DistillerSR GDPR Data Processing Addendum

Note to applicable Customers: Should your Organization require a signed copy of a DPA to be incorporated into the Agreement between DistillerSR Inc. and you, please inform your Account Executive.

Version 1.1 | May 15, 2024

This Data Processing Addendum (this “DPA”), governs the Vendor’s processing of Uploaded Personal Data and Collected Personal Data (together “Customer Personal Data”) to the extent such Uploaded Personal Data or Collected Personal Data relates to natural persons in the European Economic Area (“EEA”) in connection with Vendor’s provision of the Vendor’s Services (defined below) as described in the Agreement. This DPA, once fully executed, shall be incorporated into and made a part of, either (i) the Proposal with DistillerSR Subscription Terms, (ii) DistillerSR Terms of Service, or (iii) the Master Subscription Agreement (each of which to be referred to herein as the “Contract”) which together shall encompass the entirety of the “Agreement” by and between _______________________________________________________________ (“Customer”) and DistillerSR Inc. (“Vendor”).

Except as expressly stated otherwise, in the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA will govern. This DPA applies to each subscription for Services between Customer and Vendor pursuant to the Agreement, under which Vendor processes Uploaded Personal Data and/or Collected Personal Data as part of performing the applicable Services.

Definitions:

Contract” means the main binding terms of the Agreement between the Parties, whichever of the following is applicable to the Customer: (i) the Proposal with DistillerSR Subscription Terms, (ii) DistillerSR Terms of Service, or (iii) the Master Subscription Agreement.
Collected Personal Data” means Personal Data collected by Vendor that is required for Customer and its Users to register for and access the Service as well as contact, notification and other legitimate business purposes.
controller” has the meaning given to it in the GDPR.
Controller-to-Processor Clauses” means Module Two of the Standard Contractual Clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Data Protection Laws” means applicable data protection or privacy laws and regulations of the relevant country in which the Services are being performed, including, but not limited to and in each case to the extent applicable, the European Union General Data Protection Regulation 2016/679 (“GDPR”), the Data Protection Laws in such form as incorporated into the laws of the United Kingdom and the United Kingdom Data Protection Act 2018, the Swiss Federal Act of 19 June 1992 on Data Protection, the Ordinance to the Swiss Federal Act on Data Protection and the revised Swiss Federal Act of 25 September 2020 on Data Protection (together the “Swiss FADP”), the California Consumer Privacy Act (“CCPA”) and the Personal Information Protection Law (“PIPL”).
processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed”
will be interpreted accordingly.
processor” has the meaning given to it in the GDPR.
Processor-to-Controller Clauses” means Module Four of the Standard Contractual Clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Security Incident” means an incident of Vendor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Cusomer Personal Data.
Service(s)” means any and all services and Software provided by Vendor to the Customer as described in one or more Proposals (including the Vendor’s Web-based applications, DistillerSR™, CuratorCR™, DAISY AI Classifiers, or any other services or applications that may be offered from time to time), including associated offline components. Each service applicable to the Customer may be described in an applicable proposal, order form, or invoice.
Standard Contractual Clauses” means the Controller-to-Processor.
Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
Uploaded Personal Data” means Personal Data uploaded by Customer, or its User, to projects and workflows within the Service.
Users” means individuals, including You, who are authorized by Customer to use the Service(s), for whom subscriptions to the Service(s) have been purchased, and who have been supplied user identifications and passwords by Customer (or by Vendor at Customer’s request). Users may include employees, consultants, contractors and Customer Agents of Customer or its affiliates.

Unless otherwise indicated, all capitalized terms used but not defined in this Addendum shall have the meanings given to them in Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”).

1. Data Processing.

1.1. Scope and Roles. This DPA applies when Customer Personal Data is processed by Vendor. In relation to Uploaded Personal Data, Vendor will act as processor to Customer, who acts as controller of Uploaded Personal Data. In relation to Collected Personal Data, Vendor acts as controller of Collected Personal Data and Customer acts as processor.

1.1.1. Customer acknowledges and agrees that Vendor does not generally access Uploaded Personal Data uploaded to the Service without express consent prior to such access, and as such Vendor is not aware of the categories of data uploaded to the Service by Customer. Customer agrees that it shall be solely responsible for the protection of such Uploaded Personal Data. Other than Vendor’s obligations set out under this Addendum and the Agreement, Vendor shall have no additional or other obligations to secure Uploaded Personal Data received by Vendor from Customer or uploaded by Customer to the Service without the knowledge or consent of Vendor.

1.1.2. Pursuant to section 6.1 of the Contract, Customer acknowledges and agrees that the uploading of any Prohibited Personal Data is strictly prohibited. Customer shall ensure that Customer and Users do not transmit or transfer any Prohibited Personal Data. Any uploading of such Prohibited Personal Data to Vendor’s Service shall be deemed a violation of the Agreement and this DPA, and shall be considered a material breach in accordance with the section 11 of the Contract.

1.2. Inaccurate or Outdated Customer Personal Data. Taking into account the nature of the processing, Customer agrees that it is unlikely that Vendor would become aware that Customer Personal Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Vendor becomes aware that Customer Personal Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Vendor will make commercially reasonable efforts to cooperate with Customer to erase or rectify inaccurate or outdated Customer Personal Data transferred under the Standard Contractual Clauses.

1.3. Details of Data Processing.

1.3.1. Subject matter. The subject matter of the data processing under this DPA is Uploaded Personal Data and/or Collected Personal Data, as applicable.

1.3.2. Duration. As between Vendor and Customer, the duration of the data processing under this DPA is determined by Customer.

1.3.3. Purpose. The purpose of the data processing under this DPA is the provision of the Service(s) subscribed for by Customer in the Agreement from time to time.

1.3.4. Nature of the processing. Intake, store, archive, delete, process in accordance with Customer designed workflow and perform such other Services relating to Customer Personal Data as described in the Agreement and initiated by Customer’s express instructions from time to time.

1.3.5. Type of Customer Personal Data processed. Uploaded Personal Data uploaded to the Service under the Agreement and Collected Personal Data of Customer collected pursuant to Vendor’s Privacy Statement.

1.3.6. Categories of Data Subjects. The data subjects may include employees, suppliers, Users, or other individuals whose information Customer or its Users have obtained lawfully.

1.4. Compliance with Laws. Each party will comply with all Data Protection Laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR.

2. Customer Instructions.

2.1. Notwithstanding anything in the Agreement to the contrary, Vendor will only process Customer Personal Data on documented instructions from Customer, including transfers of Customer Personal Data to a third country or an international organization, unless required to do so by applicable law to which Vendor is subject. For avoidance of doubt, Customer’s documented instructions include the Agreement and this DPA.

2.2. Vendor may process data provided by Customer to Vendor outside the scope of this DPA or Agreement if accompanied by documented instructions from Customer directing Vendor to do so. Customer shall be responsible for any additional fees incurred by Vendor in carrying out such documented instructions on behalf of Customer.

2.3. Vendor will promptly inform Customer if following Customer’s documented instructions would result in a violation of applicable data protection law or where Vendor must disclose Customer Personal Data in response to a legal obligation (unless the legal obligation prohibits Vendor from making such disclosure).

3. Confidentiality. Vendor will restrict access to Customer Personal Data to those authorized persons who need the Customer Personal Data in connection with the provision of the Services provided by Vendor. Vendor will ensure such authorized persons are obligated to maintain the confidentiality of any Customer Personal Data.

4. Security of Data Processing. The parties will implement and maintain appropriate technical and organizational measures designed to ensure the confidentiality, reliability, and integrity of the Customer Personal Data they each process and/or control, and any systems, facilities, or software that are used, accessed, or supported in connection with the Agreement, taking into account industry standards, implementation costs, the nature, scope, context, and Processing purposes, as well as the risk of varying likelihood, and severity, for the rights and freedoms of the Data Subjects.

5. Sub-processing.

5.1. Approved Sub-processors. Customer hereby authorizes Vendor to use the Sub-processors set forth in Vendor’s list of Approved Sub-processors (“Approved Sub-processors”). If Vendor intends to change, modify, or replace an Approved Sub-processor providing Services under the Agreement, Vendor shall provide Customer with advance notice of such change via email notification, provided that Customer has instructed Vendor to include Customer on its email notification list for updates to the Approved Sub-processors by following the instructions at the following link: https://help.distillersr.com/hc/en-us/articles/9859945531277-DistillerSR-Inc-Sub-Processor-List, or has otherwise indicated to Vendor that it should be included on the notification list. Customer will have an opportunity to review the implications of Vendor engaging such Sub-processor. Where Sub-processors are categorized as “optional” in the Sub-processor List, Customer may inform Vendor that it objects to the use of such Sub-Processor and Vendor will accommodate this request. Where Sub-processors are not categorized as “optional”, Customer may terminate the relevant Proposal and/or the Agreement and receive a pro-rata refund of any pre-paid fees. If Customer does not object to the proposed Sub-processor in accordance with section 5.2 below, such Sub-processor will be considered an Approved Sub-processor under the Agreement and this DPA without need for further amendment.

5.2. Customer may object to Vendor’s use of a new Sub-processor by notifying Vendor in writing within ten (10) business days of receiving notice under this Section 5. In the event of such objection by Customer, Vendor will take commercially reasonable steps to address the objections raised by Customer and provide Customer with a reasonable written explanation of the steps taken to address such objection. During such efforts, Vendor will still be required to provide the Services in a manner that is consistent with the Agreement, this DPA and its contractual obligations thereunder.

5.3. Where Vendor engages a Sub-processor for carrying out specific processing activities on behalf of Customer, Vendor shall ensure that equivalent data protection obligations as described in this DPA are followed by such Sub-processor by way of a contract or other legal act under European Union (“EU”) or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the EU data protection law.

5.4. Where its Sub-processor fails to fulfil its data protection obligations, Vendor will remain fully liable to Customer for the performance of that Sub-processor’s obligations.

6. Vendor Assistance with Data Subject Requests. If a data subject makes a request to Vendor, Vendor will promptly forward such request to Customer once Vendor has identified that the request is from a data subject for whom Customer is responsible. Customer authorizes Vendor, on Customer’s behalf, to respond to any data subject who makes a request to Vendor, to confirm that Vendor has forwarded the request to Customer. With regards to Uploaded Personal Data, the parties agree that Vendor forwarding data subjects’ requests to Customer in accordance with this Section, represent the scope and extent of assistance required from Vendor. Vendor will make commercially reasonable efforts to assist Customer in fulfilling a data subject request where the Personal Data is Collected Personal Data only.

7. Optional Security Features. Vendor offers optional security features in the Service that Customer may implement for greater security, including multi-factor authentication and single sign-on authentication. User is responsible for maintaining adequate security and control of all User IDs, Passwords, hints, personal identification numbers (PINs), or any other codes used to access the Service.

8. Security Incident Notification. After becoming aware of a data Security Incident affecting the Customer’s Customer Personal Data under the Agreement or this DPA, the party experiencing the Incident will notify the other party within forty-eight (48) hours of: (a) the nature of the data Incident; (b) the number and categories of data subjects and data records affected; (c) the name and contact details for the relevant contact person, and (d) any other information related to the Incident as required by law or applicable supervisory authority.

9. Audits. Upon request but only to the extent required by the GDPR, Vendor will make available to Customer all information necessary, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, to demonstrate compliance with this DPA, Data Protection Laws, and any other regulatory compliance requirements. Such audits or inspections shall be limited to Vendor’s processing of Customer Personal Data in its capacity as a Processor or Controller only, not any other aspect of Vendor’s business or information systems, unless otherwise agreed upon within the applicable Contract. If Customer requires Vendor to submit to audits or inspections that are necessary to demonstrate compliance, Customer will provide Vendor with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Vendor’s “Confidential Information” pursuant to section 7 of the Contract. Customer will make every effort to cooperate with Vendor to schedule audits or inspections at times that are convenient to Vendor. Customer shall be solely responsible for all costs incurred in relation to audits or inspections, including the reasonable costs incurred by Vendor as a result of time spent assisting with the audit.

10. Transfers of Customer Personal Data.

10.1. Application of Standard Contractual Clauses. The Standard Contractual Clauses will only apply to Customer Personal Data that is transferred, either directly or via onward transfer, to any Third Country, (each a “Data Transfer”).

10.1.1. With regards to Uploaded Personal Data, the Controller-to-Processor Clauses apply, where the Customer is the controller and Vendor is the processor. In the case of Collected Personal Data, the Vendor is an independent controller, and has established relevant safeguards with its third-party service providers engaged to process such Collected Personal Data, such as Binding Corporate Rules and applicable Standard Contractual Clauses.

10.1.2. Customer authorizes Vendor to store and/or process Customer Personal Data in the United States or any other country in which they or their Sub-processors (as defined below) maintain facilities or provide services. Customer represents and warrants that Customer’s collection of any Customer Personal Data is conducted in accordance with Chapter 2, Article 6 of the GDPR. The parties appoint each other to perform any such transfer of Customer Personal Data to any such country and to store and process Customer Personal Data in connection with the provision of the Services by Vendor. The parties will conduct all such activity in accordance with Chapter 2, Article 6 of the GDPR, the terms of the Agreement, and any applicable law.

11. Termination of the DPA. This DPA will continue in force until terminated in accordance with the Agreement (the “Termination Date”).

12. Return or Deletion of Customer Personal Data. Customer shall have the ability to request Vendor to return or delete all Customer Personal Data processed in connection with the Services at any time, including upon termination of the Agreement and for 60 days thereafter, subject to Vendor’s internal procedures, and Vendor’s obligations under any applicable laws requiring the preservation of such Customer Personal Data. Notwithstanding Customer’s right to request the return or deletion of Customer Personal Data under the GDPR, Customer represents and warrants that Customer is aware and acknowledges that Vendor is subject to Canadian and American laws requiring the retention of certain records and audit trails. Notwithstanding any provision to the contrary, nothing in this DPA shall be construed to require the deletion of any items of Customer Personal Data that are contained in electronic form on archive systems or other disaster recovery systems from which such items cannot reasonably be accessed or deleted.

13. Duties to Inform. Where Customer Personal Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Vendor, Vendor will inform Customer without undue delay. Vendor will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Customer Personal Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Personal Data is at Customer’s sole disposition.

14. Entire Agreement; Conflict. This DPA incorporates Module Two of the Standard Contractual Clauses by reference. Except as amended by this DPA, the Agreement will remain in full force and effect. Nothing in this document varies or modifies the Standard Contractual Clauses.

SCHEDULE 1

TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS

1. Standard Contractual Clauses Operative Provisions And Additional Terms

1.1. For the purposes of the Controller-to-Processor Clauses, Customer is the data exporter and Vendor is the data importer, and the parties agree to the following.

1.2. Reference to the Standard Contractual Clauses. Then relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purpose of the Appendix to the Standard Contractual Clauses is set out in Schedule 2.

1.3. Docking Clause. This option under clause 7 shall not apply.

1.4. Instructions. This DPA and Agreement are Customers complete instructions at the time of execution of the DPA for the Processing of Customer Personal Data. Any additional instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of Clause 8.1(a), the instructions by Customer to process Uploaded Personal Data and Collected Personal Data are set out in section 2 of this DPA and include onward transfers to third parties located outside Europe for the purpose of providing the Service.

1.5. Security of Processing. For the purposes of Clause 8.6(a) as it applies to Module Two, the Parties agree that the technical and organizational measures implemented and maintained by Vendor provide a level of security appropriate to the risk with respect to its Personal Data. Customer is solely responsible for independently determining whether the technical and organizational measures implemented by Vendor meet Customer’s requirements.

1.6. General Authorization to use Sub-Processors. With regards to Module Two only, option 2 under Clause 9 shall apply, and Pursuant to Clause 9(a), Vendor has Customer’s general authorization to engage Sub-processors in accordance with section 5 of this DPA.

1.7. Notification of New Sub-Processors and Customer’s Objection Rights. Customer acknowledges that, pursuant to Clause 9(a), Vendor may engage new Sub-processor. As described in sections 5.1 to 5.3 of this DPA. Vendor shall follow the notification procedure as set out in section 5.2 of the DPA.

1.8. Audits under the Standard Contractual Clauses. The Parties agree that the audits described in Clause 8.9 shall be carried out in accordance with section 9 of this DPA.

1.9. Redress. Pursuant to Clause 11, Customer may contact Vendor at [email protected], or as otherwise provided in Vendor’s Privacy Statement. Vendor shall inform Customer if it receives a complaint or request from a Data Subject with respect to Customer Personal Data, in accordance with section 6 of this DPA. Optional Clause 11 shall not apply.

1.10. Supervision. For the purpose of Clause 13 under Module Two, the competent supervisory authority is the Data Protection Commission of Ireland.

1.11. Notification of Government Access Request. In accordance with Clause 15(1), Vendor shall only notify Customer of government access requests, for transfers pursuant to Module Two.

1.12. Governing Law and Choice of Forum. For the purposes of clauses 17 and 18, the governing law shall be the law of the Republic of Ireland.

SCHEDULE 2
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: [CUSTOMER to insert]
Address: [CUSTOMER to insert]
Contact person’s name, position and contact details: [CUSTOMER to insert]
Data Protection officer’s (if any) name, position, and contact details: [CUSTOMER to insert]
EU representative’s (if any) name, position, and contact details: [CUSTOMER to insert]
Activities relevant to the data transferred under these Clauses: Upload to the Service Uploaded Personal Data, lawfully obtained by Customer and such other activities as required access the Service from time to time.

Customer Signature and date:

______________________________________
Role (controller/processor): Controller of Uploaded Personal Data and Processor of Collected Personal Data

Data importer(s):
Name: DistillerSR Inc.
Address: 505 March Road, Ottawa ON, K2K 3A4
Contact person’s name, position and contact details: Naomi Morisawa De Koven
Activities relevant to the data transferred under these Clauses: Intake, store, archive, delete, process in accordance with Customer designed workflow and perform such other Services relating to Customer Personal Data as described in the Agreement and initiated by Customer’s express instructions from time to time.
Signature and date:
_______________________________________
Role (controller/processor): Processor of Uploaded Personal Data and Controller of Collected Personal Data

B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
The data subjects may include employees, suppliers, Users, or other individuals whose information Customer or it’s Users have obtained lawfully.
Categories of personal data transferred:
Uploaded Personal Data uploaded to the Services under the Agreement and Collected Personal Data of Customer collected pursuant to Vendor’s Privacy Statement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
n/a
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous, depending on use of the Service by Customer and Users.
Nature of the processing:
Intake, store, archive, delete, process in accordance with Customer designed workflow and perform such other Services relating to Customer Data as described in the Agreement and initiated by Customer’s express instructions from time to time.
Purpose(s) of the data transfer and further processing:
The purpose of the data processing under this DPA is the provision of the Services subscribed for by Customer in the Agreement from time to time.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Collected Personal Data will be deleted once it is no longer required to provide the Services or for legitimate business interests.
Uploaded Personal Data must be deleted by Customer once it is no longer required by Customer. Vendor has implemented stringent least privilege access and controls, limiting its access to Uploaded Personal Data and unless specifically requested by Customer will not access Uploaded Personal Data.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Sub-Processors process Customer Personal Data in accordance with section 5 of this DPA to provide the Services, pursuant to the Agreement. Sub-Processors will process Customer Personal Data for the duration of the Agreement, subject to section 5.
The identities of Sub-Processors are available here

C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is Data Protection Commission, Ireland.

ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Vendor will maintain administrative, physical, and technical safeguards for the protection, confidentiality, security and integrity of Collected Personal Data and Uploaded Personal Data, as further described in Vendor’s SOC II Type II report, which is available upon request. Vendor will not materially decrease the overall security of the Services during a subscription term.