Re:amaze Data Processing Addendum
Last Revised: July 10, 2024
This Data Processing Addendum (the “DPA”) is entered into by Lantirn, Inc. (“Re:amaze”) and the (“Customer”) who has agreed to use Re:amaze's services pursuant to the Re:amaze Terms of Service (the "Agreement"). Re:amaze and Customer are referred to herein, individually, as “Party”, and collectively as the “Parties”. This DPA is effective as of the first date that Customer provides Customer Personal Data (defined below) to Re:amaze and governs all Processing of Customer Personal Data under the Re:amaze Terms of Service.
1. Definitions
Unless otherwise defined in applicable Data Protection Laws (as defined below), the capitalized terms listed in this Section have the following meanings:
1.1 “Affiliate” means any entity that controls or is under common control with a Party. “Control” means direct or indirect ownership or control of fifty percent (50%) or more of the voting interests of an entity.
1.2 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing Customer Personal Data under the Agreement.
1.3 "Customer Personal Data" means any Personal Data (as defined below) processed by Re:amaze on Customer's behalf in connection with Customer's use of the Services. Customer Personal Data does not include Re:amaze Data.
1.4 "Data Protection Law" means any law or regulation applicable to processing of Customer Personal Data under the Agreement.
1.5 "Data Subject" means an identified or identifiable natural person to whom specific Personal Data relates.
1.6 "De-Identified Data" means data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a specific Data Subject.
1.7 "Re:amaze Data" means (a) all information relating to Re:amaze's business and delivery of the Services, including but not limited to Personal Data concerning Customer and its employees or representatives, (b) other data concerning or relating to Customer's account, transaction history, use of the Services and identity verification, and (c) subject to any restrictions under any applicable Data Protection Laws, De-Identified Data.
1.8 "Personal Data" means information that relates to an identified or identifiable natural person, including any information defined as Personal Data, Personal Information, or Personally Identifiable Information ("PII") in any applicable Data Protection Laws. Personal Data does not include De-Identified Data.
1.9 "Processing" means any operation performed on Customer Personal Data, such as collection, use, storage, disclosure, analysis, deletion, or modification, whether by manual or automated means.
1.10 "Processor" means a natural or legal person, public authority, agency, or body that processes Customer Personal Data on behalf of a Controller under the Agreement.
1.11 "Sensitive Personal Data" means (a) social security number, passport number, driver's license number or similar identifier; (b) credit or debit card information, financial information, bank account numbers, or account passwords; (c) employment, financial, genetic, biometric, or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or orientation; (e) account passwords, mother's maiden name, date of birth, and similar information used to authenticate a user's identity; (f) criminal history; (g) biometric data used to identify a specific person (e.g. fingerprints); or (h) any other information or combination of information that falls within the definitions of "special categories data" under any applicable Data Protection Law.
1.12 "Services" means the products or services that Re:amaze has agreed to provide pursuant to the Agreement that involve processing of Customer Personal Data.
1.13 "Subprocessor" means any natural or legal person, public authority, agency, or body with whom Re:amaze contracts to process Customer Personal Data.
1.14 "Transfer" means (a) transfer of Customer Personal Data from Controller to Processor, whether by physical transfer or by granting access to the Customer Personal Data held or otherwise controlled by Controller or (b) an onward transfer of Customer Personal Data from a Processor to a Subprocessor (and any subsequent onward transfer by a Subprocessor to another Subprocessor).
2. Scope of Data Processing and Relationship of Parties
2.1 Customer as Controller or Processor
2.1.1 Where Customer is a Controller, Customer (a) is solely responsible for determining the purposes and means of processing Customer Personal Data, (b) has all necessary authority, grounds, rights, and permissions to provide Customer Personal Data to Re:amaze, and (c) will comply with its obligations as a Controller under applicable Data Protection Laws.
2.1.2 Where Customer is a Processor, Customer (a) is solely responsible for complying with its agreement(s) with the data Controller(s) on whose behalf Customer is processing Customer Personal Data; (b) has all necessary permissions from the Controller to provide Customer Personal Data to Re:amaze, and (c) will comply with its obligations as a Processor under applicable Data Protection Laws.
2.2 Re:amaze as Processor or Subprocessor.
2.2.1 Re:amaze will take all steps reasonably necessary to enable Customer to comply with Customer's obligations as a Controller and/or Processor under the Data Protection Laws consistent with the character, nature, scope, and purpose of the Services provided by Re:amaze. For the avoidance of doubt, Re:amaze is not required to undertake any steps to alter or make Re:amaze's Services compliant for Customer's specific use. Customer's sole remedy in the event the Services are determined to be not compliant for Customer's specific use is termination of any portion of the Agreement that relates to processing of Customer Personal Data.
2.2.2 Re:amaze will process Customer Personal Data only upon documented instructions for the limited and specific purposes described in the Agreement, this DPA, or as required by law.
2.2.3 Re:amaze will not sell, retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Services.
2.2.4 Re:amaze will not Process Customer Personal Data outside of the Parties' direct business relationship described in the Agreement and this DPA.
2.2.5 Re:amaze will not combine Customer Personal Data with any other data Re:amaze collects (directly or via any third party) other than as expressly permitted under the Agreement.
2.2.6 Re:amaze will stop all Processing and will notify Customer within three (3) business days if Re:amaze: (a) believes that a Customer instruction violates any applicable Data Protection Laws or (b) determines Re:amaze is unable to comply with any applicable Data Protection Laws or its obligations under this DPA.
2.3 Affiliates
2.3.1 Customer Affiliates. For purposes of this DPA, any Personal Data provided to Re:amaze or Re:amaze's Affiliates by a Customer Affiliate for processing on Customer's and/or Customer's Affiliate's behalf shall be deemed to be Customer Personal Data and to have been provided by Customer. Customer represents that it will take all measures reasonably necessary to ensure its Affiliates comply with all Customer obligations with respect to this DPA. Customer is responsible for its Affiliates' compliance with all terms of this DPA.
2.3.2 Re:amaze Affiliates. For purposes of this DPA, any Customer Personal Data received by Re:amaze's Affiliates shall be deemed to have been received by Re:amaze. Re:amaze represents that it will take all measures reasonably necessary to ensure that its Affiliates comply with Re:amaze's obligations with respect to processing of Customer Personal Data under this DPA. Re:amaze is responsible for Re:amaze's Affiliates' compliance with all terms of this DPA.
3. Sub-Processing
3.1 Customer provides general authorization for Re:amaze to engage subprocessors.
3.2 You are invited to review a list of our subprocessors.
3.3 Before transferring Customer Personal Data to a Subprocessor, Re:amaze will: (a) enter into a written agreement with the Subprocessor that is at least as protective of Customer Data as this DPA; (b) conduct due diligence to confirm the Subprocessor can comply with the material terms of this DPA and the Data Protection Laws as they relate to Re:amaze's processing of Customer Data, including the information security requirements of Sections 5, 6, and 8, and of Schedule 2 of this DPA.
3.4 Re:amaze is liable for its Subprocessors' acts and omissions, including any acts or omissions of its Subprocessors' subprocessors.
3.5 New Subprocessors; Right to Object.
3.5.1 Re:amaze will exercise reasonable efforts to notify Customer in writing at least sixty (60) days in advance if Re:amaze intends to appoint a new Subprocessor; provided, however, that sixty (60) days' advance notice is not required and Re:amaze will notify Customer without undue delay after the appointment of a new Subprocessor if immediate appointment is required to maintain the security of Customer Personal Data or to comply with applicable law.
3.5.2 If Customer reasonably objects to a new Subprocessor, Customer must notify Re:amaze in writing within thirty (30) days after the Subprocessor's appointment. In Re:amaze's sole discretion, Re:amaze may use commercially reasonable efforts to address Customer's objection. If the Parties are unable to resolve Customer's objection within thirty (30) days, Customer may terminate this DPA and any portion of the Agreement relating to the processing of Customer Personal Data.
3.5.3 If Customer does not object to a new Subprocessor within thirty (30) days of notice of Subprocessor's appointment, Customer will be deemed to have accepted the new Subprocessor.
3.5.4 Notice of a new Subprocessor may be provided by updating the Subprocessor list described in Section 3.2.
4. Legal Process and Other Third Party Requests for Customer Personal Data
4.1 Re:amaze will not respond to any informal request for any Customer Personal Data from a government body, law enforcement agency, or other person except in response to a subpoena, search warrant, court order, or other similar legal process (collectively, “Legal Process”), unless such disclosure is determined by Re:amaze in its reasonable discretion to be (a) required by law, (b) necessary to protect Re:amaze's systems or data from harm or misuse, or (c) necessary to protect Re:amaze or any other person from damage or physical harm.
4.2 Unless prohibited by law, Re:amaze will notify Customer promptly if it receives any Legal Process that requires Re:amaze to provide access to or disclose Customer Personal Data.
4.3 Unless otherwise required by law, Re:amaze will cooperate with Customer (at Customer's reasonable expense) in any efforts by Customer to prevent disclosure of Customer Personal Data in response to Legal Process.
5. Data Security
5.1 Re:amaze maintains an information security program that includes appropriate and documented technical and organizational measures to ensure a level of security appropriate to the risk of Processing Customer Personal Data under the Agreement, including any specific measures required by applicable Data Protection Laws.
5.2 Customer expressly acknowledges that Re:amaze provides security features and functionality that Customer can use to protect Customer Personal Data. Customer is solely responsible for taking appropriate risk-based steps to protect the security of Customer's account and Customer Personal Data within Customer's control, including by using security features and functionality provided by Re:amaze. Customer also is solely responsible for ensuring that all content that Customer places or causes to be placed within the Services is free of vulnerabilities that could result in the compromise of Customer Personal Data and Re:amaze's systems, including but not limited to malicious software. Re:amaze is not responsible for backing up Customer Personal Data.
5.3 Re:amaze does not offer services for processing of Customer Personal Data containing credit, debit, payment card or other similar information that may be subject to Payment Card Industry Data Security Standard Requirements (“PCI-DSS”). Customer is expressly prohibited from using Re:amaze services to process PCI-DSS data. Customer is solely responsible for any violation of PCI-DSS requirements if Customer uses Re:amaze Services to process or store PCI-DSS Data.
5.4 In addition to any measures required for Re:amaze to comply with its obligations under applicable Data Protection Laws, Re:amaze will implement the specific technical and organizational measures identified in Schedule 2 of this DPA.
6. Data Security Incidents
6.1 Re:amaze offers Customer extensive opportunities to access and control Customer Personal Data Processed on Customer's behalf. Re:amaze is not responsible for any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that does not result from a compromise of Re:amaze's systems. Examples of Security Incidents for which Re:amaze is not responsible include Customer's failure to maintain the secrecy of its passwords, downloading of malicious content, or any other security vulnerability caused by or introduced into the Services and Customer's hosted environment by Customer.
6.2 Re:amaze will use commercially reasonable efforts to notify Customer of a breach of security of Re:amaze's systems leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Security Incident”) within the time period required under applicable law.
6.3 Re:amaze will take appropriate, risk-based steps that are reasonably necessary to contain, mitigate, and remediate a Security Incident without unreasonable delay.
6.4 Re:amaze will provide information reasonably requested by Customer to assess the impact of a Security Incident on Customer Personal Data and for Customer to provide notice of the Security Incident to governmental authorities, affected Data Subjects, or any other person.
6.5 Re:amaze's acknowledgement of a Security Incident or decision to notify Customer of a Security Incident is not an admission of fault or liability.
7. Data Subject Rights
7.1 Customer is solely responsible for responding to any request to exercise a Data Subject's rights under the Data Protection Laws, Customer's privacy policies, or Customer's terms of service, including but not limited to requests to know, access, correct, or delete Customer Personal Data (“Data Subject Requests”).
7.2 Re:amaze will not respond to a Data Subject Request except on documented instructions from Customer or as otherwise required under applicable law.
7.3 Re:amaze will notify Customer of any Data Subject Request. Customer is solely responsible for responding to any Data Subject request. If Customer has exhausted all means available to respond to a Data Subject Request – subject to Customer's agreement to pay Re:amaze's reasonable expenses in advance – Re:amaze will provide Customer with assistance reasonably necessary to allow Customer to respond to a Data Subject Request.
8. Data Protection Impact Assessments, Prior Consultation, and Compliance Inquiries
8.1 Data Protection Impact Assessments; Prior Consultation. At Customer's expense, Re:amaze will provide reasonable assistance to Customer in conducting any data protection impact assessments and consultations with government authorities or regulators concerning processing of Customer Personal Data.
8.2 Compliance Inquiries. Customer may periodically request information reasonably necessary to confirm Re:amaze’s compliance with its obligations under applicable Data Protection Laws. If Re:amaze fails to respond to Customer’s request within forty-five (45) days, Customer may terminate the Agreement. For the avoidance of doubt, nothing in this DPA gives Customer the right to conduct an audit of Re:amaze’s business, systems, or services. Re:amaze’s obligation under this section is limited to providing Customer with information reasonably necessary to confirm that Re:amaze is in compliance with its obligations under applicable Data Protection Laws.
9. Jurisdiction Specific Requirements and International Data Transfers of Personal Data
9.1 Processing of Customer Personal Data under this DPA may involve Processing regulated by one or more Data Protection Laws and/or may involve the international transfer of Customer Personal Data.
9.2 If Customer Personal Data originates from the United States, the terms relating to the U.S. Data Protection Laws specified in Schedule 3 (Section 1) to this DPA apply.
9.3 If Customer Personal Data originates from the European Union/European Economic Area (“EU/EEA”), the United Kingdom (“UK”), or Switzerland, or if Customer is established in one or more of those jurisdictions, the terms relating to applicable EU/EEA, UK and/or Swiss Data Protection Laws specified in Schedule 3 (Section 2) to this DPA apply.
9.4 If a valid international data transfer mechanism (“Mandatory Transfer Mechanism”) is required to lawfully Transfer Customer Personal Data, the terms specified in Schedule 4 to this DPA apply.
10. General
10.1 Complete Agreement; Interpretation. This DPA constitutes the entire agreement between the Parties concerning the subject matter of this DPA and supersedes all prior or contemporaneous representations, understandings, agreements, and communications between the Parties, whether written or verbal, regarding the subject matter of this DPA. In the event of a conflict between this DPA and the Agreement (or any other agreement between the Parties), this DPA will govern and control with respect to the subject matter of this DPA. If there is a conflict between any terms of this DPA and the Mandatory Transfer Provisions described in Schedule 4, those Mandatory Transfer Provisions shall prevail.
10.2 Amendment. This DPA may be modified or amended by Re:amaze in its sole discretion pursuant to the procedures set forth in the Agreement. If Customer disagrees with such amendment, Customer’s sole remedy is to terminate that portion of the Agreement relating to the Processing of Customer Personal Data on thirty (30) days’ notice. Unless expressly agreed by the Parties in writing, any amendment of the Agreement is effective only with respect to Processing that occurs after the date of such amendment.
10.3 Waiver. The waiver of any breach of this DPA is effective only if in writing by an authorized representative of the Party waiving such breach and no such waiver will be construed as a waiver of any subsequent breach.
10.4 Severance. If any provision of this DPA is found to be unenforceable, then that provision shall be modified to the extent necessary to make it enforceable and the remainder of this DPA shall remain in effect as written. However, if modifying any unenforceable provision would result in the failure of the essential purpose of this DPA, the entire DPA shall be considered null and void unless amended pursuant to Section 10.2.
10.5 Notices. Except as expressly stated herein, notices required under this DPA will be provided in accordance with the Notice requirements set forth in the Agreement.
10.6 Liability. This DPA does not provide any basis for either Party or any other person to recover damages of any type other than those set forth in the Agreement and subject to all limitations set forth therein.
10.7 Enforcement. The terms of this DPA may only be enforced by the Parties on behalf of themselves and their respective Affiliates in accordance with the dispute resolution provisions set forth in the Agreement. This restriction on enforcement has no effect, however, on an individual Data Subject’s ability to enforce their rights under the Data Protection Laws.
10.8 Termination. Unless terminated earlier pursuant to the Agreement or any other applicable provision of this DPA or any applicable Data Protection Laws, this DPA shall terminate upon the completion of Processing or termination of the Agreement, whichever is later. Following termination of this DPA, Re:amaze will return, delete, or de-identify Customer Personal Data pursuant to the terms of the Agreement and this DPA, unless Re:amaze is required to maintain Customer Personal Data pursuant to applicable law. If Re:amaze is required to retain Customer Personal Data following termination of the Agreement, Re:amaze will continue to comply with its obligations relating to the Processing of Customer Personal Data under this DPA and will promptly return or delete any such Customer Personal Data after retention is no longer legally required.
10.9 Governing Law and Jurisdiction. This DPA is governed by the laws stipulated in the Agreement, except to the extent otherwise required by the Data Protection Laws, in which case the laws of the jurisdiction prescribed by the Data Protection Laws apply. No provision of this DPA shall be deemed to limit any person’s rights or obligations under any applicable Data Protection Laws.
Schedule 1: Details of Processing of Customer Personal Data
This Schedule 1 includes details of Processing Customer Personal Data Required under the Data Protection Laws.
Subject matter and duration of Processing of Customer Personal Data:
The subject matter and duration of Processing of Customer Personal Data are described in the Agreement.
The nature and purpose of Processing of Customer Personal Data:
Processing of Customer Personal Data by Re:amaze is reasonably required to provide the Services as described in the Agreement.
Type of Personal Data and Categories of Data Subjects:
The types of Customer Personal Data and categories of Data Subjects are controlled by Customer and/or the Controller who provided Customer Personal Data to Customer in its/their sole discretion.
Sensitive Data or Special Categories of Data:
Sensitive Data may, from time-to-time, be Processed pursuant to the Agreement. The types of Sensitive Data Processed under the Agreement are determined by Customer and/or the Controller who provided Sensitive Data to Customer in its/their sole discretion.
Obligations and Rights of the Controller:
The obligations and rights of Customer are described in the Agreement and this DPA.
Schedule 2: Technical and Organizational Security Measures
1. Applicability
1.1 The requirements of this Schedule 2 apply to Re:amaze and any Subprocessor (including but not limited to any cloud service provider) used by Re:amaze to provide the Services and/or Process Customer Personal Data.
1.2 If Re:amaze uses any Subprocessor to provide the Services and/or Process Customer Personal Data, Re:amaze shall ensure that such Subprocessor complies with each of the requirements of this Schedule.
2. Information Privacy and Data Security Management
2.1 Risk Management Process. Re:amaze shall maintain an appropriate risk management process to frame, assess, respond to and monitor risk to Customer Personal Data, consistent with Re:amaze’s obligations under the Agreement, the DPA, and applicable law.
2.2 Information Security Program Scope. At a minimum, Re:amaze’s information security program, including all applicable privacy and data protection policies, shall be designed to:
2.2.1 Protect the confidentiality, integrity and availability of Customer Personal Data in Re:amaze’s possession or control or to which Re:amaze has access; and
2.2.2 Protect against reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Personal Data.
2.3 Information Security Program Updates. Re:amaze will regularly review and update its information security program in accordance with industry standard practices and frameworks appropriate to the type, volume, and sensitivity of Customer Personal Data processed by Re:amaze.
2.4 Risk Assessments and Testing. Re:amaze will regularly conduct risk assessments for all systems processing Customer Personal Data and will periodically conduct third-party penetration testing on applications and infrastructure used to provide the Services as reasonably deemed necessary by Re:amaze.
2.5 Continuity and Resiliency. Re:amaze will implement appropriate measures to protect the integrity and availability of its systems that Process Customer Personal Data, including measures such as performance and availability monitoring, design of redundant and resilient systems, use of uninterruptible power supplies, DDoS protections, load and stress testing, and other similar measures.
3. Organizational Security
3.1 Accountability. Re:amaze will develop and implement written information security policies and procedures that clearly define responsibility for protection of Customer Personal Data within Re:amaze, including designation of one or more specific individuals to be responsible for the administration of Re:amaze’s information security program and protection of Customer Personal Data.
3.2 Asset Management and Controls. Re:amaze will maintain an asset management policy and asset controls, including asset classification and an inventory of devices and systems that are used to provide the Services and/or process Customer Personal Data.
3.3 Physical Security. Re:amaze also shall implement risk-based controls to maintain the physical security of its facilities, including implementing reasonable measures to ensure that only authorized users have access to Re:amaze’s electronic devices, network, critical systems, applications, server room, communication rooms, and work environments. Measures that Re:amaze may employ, where appropriate, include but are not limited to alarms, CCTV monitoring, visitor access management, and destruction of Personal Data on physical devices before disposal/recycling.
4. Security Operations
4.1 Secure System Configuration. Re:amaze will establish controls to ensure that systems used to provide the Services and/or Process Customer Personal Data are securely configured.
4.2 Vulnerability and Patch Management. Re:amaze will establish and maintain a vulnerability and patch management system that ensures all systems used to provide the Services and/or Process Customer Personal Data are patched against known security vulnerabilities in a reasonable time period based on the criticality of the patch and sensitivity of the Customer Personal Data.
4.3 Malware Prevention. Re:amaze will implement detection, prevention, and remediation controls to protect against malicious software (including appropriate user awareness programs).
4.4 Logging and Auditing. Re:amaze will employ a log management program that defines the scope, creation, storage, analysis, and disposal of logs using risk-based industry standards.
4.5 Security Incident Detection and Response. Re:amaze will maintain risk-based systems for detecting Security Incidents as required by Section 6 of the Agreement, including use of intrusion detection and intrusion prevention systems.
5. Training
Re:amaze will ensure that its personnel receive regular training regarding their confidentiality and data protection obligations as they relate to Customer Personal Data.
6. Access Controls
6.1 Unique Identification. Re:amaze will assign individual unique user credentials to personnel with access to Customer Personal Data, including but not limited to personnel with administrative access.
6.2 Password Management. Re:amaze will implement policies and procedures for password management, including centralized password management and password policies.
6.3 Multi-Factor Authentication. Re:amaze will implement multi-factor authentication for remote access to networks, systems, or applications used to Process and/or store Customer Personal Data.
6.4 Least Privilege. Re:amaze will restrict access to Customer Personal Data to those personnel who are bound by appropriate confidentiality obligations and have a “need to know” or “need to access” for purposes of providing the Services.
7. Data Security Controls
7.1 Data Segregation. Re:amaze will maintain Customer Personal Data in logically separate and secure environments.
7.2 Encryption and other Measures. Re:amaze will employ appropriate risk-based measures to protect Customer Personal Data, including encryption, pseudonymization, and other appropriate measures such as employing algorithms for hashing secrets, including passwords and API tokens used for accessing systems containing Customer Personal Data.
Schedule 3: Jurisdiction Specific Terms
1. United States
1.1 California
1.1.1 Definitions
1.1.1.1 The following terms are specifically defined according to the definitions set forth in the California Data Protection Laws: “Business”, “Commercial Purpose”, “Service Provider”, “Sell”, “Share”, and “Third-Party”.
1.1.1.2 The term “Customer Personal Data” includes Personal Information of an identified or identifiable natural person or household.
1.1.2 The Parties’ Roles
1.1.2.1 If Customer is deemed to be a Business under applicable California Data Protection Laws, all references to Customer’s rights and obligations as Controller under this DPA shall also be deemed to refer to Customer’s rights and obligations as a Business. If Customer is deemed to be a Service Provider under applicable California Data Protection Laws, all references to Customer’s rights and obligations as Processor under this DPA shall also be deemed to refer to Customer’s rights and obligations as a Service Provider.
1.1.2.2 If Re:amaze is deemed to be a Service Provider or Third-Party under the California Data Protection Laws, all references to Re:amaze’s rights and obligations as a Processor or Subprocessor under this DPA shall also be deemed to refer to Re:amaze’s rights and obligations as a Service Provider or Third Party, as applicable.
1.2 All U.S. States (including California)
1.2.1 Re:amaze may not (a) sell or share Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, or (c) retain, use, or disclose any Customer Personal Data outside of the direct business relationship between Re:amaze and Company.
1.2.2 Re:amaze’s access to Customer Personal Data is not part of the consideration exchanged by the Parties under the Agreement.
1.2.3 Customer shall have the right to take reasonable steps to: (a) verify that Re:amaze processes Customer Personal Data in a manner consistent with this DPA, including exercising the rights set forth in Section 8 of the DPA; (b) require the stopping and remediation of Re:amaze’s Processing activities conducted in violation of the DPA’s terms; and (c) take any other reasonable steps (as determined in Customer’s sole discretion) to ensure Re:amaze’s compliance with this DPA. If Re:amaze is unable or unwilling to comply with Customer’s reasonable requests pursuant to this Section 1.2.3, Customer’s sole remedy is to terminate this DPA and that portion of the Agreement that relates to processing of Customer Personal Data.
1.2.4 Re:amaze certifies that it understands and will comply with the obligations under the Data Protection Laws and this DPA, including all restrictions on Processing Customer Personal Data.
2. European Union/European Economic Area
2.1 Subprocessors
2.1.1 When Re:amaze engages a Subprocessor, it will:
2.1.1.1 Require the Subprocessor to comply with those technical and organizational measures set forth in Sections 5, 6, and 8 of the DPA, and Schedule 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all technical and organizational measures required by Article 28 of the EU General Data Protection Regulation (“GDPR”); and
2.1.1.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in the EU/EEA, (b) in a country that the European Commission has declared to have an “adequate” level of data protection, or (c) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.
2.2 Liability for Regulatory Penalties. Notwithstanding any other term set forth in this DPA or the Agreement (including either Party’s indemnification obligations under the Agreement), neither Party will be responsible for any fines issued or levied by any regulatory authority or government body on the other Party, including any fines under Article 83 of the EU GDPR.
3. Switzerland
3.1 When Re:amaze engages a Subprocessor, it will:
3.1.1 Require the Subprocessor to comply with those Technical and Organizational Measures set forth in Sections 5, 6, and 8, and Schedule 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all Technical and Organizational Measures required by Article 28 of the GDPR; and
3.1.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in Switzerland, (b) in the EU/EEA, (c) in another country that the European Commission has declared to have an “adequate” level of data protection, or (d) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.
3.2 To the extent Customer Personal Data Transfers from Switzerland are made subject to the EU Standard Contractual Clauses (as defined in Schedule 4), the following amendments apply:
3.2.1 References to “Member State” will be interpreted to include Switzerland; and
3.2.2 To the extent Transfers are subject to the Federal Act on Data Protection (“FADP”) references to “Regulation (EU) 2016/679” will be deemed to be references to the FADP.
4. United Kingdom
4.1 References to “GDPR” will be deemed to be references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and the Data Protection Act 2018.
4.2 When Re:amaze engages a Subprocessor, it will:
4.2.1 Require the Subprocessor to comply with those technical and organizational measures set forth in Sections 5, 6, and 8, and Schedule 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all technical and organizational measures required by Article 28 of the UK GDPR; and
4.2.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in the UK, (b) in the EU/EEA, (c) in another country that the United Kingdom has declared to have an “adequate” level of data protection, or (d) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.
Schedule 4: International Mandatory Cross Border Transfer Mechanisms
1. Definitions
1.1 The “Data Privacy Framework (‘DPF’)” means the EU-US, Swiss-US, or UK-US Data Privacy Framework certification programs operated by the U.S. Department of Commerce ([www.dataprivacyframework.gov](https://www.dataprivacyframework.gov)).
1.2 The “UK-US Data Bridge” means the UK Extension to the EU-US Data Privacy Framework.
1.3 The “EU Standard Contractual Clauses” mean the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission and annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.4 The UK International Data Transfer Agreement (“UK IDTA”) issued by the UK Information Commissioner, Version B1.0, is deemed to be executed by the Parties as of the Effective Date of the Agreement, and the EU Standard Contractual Clauses are deemed amended as specified by the UK IDTA in relation to data transfers from the UK.
2. Order of Precedence
2.1 No Mandatory Transfer Mechanism is used if a transfer is made to a country that has been deemed to offer an adequate level of data protection by the Data Protection Laws of the country from which such Customer Personal Data is transferred.
2.2 If a Transfer is required and such Transfer is covered by more than one Mandatory Transfer Mechanism, the Transfer will be subject to a single Mandatory Transfer Mechanism in accordance with the following order of precedence: (a) the applicable EU or Swiss DPF; (b) the UK-US Data Bridge; (c) the EU Standard Contractual Clauses; (d) the UK IDTA; or (e) any other applicable Mandatory Transfer Mechanism permitted under the applicable Data Protection Laws.
2.3 If a Mandatory Transfer Mechanism is deemed invalid after execution of this Agreement, all future Transfers will be deemed made by the next applicable valid Mandatory Transfer Mechanism.
3. Data Privacy Framework
3.1 Self-Certification
3.1.1 Re:amaze’s Certification. Re:amaze represents that it is self-certified under the DPF. Re:amaze agrees (a) to provide at least the same level of protection to any Customer Personal Data as required under the DPF’s Data Privacy Principles; (b) to notify Customer in writing without undue delay if Re:amaze’s certification to the DPF is withdrawn, terminated, revoked, or otherwise invalidated; and (c) upon written notice from Customer, to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Customer Personal Data.
3.1.2 Customer’s Certification. To the extent Customer is certified under the DPF, Customer agrees (a) to provide at least the same level of protection to any Personal Data as required under the DPF’s Data Privacy Principles; (b) to notify Re:amaze in writing without undue delay if Customer’s certification to the DPF is withdrawn, terminated, revoked, or otherwise invalidated; and (c) upon written notice from Re:amaze, to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Customer Personal Data.
3.2 Status
3.2.1 EU-US DPF. The EU-US DPF has been deemed to provide an adequate level of data protection by the European Commission pursuant to a 10 July 2023 adequacy decision and is in effect as of 10 October 2023.
3.2.2 UK-US Data Bridge. The UK-US Data Bridge has been deemed to provide an adequate level of data protection by the UK Secretary of State for Science, Innovation, and Technology, who laid adequacy regulations before Parliament on 21 September 2023. The UK-US Data Bridge regulations are in effect as of 12 October 2023.
3.2.3 Swiss-US DPF. The Swiss-US DPF is not yet in effect.
3.2.3.1 The Parties agree that to the extent the terms of this DPA are consistent with the Swiss DPF or its reasonable analog when it goes into effect, applicable Transfers of Customer Personal Data from Switzerland shall be treated as if they are made under the Swiss DPF.
3.2.3.2 To the extent any further terms are required to be added to this DPA by the Swiss DPF, the Parties agree such terms shall be incorporated automatically without further action by the Parties; provided, that such additional terms do not impose any additional material obligations on either Party or materially impair the original terms and conditions of the Agreement.
3.2.3.3 To the extent additional terms cannot be added automatically to this DPA, this DPA may be amended to allow Transfers pursuant to the Swiss DPF.
3.2.3.4 Notwithstanding any other term of this DPA, nothing in this DPA limits, restricts, or otherwise affects the Parties’ ability to transfer Personal Data pursuant to another lawful data transfer mechanism.
3.3 Customer and Customer’s Subprocessors will take all steps necessary to enable Re:amaze to comply with its obligations as a Controller and/or Processor under the DPF, including but not limited to assisting Re:amaze and/or the Controller in responding to requests from individuals to exercise their Data Subject rights.
4. The EU Standard Contractual Clauses
4.1 For Personal Data Transfers from the EU/EEA and Switzerland that are subject to the EU Standard Contractual Clauses, Module Two (Controller to Processor) or Module Three (Processor to Processor) applies, depending on whether Customer acts as a Controller or as a Processor with respect to the Customer Personal Data to be Transferred; in either case Re:amaze acts as Processor.
4.2 With respect to Modules Two and Three of the EU SCCs:
4.2.1 In Clause 7, the optional docking clause will not apply.
4.2.2 In Clause 9, Option 2 will apply and the process for providing notice and the time period for objections to Subprocessor changes will be as set forth in Section 3 of the DPA.
4.2.3 In Clause 11, the optional language will not apply.
4.2.4 In Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the internal laws of Germany.
4.2.5 In Clause 18(b), disputes relating to the DPA shall be resolved before the courts of the Federal Republic of Germany.
4.3 For purposes of Annex I, Part A:
4.3.1 Data Exporter
4.3.1.1 The Data Exporter will be Customer.
4.3.1.2 Customer may be contacted at the addresses set forth in the notice provision of the Agreement.
4.3.1.3 By entering into this DPA, Customer is deemed to have signed these EU Standard Contractual Clauses, including their Annexes, as of the Effective Date of the Agreement.
4.3.2 Data Importer
4.3.2.1 The Data Importer will be Re:amaze and/or authorized affiliates of Re:amaze.
4.3.2.2 Re:amaze may be contacted at the addresses set forth in the notice provision of the Agreement or at privacy@reamaze.com.
4.3.2.3 By entering into this DPA, Re:amaze is deemed to have signed these EU Standard Contractual Clauses, including their Annexes, as of the Effective Date of the Agreement.
4.4 For purposes of Annex I, Part B:
4.4.1 The categories of Data Subjects are described in Schedule 1.
4.4.2 The sensitive data (if any) Transferred is described in Schedule 1.
4.4.3 Transfers are made on a continuous basis for the duration of the Agreement and this DPA.
4.4.4 The nature of Processing is described in Schedule 1.
4.4.5 The purpose of Processing is described in Schedule 1.
4.4.6 The period of Processing is described in Schedule 1.
4.5 For purposes of Annex I, Part C, in accordance with Clause 13, the competent supervisory authority is defined as follows:
4.5.1 For transfers of Personal Data from the EU/EEA, the Supervisory Authority is the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information.
4.5.2 The Swiss Federal Data Protection and Information Commissioner shall act as the competent supervisory authority insofar as the relevant Transfer or Onward Transfer is governed by Swiss Data Protection Laws and Regulations.
4.6 For purposes of Annex II of the EU Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures implemented by Re:amaze as Data Importer under the DPA.
4.7 For purposes of Annex III of the EU Standard Contractual Clauses, the list of Subprocessors is set out in Section 6 of this Schedule 4.
5. United Kingdom International Data Transfer Agreement
5.1 The UK IDTA applies to Transfers of Customer Personal Data transferred from the United Kingdom to any country outside the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or government body as providing an adequate level of Personal Data protection.
5.2 For Transfers subject to the UK IDTA, the UK IDTA is deemed entered into by the Parties and completed as follows:
5.2.1 In Table 1 of the UK IDTA, the Parties’ details and key contact information are set out in Section 4.3 of this Schedule 4.
5.2.2 In Table 2 of the IDTA, information about the version of the EU Standard Contractual Clauses, modules and selected clauses to which the UK IDTA is appended is located in Section 4 of this Schedule.
5.2.3 In Table 3 of the UK IDTA:
5.2.3.1 The list of Parties is located in Section 4.3 of this Schedule 4.
5.2.3.2 The description of the transfer is set forth in Schedule 1.
5.2.3.3 Annex II is located in Schedule 2.
5.2.3.4 Re:amaze’s list of Subprocessors is located in Section 6 of this Schedule 4.
5.2.4 In Table 4 of the UK IDTA, both Re:amaze and Customer may end the UK IDTA in accordance with its terms.
5.3 The UK Information Commissioner shall act as the competent supervisory authority insofar as the relevant Transfer is governed by UK Data Protection Laws and Regulations.
5.4 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or the UK IDTA and any other terms in this DPA, the provisions of the EU Standard Contractual Clauses or the UK IDTA, as applicable, will prevail.
6. Subprocessor List
We use the following external service providers for contract performance:
Company Name | Country of Incorporation | Processing Description | Processing Categories |
---|---|---|---|
Amazon Web Services | United States of America | Cloud datacenter and network provider. Service provider for infrastructure platform, products and service provisioning. | Infrastructure & network traffic data. Customer hosted data including but not limited to websites, applications, and data from the customer’s customer(s). Product content and customer account information needed for product and service provisioning. |
Cloudflare Inc | United States of America | CDN (Content Delivery Network), DNS management. | Website traffic inspection. Metadata of IP addresses, timestamps, and network traffic. |
Mailgun Technologies Inc. | United States of America | Provider of email services. | All customer account information needed for provisioning, and email data. |
Pusher | United Kingdom | Live messaging function between customers and end-users. | All customer account information needed for provisioning, and chat data. |
Qualtrics LLC | United States of America | Quality assurance surveys | No personal data is intentionally processed. |
Pinecone Systems, Inc. | United States of America | Message analysis, identifying relevant help articles from a vector database. | Customer and end-user communication data. |
OpenAI, L.L.C. | United States of America | Creating product content, generating and searching knowledge base content, and processing communications and chat transcripts. | Text and media supplied by the customer and the customer’s customer(s), customer account information, product content and activity metadata, and chat transcripts. |
GoDaddy Operating Company LLC | United States of America | Service provider of internal platforms and data centers. Selected products and services supported in The Netherlands, Singapore & USA. (e.g. Hosting and Server products, Email, Authentication, CRM, Network & DNS Services.) | Product content and customer account information needed for product and service provisioning |