This Data Processing Addendum (“Addendum”) is entered into by and between Doppler Technologies, Inc., a California corporation with its primary place of business at 340 S. Lemon Avenue #5880 Walnut, CA 91789 (“Doppler”), and the legal entity using Doppler’s platform (“Customer”) pursuant to the Doppler Terms of Service executed concurrently herewith available at https://doppler.com/legal/terms, as updated from time to time, or any other agreement between Customer and Doppler governing Customer’s use of the Services (defined below), as applicable (the “Agreement”). Doppler and Customer are hereinafter referred to from time to time individually as “party” and collectively as “parties.”
The parties acknowledge that the terms of this Addendum, including the Appendices, are incorporated into and form part of the Agreement. Capitalized terms have the meaning given to them in the Agreement unless defined elsewhere in this Addendum. Where this Addendum uses terms that are defined in Applicable Data Protection Law (defined below), those terms shall have the same meaning as given to those terms (or an equivalent term) in the applicable law.
In the event and to the extent of a conflict between the provisions of the Agreement and this Addendum, this Addendum will prevail. Except as expressly set forth in this Addendum, all other provisions of the Agreement will remain in full force and effect. To the extent that the 2021 SCCs (defined below) or the 2010 SCCs (defined below) are incorporated herein, such SCCs shall take precedence over both this Addendum and the Agreement to the extent necessary to resolve the conflict or inconsistency. For the avoidance of doubt, execution of the Agreement shall be deemed to constitute signature and acceptance of this Addendum and any SCCs incorporated herein.
- 1.1. “Affiliate” means any business entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with a party to the Agreement. For purposes of this definition, “control” means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data under the Agreement. For the sake of clarity, Applicable Data Protection Law includes, without limitation (1) data protection laws and regulations of the European Union, the European Economic Area and their member states and Switzerland; (2) data protection laws and regulations of the United Kingdom; and (3) data protection laws and regulations of the United States and its individual states.
- “Authorized Users” means individuals who have created an account to access the Services pursuant to the Agreement. Authorized Users include employees and contractors designated by Customer to receive access to the Services as well as employees and contractors of any Affiliates authorized to access the Services under the Agreement.
- “Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers (module 2), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Customer” means the Customer entities or Affiliates that are party to the Agreement.
- “Customer Account Data” means personal data that relates to Customer’s relationship with Doppler and for which Doppler determines the means and purposes of processing.
- “Customer Information” means any personal data that is (i) provided or made available or accessible to Doppler or its Sub-processors by or on behalf of Customer or a controller for whom Customer acts as a processor; and/or (ii) generated by Doppler or its Sub-processors in the performance of the Agreement.
- “Customer Usage Data” means any data relating to Customer’s use, support, and/or operation of the Services which is used by Doppler in an aggregated and anonymous manner.
- “Data Protection Supervisory Authority” means a supervisory authority or other government body responsible for the administration, implementation, and/or enforcement of Applicable Data Protection Law and includes, without limitation, competent supervisory authorities of the European Union (“EU”) and its member states, the Swiss Federal Data Protection Authority, and the United Kingdom (“UK”) Information Commissioner’s Office.
- 1.10. “Data Transfer” means any situation in which Customer Information is transferred, either directly or via onward transfer to a Third Country.
- 1.11. “Elections” means, with respect to the 2021 SCCs, (i) for purposes of clause 9(a), option 2 applies and the specified time period is the time period required under Section 5 (Sub-processing) of this Addendum for notice of change of a Sub-processor; (ii) for purposes of clause 11, the independent dispute resolution option does not apply; (iii) for purposes of clause 17, option 2 is selected, provided if the EU Member State in which the data exporter is established does not allow for third-party beneficiary rights, then the law of Ireland shall govern; and (iv) as pertains to clause 18(b), the courts of the EU Member State in which the data exporter is established shall be the choice of forum and jurisdiction.
- 1.12. “European Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
- 1.13. “Europe” means, for the purposes of this Addendum, the European Union (“EU”), the European Economic Area (“EEA”), and/or their member states, Switzerland, and the United Kingdom (“UK”).
- 1.14. “Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers (module 3), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- 1.15. “Security Incident” means any confirmed or reasonably suspected unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Information on systems managed or otherwise controlled by Doppler.
- 1.16. “Sensitive Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, data relating to criminal convictions or offenses, or other information that falls within the definition of “special categories of data” (or an equivalent term) under Applicable Data Protection Law.
- 1.17. “Services” means the Services Doppler is providing pursuant to the Agreement.
- 1.18. “Sub-processor(s)” means any person or entity engaged by Doppler or its Affiliates to perform Doppler’s obligations under the Agreement.
- 1.19. “Third Country” means a country outside of Europe not recognized by the European Commission as providing an adequate level of protection for personal data under European Data Protection Law.
- 1.20. “UK Personal Data” means Customer Information, the processing of which is within the territorial scope of the data protection, privacy, or security laws of the UK.
- 1.21. “2010 SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection adopted pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses, excluding the option clauses, and on the basis that Appendix 1 of this Addendum operates as Annex I to the 2010 SCCs and Appendix 2 of this Addendum operates as Annex II to the 2010 SCCs.
- 1.22. “2021 SCCs” means (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses, as applicable in accordance with Section 2.1 (Scope and Role of the Parties), including the Elections and on the basis that Appendix 1 of this Addendum operates as Annex I to the 2021 SCCs and Appendix 2 of this Addendum operates as Annex II to the 2021 SCCs.
2. Processing of Personal Data:
- Scope and Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Information, Doppler will act as processor to Customer, who may act as either a controller or a processor. Each party shall comply with its obligations under Applicable Data Protection Law, and this Addendum, when processing Customer Information. When Customer is acting as a controller, the Controller-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. When Customer is acting as a processor, the Processor-to-Processor Clauses will apply to any Data Transfer that occurs pursuant to the Agreement. Customer agrees that it is unlikely that Doppler will know the identity of Customer’s controllers, if any, because Doppler has no direct relationship with Customer’s controllers. Therefore, Customer agrees that it will fulfill Doppler’s obligations to Customer’s controllers under the Processor-to-Processor Clauses. For the avoidance of doubt, this Addendum does not apply to Customer Usage Data or Customer Account Data.
- Customer Instructions. Doppler shall process Customer Information only in accordance with Customer’s documented lawful instructions as set forth in (i) the Agreement, including this Addendum and any applicable order forms; (ii) as necessary to comply with applicable law; or (iii) as otherwise agreed in writing or as initiated by Authorized Users in their use of the Services (including via configuration tools and APIs made available through the Services) (“Permitted Purposes”). Customer may give additional instructions throughout the term of the Agreement. Doppler shall immediately inform Customer if it is unable to follow those instructions.
- Customer Obligations. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, in respect of its processing of Customer Information and any processing instructions it issues to Doppler; and (ii) it has, and will continue to have, the right to transfer, or provide access to, the personal data to Doppler for processing in accordance with the terms of the Agreement and this Addendum. Customer shall have the sole responsibility for the accuracy, quality, and legality of Customer Information and the means by which Customer acquired Customer Information. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Law) applicable to any content created, sent, or managed through the Services. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject that has opted-out from the sale or other disclosure of his or her personal data.
- Lawfulness of Instructions. Customer acknowledges that Doppler is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Doppler’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that its instructions comply with Applicable Data Protection Law and Doppler’s processing of the Customer Information in accordance with Customer’s instructions will not cause Doppler to violate any applicable law, regulation, or rule, including without limitation Applicable Data Protection Law. Doppler will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law.
- Doppler Personnel. Doppler shall grant access to Customer Information to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the agreement. It will further ensure that any person it authorizes to process the Customer Information shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- Accuracy. Customer agrees that it is unlikely that Doppler would become aware that Customer Information it has received is inaccurate or outdated. Nonetheless, if Doppler does become aware that Customer Information it has received is inaccurate, or has become outdated, it shall inform Customer without undue delay and shall cooperate with Customer to erase or rectify the data.
- Return or Deletion of Customer Information. Doppler shall only process Customer Information for the duration specified in Appendix 1.B. Upon Customer's request or upon termination or expiration of the Agreement, Doppler agrees, at Customer’s option, exercised by delivery to Doppler in writing of its instruction, to either deliver to Customer or destroy in a manner that prevents Customer Information from being reconstructed any Customer Information and any copies thereof in Doppler's control or possession, except that this requirement shall not apply to the extent Doppler is required by applicable law to retain some or all of the Customer Information or to Customer Information it has archived on back-up systems, which Customer Information Doppler shall securely isolate, protect from any further processing, and eventually delete in accordance with Doppler’s deletion policies, except to the extent required by applicable law.
- No Sale of Information. Doppler will not sell Customer Information, nor retain, use, or disclose Customer Information for any commercial purpose other than providing the Services. Doppler will not disclose Customer Information outside the scope of the Agreement. Doppler understands its obligations under Applicable Data Protection Law and will comply with them.
3. Responding to Data Subjects and Other Requests:
- Assistance Provided to Customer. Doppler provides Customer with several self-help features and tools within the Services. Customer may use these self-help features and tools to honor requests from data subjects to exercise their rights under Applicable Data Protection Law. To the extent Customer, in its ordinary use of the Services, does not have the ability to address a data subject request to exercise their rights under Applicable Data Protection Law, Doppler shall, upon Customer’s written request, provide commercially reasonable assistance to Customer in responding to such data subject request. If complying with Customer’s request for assistance will require Doppler to expend significant resources, such assistance shall be at Customer’s expense (scoped in advance).
- Handling Requests Made Directly to Doppler. In the event that any request, correspondence, enquiry or complaint from a data subject, regulator, or third party, including, but not limited to law enforcement, is made directly to Doppler in connection with Doppler’s processing of Customer Information, Doppler shall promptly inform Customer providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Doppler shall not respond to any such request, inquiry, or complaint without Customer’s prior written consent. In the case of a legal demand for disclosure of Customer Information in the form of a subpoena, search warrant, court order or other compulsory disclosure request, Doppler shall attempt to redirect the requesting party or agency to request disclosure from Customer. Customer agrees that Doppler may provide Customer’s basic contact information for this purpose. If Doppler is unable to redirect the requesting party or agency, Doppler shall act in accordance with its obligations under the 2010 SCCs or 2021 SCCs, as applicable, incorporated herein. For the avoidance of doubt, nothing in the Agreement, including this Addendum shall restrict or prevent Doppler from responding to any data subject or other requests in relation to personal data for which Doppler is a controller.
- Data Protection Impact Assessments. If Doppler believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of data subjects, Doppler shall inform Customer and (taking into account the nature of the processing and the information available to Doppler) provide commercially reasonable cooperation to Customer in connection with any data protection impact assessment or consultations with Data Protection Supervisory Authorities that may be required under Applicable Data Protection Law. Doppler shall comply with the foregoing by: (i) complying with Section 4.7 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer’s expense (scoped in advance).
- Technical and Organizational Measures. Doppler has implemented and will maintain appropriate technical and organizational security measures designed to preserve the security and confidentiality of Customer Information in accordance with Doppler’s security standards described in Appendix 2 (“Security Measures”).
- Updates to Security Measures. Customer is responsible for reviewing the information Doppler makes available regarding its data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations, including its legal obligations under Applicable Data Protection Law. Customer acknowledges that the Security Measures are subject to technical progress and development and that Doppler may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services provided to Customer.
- Security Incident Response. Doppler shall, to the extent permitted by law, notify Customer without undue delay of any reasonably suspected or actual Security Incident which affects Customer Information. Such notification will be delivered to one or more of Customer’s business or administrative contacts by any means Doppler selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information in the Services and under the Agreement at all times. The notice shall summarize in reasonable detail the nature and scope of the Security Incident, to the extent known, and the corrective action already taken or to be taken by Doppler. Furthermore, Doppler shall provide timely information relating to the Security Incident as it becomes known or as reasonably requested by Customer and shall promptly take reasonable steps to remedy or mitigate the effect of any Security Incident. Doppler’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Doppler of any fault or liability with respect to the Security Incident. The parties will collaborate on whether any notice of breach is required to be given to any person, and if so, the content of that notice. Unless prohibited by an applicable statute or court order, Doppler shall also notify Customer of any third-party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity.
- Unsuccessful Security Incidents. Customer agrees that an unsuccessful Security Incident will not be subject to Section 4.3 (Security Incident Response). An unsuccessful Security Incident is one that results in no unauthorized access to Customer Information or to any of Doppler’s equipment or facilities used to store or process Customer Information and could include, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-in attempts or invalid URLs, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.
- Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided in this Addendum, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, using the Services strictly as permitted under the Agreement, and using features and functionalities made available by Doppler to maintain appropriate security in light of the nature of the data processed.
- Documentation and Compliance. The parties acknowledge that Customer must be able to assess Doppler’s compliance with its obligations under Applicable Data Protection Law and this Addendum. To facilitate such assessment, Doppler will keep appropriate documentation on the processing activities carried out on behalf of Customer under the Agreement, and upon written request, make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this Addendum.
- Audits. To the extent that Doppler is unable to demonstrate its compliance with Applicable Data Protection Law and this Addendum through appropriate documentation as described in Section 4.6 (Documentation and Compliance) above, then, upon Customer’s written request and subject to the confidentiality obligations set forth in the Agreement, Doppler shall allow for and contribute to audits and inspections conducted by Customer (or Customer’s independent, third-party auditor that is not a competitor of Doppler). Audits shall occur at most annually or more frequently (i) in response to a demand from a Data Protection Supervisory Authority, (ii) following notice of a Security Incident, or (iii) as a follow-up to a duly conducted annual audit. Audits must be preceded by thirty (30) days advance written notice, must be conducted during Doppler’s normal business hours, and must be limited to systems and procedures within Doppler’s control and relevant to Doppler’s processing of Customer Information. Doppler will make its personnel, records, and similar items available upon fewer than thirty (30) days advance notice, but no less than reasonable notice if (i) requested by a Data Protection Supervisory Authority pursuant to an audit or Customer or (ii) following notice of a Security Incident. In lieu of such an audit, in the event that Doppler independently obtains third-party annual audits of its privacy and security program, Customer agrees that Doppler may satisfy its obligations under this Section 4.7 (Audits), by making available to Customer a copy of Doppler’s then most recent third-party audit report. Such audit reports will be made available to Customer upon Customer’s written requests, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement. If any audit reveals any material vulnerability, Doppler shall take commercially reasonable steps to correct such vulnerability.
- Authorized Sub-processors. Doppler has Customer’s general authorization to engage third-party Sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. The Sub-processors Doppler currently engages to carry out processing activities can be found here. At least ten (10) business days prior to engaging or removing any Sub-processor, Doppler will update this list and provide Customer with a mechanism to obtain notice of that update. Customer may object in writing to Doppler's appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Doppler will, in its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the Agreement without liability to either party, in which case, however, and notwithstanding anything to the contrary in this Addendum, the applicable SCCs or the Agreement, Doppler shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.
- Sub-processor obligations. Doppler shall: (i) conduct appropriate due diligence on each Sub-processor it engages to perform services on its behalf; (ii) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Information as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (iii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause Doppler to breach any of its obligations under this Agreement.
6. International Data Transfers:
- Data Center Locations. Customer understands and acknowledges that Customer Information may be transferred to and processed in the United States or in any country in which Doppler or its Sub-processors have operations. Doppler shall notify Customer at least ten (10) business days prior to adding or replacing a Sub-processor in the same manner provided for notification under Section 5.1 (Authorized Sub-processors) above. Customer may object in writing to Doppler’s changes as per the above, provided such objection is based on reasonable grounds relating to data protection (including, but not limited to, changes of location for processing (including access) from within Europe to the United States or another non-Europe country). In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Doppler will, in its sole discretion, either not proceed with the change, or permit Customer to suspend or terminate the Agreement without liability to either party in which case, however, and notwithstanding anything to the contrary in this Addendum, the applicable SCCs, or the Agreement, Doppler shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing. Doppler shall ensure that such transfers comply with the requirements of Applicable Data Protection Law.
- European Data Transfers. To the extent that Doppler receives Customer Information protected by European Data Protection Laws, Doppler agrees to abide by and process such data in compliance with the 2010 or 2021 SCCs, as applicable, which are incorporated herein in full and form an integral part of this Addendum. For the purposes of such SCCs: (i) Doppler is the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may be an entity located outside of Europe); (ii) Appendixes 1 and 2 of this Addendum shall replace Appendixes 1 and 2 (or Annexes I and II to the Appendix, as applicable) and (iii) if the 2021 SCCs apply, then they shall be applied giving effect to the Elections. For the avoidance of doubt, the 2010 SCCs shall apply to any Data Transfer pursuant to the Agreement that involves UK Personal Data.
7. Limitation of Liability:
- Liability Cap. Each party and all of its Affiliates’ liability to the other party and its Affiliates, taken together arising out of or related to this Addendum, including the 2010 or 2021 SCCs, as applicable, shall be subject to the exclusions and limitations of liability set forth in the Agreement. For the avoidance of doubt, Doppler and its Affiliates’ total liability for all claims from Customer arising out of or relating to the Agreement or this Addendum shall apply in aggregate.
- Liability to Data Subjects. Nothing in Section 7.1 (Liability Cap) shall alter the parties’ liability to data subjects as provided for in either the 2010 or 2021 SCCs (as applicable). Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation by it of Applicable Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of the responsibility for the damage. Notwithstanding the foregoing, with respect to processing of personal data subject to either the 2010 or 2021 SCCs as provided herein, the allocation of liability to data subjects as between the parties shall be governed by the applicable SCCs taking into consideration that both parties agree that Customer will be liable to data subjects for the entire damage resulting from a violation of European Data Protection Law with regard to processing of personal data for which it is a controller, and that Doppler will only be liable to data subjects for the damage resulting from a violation of the obligations of European Data Protection Law directed to processor where it has acted outside of or contrary to Customer’s lawful instructions or violated this Addendum. Doppler will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
8. Modification and Termination of this Addendum: This Addendum shall remain in effect until the later of (i) termination of the Agreement or (ii) such time as Doppler no longer processes any Customer Information on behalf of Customer. Failure to comply with any of the material provisions of this Addendum is considered a material breach of the Agreement. In the event of termination, Doppler will return or destroy data pursuant to Section 2.7 (Return or Deletion of Customer Information). Doppler may update the terms of this Addendum from time to time; provided, however, Doppler will provide at least thirty (30) days prior written notice to Customer of any proposed update. In the event that a competent Data Protection Supervisory Authority for the UK issues alternative SCCs for Data Transfers, (i) Doppler may, upon giving notice in accordance with this Section 8 (Modification and Termination of this Addendum) amend this Addendum to replace the 2010 SCCs referred to herein with such alternative SCCs and any such amendments or supplemental provisions as deemed necessary by Doppler for the purposes of this Addendum and (ii) from the date of such notice, any reference in this Addendum to the 2010 SCCs shall be deemed to refer to such alternative SCCs. The then-current terms of this Addendum are available at [URL].
9. Entire Agreement; Conflict: This Addendum supersedes and replaces all prior and contemporaneous agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Customer and Doppler. If there is any conflict between this Addendum and any agreement, including the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the 2010 or 2021 SCCs (as applicable) and their Annexes; then (b) this Addendum and its Appendices; then (c) the Agreement.
10. Invalidity and Severability:
10.1 General. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid and unenforceable, the invalidity or unenforceability of such provision shall not aﬀect any other provision of this Addendum and all provisions not aﬀected by such invalidity or unenforceability will remain in full force and eﬀect.
10.2 Invalidity of SCCs. If the SCCs cease to or do not (including due to insufficient supplementary measures) meet the requirements under European Data Protection Law or otherwise cease to or do not provide a valid legal basis to transfer personal data outside the EEA, EU, UK, or Switzerland, Doppler shall (i) promptly notify Customer using the email address on file; (ii) upon request (whether or not Doppler has provided notice to Customer) immediately stop and, as applicable, procure the cessation of the processing by its Sub-processors of the affected personal data promptly after the occurrence of any such notifiable event outside the relevant countries (except to the extent directed otherwise by Customer), and as soon as possible put in place commercially reasonable measures to mitigate the impact of such; and (iii) discuss with Customer commercially reasonable alternative measures in order to ensure an adequate level of protection with respect to the privacy rights of individuals and the lawful transfer of, or access to, personal data outside the relevant countries whilst continuing the provision of the Services with minimum disruption to Customer. If the parties cannot reach resolution, Customer may suspend or terminate the Agreement without liability to either party, in which case, notwithstanding anything to the contrary in this Addendum or the Agreement, Doppler shall refund Customer any prepaid fees covering the remainder of the term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing.
A. LIST OF PARTIES
The data exporter is the legal entity identified as “Customer” in the Agreement. Customer may be a controller or a processor with respect to Customer Information.
The data importer is Doppler Technologies, Inc. located at 340 S. Lemon Avenue #5880 Walnut, CA 91789.
Joel Watson is Doppler’s contact person with responsibility for data protection. He can be reached at firstname.lastname@example.org or (888) 737-9987.
Doppler Technologies, Inc. provides a platform for engineering teams to manage their digital authentication credentials, including passwords, API keys, certificates, tokens, and encryption keys across all of their environments, tools, and processes. Doppler is either a processor or a sub-processor with respect to Customer Information processed pursuant to the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer may upload, submit, or otherwise provide personal data concerning the following categories of data subjects:
- Customer and Customer’s Authorized Users
Categories of personal data transferred
Customer may upload, submit, or otherwise provide certain personal data to Doppler, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
- Full name and contact information
- Company name and job title
- Billing and payment information
- Any other personal data uploaded, submitted, or otherwise provided to Doppler by Customer in its sole discretion.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Doppler does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Services. To the extent that Sensitive Data is nevertheless introduced into Customer Information, Customer agrees that it is solely responsible for ensuring that sufficient safeguards are in place to protect such Sensitive Data and Doppler shall have no liability whatsoever in relation to such data.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Customer Information will be transferred on a continuous basis for the duration of the Agreement.
Nature of the processing
Customer Information will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:
- Computing, storage and other processing necessary to provide, maintain, and improve the service provided to Customer pursuant to the Agreement; and/or
- Disclosures in accordance with the Agreement, Customer’s instructions, and/or as compelled by applicable law.
Purpose(s) of the data transfer and further processing
Doppler shall only process Customer Information for the Permitted Purposes outlined in Section 2.2 (Customer Instructions).
The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period
Customer Information will be retained for the duration of the Agreement plus thirty (30) days after expiration or termination unless expressly instructed by Customer to delete or destroy Customer Information sooner or as otherwise required or permitted by law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For all transfers to Sub-processors the subject matter, nature, and duration of the processing are as follows:
- Subject matter: The subject matter of the transfer and processing is the Customer Information.
- Nature of processing: The nature of the processing varies by Sub-processor. Detailed information for each Sub-processor can be found at [ur].
- Duration of the processing: The duration of the processing is for so long as is necessary for the purpose for which the information was transferred to the Sub-processor and in any event, for no longer than the duration of the agreement between Doppler and the relevant Sub-processor.
C. DATA PROTECTION SUPERVISORY AUTHORITY
The applicable Data Protection Supervisory Authority for purposes of this Addendum shall be established in accordance with any applicable SCCs incorporated herein.
APPENDIX 2 - SECURITY MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Doppler will, at a minimum, implement the following types of security measures:
- Virtual Access Control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include the following:
- User identification and authentication procedures;
- ID/password security procedures (e.g., minimum length and multifactor authentication features);
- Automatic blocking (e.g., password or timeout); and
- Encryption of archived data media.
- Data Access Control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Information in accordance with their access rights, and that Customer Information cannot be read, copied, modified, or deleted without authorization include the following:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions, and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Customer Information without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
- Disclosure Control
Technical and organizational measures to ensure that Customer Information cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Information is disclosed, include the following:
- Logging; and
- Transport security.
- Entry Control
Technical and organizational measures to monitor whether Customer Information has been entered, changed, or removed and by whom from data processing systems, include the following:
- Logging and reporting systems.
- Control of Instructions
Technical and organizational measures to ensure that Customer Information is processed solely in accordance with the instructions of the Customer/controller include the following:
- Availability Control
Technical and organizational measures to ensure that Customer Information is protected against accidental destruction or loss (physical/logical) include the following:
- Backup procedures;
- Redundant storage; and
- Remote storage.
- Separation Control
Technical and organizational measures to ensure that Customer Information collected for different purposes can be processed separately include the following:
- Separation of databases;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.