Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered into by and between Deeto, Inc.  (“Deeto”) and the organization identified in the Enrollment (“Customer”).

WHEREAS, Customer and Deeto have entered into an agreement (the “Agreement”) pursuant to which Deeto provides Customer with access to Deeto’s software-as-a-service platform, which helps businesses improve their selling process to prospects and connects prospects with references (the “Platform”);

WHEREAS, the Platform involves processing certain personal data and the parties wish to regulate Deeto’s processing of such personal data, through this Addendum, which will be attached to and become an integral part of the Agreement.

THEREFORE, the parties have agreed to this Addendum, consisting of three parts:

  • Part One applies with respect to the California Consumer Privacy Act of 2018 (“CCPA”) and other state privacy laws in the United States.
  • Part Two applies with respect to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and supplementary GDPR legislation in EU member states).
  • Part Three applies with respect to the UK Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”).

Parts One, Two, and Three apply only to Deeto’s processing of personal data or personal information as a Processor (as defined in the GDPR or in state privacy laws in the U.S.) or a Service Provider (as defined in the CCPA), acting on behalf of the Customer and under the Customer’s instructions. Deeto is a Processor or Service Provider for the processing of the following information about the representatives of Customer, representatives of Customer’s prospects, and representatives of Customer’s references: (a) the Platform’s fields of personal data or personal information configurable by the Customer, (b) information from surveys submitted by representatives of Customer’s prospects and references, and (c) credit point earnings for users engaging in certain activities on the Platform, as determined by the Customer.

Parts One, Two, and Three do not apply to Deeto’s processing of personal data or personal information necessary for the operation of the Platform, for which Deeto is a Controller (as defined in the GDPR). Deeto is a Controller for the processing of the information described in Deeto’s privacy policy for the Platform.

In the event of any conflict between this Addendum and the terms of the Agreement or of any other agreement in place between the parties, the provisions of this Addendum prevail, except where explicitly agreed otherwise in writing.

PART ONE

1. Scope. This Part One applies to the processing of personal information or personal data by Deeto within the scope identified in the preamble of this Addendum.

2. Definitions

  1. Capitalized terms used in this Part One but not defined in this Part One have the meaning ascribed to them in the Agreement and the Addendum.
  2. “Applicable State Privacy Laws” means the CPRA and other applicable state privacy laws in the United States, such as (but not limited to): the Virginia Consumer Data Protection Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Colorado Privacy Act.
  3. “Consumer” means a natural person, including a natural person in their professional or work capacity.
  4. “CPRA” means Cal. Civ. Code §1798.100 et seq. and the regulations at 11 C.C.R. §7000 et seq.
  5. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  6. “Collect” (and its cognate terms) means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means. This includes obtaining information from the Consumer, either actively or passively, or by observing the Consumer’s behavior or interaction.
  7. “Process” (and its cognate terms) means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
  8. “Sell” (and its cognate terms) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information for monetary or other valuable consideration.
  9. “Share” (and its cognate terms) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged.

3. Deeto’s Obligations. The Parties acknowledge and agree that Deeto is a ‘service provider’ and ‘processor’ within the meaning of those terms in Applicable State Privacy Laws. To that end, and unless otherwise required by law:

  1. Deeto must not Sell or Share any Personal Information it Collects.
  2. The parties agree that Customer is disclosing the Personal Information to Deeto only for the following limited and specified business purposes: to provide and support the operation of the Platform.
  3. Deeto is prohibited from retaining, using, or disclosing the Personal Information that it Collects for any commercial purpose other than the foregoing business purposes, unless expressly permitted by Applicable State Privacy Laws and this Part One. Additionally, Deeto is prohibited from retaining, using, or disclosing the Personal Information that it Collects pursuant to this Agreement outside the direct business relationship between Deeto and Customer, unless expressly permitted by Applicable State Privacy Laws and this Part One.
  4. Deeto shall comply with all relevant sections of Applicable State Privacy Laws and shall provide, with respect to Personal Information it Collects, the same level of privacy protection as required by Applicable State Privacy Laws.
  5. Deeto grants Customer the right to take reasonable and appropriate steps to ensure that Deeto uses the Personal Information it Collects in a manner consistent with the obligations under this Part One and the CPRA.
  6. Deeto must promptly notify Customer when it makes a determination that it can no longer meet its obligations under this Part One or Applicable State Privacy Laws.
  7. Deeto grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Deeto’s unauthorized use of Personal Information.
  8. If Deeto receives a request from a Consumer about his or her Personal Information, Deeto shall not itself comply with the request; Deeto shall instead inform the Consumer that Deeto’s basis for denying the request is that Deeto is merely a service provider acting on Customer’s instructions, inform the Consumer that the request should be submitted directly to the Customer, and provide the Consumer with the Customer’s contact information.

4. Subcontracting to suppliers. Customer authorizes Deeto to subcontract to any third party supplier any of its Platform-related activities that involve the Processing of Personal Information or that require Personal Information to be Processed, provided that Deeto ensures that the third party is bound by obligations consistent with this Part One.

5. Return or deletion of information. Upon Customer’s written request, where no subsequent further Processing is required, Deeto shall, at the instruction of Customer, either delete or return to Customer some or all (as instructed) of the Personal Information that it and its third party suppliers Process for Customer.

6. Assistance in responding to consumer requests. Deeto shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Consumer rights under Applicable State Privacy Laws.

7. Data security. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Deeto’s Processing of Personal Information for Customer, as well as the nature of the Personal Information Processed for Customer, Deeto will implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

PART TWO

This Part Two only applies within the scope identified in the preamble of this Addendum.

1. Customer commissions, authorizes, and requests that Deeto provide Customer access to use the Platform, which involves Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), and in applicable national law implementing the GDPR, or in any subsequent superseding legislation; these shall collectively be referred to as “Data Protection Law”).

2. Customer shall: (a) establish, abide by, and communicate a privacy notice to its data subjects, as may be necessary under Data Protection Law; (b) substantiate the legal basis under Data Protection Law for obtaining and Processing the Personal Data as carried out by Deeto on behalf of the Customer; and (c) determine the credit point earnings for users engaging in certain activities on the Platform.

3. Customer and Deeto hereby assent to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”), in its MODULE TWO, as follows:

3.1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: Transfer controller to processor: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

3.2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the law of the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland.

3.3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland.

3.4. In Annex I, for MODULE TWO: Transfer controller to processor:

3.4.1. Data Exporter: Customer.

3.4.1.1 Activities relevant to the data transferred under these Clauses: a company using the Platform.

3.4.1.2 Role: Controller.

3.4.2. Data Importer: Deeto

3.4.2.1 Activities relevant to the data transferred under these Clauses: Developer, operator and provider of the Platform.

3.4.2.2 Role: Processor.

3.5. Description of Transfer:

3.5.1. Categories of data subjects whose personal data is transferred: representatives of the data exporter, representatives of data exporter’s prospects and representatives of data exporter’s references.

3.5.2. Categories of personal data transferred: (a) the Platform’s fields of personal data or personal information configurable by the data exporter, (b) information from surveys submitted by representatives of the data exporter’s prospects and references, and (c) credit point earnings for users engaging in certain activities on the Platform, as determined by the data exporter.

3.5.3. Sensitive data transferred: None.

3.5.4. The frequency of the transfer: on a continuous basis.

3.5.5. Nature of the processing: uploading data to the Platform, storage on the Platform, retrieval, analytics reporting and derived insights.

3.5.6. Purpose(s) of the data transfer and further processing: the provision of a technology platform that helps businesses improve their selling process to prospects and connects prospects with references.

3.5.7. The period for which the personal data will be retained: the period set out in the Agreement.

3.5.8. Transfers to (sub-) processors:

Name | Subject matter and nature of Processing Activities | Location of processing and EU Safeguard Mechanism

AWS - Amazon Web Services, Inc. | Data and cloud storage solution | United States (SCCs; Adequacy Decision under the EU-U.S. Data Privacy Framework)

Twilio, Inc. | Email messages and notifications | United States (SCCs; Adequacy Decision under the EU-U.S. Data Privacy Framework)

3.5.9. Competent Supervisory Authority: the data protection authority in the EU member state in which the Customer is established, or the Customer’s lead supervisory authority for GDPR purposes, but if the Customer is not established in any EU member state, then the supervisory authority of the EU member state in which the Customer’s EU representative pursuant to Article 27 of the GDPR is located.

3.6. In Annex II, for MODULE TWO (TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): Transfer controller to processor – See appendix below.

4. The Customer will comply with its obligations under the GDPR, in particular in the Processing instructions it issues to Deeto as per Clause 8.1 of the SCCs.

5. If Deeto’s assistance to Customer under Clause 10 of the SCCs entails material costs, expenses, or resources to Deeto, then the parties shall first discuss and agree on the fees payable to Deeto for such assistance.

6. Audit and inspections conducted under Clause 8.9 of the SCCs shall be conducted during ordinary business hours of Deeto and with minimal disruption to Deeto’s ordinary course of business, shall not extend to any activities of Deeto with other customers or parties, and if conducted by an independent auditor, such auditor shall be made subject to appropriate confidentiality undertakings satisfactory to Deeto. If such inspections or audits entail material costs, expenses or resources to Deeto, then the parties shall first discuss in good faith and agree on the fees payable to Deeto for such inspections or audits.

APPENDIX

Description of the technical and organizational security measures implemented by Deeto

1. Risk Management:

1.1 Deeto maintains a formal risk management program to continually discover, research, plan, resolve, monitor, and optimize information security risks that impact Deeto's business objectives, regulatory requirements, and customers.

1.2 Deeto identifies, classifies and manages the inventory of information assets. The assets inventory is reviewed by the CISO on an annual basis.

1.3 IT vendors that engage in business with Deeto are subject to information security, confidentiality, and privacy commitments as part of their agreements with Deeto.

1.4 Deeto reviews its critical vendors’ SOC 2 reports on an annual basis. The review includes identifying and documenting the controls in place at Deeto to address the complementary user entity controls (CUECs), the noted deviations, and the auditor’s opinion.

1.5 Deeto has procedures in place to dispose of confidential information according to Deeto's data retention and disposal policy.

1.6 Deeto enforces segregation between development, staging and production environments to protect the confidentiality and privacy of customer data.

2. Vulnerabilities, PTs, Incidents

2.1 An external web application penetration test is conducted annually. Critical and High issues are investigated and resolved in a timely manner.

2.2 Production networks undergo continuous vulnerability scans. When a vulnerability is detected, alerts are sent to the relevant stakeholders for investigation and resolution in a timely manner.

2.3 Source code is scanned for security vulnerabilities as part of the SDLC. High and critical issues are remediated in a timely manner.

2.4 An intrusion detection system continuously scans the production environment for potential security issues and alerts the administrator upon discovering unexpected and potentially malicious activity with a high or critical risk rating.

2.5 Deeto has developed a Security Incident Response Policy in order to respond to security incidents and personal data breaches in accordance with applicable laws and regulations.

3. Availability, BCP, DR and Personnel

3.1 Deeto's application uptime is continuously monitored for availability.

3.2 Deeto has developed a Disaster Recovery Plan to continue to provide critical services in the event of a disaster. The DRP is reviewed on an annual basis. Deeto conducts disaster recovery (DR) testing on an annual basis to provide a coordinated venue for infrastructure and application teams to test communication plans, fail-over scenarios, operational transition, and other emergency responses. All teams that participate in the DR exercise develop testing plans and post mortems which document the results and lessons learned from the tests.

3.3 Deeto conducts pre-employment screening checks of candidates commensurate with the employee’s position and level, in accordance with local laws and the HR policy.

3.4 New employees go through an onboarding process to be informed of their role responsibilities, organizational policies, and provisioning of relevant access.

3.5 Deeto has established a Security Awareness Training program and requires all employees to complete this training every year.

4. Access Control

4.1 User accounts are disabled or deleted on the production and other organizational information assets timely upon notification of job termination.

4.2 Deeto has established a formal password standard to govern the management and use of authentication mechanisms. Strong password configuration settings are enabled where applicable, including: (1) a minimum password length, (2) use of upper case, lower case, numeric, and special character values, and (3) an enforced password history policy that remembers at least the 5 previous passwords.

4.3 User access and permissions in restricted environments are reviewed and approved by Deeto's management on a quarterly basis.

4.4 Access to the identity management tool, the production environment console, and the source control tool is restricted to authorized personnel and requires two-factor authentication.

4.5 Access to alter and delete backups is restricted to authorized users and uses two-factor authentication.

4.6 Access to PII in databases is restricted to authorized Deeto personnel including help desk personnel.

4.7 Audit trails (security logs) are continuously maintained in the production environment to capture actions taken directly by a user or by a cloud service.

5. Network and Device Security, Encryption

5.1 Deeto has enabled multiple network security controls, such as VPC security, cloud firewall, and port restriction.

5.2 Restricted information assets containing sensitive customer data, hosted in databases and backups, are encrypted at rest, at least at the disk level.

5.3 Communication between Deeto’s customers and Deeto’s assets is encrypted using HTTPS with TLS 1.2 and a valid certificate.

5.4 Deeto secures and controls its employees' laptops to enforce its security settings, including hard-disk encryption and auto patching.

5.5 Anti-malware software is installed on employees’ devices (i.e., workstations and laptops) and configured to receive updates regularly.

5.6 Deeto has an established key management process in place to support the organization’s use of cryptographic techniques.

PART THREE

1. Customer and Deeto hereby assent to the Annex to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 issued under Section 119A of the UK Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs”), as follows:

Section of the UK SCCs | Content

Table 1 – Start Date: The Effective Date of the Agreement.

Table 1 – Parties’ details:

Exporter (who sends the Restricted Transfer)
Full legal name: As set forth in the Agreement.
Main address (if a company registered address): As set forth in the Enrollment.

Importer (who receives the Restricted Transfer)
Full legal name: Deeto, Inc.
Main address (if a company registered address): As set forth in the Agreement.

Table 1 – Key Contact: As set forth in the Enrollment. Email address: support@deeto.ai

Table 2 – Addendum EU SCCs: The version of the Approved EU SCCs in Part Two above, including the Appendix Information.
Date: The Effective Date of the Agreement.
Reference (if any): Part Two.

Table 3 – Appendix Information:
Annex 1A: List of Parties: see Part Two.
Annex 1B: Description of Transfer: see Part Two.
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: see Appendix to Part Two.

Table 4 – Ending this Addendum when the Approved Addendum Changes:
Which Parties may end this Addendum:
☐ Importer
☒ Exporter
☐ neither Party
© 2022 Deeto. All rights reserved.