Data Processing Agreement
(Revised February 2024)
This Data Processing Agreement and its Exhibits (“DPA”) reflects the parties’ agreement with respect to the processing of Personal Data by Skarbe, Inc. and/or its Affiliates (collectively, “Skarbe”) and you, the Customer, (“Customer” or “you”) in connection with the subscription of Skarbe’s products and/or services under Skarbe’s Terms of Use available at website, or other written agreement, between you and Skarbe (also referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, a Proposal or an executed amendment to the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. In the event of inconsistencies between any provision of this DPA and any provision of the Agreement, the provisions of this DPA shall prevail. In the event of conflict between the Standard Contractual Clauses (SCCs) and this DPA, the SCCs shall prevail.
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership of or authority to direct more than 50% of the voting interests of the subject entity.
“Applicable Privacy and Data Protection Laws ” means all applicable privacy and data protection laws and regulations, including laws and binding regulations that apply to the Processing of Personal Data under the Agreement, or to the privacy of electronic communications, including, to the extent applicable, (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the EU e-Privacy Directive (Directive 2002/58/EC), (ii) in respect of the United Kingdom the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"), (iii) the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199.95), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102), and any related regulations or guidance provided by the California Attorney General (“CCPA” or “CPRA”), (iv) the state laws of Colorado, Virginia, Utah, Connecticut and any other U.S. states that are applicable to the Processing of Personal Data, and
(iv) the Swiss Federal Data Protection Act ("FADP"), (v) Brazilian General Data Protection Law (“LGPD”), (vi) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any legislation or regulations implementing, replacing, amending or made pursuant to such laws (in each case as may be amended or superseded from time to time).
“Controller” shall have the meanings given to them under Applicable Privacy and Data Protection Laws.
“Controller Affiliate” means any of Customer's Affiliate(s) (i) that are subject to Applicable Privacy and Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (ii) permitted to use Skarbe’s products and/or services pursuant to the Agreement between Customer and Skarbe, but have not signed their own Order Form and are not a “Customer” as defined under the Agreement.
“Customer Data” means (unless otherwise defined in the Agreement in which case the definition in the Agreement shall apply), all data and information provided by Customer, its Affiliates and its customers to Skarbe in relation to Skarbe’s provision of the products and/or services including without limitation message text, files, comments, links and profile information. “Customer Data” does not include non-Skarbe products and/or services.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
"EEA" means the European Economic Area.
“Personal Data” means any information that relates to an identified or identifiable natural person or to an identified or identifiable legal entity, to the extent that such information is protected as personal data or personally identifiable information under Applicable Privacy and Data Protection Laws and such data submitted is Customer Data. “Personal Data” as used herein only applies to Personal Data for which Skarbe is a Processor.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” shall have the meanings given to them under Applicable Privacy and Applicable Privacy and Data Protection Laws.
“Skarbe Inc.” means Skarbe, Inc., a corporation incorporated in Delaware.
“Skarbe” means, collectively, Skarbe Inc. and its Affiliates engaged in the Processing of Personal Data.
“Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data originating from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data originating from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss Data Protection Act applies, a transfer of Personal Data originating from Switzerland to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
“Security Practices” means Skarbe’s “Security Practices Datasheet”, as updated from time to
time, and currently accessible at Exhibit 2.
“Standard Contractual Clauses” or “SCCs” (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council, (the "EU SCCs") and which are hereby incorporated into this DPA; (ii) where the UK GDPR applies, the International Transfer Addendum or Addendum to the EU SCCs for international data transfers issued under Section 119A of the Data Protection Act 2018 and approved by UK Parliament on 21 March 2022 (“International Data Transfer Addendum") and which is hereby incorporated into this DPA; and (iii) where the Swiss Data Protection Act applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs"), in each case as completed as described in Section 11 below. For the purposes of the EU SCCs and the International Transfer Addendum, if applicable, (a) Customer shall be the 'data exporter and Skarbe the 'data importer.
“Sub-processor” means any entity engaged by Skarbe and/or its Affiliates to Process Personal Data in connection with Skarbe’s products and/or services.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR for the EU; the Information Commissioner’s Office (‘ICO’) in the United Kingdom; or the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland; the National Data Protection Authority (ANPD) in Brazil or the Privacy Commissioner of Canada in Canada
PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Skarbe is the Processor. Skarbe may engage Sub-processors pursuant to the requirements set forth in Article 4 “Sub-processors” below to Process such Personal Data.
2.2.Processing of Personal Data. Customer shall have sole responsibility for the accuracy and quality of Personal Data, the means by which Customer acquired such Personal Data and ensure compliance with laws as it relates to the foregoing. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities that Customer may elect to use and that it will do so in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data. Skarbe will be entitled to rely solely on Customer’s instructions relating to Personal Data Processed by Skarbe.
2.3. Skarbe’s Processing of Personal Data. With respect to Personal Data Processed by Skarbe as Customer’s Processor, Skarbe shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by authorized users in their use of Skarbe’s products and/or services; and (iii) Processing to comply with other reasonable instructions provided by Customer in writing (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”). Skarbe shall not disclose Personal Data to third parties except: (i) to employees, service providers, or advisers who have a need to know the Personal Data and are under confidentiality obligations at least as restrictive as those described under this DPA, or (ii) as required to comply with valid legal process in accordance with the terms of the Agreement. If Skarbe has reason to believe Customer’s instructions infringe the GDPR, UK GDPR, other EEA data protection provisions, the CCPA/CPRA or other applicable US state or federal laws, then Skarbe will promptly notify Customer. Customer acknowledges and agrees that Skarbe collects cumulative, anonymized data and analytics pertaining to its customers including without limitation Customer (“Unidentifiable Data”), and, provided that such Unidentifiable Data Subject is and will remain unidentifiable, the data is not subject to the deletion requirement set forth in Paragraph 7 (“Return and Deletion of Client Data”) herein.
2.4. Details of the Processing. Skarbe agrees that it will Process the Personal Data in relation to the Purpose and the provision of Skarbe’s products and/or services. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit 3 attached hereto and incorporated herein.
3. RIGHTS OF DATA SUBJECTS & DATA SUBJECT REQUESTS
3.1. Skarbe shall, to the extent legally permitted, promptly notify Customer if Skarbe receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, Skarbe shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Applicable Privacy and Data Protection Laws. In addition, to the extent Customer, in its use of Skarbe’s products and/or services, does not have the ability to address a Data Subject Request, Skarbe shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Skarbe is legally permitted to do so and the response to such Data Subject Request is required under Applicable Privacy and Data Protection Laws. If appliable and to the extent legally permitted, Customer shall be responsible for any costs arising from Skarbe’s provision of such assistance, including without limitation any fees associated with provision of additional functionality.
SUB-PROCESSORS
4.1. Appointment of Sub-processors. Customer acknowledges and agrees that (a) Skarbe’s Affiliates may be retained as Sub-processors; and (b) Skarbe and Skarbe’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the products and/or services. As a condition to permitting a third-party Sub-processor to Process Personal Data, Skarbe or a Skarbe Affiliate will enter into a written agreement with each Sub-processor
containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor. Customer acknowledges that Skarbe, Inc. is located in the United States and provides Skarbe’s products and/or services to Customer. Customer agrees to enter into the SCCs and acknowledges that Sub-processors may be appointed by Skarbe in accordance with Clause 9 of the SCCs incorporated herein.
4.2. List of Current Sub-processors and Notification of New Sub-processors. The then-current list of Sub-processors Skarbe uses to provide the products and/or services, including the identities of those Sub-processors and their country of location, which may be updated by Skarbe from time to time, but not less than annually when applicable, upon advance written notice to Customer.
4.3. Objection Right for New Sub-processors. Customer may reasonably object to Skarbe’s use of a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate Applicable Privacy and Data Protection Laws or weaken the protections for such Personal Data) by notifying Skarbe promptly in writing within 30 business days after Customer becomes aware of such change. Such notice shall include the date the Customer became aware of the new Sub- processor and explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Skarbe will use commercially reasonable efforts to make available to Customer a change in Skarbe’s products and/or services or recommend a commercially reasonable change to Customer’s configuration or use of Skarbe’s products and/or services to avoid Processing of Personal Data by the objected-to new Sub- processor without unreasonably burdening Customer. If Skarbe is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days from the date Skarbe receives written notice from Customer, either party may terminate without penalty the applicable Order Form(s) with respect only to those Skarbe’s products and/or services which cannot be provided by Skarbe without the use of the objected-to new Sub-processor by providing written notice to the other party advising of such termination. Skarbe will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Skarbe products and/or services, without imposing a penalty for such termination on Customer.
4.4. Liability. Skarbe shall be liable for the acts and omissions of its Sub-processors to the same extent Skarbe would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
SECURITY
5.1. Controls for the Protection of Customer Data. Skarbe shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Customer Data, as set forth in the Security Practices located at Skarbe.com/security.
6. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
Skarbe shall maintain commercially reasonable security incident management policies and procedures specified in the Security Practices. Skarbe shall notify Customer without undue delay of any breach relating to Personal Data (within the meaning of Applicable Privacy and Data Protection Laws) of which Skarbe becomes aware and which may require a notification to be made to a Supervisory Authority or Data Subject under Applicable Privacy and Data Protection Laws or which Skarbe is required to notify to Customer under Applicable Privacy and Data Protection Laws (a “Customer Data Incident”). Taking into account the nature of Processing and the information available to Skarbe and in accordance with the Agreement, Skarbe shall provide commercially reasonable cooperation and assistance in identifying the cause of such Customer Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within Skarbe’s control. The obligations herein shall not apply to incidents that are caused by Customer, Customer’s authorized users and/or any non-Skarbe products and/or services.
7. RETURN AND DELETION OF CUSTOMER DATA
Skarbe agrees to preserve the confidentiality of any retained Customer Data for the duration of the Agreement only and will only actively Process such Customer Data after such date if agreed to by the parties or to otherwise comply with applicable laws. This Section 7 shall not apply to Unidentifiable Data, as defined herein.
CONTROLLER AFFILIATES
8.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement and/or Order Form and this DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates, thereby establishing a separate DPA between Skarbe and each such Controller Affiliate subject to the provisions of the Agreement. Each Controller Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, a Controller Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Skarbe products and/or services by Controller Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by a Controller Affiliate shall be deemed a violation by Customer and Customer shall be liable for such violation.
8.2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Skarbe under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.
8.3. Rights of Controller Affiliates. If a Controller Affiliate becomes a party to the DPA with Skarbe, it shall, to the extent required under Applicable Privacy and Data Protection Laws, also be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
8.3.1. Except where Applicable Privacy and Data Protection Laws require the Controller Affiliate to exercise a right or seek any remedy under this DPA against Skarbe directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Controller Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Controller Affiliate individually but in a combined manner for all of its Controller Affiliates together (as set forth, for example, in Section 8.3.2, below).
1.3.2. The parties agree that the Customer that is the contracting party to the Agreement shall, if 8arrying out an audit of the Skarbe procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Skarbe by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Controller Affiliates in one single audit.
9. SKARBE PERSONNEL
9.1. Confidentiality. Skarbe shall use commercially reasonable efforts to ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Skarbe shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
9.2. Reliability. Skarbe shall take commercially reasonable steps to ensure the reliability of any Skarbe personnel engaged in the Processing of Personal Data.
9.3. Limitation of Access. Skarbe shall ensure that Skarbe’s access to Personal Data is limited
to those personnel performing services in accordance with the Agreement.
9.4. Data Protection Officer/Responsible Party. Skarbe has a data protection officer or individual responsible for its data protection in the United States, EU and UK that are collectively reached at support@skarbe.com.
9. SKARBE PERSONNEL
9.1. Confidentiality. Skarbe shall use commercially reasonable efforts to ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Skarbe shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
9.2. Reliability. Skarbe shall take commercially reasonable steps to ensure the reliability of any Skarbe personnel engaged in the Processing of Personal Data.
9.3. Limitation of Access. Skarbe shall ensure that Skarbe’s access to Personal Data is limited
to those personnel performing services in accordance with the Agreement.
9.4. Data Protection Officer/Responsible Party. Skarbe has a data protection officer or individual responsible for its data protection in the United States, EU and UK that are collectively reached at support@skarbe.com.
11. Skarbe will Process Personal Data in accordance with the Applicable Privacy and Data Protection Laws requirements directly applicable to the provisioning of Skarbe’s products and services.For the avoidance of doubt, the total liability of Skarbe (and its Affiliates, if any) for all claims from the Customer and all of its Controller Affiliates arising out of and/or related to the Agreement and each DPA shall apply in the aggregate for all claims under the Agreement and all DPAs established under the Agreement, including by Customer and all Controller Affiliates. It is specifically understood that liability shall not apply individually and severally to Customer and to Controller Affiliates.
11.1. Data Protection Impact Assessment. Upon Customer’s request, Skarbe shall provide Customer with reasonable cooperation and assistance (at Customer’s expense) needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of Skarbe’s products and/or services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Skarbe. Skarbe shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR.
11.2. Transfer Mechanisms.
11.2.1. Skarbe shall (and shall procure that any Subprocessor shall) not Process or transfer (directly or via onward transfer) any Customer Data in or to a territory other than the territory in which the Customer Data was first collected (nor permit the Customer Data to be so Processed or transferred) unless: (i) it has first obtained Customer's prior written consent and (ii) it takes all such measures as are necessary to ensure such Processing or transfer is in compliance with Applicable Privacy and Data Protection Laws (including such measures as may be communicated by Customer to Skarbe). Without prejudice to the foregoing, the Parties agree that when a transfer of Customer Data by Customer (as data exporter) to Skarbe (as data importer) under this DPA is a Restricted Transfer, Skarbe shall be bound by the SCCs, which shall be deemed incorporated into this DPA as follows: 1.2.1.1. In relation to transfers of Personal Data protected by the GDPR, the EU SCCs will apply completed as follows:
11.2.1.1.1. Where Customer is a controller of the Personal Data, Module Two (controller to processor transfers) shall apply;
11.2.1.1.2. In Clause 7, the optional docking clause will apply;
11.2.1.1.3. In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4 of this Agreement;
11.2.1.1.4. In Clause 11, the optional language will not apply;
11.2.1.1.5. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
11.2.1.1.6. In Clause 18(b), disputes shall be resolved before the courts of Ireland; and
11.2.1.1.7. Annex I and II of the EU SCCs shall be deemed completed with the information set out in Exhibits 2-4 of this DPA; 1.2.1.2. In relation to transfers of Personal Data protected by the UK GDPR, the EU SCCs will also apply to such transfers in accordance with Section 11.2.1.1 above, with the following modifications:
11.2.1.2.1. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR;
11.2.1.2.2. references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;
11.2.1.2.3. Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts;"
11.2.1.2.4. The International Transfer Addendum is set forth at Exhibit 4 to this DPA, if applicable, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR, in which event the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Exhibits 2 -4 of this DPA (as applicable). 1.2.1.3. In relation to transfers of Personal Data protected by the FAPD, the EU SCCs will also apply to such transfers in accordance with Section 11.2.1.1 above, with the following modifications:
11.2.1.3.1. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Data Protection Act;
11.2.1.3.2. references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
11.2.1.3.3. references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the FDIPC and competent courts in Switzerland,
unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss Data Protection Act, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs shall be populated using the information contained in Exhibits 2-4 of this DPA (as applicable).
11.3. Where the Processing involves the transfer of Customer Data subject to the LGPD and where such Customer Data is transferred either directly or via onward transfer to countries that do not ensure an adequate level of protection within the meaning of the LGPD, Skarbe agrees to process such Customer Data in compliance with LGPD and any other relevant Brazilian laws.
12. LEGAL EFFECT
This DPA shall only become legally binding between Customer and Skarbe (and Skarbe, Inc., if different) when Customer 1) affirmatively accepts this DPA through pressing the “I agree button” associated with this DPA or 2) upon continued use of the Services after December 27, 2022. If Customer has previously executed a data processing addendum with Skarbe concerning the subject matter hereof, the parties acknowledge and agree that this DPA supersedes and replaces such prior data processing addendum.
This DPA becomes legally binding between Customer and Skarbe (and Skarbe, Inc., if different) upon Customer's continued use of the Services. If Customer has previously executed a data processing addendum with Skarbe concerning the subject matter hereof, the parties acknowledge and agree that this DPA supersedes and replaces such prior data processing addendum. By using the service, Customer automatically agrees to be bound by the terms of this DPA.
13. VENUE
This DPA and any dispute or claim arising out of and/or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the legal system of Ireland under GDPR for the EU and in accordance with the Terms of the Agreement for the United States.
14. MISCELLANEOUS
The parties agree that this DPA and, if applicable, the Standard Contractual Clauses, shall terminate automatically upon (i) termination of the Agreement; or (ii) if applicable, the expiration or termination of all Order Forms or similar contract documents entered into by Skarbe with Customer pursuant to the Agreement, whichever is later. Any obligation imposed on either party under this DPA in relation to the Processing of Personal Data that would reasonably be interpreted to survive any termination or expiration of this DPA, shall survive. Customer may notify Skarbe in writing from time to time of any variations to this DPA which are required as a result of a change in Applicable Privacy and Data Protection Laws. Any such required variations shall take effect on the date falling 45 (forty-five) calendar days after the date such written notice is received and Skarbe shall procure that, where necessary, the terms in each contract between Skarbe or any Skarbe Affiliate and each Sub- processor are amended to incorporate such variations within the same time period. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
EXHIBIT 1.A TO THE DATA PROCESSING AGREEMENT CALIFORNIA SPECIFIC PROVISIONS
This Exhibit 1.A forms part of the DPA. Capitalized terms not defined in this Exhibit 1 have the meaning set forth in the DPA.
1. When processing California Personal Information (as defined in the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100 “CPRA”) in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is a Business and Skarbe is a Service Provider for the purposes of the CPRA. Skarbe shall process California Personal Information solely for a valid business purpose to perform the Services.
Skarbe understands and agrees to the prohibition from: (i) selling or sharing of California Personal Information that it processes on behalf of the Customer; (ii) retaining, using, or disclosing California Personal Information for a commercial purpose other than providing the Services or otherwise permitted by CCPA; (iii) retaining, using, or disclosing California Personal Information outside of the Agreement between Skarbe and Customer, (iv) retaining, using, or disclosing the personal information for any purpose outside those specified in the contract or outside the direct business-service provider relationship; and (v) combining the personal information received from or on behalf of the business with personal information the service provider received elsewhere, unless specific statutory or regulatory exceptions apply.
EXHIBIT 1.B TO THE DATA PROCESSING AGREEMENT VIRGINIA SPECIFIC PROVISIONS
This Exhibit 1.B forms part of the DPA. Capitalized terms not defined in this Exhibit1.B have the meaning set forth in the DPA.
1. When processing Virginia Personal Data (as defined in the Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575 to 59.1-584 (effective January 1, 2023)) (“VCDPA”), in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is the data controller and Skarbe is the data processor for the purposes of the VCDPA. When processing Virginia consumers’ Personal Data on Customer’s behalf, Skarbe agrees:
● To ensure that processing of Personal Data is subject to a duty of confidentiality with respect to the data;
● At the Customer's direction, delete or return all Personal Data to the controller as requested at the end of the provision of services, unless retention of the Personal Data is required by law;
● Upon the Customer’s reasonable request, Skarbe will make available to Customer all information in its possession necessary to demonstrate Skarbe's compliance with VCDPA obligations for processors;
● Allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor; alternatively, Skarbe may arrange for a qualified and independent assessor to conduct an assessment of its policies and technical and organizational measures in support of the obligations under VCDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Skarbe will provide a report of such assessment to Customer upon request; and
● To engage any subcontractor pursuant to a written contract with a requirement that the subcontractor must meet Skarbe’s obligations with respect to the Personal Data.
2. Skarbe understands and agrees to:
● Adhere to Customer’s instructions and will assist Customer in its obligation to respond to consumer rights requests in compliance with VCDPA;
● Assist Customer in relation to the notification of breach of security of Skarbe’s system in compliance with VCDPA; and
● To provide necessary information to enable Customer to conduct and document data protection assessment(s).
EXHIBIT 2 TO THE DATA PROCESSING AGREEMENT TECHNICAL AND ORGANIZATIONAL MEASURES
This Exhibit 2 forms part of the DPA. Capitalized terms not defined in this Exhibit 2 have the meaning set forth in the DPA.
Skarbe shall implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data. Such safeguards shall include:
● Skarbe offers data residency in either the US or the EU. All data involving or related to customer service inquiries, including personal information personal information, is hosted and stored in the United States.
● IT Security Policy. Skarbe will maintain a written information security policy applicable to all authorized personnel and systems.
● Training. Skarbe will provide information security awareness training to all employees at least annually.
● Access Control. Skarbe will maintain an access control policy, procedures, and controls consistent with industry standard practices. Skarbe will limit access to Customer’s Personal Data to those employees and Sub-processors with a need-to-know.
● Logical Separation. Skarbe will ensure Customer’s Personal Data is logically separated from other Skarbe customer data.
● Networking. Skarbe will ensure network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the systems and applications infrastructure.
● Encryption. Where appropriate, Customer’s Personal Data will be encrypted in-transit and at rest using industry standard encryption technologies.
● Asset Inventory. Skarbe will maintain an inventory of all information technology assets used in its operation of the services.
● Password Management. Skarbe will maintain a password management policy designed to ensure strong passwords consistent with industry standard practices.
● Incident Response Plan. Skarbe will maintain an incident response plan that addresses Security Incident handling. Skarbe also maintains an event log of security incidents.
● Backups of Customer Personal Data. Skarbe will maintain an industry standard backup system and backup
of Customer’s Personal Data designed to facilitate timely recovery in the event of a service interruption.
● Disaster Recovery and Business Continuity Plans. Skarbe will maintain disaster recovery and business continuity plans consistent with industry standard practices.
● Malicious Code Protection. All Skarbe workstations will run the current version of industry standard anti- virus software with the most recent updates available on each workstation. Virus definitions will be updated within a reasonable period following release by the anti-virus software vendor.
● Data Minimization. Skarbe limits the use of any personal data collected to uses that are compatible with the context in which that personal data was collected.
● Vendor Management. Skarbe will maintain the Third Party/Vendor Management Program and oversee the risk and compliance program for vendors, partners and other third parties by assessing and managing the risks assumed by the nature of relationships with vendors, partners and other third parties.
● Vulnerability Management Controls. Skarbe will maintain a vulnerability management program to identify and resolve security vulnerabilities in a timely manner.
EXHIBIT 3 TO THE DATA PROCESSING AGREEMENT ANNEX 1-3 OF THE SCCS
SCCs ANNEX III
LIST OF SUB-PROCESSORS – US Servers/Data Residency
The Controller has authorized the following list of sub-processors:
EXHIBIT 4 – UK INTERNATIONAL DATA TRANSFER ADDENDUM
This Exhibit 4 forms part of the DPA.
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: Skarbe and Customer
Annex 1B: Description of Transfer: As detailed in Annex I of the SCCs, detailed in Table 2
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As detailed in Annex II of the SCCs, detailed in Table 2.
Annex III: List of Sub processors (Modules 2 and 3 only): As detailed in Exhibit 1 of the DPA and noted on Appendix III of the SCCs, detailed in Table 2.
Table 4: Ending this Addendum when the Approved Addendum Changes
Alternative Part 2 Mandatory Clauses: