(CONTROLLER-PROCESSOR)
This Data Processing Addendum ("Data Processing Addendum" or "DPA") is entered into by and among Weavy Inc. or its applicable affiliate who is a party to the Agreement ("Service Provider" or "Weavy") and the Customer who is a party to the Agreement ("Customer"), becoming effective as of the Commencement Date of the Agreement.
1. SCOPE
- Customer and the Service Provider are parties to the Agreement, as defined below, to which this Data Processing Addendum applies and constitutes a part thereof. If Service Provider processes personal data, or if Service Provider has access to personal data in the course of its performance of Service Provider's services under the Agreement (the "Services"), Service Provider shall comply with the terms and conditions of this Data Processing Addendum ("Data Processing Addendum" or "DPA").
- Service Provider shall qualify as the Data Processor, as this term is defined under Data Protection Laws (or as the Service Provider, if the CCPA applies, as such term is defined in the CCPA). Customer acknowledges and agrees that as the Controller (or as the Business, if the CCPA applies, as such term is defined in the CCPA), it is responsible for the legal basis of Processing hereunder, including obtaining any necessary consents in accordance with the requirements of Data Protection Laws.
- All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
2. DEFINITIONS
All capitalized terms not defined in this Data Processing Addendum have the meanings set forth in the Agreement.
- "Agreement" means the agreement(s) and/or purchase order(s) between Customer and the Service Provider which involve Service Provider having access to or otherwise processing personal data;
- "Approved Jurisdiction" means a member state of the European Economic Area ("EEA"), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm;
- "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- "Data Protection Laws" means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or federal or national level, pertaining to data privacy, data security and/or the protection of personal data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), the Privacy and Electronic Communications Directive 2002/58/EC (and local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (the "ePrivacy Directive"), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act of 2020 and the regulation enacted thereunder ("CCPA"), and any amendments or replacements to the aforementioned;
- "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council pursuant to GDPR art. 46;
- The terms "data subject", "personal data", "process", "processing" and "Special Categories of Data" herein shall have the meaning ascribed to them in the GDPR. Where applicable, a data subject shall be deemed a "consumer" as this term is defined under the CCPA.
3. DATA PROTECTION AND PRIVACY
- If Service Provider has access to or otherwise processes personal data, then Service Provider shall:
  - only process the personal data in accordance with Customer's documented instructions and on its behalf, and in accordance with the Agreement and this Data Processing Addendum, including such processing as required for regulatory compliance purposes in connection with the Services;
  - take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and process, personal data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Processing Addendum and any Data Protection Laws (or Service Provider's own written binding policies are at least as restrictive as this Data Processing Addendum);
  - assist Customer as needed to cooperate with and respond to requests from supervisory authorities, data subjects, customers, or others to provide information (including details of the services provided by Service Provider) related to Service Provider's processing of personal data;