TORII DATA PROCESSING ADDENDUM
This Data Processing Agreement (“DPA”) is made and entered into as of the date last signed below and forms part of Torii’s Service Agreement (available at https://toriihq.com/terms) or other commercial agreement between the Parties (the “Agreement”). This DPA indicates that the entity accepting the Agreement, as listed in the applicable Order Form (”You”, ”Your”, “Customer”, or “Data Controller”) are entering into a binding legal agreement with Torii Software, Inc. (if Customer is located within the United States) or Torii Labs Ltd. (if Customer is located outside the United States), together with its affiliates (hereinafter “Torii”, “Us”, “We”, “Our”, “Service Provider” or “Data Processor”). The purpose of this DPA is to reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) by Torii on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
By using Torii’s services (the “Services”), Customer accepts this DPA and you represent and warrant that you have full authority to bind the Customer and its Authorized Affiliates to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.
The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1. DEFINITIONS
1.1“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 “Authorized Affiliate” means any of Customer’s Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and Torii, but has not signed its own agreement with Torii and is not a “Customer” as defined under the Agreement.
1.3 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq, and its implementing regulations, as may be amended from time to time, including the California Privacy Rights Act.
1.4 The terms, “Controller“, “Member State“, “Processor“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.
1.5 “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
1.6 “Data Protection Laws and Regulations” means all applicable and binding privacy and data protection laws and regulations applicable to the respective party in its role in the providing and/or Processing of Personal Data under the Agreement, including, where applicable, and to the extent Customers’ Personal Data is subject to such laws and regulations, the laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and/or the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, the FADP,the CCPA, the Virginia Consumer Data Privacy Act, and the Colorado Privacy Act, as known or reasonably expected by Torii to be applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
1.7 “FADP” means the Federal Act on Data Protection of 19 June 1992, and as revised as of 25 September 2020, the “Revised FADP.”
1.8 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.9 “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or the equivalent definition under applicable Data Protection Laws and Regulations.
1.10 “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Customer, as updated from time to time or as otherwise made reasonably available by Torii.
1.11 “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws.
1.12 “Standard Contractual Clauses” means (a) where the GDPR applies, the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), or (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (“UK Addendum”).
1.13 “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Torii.
1.14 “Torii Group” means Torii and its Affiliates engaged in the Processing of Personal Data.
1.15 “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, (i) Customer is the Data Controller, (ii) Torii is the Data Processor and that (iii) Torii or members of the Torii Group may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. For the avoidance of doubt, this DPA does not apply with respect to Processing involving Personal Data of which Torii is a Controller, which shall be governed by Torii’s Privacy Notice available at: https://www.toriihq.com/privacy. For the purposes of the CCPA (and to the extent applicable), Customer is the “Business” and Torii is the “Service Provider” (as such terms are defined in the CCPA), with respect to Processing of Personal Data described in this DPA.
2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, and comply at all times with the obligations applicable to data controllers (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Without limiting the foregoing, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal bases in order to collect, Process and transfer to Torii the Personal Data and to authorize the Processing by Torii of the Personal Data which is authorized in this DPA, including the pursuit of ‘business purposes’ as defined under the CCPA. Customer shall have sole responsibility for the means by which Customer acquired Personal Data. Customer shall defend, hold harmless and indemnify Torii, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation, or infringement by Customer and/or its Users of any Data Protection Laws and Regulations and/or this DPA.
2.3 Torii’s Processing of Personal Data. Subject to the Agreement, Torii shall Process Personal Data in accordance with Customer’s documented instructions as necessary for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide the Services; (ii) Processing for Customer to be able to use the Services; (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iv) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; (v) Processing as required by Union or Member State law to which Torii is subject and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority to which Torii is subject; in such a case, Torii shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
To the extent that Torii cannot comply with an instruction or request for the Processing of Personal Data given by Customer and/or its authorized users or where Torii considers such an instruction or request to be unlawful, Torii (i) shall inform Customer, providing relevant details of the problem, (ii) Torii may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Torii all the amounts owed to Torii or due before the date of termination. Customer will have no further claims against Torii (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph.
Torii will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Torii, to the extent that such is a result of Customer’s instructions.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Torii is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
2.5 Sensitive Data. The Parties agree that the Services are not intended for the processing of Sensitive Data, and that if Customer wishes to use the Services to process Sensitive Data, it must first obtain Torii’s explicit prior written consent and enter into any additional agreements as required by Torii.
2.6 CCPA Standard of Care; No Sale of Personal Information. Torii acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Torii provides to Customer under the Agreement. Torii shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer’s behalf, and shall not retain, use, or disclose any Personal Information (i) for any purpose other than the Permitted Purposes (defined below), and/or (ii) outside of the direct business relationship between the Parties. Torii may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement and this DPA. For the avoidance of doubt, such Processing shall include the pursuit of Business Purposes, including providing Customer with Torii’s SaaS management platform designed to help organizations monitor and optimize the use and cost of SaaS applications (collectively: the “Permitted Purposes“). Torii shall not combine the Personal Information Processed on Customer’s behalf with any information it receives from or processes on behalf of any other parties, by way of logical separation. Torii certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling and/or sharing (as such terms are defined in the CCPA) any Personal Information Processed hereunder without Customer’s prior written consent or instruction, nor taking any action that would cause any transfer of Personal Information to or from Torii under the Agreement or this DPA to qualify as “selling” or “sharing” such Personal Information under the CCPA. Torii shall notify Customer in the event Torii makes a determination that it can no longer meet its obligations under this Section 2.6 and/or the CCPA.
3. RIGHTS OF DATA SUBJECTS. Torii shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to access, correct or delete that person’s Personal Data, a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification or erasure, data portability, objection to the Processing, their right not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against (“Data Subject Request”). Torii may respond to a Data Subject Request without Customer’s consent in order to confirm that such request relates to Customer, to which Customer hereby agrees. Taking into account the nature of the Processing, Torii shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Torii’s provision of such assistance.
4. TORII PERSONNEL. Torii shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality and non-disclosure. Torii may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable Data Protection Laws and Regulations (in such a case, Torii shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s) and accountant(s), investors or potential acquirers.
5. AUTHORIZATION REGARDING SUB-PROCESSORS
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Torii’s Affiliates may be used as Sub-processors; and (b) Torii and/or Torii’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Torii makes available to Customer the current list of Sub-processors used by Torii to process Personal Data on Torii’s website at: https://info.toriihq.com/torii-sub-processors (“Sub-processor List”). The Sub-processor List as of the date of execution of this DPA is hereby deemed authorized by Customer. Customer may find on Torii’s webpage accessible via https://info.toriihq.com/torii-sub-processors a mechanism to subscribe to notifications of new Sub-processors, to which Customer shall subscribe, and if Customer subscribes, Torii shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
5.2 Objection Right for New Sub-processors. If Torii provides notice of a new Sub-processor, Customer may reasonably object to Torii’s use of the new Sub-processor for reasons related to the GDPR by notifying Torii promptly in writing at [email protected] within three (3) business days after receipt of Torii’s notice, and such written objection shall include the reasons related to the GDPR for objecting to Torii’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business days following Torii’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Torii will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Torii is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Torii without the use of the objected-to new Sub-processor by providing written notice to Torii, provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Torii. Until a decision is made regarding the new Sub-processor, Torii may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Torii due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.3 Agreements with Sub-processors. Torii or a Torii’s Affiliate on behalf of Torii will enter into a written agreement with each Sub-processor containing appropriate safeguards to the protection of Personal Data. Where Torii engages a Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-processor by way of a contract, in particular obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Torii shall remain responsible for the performance of the Sub-processor’s obligations.
6. SECURITY
6.1 Controls for the Protection of Personal Data. Taking into account the state of the art, Torii shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Customer. Upon the Customer’s request, Torii will use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing, the nature of the processing and the information available to Torii.
6.2 Third-Party Certifications and Audits. Upon fourteen (14) days prior written request at reasonable intervals (but no more than once every 12 month period), and subject to the confidentiality obligations set forth in the Agreement and this DPA, Torii shall make available to Customer, or its independent third-party auditor, that is not a competitor of Torii, a copy or a summary of Torii’s then most recent third-party audits or certifications, as applicable (which shall constitute Torii’s Confidential Information), and provided that the copy or a summary, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose whatsoever. At Customer’s cost and expense, Torii shall allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Torii) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation personal data, that does not belong to Customer.
7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws and Regulations, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Torii or its Sub-processors of which Torii becomes aware (a “Personal Data Incident”). Torii shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Torii deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Torii’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or anyone who uses the Services on Customer’s behalf. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
8. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, Torii shall, at the choice of Customer, delete or return the Personal Data to Customer within up to six (6) months after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Torii may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Torii’s customers.
9. TRANSFERS OF DATA
9.1 Transfers from the EEA, Switzerland and the United Kingdom to countries that offer adequate level of data protection. Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
9.2 Transfers from the EEA, Switzerland and the United Kingdom to other countries. If the Processing of Personal Data by Torii includes a transfer (either directly or via onward transfer):
9.2.1 from the EEA to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR) outside the EEA (“EEA Transfer”), the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply;
9.2.2 from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the UK GDPR) outside the UK (“UK Transfer”), the terms set forth in the UK Addendum as incorporated by Part 2 of Schedule 2 (UK Cross Border Transfers) shall apply;
9.2.3 from Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined under the GDPR) outside Switzerland (“Switzerland Transfer”), the terms set forth in Part 3 of Schedule 2 (Switzerland Cross Border Transfers) shall apply;
9.2.4 the terms set forth in Part 4 of Schedule 2 (Additional Safeguards) shall apply to any of such transfers.
10. AUTHORIZED AFFILIATES
10.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Torii. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
10.2 Communication. The Customer shall remain responsible for coordinating all communication with Torii under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
11. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION. Upon Torii’s reasonable request, Torii shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Torii. Torii shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 11 to the extent required under the GDPR or the UK GDPR, as applicable.
12. TERMINATION. This DPA (including without limitation, any applicable Standard Contractual Clauses) shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. For clarity, this DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
13. RELATIONSHIP WITH AGREEMENT. This DPA is part of the Agreement and shall be governed by the terms contained therein, including all limitations of liability set forth therein. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.
The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA on behalf of itself and its Authorized Affiliates. You, as the signing person on behalf of Customer, represent and warrant that you have, or you were granted, full authority to bind the Organization and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind your organization and/or its Authorized Affiliates, you shall not supply or provide Personal Data to Torii.
Customer enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that Torii processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.
***
SCHEDULE 1 – DETAILS OF THE PROCESSING
1. Subject matter
Torii will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
2. Nature and Purpose of Processing
● Providing the Service(s) to Customer.
● Setting up an account/account(s) for Customer.
● Setting up profile(s) for users authorized by Customers.
● For Customer to be able to use the Services.
● For Torii to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
● Performing the Agreement, this DPA and/or other contracts executed by the Parties.
● Providing support and technical maintenance, if agreed in the Agreement.
● Resolving disputes.
● Enforcing the Agreement, this DPA and/or defending Torii’s rights.
● Management of the Agreement, the DPA and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation;
● Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing; and
● All tasks related with any of the above.
3. Duration of Processing
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Torii will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
4. Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
● Email
● User Names
● SaaS usage
● IP Address
● Profile image
● SaaS licenses
● Position
● Department, group, site
● Manager, subordinates
The Customer and the Data Subjects shall provide the Personal Data to Torii by supplying the Personal Data to Torii’s Service.
In some limited circumstances Personal Data may also come from others sources, for example, in the case of anti-money laundering research, fraud detection or as required by applicable law. For clarity, Customer shall always be deemed the “Data Controller” and Torii shall always be deemed the “data processor” (as such terms are defined in the GDPR).
5. Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
● Employees and contractors of Customer and any other person Customer allows to interact with its business applications
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Cross Border Transfers
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Torii as the data controller of the Personal Data and Vendor is the data processor of the Personal Data.
3. Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
4. Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 5.2 of the DPA..
5. In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
6. In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
7. In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
8. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
Data Exporter: Customer.
Contact details: As detailed in the Agreement.
Data Exporter Role: Module Two: The Data Exporter is a data controller.
Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Torii Labs Ltd.
Contact details: As detailed in the Agreement.
Data Importer Role: Module Two: The Data Importer is a data processor.
Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
9. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
The categories of data subjects are described in Schedule 1 (Details of Processing) of this DPA.
The categories of personal data are described in Schedule 1 (Details of Processing) of this DPA.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in Schedule 1 (Details of Processing) of this DPA.
The purpose of the processing is described in Schedule 1 (Details of Processing) of this DPA.
The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Schedule 1 of the DPA.
10. Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
The Security Documentation referred to in the DPA serves as Annex II of the Standard Contractual Clauses.
11. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – UK Cross Border Transfers
Table 1: The Parties: as stipulated in Section 8 of Part 1 of this Schedule 2.
Table 2: Selected SCCs, Modules and Selected Clauses: as stipulated in Part 1 of this Schedule 2.
Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the EU SCCs (other than the Parties), and which for this Part 2 is set out in Part 1 to this Schedule 2.
Entering into this Part 2:
1. Each Party agrees to be bound by the terms and conditions set out in this Part 2, in exchange for the other Party also agreeing to be bound by this Part 2.
2. Although Annex 1.A and Clause 7 of the EU SCCs require signature by the Parties, for the purpose of making UK Transfers, the Parties may enter into this Part 2 in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Part 2. Entering into this Part 2 will have the same effect as signing the EU SCCs and any part of the EU SCCs.
Interpretation of this Part 2:
3. Where this Part 2 uses terms that are defined in the EU SCCs, those terms shall have the same meaning as in the EU SCCs. In addition, the following terms have the following meanings:
| Addendum EU SCCs | The version(s) of the EU SCCs which this Part 2 is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when the Parties are making a UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| EU SCCs | As defined in the DPA |
| ICO | The information commissioner. |
| Part 2 | This Part 2 which is made up of this Part 2 incorporating the Addendum EU SCCs. |
| UK Addendum | As defined in the DPA |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in Section 3 of the Data Protection Act 2018. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
4. This Part 2 must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the EU SCCs in any way which is not permitted under the EU SCCs or this Part 2, such amendment(s) will not be incorporated by this Part 2 and the equivalent provision of the EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Part 2, UK Data Protection Laws applies.
7. If the meaning of this Part 2 is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this DPA has been entered into.
Hierarchy:
9. Although Clause 5 of EU SCCs sets out that the EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for a UK Transfer, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between this Part 2 and the Addendum EU SCCs (as applicable), this Part 2 overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the provisions of this Part 2.
11. Where this Part 2 incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Part 2 impacts those Addendum EU SCCs.
Incorporation and changes to the EU SCCs:
12. This Part 2 incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the EU SCCs; and
c. this Part 2 (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 below will apply.
14. No amendments to the EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Part 2, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.8(i) is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
e. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
f. References to Regulation (EU) 2018/1725 are removed;
g. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
h. Clause 13(a) and Part C of Annex I are not used;
i. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
j. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
k. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
l. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
m. The footnotes to the EU SCCs do not form part of this Part 2, except for footnotes 8, 9, 10 and 11.
Amendments to this Part 2
16. The Parties may agree to change Clause 17 and/or 18 of this Part 2 to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Tables 1, 2 or 3 of this Part 2, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised UK Addendum which:
a. Makes reasonable and proportionate changes to the UK Addendum, including correcting errors in the UK Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised UK Addendum will specify the start date from which the changes to the UK Addendum are effective and whether the Parties need to review this Part 2 including the Appendix Information. This Part 2 is automatically amended as set out in the revised UK Addendum from the start date specified.
19. If the ICO issues a revised UK Addendum under Section 18,if any Party will as a direct result of the changes in the UK Addendum have a substantial, disproportionate and demonstrable increase in
a. its direct costs of performing its obligations under this Part 2; and/or
b. its risk under this Part 2,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Part 2 at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised UK Addendum.
20. The Parties do not need the consent of any third party to make changes to this Part 2, but any changes must be made in accordance with its terms.
PART 3 – Switzerland Cross Border Transfers
The Parties agree that the EU SCCs as amended by Part 1 of this Schedule 2, shall be adjusted as set out below where the Federal Act on Data Protection of 19 June 1992 (the “FADP”, and as revised as of 25 September 2020, the “Revised FADP”) applies to Switzerland Transfers:
1. References to the EU SCCs means the EU SCCs as amended by this Part 3;
2. The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) shall be the sole Supervisory Authority for Switzerland Transfers exclusively subject to the FADP;
3. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP with respect to Switzerland Transfers.
4. References to Regulation (EU) 2018/1725 are removed.
5. Switzerland Transfers subject to both the FADP and the GDPR, shall be dealt with by the EU Supervisory Authority named in Part 1 of this Schedule 2;
6. references to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
7. Where Switzerland Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP;
8. Where Switzerland Transfers are subject to both the FDPA and the EU GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA insofar as the Switzerland Transfers are subject to the FADP;
9. The Swiss SCCs also protect the Personal Data of legal entities until the entry into force of the Revised FADP.
PART 4 – Additional Safeguards
1. In the event of an EEA Transfer, a UK Transfer or a Switzerland Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
a. The data importer (as defined in Part. 1 of this Schedule 2) shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the data exporter (as defined in Part. 1 of this Schedule 2) to the data importer and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
b. The data importer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR the UK GDPR, or the FADP including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
c. If the data importer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
i. The data importer shall inform the relevant government authority that the data importer is a processor of the Personal Data and that the data exporter has not authorized the data importer to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the data exporter in writing;
ii. The data importer will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the data importer’s control. Notwithstanding the above, (a) the data exporter acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the data importer has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, the data importer shall notify the data exporter, as soon as possible, following the access by the government authority, and provide the data exporter with relevant details of the same, unless and to the extent legally prohibited to do so.
2. Once in every 12-month period, the data importer will inform the data exporter, at the data exporter’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.
