Data Protection Addendum
This Data Protection Addendum (“DPA”) is incorporated to and forms part of the relevant agreement (the “Agreement”) between Mediar, Inc. d/b/a Screenpipe (“Screenpipe”) and customer (“Customer”) pursuant to the Agreement under which ScreenPipe provides the Services to Customer. Capitalized terms used but not defined in this DPA shall have the meaning as set forth in the Agreement. ScreenPipe and Customer may also be referred to hereunder as a “Party” or, collectively, the “Parties”.
Definitions
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
“Customer Personal Data” means Personal Data that is provided by Customer or otherwise collected via the Services on behalf of the Customer, and is not Services Data.
“Data Protection Laws” mean all laws applicable to the Processing of Customer Personal Data.
“Data Subject” means any individual about whom Customer Personal Data may be Processed under this DPA.
“Personal Data” means “personal data,” “personal information,” “personally identifiable information,” or an equivalent term under Data Protection Laws.
“Process” or “Processing” means any operation or set of operations performed on Customer Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Services” means the services provided by ScreenPipe to Customer pursuant to the Agreement.
“Services Data” means data that relates to ScreenPipe’s relationship with Customer, including (i) contact information of individuals authorized by Customer to access Customer’s account; (ii) any data ScreenPipe may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations; (iii) Service use data collected in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
RELATIONSHIP BETWEEN THE PARTIES. The Parties acknowledge that for purposes of any Customer Personal Data processed pursuant to the Agreement, Customer is a Controller and ScreenPipe is a Processor. The Parties will Process Customer Personal Data in accordance with the Agreement and applicable Data Protection Laws.
CUSTOMER OBLIGATIONS. Customer represents and warrants that its collection of Customer Personal Data and disclosure to ScreenPipe complies with Data Protection Laws, and that Customer has provided all notices and obtained all consents required by Data Protection Laws – including but not limited to notices and consents required under applicable wiretapping and workplace recording laws – to enable ScreenPipe to Process Customer Personal Data for the purposes set out in the Agreement, including Annex I to this DPA.
INSTRUCTIONS. ScreenPipe will Process Customer Personal Data only (i) in accordance with Customer’s instructions as documented in the Agreement, including Annex I to this DPA; and (ii) as needed to comply with applicable law, in which case ScreenPipe will inform Customer before Processing Customer Personal Data unless applicable law prohibits such information on important grounds of public interest. ScreenPipe shall not be required to act on any Customer instruction that could (in ScreenPipe’s reasonable opinion) cause ScreenPipe to breach applicable law. ScreenPipe will inform Customer if it believes that any Customer instructions regarding Customer Personal Data Processing would violate applicable Data Protection Law.
SECURITY. ScreenPipe will implement technical and organizational measures designed to protect Customer Personal Data against anticipated threats or hazards to its security, confidentiality, or integrity. ScreenPipe will require persons that ScreenPipe authorizes to Process Customer Personal Data to protect the confidentiality of the information.
SECURITY INCIDENTS. ScreenPipe will notify Customer without undue delay whenever ScreenPipe learns that there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data that results in compromise of the privacy, security, integrity or availability of Customer Personal Data (“Security Incident”), unless prohibited by applicable law or otherwise instructed by law enforcement or a supervisory authority. ScreenPipe will make reasonable efforts to identify the cause of such Security Incident and take steps it deems necessary and reasonable in order to remediate such Security Incident and provide information about the Security Incident to Customer to enable Customer to comply with its obligations under Data Protection Laws, to the extent the Security Incident is within ScreenPipe’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws).
RETURN OR DISPOSAL. Following completion of the Services, ScreenPipe will destroy and/or return all Customer Personal Data to Customer within 120 days, unless applicable law requires or authorizes storage of Customer Personal Data by ScreenPipe.
AUDITS; INQUIRIES. Upon Customer’s reasonable request (to be exercised no more than once a year, unless required more frequently by a supervisory authority) ScreenPipe will make available for Customer’s review copies of certifications or reports demonstrating ScreenPipe’s compliance with its obligations under this DPA. If the provision of reports or certifications is not reasonably sufficient under Data Protection Laws, ScreenPipe will allow an independent third party to be mutually agreed on by the Parties to conduct an audit or inspection of ScreenPipe’s data security infrastructure and procedures that is sufficient to demonstrate ScreenPipe’s compliance with its obligations under this DPA, provided that (i) Customer provides 60 days’ prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to ScreenPipe’s business; (ii) such audit shall only be performed during business hours and occur no more than once per calendar year; and (iii) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation reimbursing ScreenPipe for any time expended for on-site audits. All information provided will be ScreenPipe’s Confidential Information and may not be disclosed without ScreenPipe’s prior written consent, except as required by applicable law.
SUB-PROCESSORS. Customer authorizes ScreenPipe to transfer Customer Personal Data to sub-processors for purposes of providing the Services to Customer. ScreenPipe will maintain a list of the sub-processors and will provide this list to Customer upon request. Annex III lists ScreenPipe’s current list of sub-processors. ScreenPipe will provide Customer 14 days’ prior notice when adding a sub-processor to this list and the opportunity to object to such addition on grounds relating to privacy and data protection. If ScreenPipe does not receive an objection within 14 days of the notice, the sub-processor is deemed to be accepted by Customer. In the event Customer objects to a new sub-processor on the basis of reasonable data protection concerns, ScreenPipe will discuss such concerns in good faith with Customer to see whether they can be resolved. If the parties are unable to mutually agree to a resolution of such concerns, ScreenPipe or Customer may terminate the Agreement by providing written notice to the other Party. Any termination pursuant to this Section 8 will not affect Customer’s obligation to pay fees incurred prior to the termination. ScreenPipe will enter into an agreement with such sub-processor that includes data protection terms similar to this DPA.
SCREENPIPE ASSISTANCE. At Customer’s reasonable request and taking into account the nature of the Processing and information available to ScreenPipe, ScreenPipe will take reasonable steps: (i) to assist Customer with Customer’s obligation to respond to Data Subjects’ requests to exercise their rights under applicable law by taking appropriate technical and organizational measures; and (ii) in meeting Customer’s compliance obligations to carry out data protection impact assessments and related consultations with supervisory authorities.
CALIFORNIA CONSUMER PRIVACY ACT (CCPA) PROVISIONS
Applicability. The provisions in this Section 10 are applicable solely to the extent that Customer Personal Data pertains to California residents.
Legal Compliance. ScreenPipe will provide the same level of privacy protection for Customer Personal Data of California residents as required of Customer under the CCPA. ScreenPipe will notify Customer in writing if ScreenPipe determines that it can no longer meet its obligations under the CCPA. Customer has the right, upon providing notice to ScreenPipe, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including where ScreenPipe has notified Customer that it can no longer meet its CCPA obligations.
Restriction on Processing. In no event may ScreenPipe: (a) disclose Customer Personal Data of California residents to a third party for monetary or other valuable consideration or disclose Customer Personal Data to a third party for cross-context behavioral advertising; (b) disclose Customer Personal Data of California residents to any third party for the commercial benefit of ScreenPipe or any third party; (c) retain, use, or disclose Customer Personal Data of California residents outside of ScreenPipe’s direct business relationship with Customer or for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by applicable laws; or (d) combine Customer Personal Data of California residents with personal information that ScreenPipe receives from, or on behalf of, other persons, or collects from its own interaction with the Data Subject, except as permitted under applicable laws. ScreenPipe certifies that it understands and will comply with the foregoing restrictions.
DATA TRANSFERS
Restricted Transfers from the EEA. The EU Standard Contractual Clauses (Module 2 Controller to Processor) ((EU) 2021/914) available at https://eur-lex.europa.eu/eli/dec_impl/2021/914 (“EU SCCs”), and incorporated herein by reference, together with the attached Annexes, will apply as completed below to any transfer to ScreenPipe of Customer Personal Data from Customer in the European Economic Area (“EEA”). Notwithstanding the foregoing, the EU SCCs will not apply to the extent the transfer is covered by a decision adopted by a competent authority with jurisdiction over Customer declaring that a jurisdiction meets an adequate level of protection of Customer Personal Data (an “Adequacy Decision”). Signature to the Agreement will be considered a signature to the EU SCCs. The Parties agree that the EU SCCs will be completed as follows:
Optional Clause 7 is removed.
In Clause 9, the Parties agree that Option 2 will apply in accordance with Section 9 (Sub-Processors).
The optional language in Clause 11 is excluded.
In Clause 17, the EU SCCs will be governed by the laws of Ireland.
In Clause 18, any dispute arising from the EU SCCs will be resolved by the courts of Ireland.
In Annex IC, the data protection authority where Customer is located is the competent supervisory authority.
Restricted Transfers from Switzerland. The EU SCCs, as modified in this section, will apply to any transfer to ScreenPipe of Customer Personal Data from Customer in Switzerland where the transfer is not otherwise subject to an Adequacy Decision:
The term “EU Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
References in the EU SCCs to the GDPR are to be understood as references to the Federal Act on Data Protection (FADP).
In Clause 17, the EU SCCs will be governed by the laws of Switzerland.
In Annex IC, the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.
Restricted Transfers from the United Kingdom. Where Customer Personal Data is transferred to ScreenPipe from Customer in the UK and the transfer is not otherwise subject to an Adequacy Decision, the Parties agree:
The provisions of the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”) are herein incorporated by reference and shall apply in full;
In Table 1 of the UK Addendum, the names of the Parties, their roles and their details shall be set out in the attached Annex I;
In Tables 2 and 3 of the UK Addendum, Module 2 of the EU SCCs incorporated into this DPA by reference, including the information set out in the attached Annexes, shall apply; and
In Table 4 of the UK Addendum, either Party may end the UK Addendum.
ANALYTICS DATA. Customer acknowledges and agrees that ScreenPipe may create and derive from Processing related to the Services anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”) and use such Analytics Data for ScreenPipe’s own business purposes.
SERVICES DATA. The Parties acknowledge and agree that ScreenPipe is an independent Controller with respect to Services Data. ScreenPipe will process Services Data in accordance with ScreenPipe’s privacy policy.
LIABILITY. Each Party’s liability towards the other Party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement. Customer acknowledges that ScreenPipe is reliant on Customer for direction as to the extent to which ScreenPipe is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, ScreenPipe will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by ScreenPipe in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
AUTHORIZED AFFILIATES. The Parties acknowledge and agree that, by executing the DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its affiliates. Each affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an affiliate shall be deemed a violation by Customer. Customer shall remain responsible for coordinating all communication with ScreenPipe under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its affiliates.
MODIFICATIONS. If required by applicable law, ScreenPipe may modify this DPA with respect to such requirements with the provision of written notice to Customer.
CONFLICTS; ENFORCEABILITY. If any provision of this DPA is held to be invalid or unenforceable by any court of competent jurisdiction, such holding will not invalidate or render unenforceable any other provision of this DPA or any other contract between Customer and ScreenPipe. This DPA supplements the Agreement. This DPA will control in the event of any inconsistency between the Agreement and this DPA. Any other provisions of or obligations under the Agreement that are otherwise unaffected by this DPA will remain in full force and effect. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, do not or would not satisfy either Party’s obligations under the laws applicable to each Party, the Parties will negotiate in good faith upon an appropriate amendment to this DPA.
Annex I
LIST OF PARTIES AND DESCRIPTION OF TRANSFER
A. LIST OF PARTIES
Data exporter(s):
Name |
Customer |
|---|---|
Role (controller/processor) |
Controller |
Data importer(s):
Name |
Mediar, Inc. |
|---|---|
Role (controller/processor) |
Processor |
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is transferred |
Customer’s employees, contractors, and other authorized users. |
|---|---|
Categories of Personal Data transferred |
Personal Data submitted by Customer, including Personal Data contained in on-device screen, audio, and OS activity through captured workflows. |
Categories of sensitive Personal Data transferred |
Sensitive Personal Data submitted by Customer contained in on-device screen, audio, and OS activity through captured workflows. |
The frequency of the transfer |
Continuous basis. |
Nature and purpose of the processing |
Performing the Agreement, this DPA and/or other contracts executed by the Parties, including providing the Services to Customer. |
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period |
Personal Data will be retained for the period required to perform the Services under the Agreement unless a longer period is permitted or required by applicable law. |
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the Processing |
See description above. |
ANNEX II
SECURITY MEASURES
A description of our security measures is provided in our Trust Center.
ANNEX III
LIST OF SUBPROCESSORS
A list of our subprocessors is provided in our Trust Center.