This Vectorize Data Processing Agreement (“DPA”) forms a part of the Vectorize Terms (the  “Agreement”) or other agreement(s) entered into between you or the entity which you represent  (“Customer”) and Vectorize, Inc. This DPA governs any processing by Vectorize of Customer  Data that is also Personal Data (“Customer Personal Data”), where applicable, in relation to  Vectorize Products and Services (and as described in Section 1 of Annex 1 as amended from  time to time). This DPA applies to the use by Customer of all Vectorize Products and Services in  order to ensure that adequate safeguards are put in place with respect to the protection of  Personal Data as required by Applicable Privacy Laws.

1. Definitions: In this DPA, the following terms shall have the following meanings:  

(a) “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and  “Process”) and “Special Categories of Personal Data” shall have the meanings  given in Applicable Privacy Law; and 

(b) “Applicable Privacy Law(s)” means the relevant data protection and privacy  law(s) to which each of the parties are subject, including (where relevant) but not  limited to EU/UK Data Protection Laws. 

(c) “EU/UK Data Protection Law(s)” means: (a) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (b) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (c) the EU e-Privacy Directive (Directive 2002/58/EC); and (d) any and all applicable national data protection laws made under or pursuant to or that apply in conjunction with any of (a), (b) or (c) above; as may be amended or superseded from time to time.

(d) “Restricted Transfer” means: (a) where the GDPR applies, a transfer of personal  data from the European Economic Area to a country outside of the European  Economic Area which is not subject to an adequacy determination by the  European Commission; and (b) where the UK GDPR applies, a transfer of  personal data from the United Kingdom to any other country which is not subject  based on adequacy regulations pursuant to Section 17A of the United Kingdom  Data Protection Act 2018; and 

(e) “Standard Contractual Clauses” means (a) where the GDPR applies, the  contractual clauses annexed to the European Commission’s Implementing  Decision 2021/914 of 4 June 2021 on standard contractual clauses for the  transfer of personal data to third countries pursuant to Regulation (EU) 2016/679  of the European Parliament and of the Council (“EU SCCs”); and (b) where the  UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).

2. Customer Personal Data Processing

(a) The type of Customer Personal Data (categories of data) that may be processed  pursuant to this DPA and the subject matter, duration, nature (processing  operations), purpose of the processing, and the categories of Data Subjects, are  to enable Vectorize to supply the Products and Services to the Customer and  fulfill its obligations to the Customer under the Agreement. Customer shall not  make Personal Data, other than such Personal Data necessary for Vectorize to  provide the Products and/or Services, accessible to Vectorize. 

(b) Each of the Customer and Vectorize warrant in relation to Customer Personal  Data that it will where applicable comply (and will procure that any of its staff  and/or Processors comply) with Applicable Privacy Laws and all other applicable laws. 

(c) In respect of the parties’ rights and obligations under the Agreement regarding  the Customer Personal Data, the parties hereby acknowledge and agree that the  Customer is the Controller and Vectorize is the Processor (or where Customer  is a Processor on behalf of a third party Controller, Vectorize shall be a  subprocessor) and accordingly Vectorize agrees that it shall process all Personal  Data in accordance with its obligations pursuant to this DPA. 

3. Vectorize Obligations: With respect to all Customer Personal Data, and insofar as Vectorize processes Customer Personal Data, Vectorize warrants that it shall:

(a) only process the Customer Personal Data in order to provide the Products and/or Services and shall act only in accordance with this DPA and the Agreement;

(b) if applicable laws require Vectorize to process Customer Personal Data other  than pursuant to this DPA, Vectorize will notify the Customer (unless prohibited  from so doing by applicable laws); 

(c) implement appropriate technical and organizational measures to ensure a level  of security appropriate to the risks that are presented by the processing, in  particular protection against accidental or unlawful destruction, loss, alteration,  unauthorized disclosure of, or access to Customer Personal Data (a “Security  Breach”). Such measures include, without limitation, the security measures set  out in Annex II;

(d) take reasonable steps to ensure that only authorized personnel have access to  such Customer Personal Data and that any persons whom it authorizes to have  access to the Customer Personal Data are under obligations of confidentiality; 

(e) as soon as reasonably practicable but no longer than 90 days following  termination or expiry of the Agreement or completion of applicable Product delivery, Vectorize will delete or return to the Customer (at the Customer’s  direction as Controller or on behalf of the third party Controller) all Customer  Personal Data (including copies thereof) processed pursuant to this DPA, unless  required to retain the Customer Personal Data by applicable laws, in an  accessible and machine-readable format; 

(f) if Vectorize becomes aware of a confirmed Security Breach, Vectorize will inform Customer (who, where Customer is a Processor, shall in turn inform its Controller) without undue delay and shall provide the Customer with reasonable information and cooperation so that Customer (or its Controller) can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Privacy Laws;

(g) not make any announcement about a Security Breach (a “Breach Notice”)  without: 

(i) the prior written consent from the Customer (on its behalf or on behalf  of its Controller); and 

(ii) prior written approval by the Customer (on its behalf or on behalf of its  Controller) of the content, media and timing of the Breach Notice, unless required to make a disclosure or announcement by applicable law; 

(h) promptly notify the Customer (who, where Customer is a Processor, shall in turn inform its Controller) if it receives a request from a Data Subject to exercise their rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, as applicable) (a “Data Subject Request”). Unless required by applicable law, Vectorize shall not respond to a Data Subject Request received by Vectorize without the Customer’s prior written consent except to confirm that such request relates to the Customer to which the Customer hereby agrees, and to the extent Customer (or its Controller) does not have the ability to address a Data Subject Request, Vectorize shall upon the Customer’s request provide reasonable assistance to facilitate a Data Subject Request to the extent Vectorize is able to consistent with applicable law (provided that Customer shall pay Vectorize’s costs for providing such assistance at Vectorize’s standard consultancy rates);

(i) provide such assistance as the Customer reasonably requests (taking into  account the nature of processing and the information available to Vectorize) to  the Customer in relation to the Customer’s (or its Controller’s) obligations under  Applicable Privacy Laws with respect to: 

(i) data protection impact assessments (as such term is defined in the  GDPR/UK GDPR); 

(ii) notifications to the supervisory authority under EU/UK Data Protection  Laws and/or communications to data subjects by the Customer (or its Controller) in response to any Security Breach; and 

(iii) the Customer’s (or its Controller’s) compliance with its obligations under  the GDPR/UK GDPR with respect to the security of processing, provided that Customer shall pay Vectorize’s charges for providing such assistance at Vectorize’s standard consultancy rates.

4. Customer Obligations

(a) Customer agrees that, taking into account Vectorize’s obligations under this DPA, Customer is solely responsible for its use of the Vectorize Products and/or Services to ensure:

(i) that unless otherwise directed by Vectorize in writing, Customer shall  not make any Personal Data accessible to or by Vectorize outside of  such Personal Data that is required by Vectorize in order to provide the  Vectorize Products and/or Services; 

(ii) that Customer warrants that it has all and any applicable legal consents  and authority required by any applicable laws to disclose any and all  Personal Data that it shares with Vectorize; 

(iii) Customer warrants that they will not upload any data which is categorized under Data Restrictions under the relevant agreement for Products and/or Services.

(b) Customer shall (and shall require its Controller shall) comply with the obligations  that apply to it under Applicable Privacy Laws. 

5. Sub-processing

(a) The Customer grants a general authorisation on its behalf, and where Customer is a processor, on behalf of the Controller: (a) to Vectorize to appoint other members of the Vectorize Group as subprocessors; and (b) to Vectorize to appoint third party data center operators, providers of information technology tools, and outsourced service providers as subprocessors to support the performance and delivery of the Vectorize Products and/or Services.

(b) Vectorize will maintain a list of relevant subprocessors at the following URL: https://blog.vectorize.io/subprocessors and will add the names of new and replacement Processors as applicable from time to time.

(c) If the Customer has a reasonable objection to any new or replacement  subprocessor, it shall notify Vectorize of such objections in writing within ten (10)  days of the notification and the parties will seek to resolve the matter in good  faith. Vectorize may use a new or replacement subprocessor whilst the objection  procedure in this section is in process. 

(d) Vectorize will ensure that any subprocessor it engages to provide the services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such subprocessor terms substantially similar, with respect to Customer Personal Data, to those imposed on Vectorize in this DPA. Vectorize shall procure the performance by such Data Processor with those terms.

(e) Vectorize remains liable for any breach of this DPA that is caused by an act,  error or omission of its subprocessor, subject to the other terms of the Agreement.  

6. Data Transfers

(a) The Customer acknowledges that the provision of Vectorize Products and/or Services under the Agreement may require the processing of Customer Personal Data by Vectorize and its subprocessor(s) in countries outside the EEA or the UK from time to time.

(b) The parties agree that when the transfer of Customer Personal Data from  Customer (as “data exporter”) to Vectorize (as “data importer”) is a Restricted  Transfer it shall be subject to the appropriate standard contractual clauses as  follows: 

(i) In relation to data that is protected by the GDPR, the EU SCCs will apply  completed as follows: 

(A) Module Two will apply to the extent that Customer is a Controller of the Customer Personal Data, and Module Three will apply to the extent that Customer is a Processor of the Customer Personal Data on behalf of a third party Controller;

(B) in Clause 7, the optional docking clause will apply;  

(C) in Clause 9, Option 2 will apply, and the time period for prior  notice of subprocessor changes shall be as set out in Clause 5  of this Agreement;  

(D) in Clause 11, the optional language will not apply;  

(E) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(F) in Clause 18(b), disputes shall be resolved before the courts of  Ireland;  

(G) Annex I of the EU SCCs shall be deemed completed with the  information set out in Annex I to this DPA;  

(H) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.

(c) In relation to data that is protected by the UK GDPR, the UK Addendum will  apply completed as follows:  

(i) The EU SCCs as set out above in Clause 6(b)(i) of this DPA shall also apply to transfers of such Customer Personal Data, subject to sub-clause (ii) below;

(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.

(d) In the event that any provision of this DPA contradicts, directly or indirectly, the  Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.  

(e) If, in the performance of this DPA and/or the Agreement, Vectorize transfers any Customer Personal Data to a subprocessor (which shall include without limitation any affiliates of Vectorize) and without prejudice to section 4 where such transfer is a Restricted Transfer, Vectorize shall in advance of any such transfer ensure that it has taken such measures as are necessary to ensure the transfer is compliant with EU/UK Data Protection Law and is made pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Customer Personal Data.

(f) Where Standard Contractual Clauses are put in place between Vectorize and a  subprocessor and there is a conflict between the terms of this DPA (as passed  down to the subprocessor) and the Standard Contract Clauses entered into  between Vectorize and the subprocessor, the Standard Contract Clauses will  prevail. 

7. Audit and Records

(a) Vectorize shall, in accordance with and to the extent required by Applicable  Privacy Laws, make available to the Customer such information in Vectorize’s  possession or control as the Customer may reasonably request and which  Vectorize is lawfully entitled to disclose with a view to demonstrating Vectorize’s  compliance with this DPA.  

(b) The Customer may exercise its right of audit under Applicable Privacy Laws,  through Vectorize providing to Customer an audit report provided that the  applicable audit(s): are performed periodically; are assessed against relevant  standards; are conducted by auditors selected by Vectorize but otherwise  conducted with all due and necessary independence and professionalism; and  are documented in a report that affirms that Vectorize’s controls meet the  standards against which they are assessed.  

(c) Vectorize shall further provide detailed written responses (on a confidential  basis) to all reasonable requests for information made by Customer, including  responses to information security and audit questionnaires, that Customer  considers necessary to confirm Vectorize’s compliance with the Applicable  Privacy Laws.  

(d) Customer shall promptly notify Vectorize with information regarding any non-compliance discovered during the course of an audit, and Vectorize shall use commercially reasonable efforts to address any confirmed non-compliance.

8. Miscellaneous

(a) If the Customer (or its Controller) decides that a Security Breach must be notified to any Supervisory Authority and/or Data Subjects and/or the public or portions of the public, the Customer will notify Vectorize before the communication is made by the Customer (or its Controller) and supply Vectorize with copies of any written documentation to be filed with the Supervisory Authority and of any notification the Customer (or its Controller) proposes to make (whether to any Supervisory Authority, Data Subjects, the public or portions of the public) which references Vectorize, its security measures and/or role in the Security Breach, whether or not by name. The Customer will consult with (and require its Controller via the Customer to consult with) Vectorize in good faith and take account of any clarifications or corrections Vectorize reasonably requests to such notifications and which are consistent with the GDPR/UK GDPR.

(b) Vectorize’s liability to the Customer and Customer Group under or in connection  with this DPA shall be subject to the same limitations and exclusions of liability  as apply under the Agreement as if that liability arose under the Agreement.  Nothing in this DPA will limit Vectorize’s liability in respect of personal injury or  death in negligence or for any other liability or loss which may not be limited by  agreement under applicable law.  

(c) This DPA sets out all of the terms that have been agreed between the parties in  relation to the Processing of Customer Personal Data as defined in this DPA.  Other than in respect of statements made fraudulently, no other representations  or terms shall apply or form part of this DPA.  

(d) A person who is not a party to this DPA shall not have any rights to enforce this  DPA including (where applicable) under the Contracts (Rights of Third Parties)  Act 1999 of the United Kingdom to enforce any term of this DPA.  

(e) Should any provision of this DPA be invalid or unenforceable, then the remainder  of this DPA shall remain valid and in force. The invalid or unenforceable provision  shall be either amended as necessary to ensure its validity and enforceability,  while preserving the parties’ intentions as closely as possible or, if this is not  possible, construed in a manner as if the invalid or unenforceable part had never  been contained therein.  

(f) Other than in respect of any accrued liabilities of either party and the provisions  of this section, this DPA shall terminate automatically on the expiry or  termination for whatever reason of the Agreement. Notwithstanding the  foregoing, Vectorize’s obligations hereunder with respect to any Customer  Personal Data processed pursuant to this DPA shall continue until the later of  the expiration or termination of the Agreement or Vectorize’s deletion of  Customer Personal Data.

 

California Consumer Privacy Act Addendum (CCPA-A)

Scope

This CCPA-A is an addendum to the DPA and applies where Vectorize processes Customer Data  of California residents (“CCPA Personal Information”). Vectorize shall not retain, use or disclose  the CCPA Personal Information for any purpose other than for the specific purpose of performing  the Vectorize services, or as otherwise permitted by the CCPA, including retaining, using or  disclosing the CCPA Personal Information for a commercial purpose other than providing the  Vectorize services.  

Capitalized terms shall have the meanings as set out in section 18 of the DPA, except where a term is defined in this CCPA-A in which case the definition in the CCPA-A shall control the meaning of the word.

Conflict Of Terms

This CCPA-A is without prejudice to the rights and obligations of the parties under the Agreement, which shall continue to have full force and effect. In the event of any conflict between the terms of this CCPA-A and the terms of the Agreement and/or DPA, the terms of this CCPA-A shall prevail so far as the subject matter concerns California residents.

This CCPA-A may be updated from time to time by Vectorize.  

Definitions And Interpretation

“California Consumer Privacy Act” or “CCPA” means the “Assembly Bill No.375” enacted by the  legislature, and as amended from time to time of aforementioned legislature, in the state of  California, the United States of America; “CCPA-A” means this “California Consumer Privacy Act  Addendum”;  

“Personal Information” means all data which is defined as “Personal Information” under the  California Consumer Privacy Act and to which the California Privacy Act applies. 

How To Contact Us Regarding This CCPA-A Addendum

For any enquiries please email privacy@vectorize.io.

 

Annex 1

Details of the Personal Data and Processing Activities

A. LIST OF PARTIES

Data exporter:

Name: Customer

Address: As provided for in the Agreement

Contact person’s name, position and contact details: As provided for in the Agreement

Activities relevant to the data transferred under these Clauses: Supply of the products and services as provided for in the Agreement

Role (controller/processor): Controller or Processor acting on behalf of the Controller.

Data importer:

Name: Vectorize, Inc

Address: 1111B S Governors Ave STE 3875, Dover, DE 19904

Contact person’s name, position and contact details: Chris Latimer, CEO, privacy@vectorize.io

Activities relevant to the data transferred under these Clauses: Providing the services set out in the Agreement.

Role (controller/processor): Processor or Subprocessor

 

B. DESCRIPTION OF TRANSFER

The Customer acknowledges that the processing of Customer Personal Data by Vectorize will include all Customer Personal Data uploaded to the Products for the purpose of Vectorize provisioning the Products to Customer. The description of the processing and transfer of Customer Personal Data is set out below and is subject to change or modification pursuant to Section 2(a) of this DPA.

Vectorize Cloud Software Services

Categories of data subjects whose personal data is transferred

The categories of data subjects are determined and controlled by Customer in its sole discretion and may include: 

(i) Customers’ employees involved in the procurement and receipt of the Vectorize products and services; and

(ii) other data subjects whose Personal Data is contained within any data made available to Vectorize by Customers or its Affiliates.

Categories of personal data transferred

The categories of personal data transferred are determined and controlled by the Customer, in its sole discretion, subject to any applicable conditions or restrictions under the Agreement. 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

     

Sensitive data transferred is determined and controlled by the Customer, in its sole discretion, subject to any applicable conditions or restrictions under the Agreement.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous Basis

Nature of the processing

  1. providing support, maintenance and advice in relation to Vectorize’s Software;

  2. providing consultancy services in relation to Vectorize’s Software;

  3. the provision of any other Vectorize products and services; product and customer account management activities including relevant outreach activities and information provision; and

  4. where applicable to the service, providing database administration and management services including providing supporting services such as search, advanced replication, tiered storage, and analytics; and

  5. anonymising Customer Personal Data to create a non-personal dataset for Product and/or Service development and improvement purposes.

Purpose(s) of the data transfer and further processing

To enable Vectorize, Inc. to provide the services set out in the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Until the earliest of: (i) the expiry/termination of the Agreement; or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement (to the extent applicable).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing 

As specified at https://blog.vectorize.io/subprocessors

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Details of the technical and organizational measures for the protection of Customer Data can be found at https://blog.vectorize.io/technical-security-measures