Data Processing Addendum
SQLwallet Data Processing Addendum
This Data Processing Addendum (the “Addendum”) amends the terms and forms part of the SQLwallet Cloud Terms of Service or other agreement governing your use of the applicable SQLwallet Cloud Product(s) (the “Agreement”) by and between you and the applicable SQLwallet Entity from which you are purchasing the Cloud Products. This Addendum will be effective as of the date we receive a complete and executed Addendum from the Customer indicated in the signature block below in accordance with the instructions under Sections I and II below (the “Effective Date”). This Addendum shall apply to personal data processed by SQLwallet on your behalf in the course of providing the Cloud Products to you (“Customer Personal Data”).
The scope and duration, as well as the extent and nature of the collection, processing and use of Customer Personal Data under this Addendum shall be as defined in the Agreement. The term of this Addendum corresponds to the duration of the Agreement.
A. This Addendum has been pre-signed on behalf of the applicable SQLwallet Entity. To enter into this Addendum, you must:
i. be a customer of the Cloud Products;
ii. complete the signature block below by signing and providing all items identified as “Required”; and
iii. submit the completed and signed Addendum to SQLwallet as instructed.
A. This Addendum will only be effective (as of the Effective Date) if executed and submitted to SQLwallet accurately and in full accordance with paragraph I above and this paragraph II. If you make any deletions or other revisions to this Addendum, then this Addendum will be null and void.
B. Customer signatory represents to SQLwallet that he or she has the legal authority to bind Customer and is lawfully able to enter into contracts (e.g., is not a minor).
C. This Addendum will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this Addendum.
III. DATA PROCESSING TERMS
The parties agree:
1.1 The terms below shall have the following meanings:
“SQLwallet”, “we”, “us”, “our” means the applicable SQLwallet Entity that provides the relevant Cloud Product(s), as designated in the Agreement.
“CCPA” means the California Consumer Privacy Act, as may be amended from time to time, and any rules or regulations implementing the foregoing.
“Cloud Product(s)” means our hosted or cloud-based solutions (currently designated as “Cloud” deployments) provided to you under the Agreement, including any client software we provide as part of the Cloud Products.
“Controller” means the entity which determines the purposes and means of the processing of Personal Data, including as applicable any “business” as defined under the CCPA.
“Customer”, “you”, “your” means the entity listed in the “Customer name” field on the signature block below.
"Customer Personal Data" means the personal data processed by SQLwallet on your behalf in the course of providing the Cloud Products to you.
"data processor", "data subject", "personal data", "processing" and "appropriate technical and organisational measures" as used in this Addendum shall have the meanings given in the GDPR irrespective of whether GDPR or U.S. Data Protection Law applies.
"Data Protection Law" means European Data Protection Law and U.S. Data Protection Law that are applicable to the processing of Customer Personal Data under this Addendum.
“End Users” means an individual you permit or invite to use the Cloud Products. For the avoidance of doubt: (a) individuals invited by your End Users, (b) individuals under managed accounts, and (c) individuals interacting with a Cloud Product as your customer are also considered End Users.
"Europe" means, for the purposes of this Addendum, the member states of the European Economic Area, Switzerland and the United Kingdom.
"European Data Protection Law" means any data protection and privacy laws of Europe applicable to the Customer Personal Data in question, including where applicable (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced from time to time.
“U.S. Data Protection Law” means data protection or privacy laws applicable to Customer Personal Data in force within the United States, including the CCPA.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
“Processor” means the entity which processes Customer Personal Data on behalf of the Controller, including as applicable any “service provider” as defined by the CCPA.
"Standard Contractual Clauses" means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, in the form set out in Annex 4; as amended, superseded or replaced from time to time in accordance with this Addendum.
2. Scope of Data Protection Law. The parties acknowledge that European Data Protection Law and U.S. Data Protection Law will only apply to Customer Personal Data that is covered under definitions contained within those laws.
3. Processing of Personal Data
3.1 In processing your Customer Personal Data, we will comply with Data Protection Law.
3.2 The subject-matter of the data processing is providing the Cloud Products and the processing will be carried out until we cease to provide any Cloud Products to you. Annex 1 of this Addendum sets out the nature and purpose of the processing, the types of Customer Personal Data we process and the data subjects whose Customer Personal Data
3.3 We shall:
3.3.1 per our obligations under Article 28 of GDPR:
a. process the Customer Personal Data only in accordance with documented instructions from you (as set forth in this Addendum or the Agreement or as directed by you through the Cloud Products). If applicable law requires us to process the Customer Personal Data for any other purpose, we will inform you of this requirement first, unless such law(s) prohibit this on important grounds of public interest;
b. notify you promptly if, in our opinion, an instruction for the processing of Customer Personal Data given by you infringes applicable Data
c. make available to you all information reasonably requested by you for the purpose of demonstrating that your obligations relating to the appointment of processors have been met;
d. not engage any subprocessor to process any Customer Personal Data under this Addendum without your prior written consent. You provide general consent under Section 11 of the Standard Contractual Clauses to our appointment of the SQLwallet affiliates and applicable third party subprocessors listed at https://www.SQLwallet.com/legal/subprocessors for the purposes described in this Addendum. We may update the list of approved subprocessors, at which point you will have the opportunity to object within forty-five (45) days by terminating the Agreement for convenience. To receive notice of updates to the list of subprocessors please subscribe at the link provided above. When engaging subprocessors in the processing of Customer Personal Data, we are responsible for the performance of each subprocessor. We will include in our agreement with any such third party subprocessor terms which are at least as favourable to you as those contained herein and as are required by applicable Data Protection Law. We shall use reasonable efforts to require any subprocessor we appoint to allow us to disclose our agreement with the subprocessor to you;
3.3.2 assist you in your obligations under Articles 35 and 36 of GDPR by performing any required data protection impact assessments, and informing any supervisory authority if such assessment indicates that such processing would result in high risk in the absence of measures taken by you to mitigate the risk;
3.3.3 assist you in your obligations under Articles 15 through 18 of GDPR by providing you documentation, product functionality, or processes to assist you in retrieving, correcting, deleting or restricting Customer Personal Data;
3.3.4 ensure that our personnel required to access the Customer Personal Data are subject to a binding duty of confidentiality with regard to such Customer Personal Data;
3.3.5 except as set forth in Section 3.3.1 above, ensure that none of our personnel publish, disclose or divulge any Customer Personal Data to any third party;
3.3.6 upon your written request following the expiration or earlier termination of the Agreement securely delete such Customer Data in our possession in compliance with procedures and retention periods outlined in our Cloud Product specific terms or Trust Center;
3.3.7 on the condition that you have entered into an applicable non-disclosure agreement with us:
(i) allow you and your authorized representatives to access and review up-to-date attestations, certifications, reports or extracts thereof from independent bodies (e.g., external auditors, internal audit, data protection auditors) or other suitable certifications to ensure compliance with the terms of this Addendum; or (ii) where required by Data Protection Law or the Standard Contractual Clauses (and in accordance with this Section 3.3.8), allow you and authorized representatives to conduct audits (including inspections) during the term of the Agreement to ensure compliance with the terms of this Addendum. Notwithstanding the foregoing, any audit must be conducted during our regular business hours, with reasonable advance notice to us and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to you or your authorized representatives, or to allow you or your authorized representatives to access:
a. any data or information of any other SQLwallet customer;
b. any SQLwallet internal accounting or financial information;
c. any SQLwallet trade secret;
d. any information that, in our reasonable opinion, could: 1) compromise the security of our systems or premises; or 2) cause us to breach our obligations under Data Protection Law or our security, confidentiality and/or privacy obligations to any other SQLwallet customer or any third party; or
e. any information that you or your authorized representatives seek to access for any reason other than the good faith fulfilment of your obligations under the Data Protection Law and our compliance with the terms of this Addendum.
f. In addition, audits shall be limited to once per year, unless 1) we have experienced a Security Breach within the prior twelve (12) months which has impacted your Customer Personal Data; or 2) an audit reveals a material noncompliance. If we decline or are unable to follow your instructions regarding audits permitted under this Section 3.3.10 (or the Standard Contractual Clauses, where applicable), you are entitled to terminate this Addendum and the Agreement for convenience.
3.4 If we cannot provide compliance with Clause 5(a) and/or Clause 5(b) of the Standard Contractual Clauses, we shall promptly inform you of our inability to comply, and you may suspend the transfer of data to the affected Cloud Products, provided that you give us notice and a reasonable period of time to cure the non-compliance (“Cure Period”). We will cooperate with you during the Cure Period to identify what additional safeguards or other measures are reasonably required to ensure your compliance with the Standard Contractual Clauses and European Data Protection Law.
4. Processing of Customer Personal Data Subject to U.S. Data Protection Law.
We shall not retain, use, sell or otherwise disclose Customer Personal Data other than as required by law or as needed to provide and support the Cloud Products, as set forth in the Agreement. For purposes of this section 4, the term “sell” shall have the meanings given in the CCPA.
5.1 We shall implement and maintain appropriate technical and organizational measures to protect the Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure in accordance with Annex 2. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and appropriate to the nature of the Customer Personal Data which is to be protected. We may update the technical and organizational measures, provided, however, that such modifications shall not diminish the overall level of security.
5.2 If we become aware of and confirm any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to your Customer Personal Data that we process in the course of providing the Cloud Products (a "Security Breach"), we will notify you without undue delay.
6. Data Transfers.
6.1 Transfer Mechanism. When SQLwallet processes Customer Personal Data under European Data Protection Law in a country that does not ensure an adequate level of protection (within the meaning of applicable European Data Protection Law), the following obligations shall apply:
(i) Standard Contractual Clauses. SQLwallet shall process Customer Personal Data in accordance with the Standard Contractual Clauses in the form set out in Annex 4, which are incorporated into and form a part of this Addendum. The parties agree that for the purposes of the descriptions in the Standard Contractual Clauses, SQLwallet is the "data importer" and Customer is the "data exporter" notwithstanding that Customer may itself be located outside Europe and/or is acting as a processor on behalf of third party controllers. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, in the event of any conflict or inconsistency between the provisions of the Agreement (including this Addendum) and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail to the extent of such conflict.
(ii) Privacy Shield. Although SQLwallet does not rely on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks ("Privacy Shield") as a legal basis for transfers of Customer Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for so long as SQLwallet, Inc. and its covered entities are self-certified to the Privacy Shield we shall continue to process Customer Personal Data in accordance with the Privacy Shield Principles. We will promptly notify you if we make a determination that we can no longer meet our obligations under the Privacy Shield Principles.
6.2 Alternative Transfer Mechanism. If SQLwallet adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or Privacy Shield adopted pursuant to applicable Privacy Laws) for the transfer of Customer Personal Data not described in this Addendum ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this Addendum (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Law and extends to the territories to which Company Personal Data is transferred).
6.3 Disclosures: Each party acknowledges that the other party may disclose this Addendum (including the Standard Contractual Clauses) and any relevant privacy provisions in the Agreement to any relevant regulator or judicial body.
7.1 Customer acknowledges and agrees that as part of providing the Cloud Products and services, SQLwallet has the right to use data relating to or obtained in connection with the operation, support or use of the Cloud Products for its legitimate internal business purposes, such as to support billing processes, to administer the Cloud Products, to improve, benchmark, and develop our products and services, to comply with applicable laws (including law enforcement requests), to ensure the security of our Cloud Products and to prevent fraud or mitigate risk. To the extent any such data is personal data, SQLwallet warrants and agrees that:
it will process such personal data in compliance with Data Protection Law and only for the purposes that are compatible with those described in this Section 7.1; and it will not use Customer Personal Data for any other purpose or disclose it externally unless it has first aggregated and anonymised the data so that it does not identify the Customer or any other person or entity. SQLwallet further agrees that it shall be a Controller and solely responsible and liable for any of its processing of personal data pursuant to this Section 7.1.
7.2 Through use of the Cloud Products, as further described in the Agreement, you or your End Users, as applicable, may elect to grant third parties visibility to your data or content (which may include Customer Personal Data). You also understand that user profile information for the Cloud Products may be publicly visible. Nothing in this Addendum prohibits SQLwallet making visible your data or content (which may include Customer Personal Data) to third parties consistent with this paragraph, as directed by you or your End Users through the Cloud Products.
7.3 In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. This Addendum is subject to the governing law and venue terms in the Agreement, except as otherwise provided in Annex 4.
7.4 Notwithstanding the foregoing, to the extent allowed by applicable law, all liability arising under this Addendum will be governed by the limitations of liability (including the liability caps) in the Agreement.
7.5 Please sign and return the enclosed copy of this Addendum as instructed to acknowledge the supplementation of these terms to the Agreement.
Customer name (Required):
EU Representative (Required only where applicable):
Data Protection Officer (Required only where applicable):
Data Protection Point of Contact: Gleb Kaplan
Contact Details: firstname.lastname@example.org
Name: Gleb Kaplan
Title: CEO and Director
Date: October 12, 2020