This Data Processing Addendum (“DPA”) is part of and incorporated into the Terms of Service between Customer and Truepic (the “Agreement”).
This DPA reflects the parties’ agreement with regard to the processing of Personal Data pursuant to the Agreement and in accordance with applicable Data Protection Laws.
DEFINITIONS. The following capitalized terms shall have the meanings set forth below. All capitalized terms that are not defined in this DPA shall have the meanings ascribed to such terms in the Agreement.
“Affiliate” means any entity that is controlled by, controls, or is under common control with a party for so long as such relationship exists. For purposes of this definition, “control” means (i) beneficial ownership (direct or indirect) of at least fifty percent (50%) of the equity interests of the subject entity entitled to vote in the election of directors (or, in the case of an entity that is not a corporation, in the election of the corresponding managing authority) or (ii) any other arrangement whereby an entity controls or has the right to control the board of directors or equivalent governing body of the subject entity, or the ability to cause the direction of the management or policies of such subject entity.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the General Data Protection Regulation (EU) 2016/679 and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time (“GDPR”); (b) the UK GDPR as defined by the Data Protection Act 2018; (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”) as well as any regulations promulgated by the California Attorney General’s office and/or the California Privacy Protection Agency; (d) Canada’s Personal Information Protection and Electronic Documents Act and (e) any other applicable privacy or data protection laws in any relevant jurisdiction.
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable person that is subject to the Data Protection Laws as specified in Annex I, including but not limited to any personal information as defined by the CCPA.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission or other applicable regulatory authority.
“Security Breach” has the meaning set forth in Section 7 of this DPA.
“Sub-processor” means any sub-processor engaged by Truepic for the Processing of Personal Data.
“Third Party Partner” means any entity engaged by Customer for the Processing of Personal Data other than Truepic.
ROLES OF THE PARTIES IN PROCESSING OF PERSONAL DATA
To the extent the Services involve the Processing of Personal Data governed under Data Protection Laws, the parties agree that Customer is the Data Controller and Truepic is a Data Processor and that the subject matter and details of the processing of such Personal Data are described in Annex I. To the extent that CCPA applies to the Services, the parties agree that Truepic is a service provider of such Personal Data. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Truepic shall keep a record of all processing activities with respect to Customer’s Personal Data as required under GDPR.
Each party will comply with the obligations applicable to it under applicable Data Protection Laws with respect to the processing of Personal Data, including but not limited to providing the other party contact details for each party’s Data Protection Officer which are accurate and up to date. Customer shall Process Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with applicable Data Protection Laws. If Truepic believes or becomes aware that any of Customer’s instructions conflicts with any Data Protection Laws, Truepic shall inform Customer and may suspend performance of the applicable instruction until Customer confirms or modifies the instruction. Truepic shall not be liable for any delays or failures resulting from actions it takes in compliance with this Section 2.2. As between the parties, Customer shall have sole responsibility for determining the legal basis for Processing of Personal Data and for obtaining all legally required consents from Data Subjects necessary for collection, storage (e.g., via HTTP cookies) and Processing of Personal Data by Truepic. Both parties shall post a publicly facing privacy policy in compliance with Data Protection Laws and shall adhere to such policy during the term of the Agreement.
The objective of Processing of Personal Data by Truepic is the performance of the Services pursuant to the Agreement. Truepic shall only Process Personal Data on behalf of and in accordance with the Agreement and Customer’s instructions and shall treat such Personal Data as Confidential Information. Customer instructs Truepic to Process Personal Data for the following purposes (each a permitted purpose): (i) Processing in accordance with the Agreement; (ii) Processing in order to establish the digital provenance and authenticity of certain photos and videos as directed by Customer; and (iii) Processing to comply with other reasonable instructions provided by Customer where such instructions are acknowledged by Truepic as consistent with the terms of the Agreement. Truepic may Process Personal Data other than on the instructions of Customer if it is mandatory under applicable law but otherwise shall not sell such Personal Data and may not share Personal Data except as instructed in writing by Customer. In this situation Truepic shall inform Customer of such a requirement unless the law prohibits such notice. Both parties agree that Customer instructions may include Customer directing Truepic to send data to one or more Third Party Partner(s) for further processing.
RIGHTS OF DATA SUBJECTS; DATA DELETION
Truepic shall provide reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under a Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a Data Subject in connection with the processing of the Data.
If Truepic receives any request from a Data Subject directly, Truepic will promptly inform Customer of such request and will not process such request without Customer’s prior authorization unless legally required to do so.
If Customer requires Truepic’s assistance with Data Subject requests beyond the reasonable assistance contemplated in Section 3.1, or if requests are manifestly unfounded, excessive, or repetitive, Truepic may charge Customer reasonable fees for such assistance based on then-current professional services rates, subject to Customer’s reasonable approval.
TRUEPIC PERSONNEL
Truepic shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
Truepic will take appropriate steps to ensure compliance with the Security Measures outlined in Annex II by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Truepic.
Truepic shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
SUB-PROCESSORS
Customer acknowledges and agrees that Truepic may engage Affiliates and third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Truepic has retained them to provide and are prohibited from using Personal Data for any other purpose. Truepic will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.
A list of Sub-processors is available in Annex III. Truepic may change the list of Sub-processors with thirty (30) days’ notice to Customer (which notice may be by email or posting on Truepic’s website at the URL in Annex III). Customer may object to Truepic’s change in such Sub-processors on reasonable data protection grounds by notifying Truepic in writing within fourteen (14) days of Truepic’s notice. If Truepic and Customer cannot resolve the objection through commercially reasonable efforts, Truepic may (without liability to Customer) terminate the portion of the Agreement relating to the Services that cannot reasonably be provided without the objected-to new Sub-processor. In the event of such termination, the parties shall negotiate in good faith regarding a partial refund for Customer. If Customer does not object within the fourteen (14) day period following notice by Truepic, Customer shall be deemed to have consented to the new Sub-processors.
Truepic shall be liable for the acts and omissions of its Sub-processors to the same extent Truepic would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
Customer acknowledges and agrees that Third Party Partners are not Truepic’s Sub-processors and Truepic assumes no responsibility or liability for the acts or omissions of such Third Party Partners.
Truepic shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer’s Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing Customer’s Personal Data as well as the risks of processing Customer’s Personal Data, Truepic will implement and maintain appropriate technical and organizational measures to protect Customer’s Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These shall include, at a minimum, those measures described in Annex II (the “Security Measures”). As described in Annex II, the Security Measures include measures to protect Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Truepic’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Truepic may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Truepic will (taking into account the nature of the processing of Customer Personal Data and the information available to Truepic) assist Customer in ensuring compliance with any of Customer’s obligations with respect to the security of Personal Data and Personal Data breaches applicable to GDPR, including (if applicable) Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Annex II, and (b) complying with the terms of Section 7 of this DPA.
No more than once per year, Customer may engage a mutually agreed upon third party to audit Truepic solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the GDPR. To request an audit, Customer must submit a detailed audit plan at least thirty (30) days in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to security@truepic.com. The auditor must execute a written confidentiality agreement acceptable to Truepic before conducting the audit. The audit must be conducted during regular business hours, subject to Truepic’s policies, and may not unreasonably interfere with Truepic’s business activities. Any audits shall be at Customer’s sole expense.
Any request for Truepic to assist with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer shall compensate Truepic for any time spent for any such audit at then-current professional services rates, which shall be mutually agreed upon by the parties. Before the commencement of any such audit, Customer and Truepic shall mutually agree upon the scope, timing, and duration of the audit in addition to the compensation rate for which Customer shall be responsible. All compensation rates shall be reasonable, taking into account then-current professional services rates and the resources expended by Truepic.
Customer shall promptly notify Truepic with information regarding any non-compliance discovered during the course of an audit.
SECURITY BREACH MANAGEMENT AND NOTIFICATION
If Truepic becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on Truepic’s equipment or facilities (“Security Breach”) which, in the reasonable opinion of Truepic’s Data Protection Officer, requires notification to Customer, Truepic will promptly notify Customer of the Security Breach. Notifications made pursuant to this Section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps Truepic recommends Customer take to address the Security Breach.
Customer agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Customer’s Personal Data or to any of Truepic’s equipment or facilities storing Customer’s Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Truepic selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Truepic’s support systems at all times.
Truepic’s notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by Truepic of any fault or liability with respect to the Security Breach.
Truepic shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk with respect to Customer’s Personal Data. As technical and organizational measures are subject to technological development, Truepic is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Law.
Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer’s Personal Data as well as the risks of processing Customer’s Personal Data) the Security Measures provide a level of security appropriate to the risk in respect to Customer Personal Data.
RETURN AND DELETION OF CLIENT DATA
Truepic will enable Customer to delete Customer’s Personal Data in a manner consistent with the functionality of the Services. This use will constitute an instruction to Truepic to delete the relevant Customer’s Personal Data from Truepic’s systems in accordance with Data Protection Laws. Truepic will comply with instructions from Customer to delete Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless a Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
On termination or expiration of the Agreement, Customer may instruct Truepic to delete all Customer’s Personal Data (including existing copies) from Truepic’s systems and discontinue processing of such Customer’s Personal Data in accordance with Data Protection Laws. Truepic will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless a Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that Truepic has archived Customer’s Personal Data on back-up systems so long as Truepic securely isolates and protects such data from any further processing except to the extent required by applicable law. Without prejudice to this Section, Customer acknowledges and agrees that Customer will be responsible for exporting, before the Agreement terminates or expires, any Customer’s Personal Data it wishes to retain afterwards. On Customer’s request, Truepic will provide written confirmation of deletion of Customer’s Personal Data in accord with this section.
Truepic may retain Personal Data to the extent required by applicable law, and only to the extent and for such period as required by applicable law. Any Personal Data retained shall remain subject to the confidentiality obligations in the Agreement and shall be processed only as necessary to comply with such legal obligation.
CROSS-BORDER DATA TRANSFERS
Truepic may, subject to this Section 9, store and Process the relevant Personal Data in the European Economic Area, Switzerland, the United Kingdom and the United States.
If the Services involve the storage and/or Processing of Customer’s Personal Data which transfers such Personal Data out of the European Economic Area or Switzerland to a jurisdiction that does not have adequate Data Protection Laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the parties agree that the Standard Contractual Clauses will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Customer and Truepic, the parties agree that: (a) Roles of the Parties: Customer is a Data Controller and “data exporter” and Truepic is the Data Processor and “data importer” under the Standard Contractual Clauses, (b) Governing Law and Supervisory Authority: The Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established and enforced by the Supervisory Authority of such EU Member State. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of an EU Member State that does allow for third-party beneficiary rights. In such case, the Parties agree that this shall be the laws of Ireland; (c) Sub-Processors: the parties select general written authorization for Sub-processors; (d) Redress: The parties elect to omit the optional text; and (e) Annex I, II and III are provided at the end of this DPA and to the extent that there is a conflict as between the DPA and any Annex, the Annex shall govern.
The parties further agree that if Transferred Personal Data includes Personal Data from Data Subjects located in the United Kingdom, and the Data Protection Laws apply to the transfers of such data, both parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the DPA in the form approved by the UK Information Commissioner’s Office (as amended or updated from time to time) (“UK Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this DPA. For the purposes of the UK Standard Contractual Clauses, Annexes I, II and III of this Addendum shall take the place of Annexes I, II and III, respectively of the UK Standard Contractual Clauses.
At Customer’s written request, or if the Services involve the storage and/or processing of Customer’s Personal Data collected from persons located in Argentina, Brazil or another jurisdiction not described above but which restricts the transfer of such Personal Data (each a “Restricted Transfer Country”) outside of each Restricted Transfer Country to a place that does not have adequate data protection laws, the parties agree to execute each applicable Restricted Transfer Country’s model clause agreement to ensure that such transfers are conducted in accordance with Data Protection Laws.
To the extent Customer is the recipient of Personal Data from Truepic pursuant to this DPA, Customer agrees that Customer will provide at least the same level of protection for the information as Truepic has agreed to provide herein.
If the Standard Contractual Clauses or any other model clause transfer agreement are deemed invalid by a governmental authority with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such governmental authority imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified transfer mechanism.
LIABILITY
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, Truepic’s total liability for all claims arising out of or related to this DPA shall not exceed the limitation amounts set forth in the Agreement.
MISCELLANEOUS
Term. This DPA shall commence on the effective date of the Agreement and shall remain in effect for so long as Truepic Processes Personal Data on behalf of Customer, or until the Agreement is terminated, whichever is later.
No Third-party Beneficiaries. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
Governing Law. Except where the Standard Contractual Clauses specify otherwise, this DPA shall be governed by the same law and dispute resolution provisions that govern the Agreement.
Order of Precedence. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement, the provisions of this DPA shall prevail. Notwithstanding the foregoing, the Standard Contractual Clauses (if applicable) shall prevail over any conflicting provisions of this DPA and the Agreement.
Amendments. Truepic may update this DPA from time to time to reflect changes in Data Protection Laws, guidance from supervisory authorities, or industry best practices. Truepic shall provide Customer with at least thirty (30) days’ prior written notice of any material changes to this DPA. Customer’s continued use of the Services after the effective date of such changes constitutes acceptance of the updated DPA.
Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be replaced with a valid and enforceable provision that most closely achieves the intended economic effect of the original provision.
Notices. Unless specifically provided for otherwise, all notices under this DPA shall be provided in accordance with the notice provisions of the Agreement.
ANNEXES TO DPA
ANNEX I: DATA PROCESSING DETAILS
Data exporter – The data exporter is Customer
Data importer – The data importer is Truepic, Inc., a company that provides a digital provenance and authenticity platform to Customer.
Purpose of Processing – As described in the Agreement.
Data subjects – The personal data transferred concern the following category of data subjects: Customer’s End-Users as well as Customer and Truepic personnel to the extent necessary to provide the Services.
Categories of data – The personal data transferred concern the following categories of personal data:
The name, email address, phone number, user ID and login information of Customer’s End Users.
GPS Coordinates, Physical Address, IP Address.
In order to manage the Agreement, Truepic will process Personal Data from Customer’s employees and other personnel such as name, title, email address, telephone number and (for billing purposes) Customer’s payment details. Customer will process Personal Data from Truepic’s employees and other personnel such as name, title, email address, telephone number.
Special categories of data (if appropriate): None.
Processing operations – The personal data transferred will be subject to the following basic processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, alignment or combination, restriction, erasure or destruction.
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
Set forth below is a summary description of the technical and organizational Security Measures implemented by Truepic:
Access control to premises and facilities: Truepic is a fully remote company without physical offices or facilities.
Access control to systems: Truepic uses standard personal computers which are managed by mobile device management (MDM). Each employee has his own account secured with a password and encrypted. In order to access the platform, which is hosted by Amazon Web Services (AWS), access is determined by AWS and Okta SSO including multi-factor authentication (MFA). These accounts are managed by Truepic’s Security Team who ensure that only employees who need to access the platform at Truepic can do so.
Access control to data: Admission control is performed by Truepic’s Security Officer, who, for example, creates, manages and terminates user accounts for employees as needed. Each account can be assigned with specific user roles with role specific admissions.
Disclosure control: All Truepic employees sign a non-disclosure agreement as part of their working contract. In addition, all employees sign a data privacy statement according to CCPA and GDPR data privacy law under which they undertake to comply with data secrecy requirements. Furthermore, data is encrypted with Virtual Private Network (VPN) and Secure Sockets Layer (SSL) technology when transferred between Truepic’s systems.
Input control: Truepic’s Security Officer regularly checks the logs of deployed systems and software. The Security Officer checks the plausibility of log entries, errors and warnings usually issued by respective systems. Depending on the configured log level, the logs give insights on data manipulation within the systems and, depending on the system, by whom the data has actually been changed or manipulated.
Job control: The wording of applicable agreements, such as the Terms of Service, defines the responsibilities between Truepic and Customer and ensures that all commissioned data processing must be carried out according to such agreements or Customer instructions. Where Sub-contractors are employed, Truepic carefully selects Sub-contractors and requires them to demonstrate their measures in terms of data security and privacy.
Availability control: Truepic has installed data backups to ensure the availability of Customer data. Data such as addresses, emails and calendars are stored and backed-up by respective service providers. Furthermore, Truepic deploys antivirus software on its computers. The antivirus software is updated on a regular basis. Firewalls provided by the operating systems are also activated for protection.
Segregation control: Truepic’s employees are instructed to only access data that is necessary to do their work. Truepic’s Security Officer manages master accounts to access the systems on which the Unified Intelligence Platform (UIP) is operated and to process Customer data so that such data cannot be accessed by all Truepic employees.
ANNEX III: SUB-PROCESSORS
LIST OF SUB-PROCESSORS
Customer authorizes Truepic to engage the following Sub-processors:
Current List Available At: https://trust.truepic.com/subprocessors
Truepic shall maintain an up-to-date list of Sub-processors at the URL specified above and shall update this list in accordance with the terms of this DPA.