DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms an integral part of the Agreement (“Main Agreement”) entered into between Ballerine Inc. ("Ballerine", or "Company") and the counterparty agreeing to these terms ("Customer"; each a “Party” and together the “Parties”) and applies to the extent that Ballerine processes Personal Data on behalf of the Customer, in the course of its performance of its obligations under the Main Agreement.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.
All capitalized terms not defined herein shall have the meaning set forth in the Main Agreement.
- Definitions
- "Approved Jurisdiction" means a jurisdiction approved as having adequate legal protections for data by the European Commission (or by the UK Information Commissioner's Office, where applicable), currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en and here: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-and-the-eu-in-detail/the-uk-gdpr/international-data-transfers/.
- “Data Protection Laws” means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (as amended, and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and the regulation enacted thereunder ("CCPA"), the Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1 ("VCDPA"); the Colorado Privacy Act, 2021 Colo. ALS 483; 2021 Colo. Ch. 483; 2021 Colo. SB. 190 ("CPA"), the Connecticut Data Privacy and Online Monitoring Act, Conn. Gen. Stat. §42-515 et seq. ("CTDPA"), the Utah Consumer Privacy Act, Utah Code Ann. Title 13, Ch. 61 ("UCPA") (CCPA, VCDPA, CPA, CTDPA and UCPA shall collectively be called "US Data Protection Laws"); and any amendments or replacements to the foregoing.
- “Data Subject” means an individual to whom Personal Data relates. Where applicable, a Data Subject shall be deemed a "Consumer" as this term is defined under applicable US Data Protection Laws.
- "EEA" means those countries that are members of the European Economic Area.
- “Permitted Purposes” mean any purposes in connection with Ballerine performing its obligations under the Main Agreement.
- "Security Incident" shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For the avoidance of doubt, any Personal Data Breach (as defined under the GDPR) will comprise a Security Incident.
- “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Ballerine's business, the level of sensitivity of the data collected, handled, and stored, and the nature of Ballerine's business activities.
- “Standard Contractual Clauses” means (a) where the GDPR applies – the applicable Module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021; and (b) with respect to data transfers to which the UK GDPR applies – the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which was entered into force on 21 March, 2022, as available here: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf ("UK Addendum"); both (a) or (b) above, as applicable, are incorporated herein by reference.
- “Sub-Processor(s)” means any third-party vendor or service provider of Ballerine that processes Customer Personal Data in order to provide the Service under the Main Agreement.
- The terms "Business", "Controller", "Personal Data", "Personal Information", "Processor", "Process", "Processing" and "Service Provider" shall have the meanings ascribed to them under Data Protection Laws, as applicable.
- Application of this DPA
- This DPA will only apply to the extent all of the following conditions are met:
- Ballerine processes Personal Data that is made available by the Customer in connection with the Main Agreement (whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer);
- Data Protection Laws apply to the processing of Personal Data.
- This DPA will only apply to the services for which the Parties agreed to in the Main Agreement ("Services"), which incorporates the DPA by reference.
- Parties' Roles
- In respect of the Parties' rights and obligations under this DPA regarding the Personal Data, the Parties hereby acknowledge and agree that the Customer is the Controller (as well as, as applicable, the Business or Service Provider, as these terms are defined under the CCPA) and Ballerine is a Processor or Sub-Processor (as well as, as applicable, the Service Provider, as this term is defined under the CCPA), and accordingly:
- Ballerine agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA;
- The Parties acknowledge that the Customer discloses Personal Data to Ballerine only for the performance of the Services and that this constitutes a valid business purpose for the processing of such data.
- If Customer is a Processor, Customer warrants to Ballerine that Customer’s instructions and actions with respect to the Personal Data, including its appointment of Ballerine as another Processor and concluding the Standard Contractual Clauses, have been authorized by the relevant Controller.
- Notwithstanding anything to the contrary in the DPA, Customer acknowledges that Ballerine shall have the right to collect, use and disclose Personal Data:
- collected in the context of providing the Services to Customer for its legitimate internal business purposes including but not limited to for the purposes of billing, record-keeping, account management, support, protection against fraudulent or illegal activity and the prevention of misuse of the Services, for the purpose of compliance with legal obligations, and the establishment, exercise and defense of legal claims.
- collected in the context of using the Services, for the purpose of analytics, market research, product improvement and development, provided however that the foregoing shall be based on the processing of aggregated or anonymized information.
- To the extent any data referred to under section 3(3) above is considered Personal Data, then Ballerine shall be deemed to be an independent Controller of such data under Data Protection Laws, and its Processing shall be outside the scope of this DPA.
- Compliance with Laws
- Each Party shall comply with its respective obligations under the Data Protection Law.
- Ballerine shall provide reasonable cooperation and assistance to Customer in relation to Ballerine's processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under the Data Protection Law.
- Ballerine agrees to notify Customer promptly if it becomes unable to comply with the terms of this DPA and take reasonable and appropriate measures to remedy such non-compliance.
- Throughout the duration of the DPA, Customer represents and warrants that:
- Personal Data has been and will continue to be collected, processed and transferred by Customer to Ballerine in accordance with the relevant provisions of the Data Protection Laws;
- Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Ballerine and shall provide Ballerine only instructions that are lawful under Data Protection Laws;
- the processing of Personal Data by Ballerine for the Permitted Purposes, as well as any instructions to Ballerine in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Law; and that
- The Customer has informed Data Subjects of the processing and transfer of Personal Data pursuant to the DPA and obtained any relevant consents or established other lawful grounds thereto (including without limitation any consent required in order to comply with the Processing Instructions and the Permitted Purposes).
- Processing Purpose and Instructions
- The subject matter of the processing, the nature and purpose of the processing, the type of personal data and categories of Data Subjects, shall be as set out in the Main Agreement, or in the attached Annex 1, which is incorporated herein by reference.
- Ballerine shall process Personal Data only for the Permitted Purposes and in accordance with Customer’s written Processing Instructions (unless waived in a written requirement), the Main Agreement and the Data Protection Law, unless Ballerine is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Ballerine shall promptly inform Customer if, in Ballerine's opinion, an instruction is in violation of Data Protection Laws.
- To the extent that the Processing Instructions may result in the Processing of any Personal Data outside the scope of the Main Agreement or the Permitted Purposes, then such Processing will require prior written agreement between Ballerine and Customer, which may include any additional fees that may be payable by Customer to Ballerine for carrying out such Processing Instructions. Additional instructions of the Customer outside the scope of the Main Agreement shall also require a prior and separate agreement between Customer and Ballerine, including an agreement on additional fees (if any) payable to Ballerine for executing such instructions.
- Ballerine shall not sell, retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Services or outside of the direct business relationship between the Parties, including for a commercial purpose other than providing the Services, except as required under the Data Protection Laws, or as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA (as applicable), as reasonably determined by Ballerine. Ballerine's performance of the Services may include disclosing Personal Data to Sub-Processors where this is relevant in accordance with this DPA.
- Reasonable Security and Safeguards
- Ballerine agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed or processed by Ballerine in connection with this DPA, and (ii) to protect such data from Security Incidents. Such Security Measures are set out in Annex 2.
- The Security Measures are subject to technical progress and development and Ballerine may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by Customer.
- Ballerine shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to and processes Personal Data. Ballerine shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Ballerine is responsible for performing its obligations under the DPA in a manner which enables Ballerine to comply with Data Protection Law, including implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- Security Incidents
- Upon becoming aware of a Security Incident, Ballerine will notify Customer without undue delay and will provide information relating to the Security Incident as reasonably requested by Customer. Ballerine will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Security Incident.
- Security Assessments and Audits
- Ballerine audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted by Ballerine's internal audit team or by third party auditors engaged by Ballerine, and will result in the generation of an audit report (“Report”), which will be Ballerine's confidential information.
- Ballerine shall, upon reasonable and written notice and subject to obligations of confidentiality, no more than once a year and in normal business hours, allow its data processing procedures and documentation to be inspected by Customer (or its designee), at Customer's expense, in order to ascertain compliance with this DPA; Ballerine shall cooperate in good faith with such audit requests by providing access to relevant knowledgeable personnel and documentation.
- At Customer’s written request, and subject to obligations of confidentiality, Ballerine may satisfy the requirements set out in this section by providing Customer with a copy of the Report so that Customer can reasonably verify Ballerine's compliance with its obligations under this DPA.
- Cooperation and Assistance
- If Ballerine receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Main Agreement, including requests from individuals seeking to exercise their rights under applicable Data Protection Law, Ballerine will promptly redirect the request to Customer. Ballerine will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Ballerine is required to respond to such a request, Ballerine will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so. The Customer is responsible for verifying that the requestor is the data subject whose information is being sought. Ballerine bears no responsibility for information provided in good faith to Customer in reliance on this subsection.
- If Ballerine receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, Ballerine shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. It is hereby clarified however that if no such response is received from Customer within three (3) business days (or otherwise any shorter period as dictated by the relevant law or authority), Ballerine shall be entitled to provide such information.
- Notwithstanding the foregoing, Ballerine will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data. Customer shall cover all costs incurred by Ballerine in connection with its provision of such assistance.
- Upon reasonable notice, Ballerine shall:
- taking into account the nature of the processing, provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject's rights, at Customer’s expense;
- provide reasonable assistance to the Customer in ensuring Customer’s compliance with its obligation to carry out data protection impact assessments or prior consultations with data protection authorities with respect to the processing of Personal Data, provided, however, that if such assistance entails material costs or expenses to Ballerine, the Parties shall first come to agreement on Customer reimbursing Ballerine for such costs and expenses.
- Use of Sub-Processors
- Customer provides a general authorization to Ballerine to appoint (and permit each Sub-Processor appointed in accordance with this Clause to appoint) Processors and/or Sub Processors in accordance with this Clause.
- Ballerine may continue to use those Sub-Processors already engaged by Ballerine as at the date of this DPA, subject to Ballerine, in each case as soon as practicable, meeting the obligations set out in this Clause.
- Ballerine can at any time appoint a new Sub-Processor provided that Customer is given ten (10) days' prior notice (such notice may be given through Ballerine's Services) and the Customer does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor's non-compliance with Data Protection Laws. If, in Ballerine's reasonable opinion, such objections are legitimate, Ballerine shall either refrain from using such Sub-Processor in the context of the processing of Personal Data or shall notify Customer of its intention to continue to use the Sub-Processor. Where Ballerine notifies Customer of its intention to continue to use the Sub-Processor in these circumstances, Customer may, by providing written notice to Ballerine, terminate the affected portion of the Main Agreement.
- With respect to each Sub-Processor, Ballerine shall ensure that the arrangement between Ballerine and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection as those set out in this DPA and meets the requirements of Data Protection Laws.
- Ballerine will be responsible for any acts or omissions by its Sub-Processors, which may cause Company to breach any of its obligations under this DPA.
- Ballerine will only disclose Personal Data to Sub-Processors for the specific purposes of carrying out the Services on Ballerine's behalf.
- Transfer of EEA resident Personal Data outside the EEA
- To the extent that Ballerine processes Personal Data outside the EEA, then the Parties shall be deemed to enter into the Standard Contractual Clauses, subject to any amendments contained in Exhibit A, in which event the Customer shall be deemed as the Data Exporter and Ballerine shall be deemed as the Data Importer (as these terms are defined therein).
- Ballerine may transfer Personal Data of residents of the EEA outside the EEA, UK or an Approved Jurisdiction ("Transfer"), only subject to the following:
- the Transfer is necessary for the purpose of Ballerine carrying out its obligations under the Main Agreement, or is required under applicable laws; and
- the Transfer is: (i) subject to appropriate safeguards (for example, through the use of the Standard Contractual Clauses, or other applicable frameworks), or (ii) in accordance with any of the exceptions listed in the Data Protection Law (in which event Customer will inform Ballerine which exception applies to each Transfer and will assume complete and sole liability to ensure that the exception applies).
- Data Retention and Destruction
- Ballerine will only retain Personal Data for the duration of the Main Agreement or as required to perform its obligations under the Agreement, or as otherwise required to do so under applicable laws or regulations. Following expiration or termination of the Main Agreement, Ballerine will delete or return to Customer all Personal Data in its possession as provided in the Main Agreement, except to the extent Ballerine is required under applicable laws to retain the Personal Data. The terms of this DPA will continue to apply to such Personal Data. This section shall not apply to the activities that are the subject matter of section 3(1) herein.
- Notwithstanding the foregoing, Ballerine shall be entitled to retain Personal Data following the termination of this DPA for statistical, legal or financial purposes provided that where possible, Ballerine maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal Data.
- General
- Any claims brought under this DPA will be subject to the terms and conditions of the Main Agreement, including any exclusions and limitations set forth therein.
- In the event of a conflict between the Main Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
- Ballerine may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the Parties; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Ballerine. Ballerine will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If the Customer continues to use the Services after the effective date of any such change, this will constitute the Customer’s acceptance of and agreement to the updated DPA.
- By signing the Main Agreement, utilizing the Services, and/or accessing or using Ballerine’s platform, website, or products in any manner, you acknowledge that you have read, understood, and agree to be bound by this DPA. If you do not agree to this DPA, you must not access or use the Services.
- Your use of the Service constitutes your agreement to this DPA. This agreement is legally binding, even though it is not signed in a physical or electronic format.
Exhibit A - SCC
- If Company is a controller – the Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module 2); if Company is a processor – the Parties shall be deemed to enter into the Processor to Processor Standard Contractual Clauses (Module 3).
- This Exhibit A sets out the Parties' agreed interpretation of their respective obligations under Module 2 or Module 3 of the Standard Contractual Clauses (as applicable).