Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Agreement between SoundStack, Inc. (“SoundStack”) and the Customer (together, the “Parties”). This DPA sets forth Customer’s instructions for the processing of Personal Data in connection with the Services provided under the Agreement and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Agreement, this DPA will govern to the extent of the conflict.
1. DEFINITIONS.
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in Privacy Laws.
“Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time.
“EU/UK Privacy Laws” means, as applicable: (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Personal Data” means any information SoundStack processes on behalf of Customer to provide the Services that is defined as “personal data” or “personal information” or “personally identifiable information” under any Privacy Law domestic or international.
“Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
“Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.
“US Privacy Laws” means, as applicable and effective under applicable law, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”), Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Florida Digital Bill of Rights, Iowa Consumer Data Protection Act, Maryland Online Data Privacy Act, Minnesota Consumer Data Privacy Act, Montana Consumer Data Privacy Act, Nebraska Data Privacy Act, New Hampshire Privacy Act, New Jersey Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and any similar law of any other state related to the processing of Personal Data.
2. ROLES OF THE PARTIES.
The Parties acknowledge that for purposes of Privacy Laws:
Customer is the “controller,” “business,” or any similar term provided under Privacy Laws;
With respect to SoundStack Platform Services (as defined in the Order), SoundStack is a “service provider,” “processor” or any similar term provided under Privacy Laws; and
With respect to SoundStack Advertising & Monetization services including, without limitation, SoundStack Marketplace and SoundStack Monetize, SoundStack is a “controller,” “business,” or any similar term provided under Privacy Laws.
3. DETAILS OF PROCESSING.
The Parties agree that the details of processing are as described in Annex 1.
4. CUSTOMER OBLIGATIONS.
Customer shall comply with all Privacy Laws in providing Personal Data to SoundStack in connection with the Services. Customer represents and warrants that: (a) the Privacy Laws applicable to Customer do not prevent SoundStack from fulfilling the instructions received from Customer and performing SoundStack’s obligations under this DPA; (b) with respect to Personal Data provided by Customer to SoundStack, the Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Customer has a lawful basis for disclosing the Personal Data to SoundStack and enabling SoundStack to process the Personal Data as set out in this DPA. Customer shall notify SoundStack without undue delay if Customer determines that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, SoundStack shall not be required to continue processing such Personal Data.
5. PROCESSOR OBLIGATIONS.
Where SoundStack operates as a “service provider” or “processor”, SoundStack shall comply with this section 5.
Processing of Personal Data. In processing Personal Data as a “service provider” or “processor” under the Agreement, SoundStack shall:
only process Personal Data on documented instructions provided by email from Customer, for the limited and specific purpose described in Annex 1, and at all times in compliance with Privacy Laws, unless required to process such Personal Data by applicable law to which SoundStack is subject; in such a case, SoundStack shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
notify Customer (i) without undue delay if it makes a determination that it can no longer meet its obligations under applicable US Privacy Laws, and (ii) immediately if, in SoundStack’s opinion, an instruction of Customer infringes applicable EU/UK Privacy Laws;
to the extent required by Privacy Laws, and upon receipt of reasonable written notice (of at least 30 calendar days) that Customer reasonably believes SoundStack is using Personal Data in violation of Privacy Laws or this DPA, grant Customer the right to take reasonable and appropriate steps to help ensure that SoundStack uses the Personal Data in a manner consistent with Customer’s obligations under Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and
require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data.
CCPA. To the extent any data processed by SoundStack as a “Service Provider” is deemed “Personal Information” (as such term is defined under the CCPA) and is subject to the CCPA, SoundStack agrees not to: (a) “sell” or “share” the Personal Information as such terms are defined under the CCPA; (b) retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services or as otherwise expressly permitted under the Agreement including retaining, using or disclosing the Personal Information for a commercial purpose other than the business purposes specified in this DPA or the Agreement, or as otherwise permitted by the CCPA; (c) retain, use or disclose the Personal Information outside of the direct business relationship with Customer; (d) combine Personal Information it receives from Customer with Personal Information it receives from or on behalf of another person or collects from its own interactions with consumers, except where required to provide the Services provided it is permitted under the CCPA.
Business Purposes. In accordance with the CCPA, Service Provider may engage in the following Business Purposes:
Auditing consumer transactions, including, but not limited to, measuring advertising performance to unique visitors.
Detecting and protecting against malicious, deceptive, fraudulent, or illegal advertising activity.
Identifying and repairing errors that impair existing intended functionality.
Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer.
Providing analytic, advertising, or marketing-related services.
Undertaking internal research for technological development and demonstration.
Use of Sub-processors. To the extent SoundStack engages any sub-processors to process Personal Data on its behalf:
Customer authorizes SoundStack to appoint sub-processors in accordance with this section 5.3 and any restrictions in the Agreement. SoundStack may continue to use those sub-processors already engaged by SoundStack as at the date of this DPA. To the extent required by applicable Privacy Laws, SoundStack will provide Customer with a list of its sub-processors upon request.
If SoundStack appoints a new sub-processor or intends to make any changes concerning the addition or replacement of any sub-processor, it shall provide Customer with 30 business days’ prior written notice, during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the sub-processor’s compliance with Privacy Laws (and if Customer does not so object, SoundStack may proceed with the appointment or replacement).
SoundStack shall engage sub-processors only pursuant to a written agreement that imposes on the sub-processor obligations which are substantially similar to the obligations on SoundStack under this DPA.
In the event SoundStack engages a sub-processor to carry out specific processing activities on behalf of Customer pursuant to applicable Privacy Laws where that sub-processor fails to fulfill its obligations, SoundStack shall remain fully liable under applicable Privacy Laws to Customer for the performance of that sub-processor’s obligations.
Assistance. To the extent required by Privacy Laws, and taking into account the nature of the processing, SoundStack shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide reasonable assistance to Customer, through appropriate technical and organizational measures, in:
upon Customer’s request, responding to requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting, or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible;
implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure;
notifying relevant competent authorities and/or affected individuals of Personal Data breaches; and
conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities.
6. CONTROLLER OBLIGATIONS.
Where SoundStack operates as a “controller” or “business” (hereinafter referred to as “Controller”), SoundStack shall comply with this section 6. Each Party:
is an independent Controller of Personal Data under the Privacy Laws, and will not process Personal Data as joint controllers.
will individually determine the purposes and means of its processing of Personal Data.
is responsible for its own compliance with applicable Privacy Laws, including as relates to notifying Data Subjects of its processing of their Personal Data and how they may exercise their rights, and obtaining any required consents.
will comply with the obligations applicable to it under the Privacy Laws with respect to the processing of Personal Data.
7. ANONYMIZED DATA.
SoundStack may aggregate and/or anonymize Personal Data such that it no longer constitutes Personal Data under Privacy Laws and process such data for its own purposes. To the extent SoundStack receives de-identified data (as such term is defined under applicable Privacy Laws) from Customer and to the extent required by Privacy Laws, SoundStack shall: (i) take commercially reasonable measures to ensure that the data cannot be associated with an identified or identifiable individual; (ii) publicly commit to maintain and use the data only in a de-identified form and not attempt to re-identify the data; and (iii) otherwise comply with applicable Privacy Laws with respect to such de-identified data.
8. SECURITY MEASURES.
SoundStack shall, taking into account the technology, costs of implementation and the nature, scope, context and purpose of the processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 2, or otherwise agreed and documented between Customer and SoundStack from time to time. To the extent required by Privacy Laws, SoundStack shall without undue delay, and at the latest within 72 hours of becoming aware of the Data Breach (as defined below), notify Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (“Data Breach”), with further information about the breach provided in phases as more details become available.
9. ACCESS AND AUDITS.
Upon reasonable request of Customer, SoundStack shall make available to Customer such information in its possession as is reasonably necessary to demonstrate SoundStack’s compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer and reasonably accepted by SoundStack. Customer shall be permitted to conduct such an assessment no more than once every 12 months, upon 30 days’ advance written notice to SoundStack, and only after the Parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. As an alternative to an audit performed by or at the direction of Customer, to the extent permitted by Privacy Laws, SoundStack may arrange for a qualified and independent auditor to conduct, at SoundStack’s expense, an assessment of SoundStack’s policies and technical and organizational measures in support of its obligations under Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment (e.g., SOC 2), and will provide a report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall SoundStack be required to give Customer access to information, facilities or systems to the extent doing so would cause SoundStack to be in violation of confidentiality obligations owed to other customers or its legal obligations.
10. DELETION OF PERSONAL DATA.
At Customer’s written direction, SoundStack shall delete or return all Personal Data to Customer as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law.
11. DATA TRANSFERS.
If the Services involve the transfer of Personal Data of Data Subjects in the EEA or the UK to a country or territory outside of those regions which has not received an applicable adequacy decision, the Parties hereby incorporate, and agree to comply with, the Standard Contractual Clauses set out by the European Commission Decision 2021/914/EU and approved for use in data transfers under the UK GDPR, located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en#ntc12-L_2021199EN.01003701-E0012 (the “SCCs”), which are hereby incorporated by reference.
Ex-EEA Transfers. The Parties agree that the transfer of Personal Data outside the EEA that is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR will be made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
Where SoundStack is a “processor”, Module 2 shall apply, and where SoundStack is a “Controller”, Module 1 shall apply;
The optional docking clause in Clause 7 does not apply;
In Clause 9 of Module 2, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be thirty (30) business days;
In Clause 11 of Module 2, the optional language does not apply;
All square brackets in Clause 13 are hereby removed;
In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the member state of Ireland;
In Clause 18(b), disputes will be resolved before the courts of the member state of Ireland;
Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1A, Annex 1B, and Annex 1C attached hereto; and
Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 attached hereto; and
Annex III of the EU SCCs shall be deemed completed with the information set out in Annex 3 attached hereto.
Ex-UK Transfers. The Parties agree that transfers of Personal Data of UK Data Subjects outside the UK that are not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018 are made pursuant to the SCCs as well as the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers located at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ (the “IDTA”). The IDTA is hereby incorporated by reference.
The Parties shall complete Annex 4 of this DPA.
‘Part I: Tables’ of the IDTA shall be deemed completed with the information set out in Annex 4 attached hereto.
12. GENERAL TERMS.
Amendments. SoundStack may modify this DPA at any time if changes are required for SoundStack to continue to process the Personal Data as contemplated by the Agreement or this DPA in compliance with Privacy Laws, or to address the legal interpretation of the Privacy Laws. SoundStack will post notice of such modification on Customer’s individual account in the Platform or provide Customer written notice of such modification, including via email, and any such modification shall automatically go into effect thirty (30) days after it is so posted or such written notice is provided.
Termination and Survival. This DPA and all provisions herein shall remain in effect so long as the Agreement is in effect.
Counterparts. This DPA may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this DPA by executing a counterpart.
Non-compliance. Each Party shall promptly inform the other if it is unable to comply with this DPA. If the non-complying Party cannot comply within a reasonable period of time, or is in substantial or persistent breach of this DPA, the complying Party shall be entitled to remediate the non-compliant action and/or terminate the DPA and the Agreement insofar as it concerns processing of Personal Data.
Ineffective Clause. If individual provisions of this DPA are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
Conflicts. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
Applicable Law and Jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.
ANNEX 1 TO DATA PROCESSING ADDENDUM
LIST OF PARTIES, DESCRIPTION OF TRANSFER & SUPERVISORY AUTHORITY
LIST OF PARTIES:
Data exporter(s): As described in Annex 4.
Data importer(s): As described in Annex 4.
DESCRIPTION OF TRANSFER:
Categories of data subjects whose personal data is transferred
Customer’s personnel, staff, and contractors
Customer’s end-users (i.e. Customer’s listeners) accessing the Digital Properties
Categories of personal data transferred
For Customer’s personnel, staff and contractors:
Full name, email address and other contact details; IP address, device type and other technical information.
For Customer’s end-users (i.e. Customer’s listeners):
Where providing SoundStack Engine services (SS is a Processor): Streaming log data and browser activity data.
Where providing SoundStack Insights services (SS is a Processor): User IP address and User Device type (“User-Agent”)
Where providing SoundStack Marketplace and/or SoundStack Monetize (SS is a Controller): Session ID, Listener ID, User-resettable Advertising ID (e.g., IDFA, AAID, MAID), and User Device approximate GPS coordinates.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A. Customer shall not provide, and SoundStack shall not process on behalf of Customer, any data that is considered “sensitive” or “special category” under Privacy Laws.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis
Nature of the processing
Access, collect, use, disclose, and store Personal Data by SoundStack in providing the applicable services.
Purpose(s) of the data transfer and further processing
To provide the Services as detailed in the Agreement and this DPA. Namely, if applicable, to provide the SoundStack Engine (to provide the broadcasting/streaming platform), the SoundStack Insights (to provide analytics and measurement services), and SoundStack Marketplace and SoundStack Monetize (to provide monetization and advertising services).
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement and any post-termination retention period as set out in the Agreement.
COMPETENT SUPERVISORY AUTHORITY
The Parties designate Ireland as the supervisory authority in accordance with Clause 13.
ANNEX 2 TO DATA PROCESSING ADDENDUM
SECURITY MEASURES
Physical Access Control:
To prevent unauthorized individuals from accessing data processing systems within premises and facilities, including databases, application servers, and related hardware where Personal Data is processed, various technical and organizational measures are implemented. These measures encompass:
Establishment of security areas and restriction of access paths.
Implementation of access authorizations for both employees and third parties.
Deployment of access control systems such as ID readers, magnetic cards, and chip cards.
Management of keys and card-key procedures.
Employment of door locking mechanisms like electric door openers.
Utilization of security staff.
Installation of surveillance facilities, video/CCTV monitors, and alarm systems.
Securing decentralized data processing equipment and personal computers.
Virtual Access Control:
Measures to prevent unauthorized use of data processing systems include:
User identification and authentication procedures.
Implementation of ID/password security procedures with specific requirements.
Automatic blocking features, such as password or timeout settings.
Monitoring and responding to break-in attempts, including automatic user ID turn-off after multiple erroneous password attempts.
Creation of one master record per user and user-master data procedures for each data processing environment.
Encryption of archived data media.
Company protected CAS (Central Access System) required for remote workers.
Data Access Control:
To ensure confidentiality and proper access to Personal Data according to access rights, technical and organizational measures involve:
Internal policies and procedures.
Control authorization schemes.
Default configuration settings.
Differentiated access rights using profiles, roles, transactions, and objects.
Monitoring and logging of accesses.
Disciplinary actions against employees accessing Personal Data without authorization.
Reports of access, access procedures, change procedures, and deletion procedures.
Encryption for added security.
Disclosure Control:
Measures to prevent unauthorized access during electronic transmission, transport, or storage of Personal Data, and to track disclosures, include:
Encryption, pseudonymization, and tunneling.
Logging mechanisms.
Transport security measures.
Entry Control:
To monitor data entries, changes, and removals from data processing systems, technical and organizational measures include:
Logging and reporting systems.
Audit trails and documentation.
Control of Instructions:
Ensuring Personal Data is processed according to the Controller's instructions involves:
Unambiguous contract wording.
Clear written instructions via a scope of work document or MSA addendum.
Formal commissioning through a request form.
Criteria for selecting the Processor.
Availability Control:
Measures to ensure system integrity, availability, and resilience, protecting Personal Data against accidental destruction or loss, include:
Backup procedures.
Disk mirroring (e.g., RAID technology).
Uninterruptible power supply (UPS).
Remote storage solutions.
Software patching procedures and policies.
Anti-virus/firewall systems.
Disaster recovery plans for physical or technical incidents.
Separation Control:
To process Personal Data collected for different purposes separately, measures include:
Separation of databases.
Implementation of the "Internal client" concept/limitation of use.
Segregation of functions (production/testing).
Procedures for storage, amendment, deletion, and transmission of data for different purposes.
Testing Controls:
Measures to test, assess, and evaluate the effectiveness of security measures include:
Periodical review and testing of disaster recovery plans.
Testing and evaluating software updates before installation.
Authenticated (with elevated rights) vulnerability scanning.
IT Governance:
Measures to enhance overall IT management and ensure alignment with compliance efforts include:
Certification/assurance of processes and products.
Processes for data minimization.
Processes for data quality.
Processes for limited data retention.
Processes for ensuring accountability.
Data subject rights policies.
These measures apply to all transfers described in this DPA.
ANNEX 3 TO DATA PROCESSING ADDENDUM
LIST OF SUB-PROCESSORS
Customer can request a list of sub-processors by emailing [email protected]
ANNEX 4 TO DATA PROCESSING ADDENDUM
IDTA ADDENDUM
Table 1: Parties
| Start date | Effective Date of the Agreement | Effective Date of the Agreement |
|---|---|---|
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Full legal name: Customer Legal Name as detailed in the Order; Main address: As detailed in the Order | Full legal name: SoundStack, Inc.; Main address: 6360 Broad Street #5398, Pittsburgh, PA 15206 |
| Key Contact | As detailed in the Order | [email protected] |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, including the Appendix Information, with the modules, clauses, or optional provisions of the Approved EU SCCs as detailed in section 11 of the DPA. Date: The Effective Date of the Agreement |
|---|---|
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Either Party may end this Addendum as set out in Section 19 |
|---|---|