This Data Protection Addendum (“Addendum”) is entered into as of the date of the last signature below (the “Effective Date”), by and between Doppler Technologies, Inc., a California corporation with its primary place of business at 340 S. Lemon Avenue #5880 Walnut, CA 91789 (“Doppler™”), and the customer using Doppler’s platform (“Customer”) pursuant to the Doppler Terms of Service available at https://doppler.com/legal/terms, as updated from time to time, or other agreement between Customer and Doppler governing Customer’s use of the Services (the “Agreement”).
This Addendum is incorporated into and forms part of the Agreement. The terms used in this Addendum have the meaning set forth in this Addendum. Capitalized terms not otherwise defined herein have the meaning given to them in the Agreement. The term of this Addendum shall follow the term of the Agreement. Except as modified below, the Agreement remains in full force and effect.
HOW TO EXECUTE THIS ADDENDUM
For the avoidance of doubt, executing this Addendum shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Appendices.
HOW THIS ADDENDUM APPLIES
Doppler provides services to Customer under the Agreement. Pursuant to the Agreement, Doppler may from time to time process Personal Data (as defined below) for which Customer may be a “Data Controller” as defined by applicable privacy laws, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, and because such processing may, from time to time, involve the transfer of Personal Data from the European Union to the United States, Customer and Doppler have agreed to execute this Addendum in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.
2. Processing of Personal Data:
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Information, Customer is the data Controller and Doppler is the data Processor as further described in Appendix A (Details of Data Processing) of this Addendum. Each party shall comply with its obligations under Applicable Data Protection Law, and this Addendum, when processing Customer Information.
2.2 Customer Instructions. The parties agree that the Agreement, including this Addendum, constitutes Customer’s complete and final instructions to Doppler in relation to the processing of Customer Information. Doppler shall process Customer Information only in accordance with these instructions, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”).
2.3 Customer Obligations. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, in respect of its processing of Customer Information and any processing instructions it issues to Doppler; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Law for Doppler to process Customer Information for the purposes described in the Agreement. Customer shall have the sole responsibility for the accuracy, quality, and legality of Customer Information and the means by which Customer acquired Customer Information. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Law) applicable to any content created, sent, or managed through the Service.
2.4 Violations of Applicable Data Protection Law. Customer will ensure that Doppler’s processing of the Customer Information in accordance with Customer’s instructions will not cause Doppler to violate any applicable law, regulation, or rule, including without limitation Applicable Data Protection Law. Doppler will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law.
2.5 Confidentiality Obligations of Doppler Personnel. Doppler will ensure that any person it authorizes to process the Customer Information shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
2.6 Return or Deletion of Customer Information. Upon Customer's request or upon termination of the Agreement, Doppler agrees, at Customer’s option, to either deliver to Customer or destroy in a manner that prevents Customer Personal Data from being reconstructed, any Customer Personal Data and any copies in Doppler's control or possession, except that this requirement shall not apply to the extent Doppler is required by applicable law to retain some or all of the Customer Information or to Customer Information it has archived on back-up systems, which Customer Information Doppler shall securely isolate, protect from any further processing, and eventually delete in accordance with Doppler’s deletion policies, except to the extent required by applicable law.
2.7 No Sale of Information. Doppler will not sell Customer Information, nor retain, use, or disclose Customer Information for any commercial purpose other than providing the Doppler Services. Doppler will not disclose Customer Information outside the scope of the Agreement. Doppler understands its obligations under Applicable Data Protection Law and will comply with them.
3. Rights of Data Subjects:
3.1 Data Subject Rights. To the extent Customer, in its ordinary use of the Doppler Services, does not have the ability to address a data subject request to exercise their rights under Applicable Data Protection Law, Doppler shall, upon Customer’s request, provide commercially reasonable assistance to Customer in responding to such data subject request.
3.2 Responding to Requests. In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory or third party, including, but not limited to, law enforcement, is made directly to Doppler in connection with Doppler’s processing of Customer Information, Doppler shall promptly inform Customer, providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Doppler shall not respond to any such request, inquiry or complaint without Customer’s prior consent. In the case of a legal demand for disclosure of Customer Information in the form of a subpoena, search warrant, court order or other compulsory disclosure request, Doppler shall attempt to redirect the requesting party or agency to request disclosure from Customer. Customer agrees that Doppler may provide Customer’s basic contact information for this purpose. If Doppler is legally compelled to respond to such a request, Doppler shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Doppler is legally prohibited from doing so. For the avoidance of doubt, nothing in this Agreement, including this Addendum, shall restrict or prevent Doppler from responding to any data subject or data protection authority requests in relation to personal data for which Doppler is a controller.
3.3 Data Protection Impact Assessments. If Doppler believes or becomes aware that its processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, Doppler shall inform Customer and (taking into account the nature of the processing and the information available to Doppler) provide reasonable cooperation to Customer in connection with any data protection impact assessment or consultations with supervisory authorities that may be required under Applicable Data Protection Law. Doppler shall comply with the foregoing by: (i) complying with Section 4.5 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer’s expense.
4.1 Technical and Organizational Measures. Doppler has implemented and will maintain appropriate technical and organizational security measures to protect Customer Information from Security Incidents and designed to preserve the security and confidentiality of Customer Information in accordance with Doppler’s security standards described in Appendix B (“Security Measures”).
4.2 Updates to Security Measures. Customer is responsible for reviewing the information made available by Doppler relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Doppler may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Service provided to Customer.
4.3 Security Incident Response. Doppler shall, to the extent permitted by law, notify Customer without undue delay of any reasonably suspected or actual Security Incident which affects Customer Information. The notice shall summarize in reasonable detail the nature and scope of the Security Incident, to the extent known, and the corrective action already taken or to be taken by Doppler. Furthermore, Doppler shall provide timely information relating to the Security Incident as it becomes known or as reasonably requested by Customer and promptly take reasonable steps to remedy or mitigate the effect of any Security Incident. Doppler’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Doppler of any fault or liability with respect to the Security Incident. The parties will collaborate on whether any notice of breach is required to be given to any person, and if so, the content of that notice. Unless prohibited by an applicable statute or court order, Doppler shall also notify Customer of any third-party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity. Customer agrees that an unsuccessful Security Incident will not be subject to this Section 4.3 (Security Incident Response). An unsuccessful Security Incident is one that results in no unauthorized access to Customer Information or to any of Doppler’s equipment or facilities used to store or process Customer Information.
4.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided in this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Information when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Information uploaded to the Service.
4.5 Audits. Subject to reasonable notice, Doppler shall provide Customer an opportunity, at Customer’s cost and expense, to conduct a privacy and security audit of Doppler’s security program and systems and procedures that are applicable to the services provided by Doppler to Customer. Audits will occur at most annually or following notice of a Security Incident and will be completed in no more than thirty (30) calendar days. If the audit reveals any material vulnerability, Doppler shall take commercially reasonable steps to correct such vulnerability.
5.1 Authorized Sub-processors. Customer agrees that Doppler may engage third party sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. The sub-processors Doppler currently engages to carry out processing activities can be found here. At least 10 days prior to engaging or removing any sub-processor, Doppler will update this list and provide Customer with a mechanism to obtain notice of that update. Customer may object in writing to Doppler's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Doppler will, in its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the Agreement without liability to either party.
5.2 Sub-processor obligations. Doppler shall: (i) conduct appropriate due diligence on each Sub-processor it engages to perform services on its behalf; (ii) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Information as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (iii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause Doppler to breach any of its obligations under this Agreement.
6. International Transfers of Customer Personal Data:
6.1 Data Center Locations. Customer agrees that Doppler may transfer and process Customer Information to and in the United States and any other country where Doppler or its Affiliates or Sub-processors conduct operations. Doppler shall ensure that such transfers comply with the requirements of Applicable Data Protection Laws.
6.2 European Data Transfers. To the extent that Doppler receives Customer Information protected by EU Data Protection Laws, Doppler agrees to abide by and process such data in compliance with the SCCs, which are incorporated fully by reference and form an integral part of this Addendum. For the purposes of the SCCs: (i) Doppler is the “data importer” and Customer is the “data exporter” under the SCCs (notwithstanding that Customer may be an entity located outside the EU); and (ii) Appendixes A and B of this Addendum shall replace Appendixes 1 and 2 of the SCCs, respectively. For the avoidance of doubt, the SCCs will apply to Personal Data processed by Doppler in the context of providing the Services to Customer that are transferred from Europe to outside Europe, either directly or via onward transfer, to (i) the United States when the transfer is not covered by a valid Privacy Shield certification, or (ii) any country or recipient not recognized by the European Commission as providing an adequate level of protection under EU Data Protection Law.
7. Limitation of Liability:
7.1 Liability Cap. Each party and all of its affiliates’ liability taken together arising out of or related to this Addendum, including the SCCs, shall be subject to the exclusions and limitations of liability set forth in the Agreement.
7.2 Liability to Data Subjects. Each Party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of Applicable Data Protection Laws. If one Party paid full compensation for the damage suffered, it is entitled to claim back from the other Party that part of the compensation corresponding to the other Party’s part of the responsibility for the damage. For that purpose, both Parties agree that Customer will be liable to Data Subjects for the entire damage resulting from a violation of EU Data Protection Law with regard to Processing of Personal Data for which it is a Controller, and that Doppler will only be liable to Data Subjects for the entire damage resulting from a violation of the obligations of EU Data Protection Law directed to Processor where it has acted outside of or contrary to Customer’s lawful instructions. Doppler will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
8. Modification and Termination of this Addendum: This Addendum shall remain in effect for so long as Doppler processes Customer Information on behalf of Customer or until termination of the Agreement. Failure to comply with any of the material provisions of this Addendum is considered a material breach of the Agreement. In the event of termination, Doppler will return or destroy data pursuant to Section 2.7 (Return or Deletion of Customer Information). This Addendum may only be modified by a written amendment signed by each of the parties.
9. Entire Agreement; Conflict: This Addendum supersedes and replaces all prior and contemporaneous agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Customer and Doppler. If there is any conflict between this Addendum and any agreement, including the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) SCCs; then (b) this Addendum; then (c) the Agreement.
11. Invalidity and Severability. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid and unenforceable, the invalidity or un-enforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or un-enforceability will remain in full force and effect.
Appendix A – Details of Processing
The subject matter of the data processing under this Addendum is the Customer Information.
Duration of the processing:
Doppler will process Customer Information as outlined in Section 2.2 (Customer Instructions), 2.7 (Return or Deletion of Customer Information), and 8 (Modification and Termination of this Addendum) of this Addendum.
Doppler shall only process Customer Information for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement.
Categories of data subjects:
Customer may submit personal data in the course of using Doppler’s services, the extent of which is determined and controlled by Customer in its sole discretion and may include, but is not limited to, personal data relating to Customer, Customer’s contacts, and Customer’s authorized users, which includes Customer’s employees and contractors who are granted per-user access rights to Doppler’s Services.
Types of Customer Information:
Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
Special categories of data:
The parties do not anticipate the transfer of special categories of data.
Customer Information will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:
Appendix B – Security Measures
Doppler will, at a minimum, implement the following types of security measures:
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Information in accordance with their access rights, and that Customer Information cannot be read, copied, modified, or deleted without authorization include:
Technical and organizational measures to ensure that Customer Information cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Information is disclosed, include:
Technical and organizational measures to monitor whether Customer data have been entered, changed, or removed, and by whom, from data processing systems, include:
Technical and organizational measures to ensure that Customer Data are processed solely in accordance with the instructions of the Controller include:
Technical and organizational measures to ensure that Customer Data are protected against accidental destruction or loss (physical/logical) include:
Technical and organizational measures to ensure that Customer Data collected for different purposes can be processed separately include: