Data Protection Addendum
Standard Contractual Clauses and Data Transfer
Date: April 25, 2023
Parties
1. LiquidText Inc. (“data importer”); and
2. Client (“data exporter”),
(each of data importer and data exporter a “party” and together the “parties”).
Introduction
(A) The data exporter wishes to transfer certain personal data to the data importer and the data importer accepts such transfer, in regard to the underlying productivity software and services (including the storage and certain services related to textual documents and other data) specified in the terms and conditions of the data importer and any other separate agreement by and between the parties (the “Agreement”).
(B) As the data importer is based outside of the European Economic Area, the parties are entering into these Standard Contractual Clauses to ensure an adequate level of protection for the rights and freedoms of the data exporter's data subjects in relation to the processing of personal data.
Standard Contractual Clauses
1. For the purposes of this Data Protection Addendum:
1.1 “personal data,” “special categories of data/sensitive data,” “process/processing,” “controller,” “processor,” “data subject,” and “supervisory authority/authority” shall have the meaning given in the GDPR (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);
1.2 “EEA Personal Data” means personal data to which the EU GDPR applies;
1.3 “GDPR” or “EU GDPR” means: Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation);
1.4 “Standard Contractual Clauses” means: (i) in respect of EEA Personal Data, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) (located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en or at any other official link, and as may be updated or replaced by the European Commission);
1.5 “Restricted Transfer” means: (i) a transfer of EEA Personal Data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission.
1.6 References to Clauses shall be to the Standard Contractual Clauses unless the context determines otherwise.
1.7 The details of the transfer (as well as the personal data transferred and the purposes of the processing), as required under the Annexes of the Standard Contractual Clauses, are specified in the Appendix, which forms an integral part of this DPA.
1.8 Each party agrees to execute such further agreements and take all such actions, as may be reasonably required for the purposes of processing personal data pursuant to this DPA in accordance with the applicable European data protection laws, including the GDPR.
2. Adherence to the Standard Contractual Clauses
2.1 Where there is a Restricted Transfer of personal data from the data exporter to the data importer, the Standard Contractual Clauses shall apply and be completed as set out in the Data Transfer Appendix to this Addendum.
3. Miscellaneous
3.1 This Addendum shall be incorporated into, and form part of, the Agreement to which it is attached, and shall be subject to all of the terms and conditions of such Agreement. In the event of any conflict between this Addendum (including the Data Transfer Appendix) and the main body of the Agreement, this Addendum shall prevail to the extent of that conflict.
DATA TRANSFER APPENDIX
For Restricted Transfers of EEA Personal Data from the data exporter to the data importer, the EU SCCs will apply and shall be deemed completed as follows:
I. Module one (controller to controller transfer) of the EU SCCs applies in cases where both the data importer and the data exporter act as controllers. This includes cases where the data importer processes names and contact information of representatives and persons acting in the data exporter’s (client’s) name (including individual clients).
1. General. Module one of the EU SCCs applies.
2. Clause 7. The Parties agree that Clause 7 of the EU SCCs (Docking Clause) shall apply.
3. Clause 11. The Parties agree that the optional language of Clause 11 shall not apply.
4. Clause 14. The Parties agree to document a transfer impact assessment. Data importer will provide the relevant information needed to complete a transfer impact assessment by providing the information specified in Annex IV; however, it is not required to provide additional information and does not undertake any liability of the data exporter under the GDPR or other applicable laws.
5. Clause 17. The Parties agree that option 2 applies to the transfer and that the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of Italy.
6. Clause 18. The Parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Italy.
7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Transfer Appendix.
8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Transfer Appendix.
II. Module two (controller to processor transfer) of the EU SCCs applies in cases where the data exporter acts as controller and the data importer acts as processor. This includes cases where the data importer processes personal data in the name of the data exporter (e.g. personal data in documents that the data exporter processes as controller and regarding which it requires the services of the data importer as its processor).
1. General. Module two of the EU SCCs applies.
2. Clause 7. The Parties agree that Clause 7 of the EU SCCs (Docking Clause) shall apply.
3. Clause 9. The Parties agree that option 2 applies and that data importer has the data exporter’s general authorization for the engagement of sub-processor(s) specified in this Addendum.
4. Clause 11. The Parties agree that the optional language of Clause 11 shall not apply.
5. Clause 14. The Parties agree to document a transfer impact assessment. Data importer will provide the relevant information needed to complete a transfer impact assessment by providing the information specified in Annex IV; however, it is not required to provide additional information and does not undertake any liability of the data exporter under the GDPR or other applicable laws.
6. Clause 17. The Parties agree that option 2 applies to the transfer and that the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of Italy.
7. Clause 18. The Parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Italy.
8. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Transfer Appendix.
9. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Transfer Appendix.
10. Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this Data Transfer Appendix.
III. Module three (processor to processor transfer) of the EU SCCs applies in cases where the data exporter acts as a processor for another person/entity acting as controller and transfers personal data to the data importer acting as another processor contracted by the data exporter.
1. General. Module three of the EU SCCs applies.
2. Clause 7. The Parties agree that Clause 7 of the EU SCCs (Docking Clause) shall apply.
3. Clause 9. The Parties agree that option 2 applies and that data importer has the data exporter’s general authorization for the engagement of sub-processor(s) specified in this Addendum.
4. Clause 11. The Parties agree that the optional language of Clause 11 shall not apply.
5. Clause 14. The Parties agree to document a transfer impact assessment. Data importer will provide the relevant information needed to complete a transfer impact assessment by providing the information specified in Annex IV.
6. Clause 17. The Parties agree that option 2 applies to the transfer and that the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of Italy.
7. Clause 18. The Parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Italy.
8. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Transfer Appendix.
9. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Transfer Appendix.
10. Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this Data Transfer Appendix.
Annex I
Description of data transfers
A List of Parties
1. Name and address. The name and address of the “data exporter” and “data importer” are provided in the Agreement to which this Schedule is attached.
2. Contact points for data protection enquiries.
Data exporter:
Client and its contact details as specified in the Agreement
Data importer:
LiquidText Inc.
Tashman, Craig, CEO; PO 703 South Salem, NY 10590, USA
email: contact@liquidtext.net
3. Activities relevant to the data transferred under these Clauses.
Data exporter:
Services and/or activities provided and/or undertaken by the Client in accordance with the Agreement.
Data importer:
Productivity software and services (including the storage and certain services related to textual documents).
4. Signature and date. The Parties agree that the Clauses shall be deemed executed upon execution of the Agreement to which the Addendum is attached.
5. Role (controller/processor).
Data exporter:
Module 1: Controller
Module 2: Controller
Module 3: Processor
Data importer:
Module 1: Controller
Module 2: Processor
Module 3: Processor
B Description of Transfer
6. Categories of Data subjects whose personal data is transferred. The personal data transferred concern the following categories of data subjects:
Data subjects whose data are contained in documents and other data shared with the data importer by the data exporter (“Affected Persons”).
Employees, directors, and other individuals employed by or otherwise representing data exporter and service providers and business partners of the data exporter where relevant with respect to the Agreement (“Business Contacts”).
7. Categories of personal data transferred.
The personal data processed and transferred concern the following categories of personal data.
For Affected Persons: name and other personal data identifying the Affected Person and shared by the data exporter.
For Business Contacts: name; contact details; and other relevant contractual information as may be necessary to facilitate data exporter’s business dealings with the data importer.
8. Sensitive data transferred. The personal data transferred concern the following categories of sensitive data:
For Affected Persons: It is possible that documents shared with the data importer contain sensitive data (e.g. health data) or personal data relating to criminal convictions and offences (e.g. documents shared by law firm/lawyer clients); however, such data are uncommon.
Sensitive data shall be protected in accordance with the security measures described in Annex II.
9. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous basis.
10. Nature of the processing. The processing of personal data as necessary to provide the services agreed between the parties in the Agreement.
11. Purposes of the data transfer and further processing. The data will be processed, and the transfer will be made for provision of the data importer’s productivity software and services (including the storage and certain services related to textual documents).
This also means that personal data are processed and transferred as required to perform any contractual obligations of the data importer under the Agreement, recordkeeping and billing, compliance with the Agreement, exercise of contractual rights and protection of business interests and reputation.
12. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. The personal data will be retained for the duration of time consistent with the requirements agreed between the parties pursuant to the Agreement.
13. Competent supervisory authority. Where the EU SCCs apply, the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs.
14. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. As specified under Annex III.
Annex II
Technical and Organizational Security Measures
Each party is required to implement and maintain all appropriate administrative, organizational, physical and technical safeguards and measures (collectively the “Safeguards”) designed to prevent any collection, use, accidental loss, disclosure or destruction of, or damage to, or access to personal data that the Agreement and the Addendum do not authorize, and to ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of personal data. Each party’s Safeguards, including, without limitation, its information security program, will meet industry standard practices for safeguarding data. Each party shall promptly notify the other party of any unauthorized access, use, losses or disclosure of any personal data and both parties will assist reasonably in investigating and remedying such security breach.
The technical and organizational measures implemented by the data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risk for the rights and freedoms of natural persons, will include the following:
Human Resources Security
Employees and independent contractors are required to sign confidentiality and non-disclosure agreements, and all workforce members are familiarized with the data importer’s security and privacy policies. Contracts require contractors and service providers to protect personal data. The information security team has implemented network and endpoint security controls to protect the storage and transmission of personal data and uses threat intelligence to inform protection against advanced virus, spyware and other malware threats.
Access Control
Extensive security tools and processes offered by our cloud service providers are leveraged to provide access control. Access to personal data is controlled through access privileges, user identities and other authentication methods. The information security measures put in place by the data importer also include access control requirements for employees when accessing sensitive systems and data; such measures also require that employees use strong passwords and protect their passwords from disclosure. New employees must complete an onboarding and user registration process prior to their data importer employee account being granted. Administrative accounts are subject to additional security management processes including security monitoring. The information security team employs internal tools to monitor for endpoint security controls such as passwords. Access to data processing systems is based on job function.
Physical & Environmental Security
Data importer has disaster recovery and business continuity plans to ensure the availability, security, integrity and (where necessary) restoration of the personal data on the occurrence of a force majeure or similar business interruption event.
Operations Security
Operating procedures are managed on a per-team and per-system basis. Development and production environments are separated. Malware detection and remediation technologies are established. Various network and employee workstation security technologies are in use. Backups of data are centrally stored and regularly tested. For key systems, security-related events are logged and subject to review. Certain systems containing sensitive data (for example, financial account information) are subject to additional restrictions for access control.
Communications Security
Network segregation and segmentation is implemented. Publicly accessible and communicating systems use SSL or other encryption mechanisms to preserve confidentiality and integrity of data, including personal data.
Systems Acquisition, Development & Maintenance
Widely-used technology platforms and tools are centrally managed. Security controls are implemented that perform continuous security testing (such as source code static analysis). Post-deployment analysis of certain security controls is performed automatically on an ongoing basis.
Service Provider Security
Service provider contracts include security and data protection requirements. Service provider access to internal systems is restricted. The information security team evaluates service provider security controls.
Additional Data Security Measures
To provide an additional layer of protection and compliance with relevant data protection laws, the data importer ensures geo-fencing (data storage in the client’s geographical location) and end-to-end encryption on certain plans for clients requesting such solutions.
Annex III
Sub-processors
The data importer has authorised the use of the following sub-processors (in cases where data importer acts as a processor):
1. Name: Microsoft Corporation
Address: One Microsoft Way, Redmond, Washington 98052
Contact person’s name, position and contact details: Scott McLean, Data Protection Officer, dpoffice@microsoft.com, phone: 01 706 3117
Description of processing: Provision of MS Azure services.
2. Name: PubNub Inc.
Address: 50 Francisco Street, Suite 100, San Francisco, CA 94133
Contact person’s name, position and contact details: Representative: privacy@pubnub.com attention to PubNub’s Chief Privacy Officer
Description of processing: Real-time message exchange services.
3. Name: Heap Inc.
Address: Heap, Inc. 225 Bush St. 2nd Floor, San Francisco, CA 94104
Contact person’s name, position and contact details: Jerry van Leeuwen, DPO, dpo@heap.io
Description of processing: Data analytics.
4. Name: OpenAI OpCo, LLC
Address: OpenAI, LLC, 3180 18th Street, San Francisco, CA, United States
Contact person’s name, position and contact details: Head of Commercial Legal, privacy@openai.com
Description of processing: AI data analysis and content generation services.
It is highlighted that the first three of these companies apply Standard Contractual Clauses for data transfers from the EU to third countries. Users may opt out of using the 4th company’s services if desired, without affecting any other functionality.
It is further noted that in cases where the data importer acts as controller, these companies are regarded as the data importer’s data processors or – in cases specified in their privacy policies – as controllers.
Annex IV
Transfer Impact Assessment
Step 1: Where will data be processed?
The personal data described in Annex I will be transferred to the data importer in the United States of America (“US”). It is noted that transient data storage can take place in other third countries with regard to PubNub’s real-time data sharing support; however, such data transfers take place in accordance with EU SCCs providing an adequate level of protection for personal data affected. It is likewise noted that analytics data storage can take place in other third countries with regard to Heap’s analytics support; however, such data transfers take place in accordance with EU SCCs providing an adequate level of protection for personal data affected. The personal data transferred is adequate, relevant and limited to what is necessary in relation to the purposes described under paragraph 11 of Annex I.
Step 2: Identify the transfer tools you are relying on (nothing to complete here):
Data exporter and data importer will rely on the EU SCCs for any Restricted Transfers.
Step 3: Assess whether the transfer tool relied upon is effective in the circumstances:
LiquidText is not subject to s.702 FISA nor Executive Order 12333. To explain:
· LiquidText is not an electronic communications service provider and is therefore outside of the scope of a FISA 702 request.
· Executive Order 12333 sets out the rules for US intelligence agencies as they carry out authorized surveillance. However, there is nothing in EO 12333 to compel a private organization to turn over data or to assist the US government in carrying out surveillance. EO 12333 does not apply to, nor require any activity by, LiquidText.
Further, the limited and highly specific personal data described in Annex I does not lend itself to the “mass surveillance” and disproportionate processing concerns raised by the CJEU.
In view of the above, LiquidText has no reasons to believe that the laws and practices in the third countries applicable to its processing of personal data prevent it from fulfilling its obligations under the Standard Contractual Clauses.
Step 4: Adopt supplementary measures:
In view of the above, LiquidText believes that the third country legislation applicable to this specific transfer does not adversely impact its ability to comply with its commitments under the Standard Contractual Clauses. Notwithstanding this, LiquidText has implemented the security measures described in Annex II to protect the personal data it will process and, further, has in place robust mechanisms for reviewing, assessing and (where appropriate) resisting requests (if any) received from law enforcement and government agencies in respect of the personal data it processes.
Step 5: Procedural steps necessary to implement effective supplementary measures: No further procedural steps (e.g. regulatory authorization of the Standard Contractual Clauses) are required.
Step 6: Re-evaluate at appropriate intervals:
Data importer will review and, where necessary, adapt any supplementary measures it has implemented at least annually to address changing data protection regulatory and risk environments.