 60 days and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for support services performed by us and any expenses incurred by us in complying with this Clause 4.3 and Clause 4.2(i). Before the commencement of any such audit, You and us shall mutually agree upon the timing, duration and scope of the audit. You shall promptly notify us of information regarding any non-compliance discovered during the course of an audit. You may not audit us more than once annually.

5. Transfer, Disclosure and Third Parties

5.1 You acknowledge and agree that (a) our affiliates may be retained as sub-processors, and (b) we and our affiliates may engage third parties in connection with the provision of the data processing services. We or our affiliate shall enter into contractual arrangements with such sub-processors
requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this Clause 5, You hereby authorise us to engage sub-processors required to assist us for the purposes of providing the data processing services.

5.2 A current list of sub-processors for the data processing services is set out in Annex 2. We will provide reasonable notice to You before we engage a new sub-processor of Your Data, including the date on which the new sub-processor will begin processing Your Data (the “Sub-Processor Effective Date”). You may object to our engagement of a new sub-processor by ceasing to use the Services prior to the Sub-Processor Effective Date. Your continued use of the applicable Services on or after the Sub-Processor Effective Date constitutes Your acceptance of the new sub-processor.

5.3 You and us agree that we may transfer and process Your Data outside the European Economic Area where the requirements of Articles 44 through 47 of the GDPR are fulfilled, or an exception as listed in Article 49 of the GDPR applies.

6. Termination

6.1 This DPA will terminate automatically upon termination of the Agreements.

6.2 On the termination of this DPA, at Your choice, us and any sub-processors shall, subject to the limitations described in any relevant Agreements, return all of Your Data and copies of such data to You or destroy them and demonstrate to Your satisfaction that it has taken such measures, unless Applicable Data Protection Laws prevents it from returning or destroying all or part of Your Data.
In such case, us or sub-processor agree to preserve the confidentiality of Your Data retained by it and that it will only actively process Your Data after such date in order to comply with the laws to which it is subject.

7. Governing law and jurisdiction

7.1 This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Singapore.

7.2 The parties to this DPA irrevocably agree that the courts of Singapore shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

8. Conflicts

Except as amended by this DPA, the Agreements will remain in full force and effect. In the event of any conflict between the terms of this DPA and any other terms between You and us, including but not limited to the terms of any Agreements, the terms of this DPA will prevail.


ANNEX 1: DETAILS OF THE PROCESSING OF YOUR DATA

  • Subject matter of the processing: Your Data
  • Duration of the processing: Until termination of the DPA or until return or deletion of Your Data in accordance with this DPA, whichever later
  • Nature and purpose of the processing: Collecting, recording, organising, sorting, saving, modifying, storing, retrieving, using, transferring, restricting, deleting, and such other actions as are necessary to provide the Services to You on the terms set out in the Agreements and as further initiated by You in Your use of the Services from time to time
  • Types of personal data: Your Data as uploaded to or created on the Services, whether by You or other users, including without limitation, Your name, email address and profile picture
  • Categories of data subjects: The users of the Services in the European Economic Area
  • Controller’s obligations and rights: Your obligations and rights are as set out in this DPA


ANNEX 2: LIST OF THIRD-PARTY SUBPROCESSORS

Category Sub-processor Name Sub-processor Activity Country
Infrastructure Amazon Web Services, Inc. (AWS) Cloud computing and storage USA, Singapore
Infrastructure Microsoft Corporation (Microsoft) Cloud computing and storage USA, Singapore
Infrastructure Google LLC (Google) Cloud computing, storage, and user behavior analytics USA
Platform Braze, Inc. Cloud-based survey development USA
Platform Amplitude, Inc. User behavior analytics USA
Platform Sentry.io Error reporting for debugging USA
Customer and Support Services Zendesk, Inc. (Zendesk) Customer support and communications data processing USA
Customer and Support Services AppFollow User experience and feedback analytics Finland
Customer and Support Services Typeform Survey development and data collection Spain
Business Operations SurveyMonkey Europe UC NPS-surveys and customer insights USA
Business Operations Tremendous, LLC Management of gift card distributions USA
Business Operations Zapier, Inc. Data management and automation USA
Business Operations Unwrap.ai AI-powered feedback analytics USA
Business Operations SendGrid, Inc. Email automation for platform and marketing USA
Business Operations DocuSign, Inc. Digital signature processing USA, Japan
Business Operations Paddle Ltd Payment processing and merchant services UK
Business Operations Tipalti, Inc. Payout distribution management USA
Business Operations Airtable Marketing and data pipeline management USA
Business Operations Hive Moderation Automated content identification and moderation USA
Business Operations FUGA Digital media distribution The Netherlands
Business Operations Twilio Inc. 2FA SMS authentication USA
Business Operations Apple Inc. App distribution and payment processing USA
Business Operations Branch Metrics, Inc. App marketing and mobile advertising USA
Business Operations Cloudflare, Inc. Content distribution management USA

 

ANNEX 3: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES


Such security measures include, but are not limited to:

1. The prevention of unauthorized persons from gaining access to personal data processing systems,

2. The prevention of personal data processing systems from being used without authorization,

3. Ensuring that persons entitled to use a personal data processing system gain access only to such personal data as they are entitled to accessing in accordance with their access rights, and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorization,

4. Ensuring that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage
media, and that the target entities for any transfer of personal data by means of
data transmission facilities can be established and verified,

5. Ensuring that personal data is processed solely in accordance with Your
instructions,

6. Ensuring that personal data is protected against accidental destruction or loss.

12 out of 12 found this helpful