Effective Date: August 12, 2021
- "Applicable Data Protection Law" refers to all laws and regulations applicable to Fobi's processing of personal information under the Agreement including, without limitation, the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") and the General Data Protection Regulation (EU 2016/679) ("GDPR").
- "controller", "processor", "data subject", "personal information", and "process" have the meanings given to them in accordance with Applicable Data Protection Law.
- "Customer Account Data" means personal information that relates to Customer's relationship with Fobi, including the names and/or contact information of individuals authorized by Customer to access Customer's Account.
- "Customer Content" has the meaning given in the Agreement.
- "Customer Data" includes Customer Content, Customer Account Data, and Raw Data, as defined in this Addendum.
- "Raw Data" has the meaning given in the Agreement.
- "Security Incident" means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
- "Service" has the meaning given in the Agreement.
Any capitalized term used but not defined in this Addendum has the meaning provided to it in the Agreement.
2. Relationship of the Parties
The parties acknowledge and agree that:
- with respect to the processing of Customer Content, Customer may act either as a controller or processor and Fobi is a processor;
- with respect to the processing of Customer Account Data, Customer is a controller and Fobi is an independent controller, not a joint controller with Customer; and
- with respect to the processing of Raw Data, Customer may act either as a controller or processor and Fobi may act as an independent controller, not a joint controller with Customer, as well as a processor.
Fobi may process personal information in order to provide the Service in accordance with the Agreement. Schedule 1 (Details of Processing) sets out a detailed description of the duration of the processing, the nature and purpose of the processing, and the types of personal information and categories of data subjects.
Each party acknowledges that it has obligations under Applicable Data Protection Law, and that it is solely responsible for compliance with same.
For greater certainty, Customer is responsible for ensuring compliance with Applicable Data Protection Law in its use of the Service and its own processing of personal information, as well as for ensuring that it has and will continue to have the right to transfer, or provide access to, the personal information to Fobi for processing in accordance with the terms of the Agreement and this Addendum.
5. Processing Customer Content and Raw Data & Customer Instructions
Customer appoints Fobi as a processor to process Customer Content and, to the extent applicable, Raw Data, on behalf of Customer and in accordance with Customer's instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Service to Customer; (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing by the parties ("Permitted Purposes").
Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Fobi is not responsible for determining which laws are applicable to Customer nor whether Fobi's provision of the Service meets or will meet the requirements of such laws. Customer will ensure that Fobi's processing of Customer Content and Raw Data, when carried out in accordance with Customer's instructions, will not cause Fobi to violate any applicable law, regulation, or rule, including Applicable Data Protection Law.
Customer authorizes Fobi to appoint sub-processors as may be required to administer and provide the Service in accordance with this Section and any restrictions in the Agreement. Fobi shall contractually require each sub-processor to perform the obligations imposed upon sub-processor with respect to the processing of personal information pursuant to this Addendum (as applicable) as if it were a party to this Addendum in place of Fobi.
Fobi will ensure that any individual it authorizes to process the Customer Content or Raw Data has agreed to protect personal information in accordance with Fobi's confidentiality obligations under the Agreement.
In the event that any request from a data subject, regulatory authority, or third party is made directly to Fobi in connection with Fobi's processing of Customer Content or, in its role as processor, Raw Data, Fobi will promptly inform Customer of the same. Unless legally required to do so, Fobi will not respond to any such request without Customer's prior consent.
7. Return or Deletion of Customer Content and Raw Data.
Fobi will, in accordance with Section 1 of Schedule 1 (Details of Processing), delete or return to Customer any Customer Content and Raw Data (for which it acts as processor) stored in the Service.
Upon termination of the Agreement, Fobi may retain Customer Content and Raw Data in storage for the time periods set forth in Schedule 1 (Details of Processing), provided that Fobi will ensure that Customer Content and Raw Data are processed only as necessary for the Permitted Purposes, and Customer Data remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
Notwithstanding anything to the contrary, Fobi may retain Customer Content, Raw Data, or any portion of it if required by applicable law, provided that it remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
8. Security and Security Incidents
Taking into account current industry practices, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity relating to the rights and freedoms of natural persons, Fobi shall in relation to the personal information implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures outlined below.
Fobi has developed and maintains reasonable data and organizational security measures that are designed to secure personal information, including for example:
- System access controls, and prevention of unauthorized persons from gaining access to information systems;
- User roles and need-to-know access, and prevention of authorized persons from accessing data, including personal information, that is not relevant to the performance of their job functions;
- Establishment and maintenance of audit trails in Fobi information systems that log who accesses data, what data is accessed, when it is accessed, how it is accessed, and where it is accessed from;
- Prevention of accidental destruction of personal information;
- Use of data encryption with respect to certain sensitive categories of data, including sensitive data such as payment data; and
- Use of non-disclosure and confidentiality agreements with employees and contractors as a condition of employment or engagement.
In the event of a Security Incident, Fobi will, to the extent permitted by applicable law, promptly notify Customer (in no event later than seventy-two (72) hours) after Fobi's confirmation or reasonable suspicion of a Security Incident impacting Customer Data.
Fobi will make commercially reasonable efforts to identify and, to the extent such Security Incident is caused by a violation of the requirements of this Addendum by Fobi, remediate the cause of any such Security Incident. Fobi will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.
Customer acknowledges that Fobi, as a controller, may be required by Applicable Data Protection Law to notify the regulatory authority of Security Incidents involving Customer Data. If the regulatory authority requires Fobi to notify impacted data subjects with whom Fobi does not have a direct relationship (e.g., Customer's end users), Fobi will notify Customer of this requirement. Customer will provide reasonable assistance to Fobi to notify the impacted data subjects.
Fobi shall permit Customer and/or its authorized agents to audit its records to the extent reasonably required in order to confirm that Fobi is complying with its obligations under this Addendum, provided always that any such audit does not involve the review of any third party data and that the records and information accessed in connection with such audit are treated as Fobi's confidential and proprietary information in accordance with the Agreement. Customer shall bear the costs of any such audit.
10. Cross-Border Data Transfers
To the extent Fobi processes personal information originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4, then the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) ("Jurisdiction Specific Terms") apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.
To the extent that Customer's use of the Service requires transfer of personal information out of the European Economic Area ("EEA"), Switzerland, or a jurisdiction set forth in Schedule 4, then Fobi will take such measures as necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Correspondingly, this Addendum hereby incorporates by reference the Standard Contractual Clauses under Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, provided that Appendices 1 and 2 of the Standard Contractual Clauses shall be deemed completed as set forth in Schedules 2 and 3 to this Addendum.
In the event that either party receives: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator or other third party, (collectively, "Correspondence") then it will promptly inform such other party and the parties agree to cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Applicable Data Protection Law.
In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility, or the parties cannot reach an agreement, the parties may terminate the Agreement in accordance with the Agreement's termination provisions.
Fobi may update the terms of this Addendum from time to time; provided, however, Fobi will provide at least thirty (30) days' prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Service.
Schedule 1 – Details of Processing
This Schedule 1 includes certain details of the processing of personal information as required by Article 28(3) GDPR.
1. Subject Matter and Duration of the Processing of Personal Information
The subject matter and duration of the processing of the personal information are set out in the Agreement and this Addendum.
2. Nature and Purpose of the Processing
Fobi will process personal information as necessary to provide the Service under the Agreement. Fobi does not sell identifiable personal information and does not share Customer's end users' identifiable information with third parties for any purpose.
- Fobi will process Customer Content and Raw Data for which it acts as processor in accordance with the Addendum.
- Fobi will process Customer Account Data and Raw Data as a controller in order to (a) manage the relationship with Customer; (b) carry out Fobi's core business operations, such as accounting and filing taxes; and (c) in order to detect, prevent, or investigate Security Incidents, fraud and other abuse and/or misuse of the Service.
3. Categories of Data Subjects
- Customer Content: Customer's end users
- Customer Account Data: individuals authorized by Customer to access Customer's Account
- Raw Data: Customer's end users
4. Type of Personal Information
Fobi processes personal information contained in Customer Account Data, Customer Content, and Raw Data as defined in Section 1 (Definitions) of the Addendum.
Any customer or end-user has the right to access the information held by Fobi by submitting a formal Subject Access Request.
Schedule 2 – Appendix 1 to the Standard Contractual Clauses
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix 1.
The data exporter is the Customer and the users of the Service.
The data importer is Fobi Ai Inc., a provider of data intelligence services using artificial intelligence to help customers turn real-time data into actionable insights and personalized end user engagement.
The personal information transferred concerns the following categories of data subjects:
Data exporter's end-users. The data importer will receive any personal information in the form of Customer Data that the data exporter instructs it to process through its Service. The personal information that the data exporter will transfer to the data importer is necessarily determined and controlled solely by the data exporter.
Categories of Data
The personal information transferred concerns the following categories of data (please specify):
Customer Content, Customer Account Data, and Raw Data, all as defined in Section 1 (Definitions) of this Addendum.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
The personal information transferred will be subject to the following basic processing activities (please specify):
The personal data transferred will be transferred in order to fulfil the objectives of the Agreement, and will be subject to basic processing activities related to the Service.
Schedule 3 – Appendix 2 to the Standard Contractual Clauses
This Appendix 2 forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or documentation/legislation attached):
See description in Section 8 (Security and Security Incidents) of the Addendum.
Schedule 4 – Jurisdiction Specific Terms
- The definition of "Applicable Data Protection Law" includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- Fobi's sub-processors are third parties under Applicable Data Protection Law with whom Fobi has entered into a written contract that includes terms substantially similar to this Addendum. Fobi has conducted appropriate due diligence on its sub-processors.
- Fobi will implement technical and organizational measures as set forth in Section 8 (Security and Security Incidents) of this Addendum.
- The definition of "Applicable Data Protection Law" includes the California Consumer Privacy Act (CCPA).
- The definition of "personal information" includes "Personal Information" as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Customer Content, and Raw Data.
- The definition of "data subject" includes "Consumer" as defined under Applicable Data Protection Law. Any data subject rights apply to Consumer rights. In regard to data subject requests, Fobi can only verify a request from Customer and not from Customer's end user or any third party.
- The definition of "controller" includes "Business" as defined under Applicable Data Protection Law.
- The definition of "processor" includes "Service Provider" as defined under Applicable Data Protection Law.
- Fobi will process, retain, use, and disclose personal information only as necessary to provide the Service under the Agreement, which constitutes a business purpose. Fobi agrees not to (a) sell (as defined by the CCPA) Customer's personal information or Customer end users' personal information; (b) retain, use, or disclose Customer's personal information for any commercial purpose (as defined by the CCPA) other than providing the Service; or (c) retain, use, or disclose Customer's personal information outside of the scope of the Agreement. Fobi understands its obligations under the Applicable Data Protection Law and will comply with them.
- Fobi certifies that its sub-processors are Service Providers under Applicable Data Protection Law, with whom Fobi has entered into a written contract that includes terms substantially similar to this Addendum. Fobi conducts appropriate due diligence on its sub-processors.
- Fobi will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information it processes as set forth in Section 8 (Security and Security Incidents) of this Addendum.