This Data Processing Addendum (“Addendum”) is entered into by and between Doppler Technologies, Inc., a California corporation with its primary place of business at 340 S. Lemon Avenue #5880 Walnut, CA 91789 (“Doppler”), and the legal entity using Doppler’s services (“Customer”) pursuant to the Doppler Terms of Service or Doppler Software Subscription Agreement, as applicable, executed concurrently herewith, or any other agreement between Customer and Doppler governing Customer’s use of the Subscription Services (the “Agreement”). Doppler and Customer are hereinafter referred to from time to time individually as “party” and collectively as “parties.”
The parties acknowledge that the terms of this Addendum, including the Appendices, are incorporated into and form part of the Agreement. Capitalized terms have the meaning given to them in the Agreement unless defined elsewhere in this Addendum. Where this Addendum uses terms that are defined in Applicable Data Protection Law (defined below), those terms shall have the same meaning as given to those terms (or an equivalent term) in the applicable law.
In the event and to the extent of a conflict between the provisions of the Agreement and this Addendum, this Addendum will prevail. Except as expressly set forth in this Addendum, all other provisions of the Agreement will remain in full force and effect. To the extent that the EU SCCs (defined below) or the UK International Data Transfer Agreement (defined below) are incorporated herein, such terms shall take precedence over both this Addendum and the Agreement to the extent necessary to resolve the conflict or inconsistency. For the avoidance of doubt, execution of the Agreement shall be deemed to constitute signature and acceptance of this Addendum and any SCCs or UK International Data Transfer Agreement incorporated herein.
1. Definitions:
- “Affiliate(s)” means any business entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with a party to the Agreement. For purposes of this definition, “control” means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data under the Agreement. For the sake of clarity, Applicable Data Protection Law includes, without limitation (1) data protection laws and regulations of the European Union, the European Economic Area and their member states and Switzerland; (2) data protection laws and regulations of the United Kingdom; and (3) data protection laws and regulations of the United States and its individual states.
- “Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers (module 2), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Customer” means the Customer entities or Affiliates that are party to the Agreement.
- “Customer Account Data” means personal data that relates to Customer’s relationship with Doppler and for which Doppler determines the means and purposes of processing.
- “Customer Data” means any personal data that is (i) provided or made available or accessible to Doppler or its Sub-processors by or on behalf of Customer or a controller for whom Customer acts as a processor; and/or (ii) generated by Doppler or its Sub-processors in the performance of the Agreement.
- “Customer Usage Data” means any data relating to Customer’s use, support, and/or operation of the Services which is used by Doppler in an aggregated and anonymous manner.
- “Data Protection Supervisory Authority” means a supervisory authority or other government body responsible for the administration, implementation, and/or enforcement of Applicable Data Protection Law and includes, without limitation, competent supervisory authorities of the European Union (“EU”) and its member states, the Swiss Federal Data Protection Authority, and the United Kingdom (“UK”) Information Commissioner’s Office.
- “Data Transfer” means any situation in which Customer Data is transferred, either directly or via onward transfer to a Third Country.
- “Elections” means, with respect to the EU SCCs, (i) for purposes of clause 9(a), option 2 applies and the specified time period is the time period required under Section 5 (Sub-processing) of this Addendum for notice of change of a Sub-processor; (ii) for purposes of clause 11, the independent dispute resolution option does not apply; (iii) for purposes of clause 17, option 2 is selected, provided if the EU member state in which the data exporter is established does not allow for third-party beneficiary rights, then the law of Ireland shall govern; and (iv) as pertains to clause 18(b), the courts of the EU member state in which the data exporter is established shall be the choice of forum and jurisdiction.
- “EU SCCs” means (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses, as applicable in accordance with Section 2.1 (Scope and Role of the Parties), including the Elections and on the basis that Appendix 1 of this Addendum operates as Annex I to the EU SCCs and Appendix 2 of this Addendum operates as Annex II to the EU SCCs.
- “European and UK Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
- “Europe” means, for the purposes of this Addendum, the European Union (“EU”), the European Economic Area (“EEA”), and/or their member states, and Switzerland.
- “Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers (module 3), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Security Incident” means any confirmed or reasonably suspected unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Doppler.
- “Sensitive Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, data relating to criminal convictions or offenses, or other information that falls within the definition of “special categories of data” (or an equivalent term) under Applicable Data Protection Law.
- “Sub-processor(s)” means any person or entity engaged by Doppler or its Affiliates to perform Doppler’s obligations under the Agreement.
- “Third Country” means a country outside of Europe or the UK not recognized by the European Commission or the competent UK regulatory authority as providing an adequate level of protection for personal data under European and UK Data Protection Law.
- “UK International Data Transfer Addendum” means the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner, Version B1.0, effective as of 21 March 2022, and on the following basis: (i) with respect to Table 1 of the UK International Data Transfer Addendum, the parties’ details and key contact information is located in Appendix 1 of this Addendum; (ii) with respect to Table 2, information about the version of the EU SCCs, modules, and selected clauses are located in the Elections, and (iii) with respect to Table 3, information about the parties and a description of the transfer is set forth in Appendix I to this Addendum, a description of Doppler’s technical and organizational security measures is located in Appendix II, and Doppler’s list of sub-processors is set forth in Section 5.1 (Authorized Sub-processors).
- “UK Personal Data” means Customer Data, the processing of which is within the territorial scope of the data protection, privacy, or security laws of the UK.
2. Processing of Personal Data:
- Scope and Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Data, Doppler will act as processor to Customer, who may act as either a controller or a processor. Each party shall comply with its obligations under Applicable Data Protection Law, and this Addendum, when processing Customer Data. When Customer is acting as a controller, the Controller-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. When Customer is acting as a processor, the Processor-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. Customer agrees that it is unlikely that Doppler will know the identity of Customer’s controllers, if any, because Doppler has no direct relationship with Customer’s controllers. Therefore, Customer agrees that it will fulfill Doppler’s obligations to Customer’s controllers under the Processor-to-Processor Clauses. For the avoidance of doubt, this Addendum does not apply to Customer Usage Data or Customer Account Data.
- Customer Instructions. Doppler shall process Customer Data only in accordance with Customer’s documented lawful instructions as set forth in (i) the Agreement, including this Addendum and any applicable order forms; (ii) as necessary to comply with applicable law; or (iii) as otherwise agreed in writing or as initiated by Authorized Users in their use of the Subscription Services (including via configuration tools and APIs made available through the Subscription Services) (“Permitted Purposes”). Customer may give additional instructions throughout the term of the Agreement. Doppler shall immediately inform Customer if it is unable to follow those instructions.
- No Sale or Sharing. Except as expressly permitted by Applicable Data Protection Law, Doppler will not retain, use, disclose, or otherwise process Customer Data (i) for any purposes other than those specified in the Agreement and this Addendum, (ii) for any commercial purpose other than the specific business purposes specified in the Agreement and this Addendum, including to provide services to a different business; and (iii) outside the direct business relationship between Customer and Doppler, including to combine or update Customer Data with information received from or on behalf of another source or collected from Doppler’s own interactions with a data subject. Doppler will limit the collection, use, retention, and disclosure of Customer Data to activities reasonably necessary and proportionate to achieve the processing set out in this Addendum and the Agreement and will not process Customer Data in a manner incompatible with those purposes.
- Customer Obligations. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, in respect of its processing of Customer Data and any processing instructions it issues to Doppler; and (ii) it has, and will continue to have, the right to transfer, or provide access to, the personal data to Doppler for processing in accordance with the terms of the Agreement and this Addendum. Customer shall have the sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Law) applicable to any content created, sent, or managed through the Subscription Services. Customer specifically acknowledges and agrees that its use of the Subscription Services will not violate the rights of any data subject that has opted-out from the sale or other disclosure of his or her personal data.
- Lawfulness of Instructions. Customer acknowledges that Doppler is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Doppler’s provision of the Subscription Services meets or will meet the requirements of such laws or regulations. Customer will ensure that its instructions comply with Applicable Data Protection Law and Doppler’s processing of the Customer Data in accordance with Customer’s instructions will not cause Doppler to violate any applicable law, regulation, or rule, including without limitation Applicable Data Protection Law. Doppler will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law.
- Doppler Personnel. Doppler shall grant access to Customer Data to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the Agreement. It will further ensure that any person it authorizes to process the Customer Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- Accuracy. Customer agrees that it is unlikely that Doppler would become aware that Customer Data it has received is inaccurate or outdated. Nonetheless, if Doppler does become aware that Customer Data it has received is inaccurate, or has become outdated, it shall inform Customer without undue delay and shall cooperate with Customer to erase or rectify the data.
- Return or Deletion of Customer Data. Doppler shall only process Customer Data for the duration specified in Appendix 1.B. Upon Customer's request or upon termination or expiration of the Agreement, Doppler agrees, at Customer’s option, exercised by delivery to Doppler in writing of its instruction, to either deliver to Customer or destroy in a manner that prevents Customer Data from being reconstructed any Customer Data and any copies thereof in Doppler's control or possession, except that this requirement shall not apply to the extent Doppler is required by applicable law to retain some or all of the Customer Data or to Customer Data it has archived on back-up systems, which Customer Data Doppler shall securely isolate, continue to protect using appropriate technical and organizational security measures until it may be disposed of, and eventually delete in accordance with Doppler’s deletion policies, except to the extent required by applicable law.
3. Responding to Data Subjects and Other Requests:
- Assistance Provided to Customer. Doppler provides Customer with several self-help features and tools within the Subscription Services, including the ability to delete, obtain a copy of, or restrict use of Customer Data. Customer may use these self-help features and tools to honor requests from data subjects to exercise their rights under Applicable Data Protection Law. To the extent Customer, in its ordinary use of the Subscription Services, does not have the ability to address a data subject request to exercise their rights under Applicable Data Protection Law, Doppler shall, upon Customer’s written request, provide commercially reasonable assistance to Customer in responding to such data subject request. If complying with Customer’s request for assistance will require Doppler to expend significant resources, such assistance shall be at Customer’s expense (scoped in advance).
- Handling Requests Made Directly to Doppler. In the event that any request, correspondence, enquiry or complaint from a data subject, regulator, or third party, including, but not limited to law enforcement, is made directly to Doppler in connection with Doppler’s processing of Customer Data, Doppler shall promptly inform Customer providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Doppler shall not respond to any such request, inquiry, or complaint without Customer’s prior written consent. In the case of a legal demand for disclosure of Customer Data in the form of a subpoena, search warrant, court order or other compulsory disclosure request, Doppler shall attempt to redirect the requesting party or agency to request disclosure from Customer. Customer agrees that Doppler may provide Customer’s basic contact information for this purpose. If Doppler is unable to redirect the requesting party or agency, Doppler shall act in accordance with its obligations under the EU SCCs or UK International Data Transfer Agreement, as applicable, incorporated herein. For the avoidance of doubt, nothing in the Agreement, including this Addendum shall restrict or prevent Doppler from responding to any data subject requests or other requests in relation to personal data for which Doppler is a controller.
- Data Protection Impact Assessments. If Doppler believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of data subjects, Doppler shall inform Customer and (taking into account the nature of the processing and the information available to Doppler) provide commercially reasonable cooperation to Customer in connection with any data protection impact assessment or consultations with Data Protection Supervisory Authorities that may be required under Applicable Data Protection Law. Doppler shall comply with the foregoing by: (i) complying with Section 4.7 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer’s expense (scoped in advance).
4. Security:
- Technical and Organizational Measures. Doppler has implemented and will maintain appropriate technical and organizational security measures designed to preserve the security and confidentiality of Customer Data in accordance with Doppler’s security standards described in Appendix 2 (“Security Measures”).
- Updates to Security Measures. Customer is responsible for reviewing the information Doppler makes available regarding its data security and making an independent determination as to whether the Subscription Services meet Customer’s requirements and legal obligations, including its legal obligations under Applicable Data Protection Law. Customer acknowledges that the Security Measures are subject to technical progress and development and that Doppler may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Subscription Services.
- Security Incident Response. Doppler shall, to the extent permitted by law, notify Customer without undue delay of any reasonably suspected or actual Security Incident which affects Customer Data. Such notification will be delivered to one or more of Customer’s business or administrative contacts by any means Doppler selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information in the Subscription Services and under the Agreement at all times. The notice shall summarize in reasonable detail the nature and scope of the Security Incident, to the extent known, and the corrective action already taken or to be taken by Doppler. Furthermore, Doppler shall provide timely information relating to the Security Incident as it becomes known or as reasonably requested by Customer and shall promptly take reasonable steps to remedy or mitigate the effect of any Security Incident. Doppler’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Doppler of any fault or liability with respect to the Security Incident. The parties will collaborate on whether any notice of breach is required to be given to any person, and if so, the content of that notice. For clarity, Doppler will not publicly disclose any information regarding the Security Incident without Customer’s prior written consent, except (i) to its own employees, customers, advisors, agents, or contractors or (ii) where and to the extent explicitly compelled to do so by Applicable Data Protection Law, to Applicable Data Protection Supervisory Authorities and/or data subjects. Unless prohibited by an applicable statute or court order, Doppler shall also notify Customer of any third-party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity.
- Unsuccessful Security Incidents. Customer agrees that an unsuccessful Security Incident will not be subject to Section 4.3 (Security Incident Response). An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Doppler’s equipment or facilities used to store or process Customer Data and could include, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-in attempts or invalid URLs, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.
- Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided in this Addendum or the Agreement, Customer is responsible for its secure use of the Subscription Services, including securing its account authentication credentials, using the Subscription Services strictly as permitted under the Agreement, and using features and functionalities made available by Doppler to maintain appropriate security in light of the nature of the data processed.
- Documentation and Compliance. The parties acknowledge that Customer must be able to assess Doppler’s compliance with its obligations under Applicable Data Protection Law and this Addendum. To facilitate such assessment, Doppler will keep appropriate documentation on the processing activities carried out on behalf of Customer under the Agreement, and upon written request, make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this Addendum.
- Audits. To the extent that Doppler is unable to demonstrate its compliance with Applicable Data Protection Law and this Addendum through appropriate documentation as described in Section 4.6 (Documentation and Compliance) above, then, upon Customer’s written request and subject to the confidentiality obligations set forth in the Agreement, Doppler shall allow for and contribute to audits and inspections conducted by Customer (or Customer’s independent, third-party auditor that is not a competitor of Doppler). Audits shall occur at most annually or more frequently (i) in response to a demand from a Data Protection Supervisory Authority, (ii) following notice of a Security Incident, or (iii) as a follow-up to a duly conducted annual audit. Audits must be preceded by thirty (30) days advance written notice, must be conducted during Doppler’s normal business hours, and must be limited to systems and procedures within Doppler’s control and relevant to Doppler’s processing of Customer Data. Doppler will make its personnel, records, and similar items available upon fewer than thirty (30) days advance notice, but no less than reasonable notice if (i) requested by a Data Protection Supervisory Authority pursuant to an audit of Customer or (ii) following notice of a Security Incident. In lieu of such an audit, in the event that Doppler independently obtains third-party annual audits of its privacy and security program, Customer agrees that Doppler may satisfy its obligations under this Section 4.7 (Audits), by making available to Customer a copy of Doppler’s then most recent third-party audit report. Such audit reports will be made available to Customer upon Customer’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement. If any audit reveals any material vulnerability, Doppler shall take commercially reasonable steps to correct such vulnerability.
5. Sub-processing:
- Authorized Sub-processors. Doppler has Customer’s general authorization to engage third-party Sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. The Sub-processors Doppler currently engages to carry out processing activities can be found here. At least ten (10) business days prior to engaging or removing any Sub-processor, Doppler will update this list and provide Customer with a mechanism to obtain notice of that update. Customer may object in writing to Doppler's appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Doppler will, in its sole discretion, either not appoint such Sub-processor, direct such Sub-processor to not process Customer Data, or permit Customer to suspend or terminate the Agreement without liability to either party, in which case, however, and notwithstanding anything to the contrary in this Addendum, the applicable SCCs or UK International Data Transfer Addendum (as applicable), or the Agreement, Doppler shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.
- Sub-processor obligations. Doppler shall: (i) conduct appropriate due diligence on each Sub-processor it engages to perform services on its behalf; (ii) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (iii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause Doppler to breach any of its obligations under this Agreement.
6. International Data Transfers:
- Data Center Locations. Customer understands and acknowledges that Customer Data may be transferred to and processed in the United States or in any country in which Doppler or its Sub-processors have operations. Doppler shall notify Customer at least ten (10) business days prior to adding or replacing a Sub-processor in the same manner provided for notification under Section 5.1 (Authorized Sub-processors) above. Customer may object in writing to Doppler’s changes as per the above, provided such objection is based on reasonable grounds relating to data protection (including, but not limited to, changes of location for processing (including access) from within Europe to the United States or another non-Europe country). In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Doppler will, in its sole discretion, either not proceed with the change, or permit Customer to suspend or terminate the Agreement without liability to either party in which case, however, and notwithstanding anything to the contrary in this Addendum, the EU SCCs or UK International Data Transfer Addendum (as applicable), or the Agreement, Doppler shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing. Doppler shall ensure that such transfers comply with the requirements of Applicable Data Protection Law.
- European and UK Data Transfers. To the extent that Doppler receives Customer Data protected by European and UK Data Protection Laws, Doppler agrees to abide by and process such data in compliance with the EU SCCs and UK International Data Transfer Addendum (as applicable), which are incorporated herein in full and form an integral part of this Addendum. For the purposes of the EU SCCs and UK International Data Transfer Addendum (as applicable): (i) Doppler is the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may be an entity located outside of Europe or the UK); (ii) Appendixes 1 and 2 of this Addendum shall replace Annexes I and II of the EU SCCs and Tables 1 and 2 of the UK International Data Transfer Addendum (as applicable) and (iii) the EU SCCs shall be applied giving effect to the Elections. For the avoidance of doubt, the UK International Data Transfer Addendum shall apply to any Data Transfer pursuant to the Agreement that involves UK Personal Data.
7. Limitation of Liability:
- Liability Cap. Each party and all of its Affiliates’ liability to the other party and its Affiliates, taken together arising out of or related to this Addendum, including the EU SCCs and UK International Data Transfer Addendum (as applicable) shall be subject to the exclusions and limitations of liability set forth in the Agreement. For the avoidance of doubt, Doppler and its Affiliates’ total liability for all claims from Customer arising out of or relating to the Agreement or this Addendum shall apply in aggregate.
- Liability to Data Subjects. Nothing in Section 7.1 (Liability Cap) shall alter the parties’ liability to data subjects as provided for in either the EU SCCs or UK International Data Transfer Addendum (as applicable). Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation by it of Applicable Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of the responsibility for the damage. Notwithstanding the foregoing, with respect to processing of personal data subject to either the EU SCCs or UK International Data Transfer Addendum, as provided herein, the allocation of liability to data subjects as between the parties shall be governed by the data transfer mechanism taking into consideration that both parties agree that Customer will be liable to data subjects for the entire damage resulting from a violation of European and UK Data Protection Law with regard to processing of personal data for which it is a controller, and that Doppler will only be liable to data subjects for the damage resulting from a violation of the obligations of European and UK Data Protection Law directed to processors where it has acted outside of or contrary to Customer’s lawful instructions or violated this Addendum. Doppler will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
8. Modification and Termination of this Addendum: This Addendum shall remain in effect until the later of (i) termination of the Agreement or (ii) such time as Doppler no longer processes any Customer Data on behalf of Customer. Failure to comply with any of the material provisions of this Addendum is considered a material breach of the Agreement. In the event of termination, Doppler will return or destroy data pursuant to Section 2.8 (Return or Deletion of Customer Data). Doppler may update the terms of this Addendum from time to time. The then-current terms of this Addendum are available here.
9. Entire Agreement; Conflict: This Addendum supersedes and replaces all prior and contemporaneous agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Customer and Doppler. If there is any conflict between this Addendum and any agreement, including the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the EU SCCs and their Annexes and/or the UK International Data Transfer Addendum and its Tables (as applicable); then (b) this Addendum and its Appendices; then (c) the Agreement.
10. Invalidity and Severability:
10.1 General. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid and unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
10.2 Invalidity of EU SCCs and/or UK International Data Transfer Addendum. If the EU SCCs and/or UK International Data Transfer Addendum (as applicable) cease to or do not (including due to insufficient supplementary measures) meet the requirements under European and UK Data Protection Law or otherwise cease to or do not provide a valid legal basis to transfer personal data outside the EEA, EU, UK, or Switzerland, Doppler shall (i) promptly notify Customer using the email address on file; (ii) upon request (whether or not Doppler has provided notice to Customer) immediately stop and, as applicable, procure the cessation of the processing by its Sub-processors of the affected personal data promptly after the occurrence of any such notifiable event outside the relevant countries (except to the extent directed otherwise by Customer), and as soon as possible put in place commercially reasonable measures to mitigate the impact of such; and (iii) discuss with Customer commercially reasonable alternative measures in order to ensure an adequate level of protection with respect to the privacy rights of individuals and the lawful transfer of, or access to, personal data outside the relevant countries whilst continuing the provision of the Subscription Services with minimum disruption to Customer. If the parties cannot reach resolution, Customer may suspend or terminate the Agreement without liability to either party, in which case, notwithstanding anything to the contrary in this Addendum or the Agreement, Doppler shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.
APPENDIX 1
A. LIST OF PARTIES
Data exporter(s):
The data exporter is the legal entity identified as “Customer” in the Agreement. Customer may be a controller or a processor with respect to Customer Data.
Data importer(s):
The data importer is Doppler Technologies, Inc. located at 340 S. Lemon Avenue #5880 Walnut, CA 91789.
Joel Watson is Doppler’s contact person with responsibility for data protection. He can be reached at privacy@doppler.com or (888) 737-9987.
Doppler Technologies, Inc. provides a platform for engineering teams to manage their digital authentication credentials, including passwords, API keys, certificates, tokens, and encryption keys across all of their environments, tools, and processes. Doppler is either a processor or a sub-processor with respect to Customer Data processed pursuant to the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer may upload, submit, or otherwise provide personal data concerning the following categories of data subjects:
- Customer and Customer’s Authorized Users
Categories of personal data transferred
Customer may upload, submit, or otherwise provide certain personal data to Doppler, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
- Full name and contact information
- Company name and job title
- Billing and payment information
- Any other personal data uploaded, submitted, or otherwise provided to Doppler by Customer in its sole discretion.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Doppler does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Subscription Services. To the extent that Sensitive Data is nevertheless introduced into Customer Data, Customer agrees that it is solely responsible for ensuring that sufficient safeguards are in place to protect such Sensitive Data and Doppler shall have no liability whatsoever in relation to such data.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Customer Data will be transferred on a continuous basis for the duration of the Agreement.
Nature of the processing
Customer Data will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:
- Computing, storage and other processing necessary to provide, maintain, and improve the service provided to Customer pursuant to the Agreement; and/or
- Disclosures in accordance with the Agreement, Customer’s instructions, and/or as compelled by applicable law.
Purpose(s) of the data transfer and further processing
Doppler shall only process Customer Data as described in Section 2.2 (Customer Instructions) and Section 2.3 (No Sale or Sharing).
The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period
Customer Data will be retained for the duration of the Agreement plus thirty (30) days after expiration or termination unless expressly instructed by Customer to delete or destroy Customer Data sooner or as otherwise required or permitted by law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For all transfers to Sub-processors the subject matter, nature, and duration of the processing are as follows:
- Subject matter: The subject matter of the transfer and processing is the Customer Data.
- Nature of processing: The nature of the processing varies by Sub-processor. Detailed information for each Sub-processor can be found here.
- Duration of the processing: The duration of the processing is for so long as is necessary for the purpose for which the information was transferred to the Sub-processor and in any event, for no longer than the duration of the agreement between Doppler and the relevant Sub-processor.
C. DATA PROTECTION SUPERVISORY AUTHORITY
- The competent authority for the processing of personal data relating to data subjects located in the EEA is the Supervisory Authority of Ireland.
- The competent authority for the processing of personal data relating to data subjects located in the UK is the UK Information Commissioner.
- The competent authority for the processing of personal data relating to data subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
APPENDIX 2 - SECURITY MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Doppler will, at a minimum, implement the following types of security measures:
1. Virtual Access Control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include the following:
- User identification and authentication procedures;
- ID/password security procedures (e.g., minimum length and multifactor authentication features);
- Automatic blocking (e.g., password or timeout); and
- Encryption of archived data media.
2. Data Access Control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Data in accordance with their access rights, and that Customer Data cannot be read, copied, modified, or deleted without authorization include the following:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions, and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Customer Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
- Encryption.
3. Disclosure Control
Technical and organizational measures to ensure that Customer Data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Data is disclosed, include the following:
- Encryption/tunneling;
- Tokenization;
- Logging; and
- Transport security.
4. Entry Control
Technical and organizational measures to monitor whether Customer Data have been entered, changed, or removed and by whom from data processing systems, include the following:
- Logging and reporting systems.
5. Control of Instructions
Technical and organizational measures to ensure that Customer Data is processed solely in accordance with the instructions of the Customer/controller include the following:
6. Availability Control
Technical and organizational measures to ensure that Customer Data is protected against accidental destruction or loss (physical/logical) include the following:
- Backup procedures;
- Redundant storage; and
- Remote storage.
7. Separation Control
Technical and organizational measures to ensure that Customer Data collected for different purposes can be processed separately include the following:
- Separation of databases;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.