This Data Processing Agreement (“DPA”) forms part of the Agreement between “Customer” and SignalSync and reflects the parties’ agreement with regard to the processing of Personal Data in accordance with applicable Data Protection Laws and Regulations.

1. Definitions.

For the purposes of this DPA, capitalized terms shall have the meanings detailed below. Capitalized terms not otherwise defined shall have the meaning given to them in the Agreement (the Terms and Conditions for the Services).

(a) “Customer’s Personal Data” means any personal data that is processed by SignalSync on behalf of the Customer to perform the Services under the Agreement.

(b) “Applicable Data Protection Laws” means the GDPR, as transposed into domestic legislation of each Member State (and the United Kingdom) and as amended, replaced or superseded from time to time, and laws implementing, replacing or supplementing the GDPR and all laws applicable to the collection, storage, processing, and use of Customer’s Personal Data, and, if the case, in relation to the Customer, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.

(c) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(d) “SignalSync Infrastructure” means (i) SignalSync’s physical facilities; (ii) hosted cloud infrastructure; (iii) SignalSync’s corporate network and the non-public internal network, software, and hardware necessary to provide the Services and which is controlled by SignalSync; in each case to the extent used to provide the Services.

(e) “Restricted Transfer” means a transfer of the Customer’s Personal Data from SignalSync to a sub-processor where such transfer would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Data Protection Laws) in the absence of appropriate safeguards required for such transfers under Applicable Data Protection Laws.

(f) “Services” means the services provided by SignalSync to the Customer pursuant to the Agreement.

(g) “EU Standard Contractual Clauses” means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the current version as at the date of this DPA is as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council).

(h) “UK Addendum” means the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf(i) The terms “consent“, “controller“, “data subject“, “Member State“, “personal data“, “personal data breach“, “processor“, “sub processor“, “processing“, “supervisory authority” and “third party” shall have the meanings ascribed to them in article 4 of the GDPR.

2. Compliance with Applicable Data Protection Laws

(a) SignalSync and the Customer shall each comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws and shall procure that their employees, agents and contractors observe the provisions of the Applicable Data Protection Laws.

3. Details and Scope of the Processing

(a) The Processing of the Customer’s Personal Data within the scope of the Agreement shall be carried out in accordance with the following stipulations and as required under Article 28(3) of the GDPR. The parties may amend this information from time to time, as the parties may reasonably consider necessary to meet those requirements.

(i) Subject matter and duration of the processing of Personal Data: The subject matter of the processing of the Personal Data is set out in the Agreement. The duration of the processing of Personal Data may commence on the date of signature by both parties of this DPA and shall terminate with the termination of the services under the Agreement.

(ii) The nature and purpose of the processing of Personal Data: Under the Agreement, SignalSync provides services to the Customer which involves the processing of personal data. Such processing activities include (a) providing the Services; (b) the detection, prevention and resolution of security and technical issues; and (c) responding to Customer’s support requests.

(iii) The types of Personal Data to be processed: The personal data submitted, the extent of which is determined and controlled by the Controller in its sole discretion, includes first name, last name, email, telephone numbers, IP address and other personal data.

(b) SignalSync shall only process the Customer’s Personal Data (i) for the purposes of fulfilling its obligations under the Agreement and (ii) in accordance with the documented instructions described in this DPA or as otherwise instructed by the Customer from time to time. Such Customer’s instructions shall be documented in the applicable order, services description, support ticket, other written communication or as directed by Customer using the Services (such as through an API or control panel).

(c) Where SignalSync reasonably believes that a Customer instruction is contrary to the provisions of the Agreement or this DPA, or that it infringes the GDPR or other applicable data protection provisions, it shall inform the Customer without delay. In both cases, SignalSync shall be authorized to defer the performance of the relevant instruction until it has been amended by the Customer or is mutually agreed by both Customer and SignalSync.

4. Controller and Processor

(a) For the purposes of this DPA, the Customer is the controller of the Customer’s Personal Data and SignalSync is the processor of such data, except when the Customer acts as a processor of the Customer’s Personal Data, in which case SignalSync is a sub-processor.

(b) SignalSync shall at all times have in place an officer who is responsible for assisting the Customer (i) in responding to inquiries concerning the Data Processing received from Data Subjects; and, (ii) in completing all legal information and disclosure requirements which apply and are associated with the Data Processing. The Data Protection Officer may be contacted directly at info@signalsync.ai.

(c) SignalSync shall ensure that persons authorised to process the personal data (including but not limited to the employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(d) The Customer warrants that:

(i) The processing of the Customer’s Personal Data is based on legal grounds for processing, as may be required by Applicable Data Protection Laws and that it has made and shall maintain throughout the term of the Agreement all necessary rights, permissions, registrations and consents in accordance with and as required by Applicable Data Protection Laws with respect to SignalSync’s processing of the Customer’s Personal Data under this DPA and the Agreement;

(ii) it is entitled to and has all necessary rights, permissions and consents to transfer the Customer’s Personal Data to SignalSync and otherwise permit SignalSync to process the Customer’s Personal Data on its behalf, so that SignalSync may lawfully use, process and transfer the Customer’s Personal Data in order to carry out the Services and perform SignalSync’s other rights and obligations under this DPA and the Agreement;

(iii) it will inform its Data Subjects about its use of Processors in Processing their Personal Data, to the extent required under Applicable Data Protection Laws; and,

(iv) it will respond in a reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data.

(v) it will provide all required instructions to the Processor in a timely, sufficiently clear and in detailed manner in either written or electronic form;

5. Confidentiality

(a) SignalSync shall ensure that each of its, and sub-processors’, personnel that is authorized to process the Customer’s Personal Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and are trained with the relevant security and Data Protection requirements.

6. Technical and Organizational Measures

(a) SignalSync shall, in relation to the Customer’s Personal Data, (a) take and document, as appropriate, reasonable and appropriate measures required pursuant to Article 32 of the GDPR in relation to the security of the SignalSync Infrastructure and the platforms used to provide the Services as described in the Agreement, and (b) on reasonable request at the Customer’s cost, assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Article 32 of the GDPR.

(b) SignalSync’s internal operating procedures shall comply with the specific requirements of an effective Data Protection management.

7. Data Subject Requests

(a) SignalSync provides specific tools in order to assist customers in replying to requests received from data subjects. These include our APIs and interfaces to search event data, suppressions, and retrieve message content. When SignalSync receives a complaint, inquiry or request (including requests made by data subjects to exercise their rights pursuant to Applicable Data Protection Laws) related to the Customer’s Personal Data directly from data subjects, SignalSync will notify in writing the Customer within fourteen (14) days from the receipt of the complaint, inquiry or request. Taking into account the nature of the processing, SignalSync shall assist the Customer, by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising such data subjects’ rights.

8. Personal Data Breaches

(a) SignalSync shall notify the Customer without undue delay once SignalSync becomes aware of a personal data breach affecting the Customer’s Personal Data. SignalSync shall, taking into account the nature of the processing and the information available to SignalSync, use commercially reasonable efforts to provide the Customer with sufficient information to allow the Customer at the Customer’s cost, to meet any obligations to report or inform regulatory authorities, data subjects and other entities of such personal data breach to the extent required under Applicable Data Protection Laws. The Customer agrees that SignalSync may not notify the Customer of security-related events that do not result in a Personal Data Breach.

9. Data Protection Impact Assessments

(a) SignalSync shall, taking into account the nature of the processing and the information available, provide reasonable assistance to the Customer at the Customer’s cost, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.

10. Audits

(a) SignalSync shall make available to the Customer on reasonable request, information that is reasonably necessary to demonstrate compliance with this DPA.

(b) Customer, or a mandated third party auditor, may upon written reasonable request conduct an inspection in relation to the Processing of the Customer’s Personal Data by SignalSync and to the extent necessary according to Data Protections Laws and without interrupting SignalSync’s business operations and ensuring confidentiality.

(c) The audit right as described in Paragraph 10(b) above will become applicable for the Customer, in case SignalSync has not provided sufficient evidence of its compliance with the technical and organizational measures. Sufficient evidence includes providing either: (i) a certification as to compliance with ISO 27001, ISO 27701 or other standards implemented by SignalSync (scope as defined in the certificate); or (ii) an audit or attestation report of an independent third party. An audit as described within this Paragraph 10 shall be carried out at the Customer’s cost and expense.

11. Return or Destruction of the Customer’s Personal Data

(a) The Customer may, by written notice to SignalSync, request the return and/or certificate of deletion of all copies of the Customer’s Personal Data in the control or possession of SignalSync and sub-processors. SignalSync shall provide a copy of the Controller’s Data in a form that can be read and processed further.

(b) Within ninety (90) days following termination of the account, the Processor shall delete and/or return all Personal Data processed pursuant to this DPA. This provision shall not affect potential statutory duties of the Parties to preserve records for retention periods set by law, statute or contract. SignalSync may retain electronic copies of files containing Customer’s Personal Data created pursuant to automatic archiving or back-up procedures which cannot reasonably be deleted. In these cases, SignalSync shall ensure that the Customer’s Personal Data shall be securely isolated and protected from any further processing, except to the extent required by applicable law.

(c) Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement shall be borne by the Customer.

12. Data Transfers

(a) The Standard Contractual Clauses and, if required, the UK Addendum, having SignalSync act as data importer with the Customer acting as data exporter are incorporated as part of this DPA. If SignalSync’s arrangement with a sub-processor involves a Restricted Transfer, SignalSync shall ensure that the onward transfer provisions of the Standard Contractual Clauses and/or UK Addendum are incorporated into the Agreement, or otherwise entered into, between SignalSync and the sub-processor. The Customer agrees to exercise its audit right in the Standard Contractual Clauses by instructing SignalSync to conduct the audit set out in Paragraph 10.

(b) Controller acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Processor may transfer Personal Data within its company group. These transfers are necessary to globally provide the Services, and are justified for internal administration purposes.

(c) For transfers of Personal Data from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of Data Protection within the meaning of Data Protection Laws of the foregoing territories, to the extent such transfers are subject to Data Protection Laws and Regulations and in order to implement appropriate safeguards, the following safeguards are taken: (i) Standard Contractual Clauses as per European Commission’s Decision 2021/914/EU of June 4, 2021, (2) UK Addendum, and (3) additional safeguards with respect to security measures including data encryption, data aggregation, separation of access controls and data minimization principles.

13. Sub-processing

(a) The Customer hereby authorizes SignalSync to appoint sub-processors in accordance with this Paragraph 13 and Annex 1, subject to any restrictions in the Agreement. SignalSync will ensure that sub-processors are bound by written agreements that impose them data protection obligations substantially similar to those contained in this DPA as to provide at least the level of data protection required of SignalSync by this DPA. SignalSync may continue to use those sub-processors already engaged as at the date of this DPA.

(b) SignalSync shall give the Customer prior written notice of the intention to appoint of any new sub-processor. If, within ten (10) business days of receipt of that notice, the Customer notifies SignalSync in writing of any objections on reasonable grounds to the proposed appointment, SignalSync shall not appoint that proposed sub-processor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken. If SignalSync and the Customer are not able to resolve the appointment of a sub-processor within a reasonable period, either party shall have the right to terminate the Agreement for cause.

(c) This paragraph does not apply to the following ancillary services, namely telecommunication services, postal or transport services, maintenance and user support tools. SignalSync shall, however, be obligated to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the Data protection and Data security of the Customer’s Data even for these outsourced ancillary services.

(d) SignalSync shall be responsible for the acts and omissions of any sub-processors as it is to the Customer for its own acts and omissions in relation to the matters provided in this DPA.

14. Liability and indemnity

(a) The Customer shall be liable for damages to concerned data subjects which are caused by processing of personal data which is not compliant with the Applicable Data Protection Laws and which are not caused by SignalSync acts or omissions.

5.2. Notwithstanding anything else agreed between the Parties, each Party (the First Party) shall indemnify the other Party (the Second Party) and hold such Second Party harmless from and against all claims, damages, losses, fines or other expenses whatsoever arising from any breach or default in the performance of any data protection obligation(s) that the First Party had to perform under the terms of the Agreement and this DPA and from and against all reasonable costs, legal fees, expenses and liabilities incurred in the defence of any claim or any action or proceeding brought thereon.

15. Governing law and jurisdiction

(a) The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.

(b) This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

16. Order of precedence

(a) With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

17. Severance

(a) Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

18. Termination

(a) This DPA and the Standard Contractual Clauses will terminate contemporaneously and automatically with the termination of the Agreement.

(b) Any amendment or variation to this DPA shall not be binding on the Parties unless set out in writing and signed by authorised representatives of each of the Parties.