This Data Processing Addendum and its applicable schedules form part of the Agreement entered into between Customer and Beijing Volcano Engine Technology Co., Ltd. (“VolcEngine”). This DPA applies to the Processing of Personal Data (“Customer Personal Data”) by VolcEngine on behalf of Customer when VolcEngine provides services under Agreement (“Services”) to Customer, to the extent that Processing is subject to Applicable Data Protection Laws. In the event of conflict, the DPA Exhibit prevails over the DPA and the DPA prevails over the rest of the Agreement.
1.1 Customer and VolcEngine (each a “Party” and collectively “Parties”) hereby agree to be bound by the obligations in this DPA with the effective date.
2.1 All terms capitalised but not defined in this DPA have the meaning set out in the Agreement or in the applicable data protection laws. For the purposes of this DPA, the following expressions bear the following meanings:
“Alternative Safeguards” means a solution, other than Standard Contractual Clauses, that enables the lawful transfer of Personal Data to a country which has not been deemed adequate by the European Commission (as updated from time to time) in accordance with Applicable Data Protection Law;
“Applicable Data Protection Laws” means GDPR, CCPA, LGPD and any other data protection laws as agreed by Parties (in each case as amended, consolidated, re-enacted or replaced from time to time);
“Brexit” means the UK leaving the European Union;
“CCPA” means California Consumer Privacy Act of 2018;
“DPA” means this data processing addendum and incorporates the terms and conditions set out in Schedules hereto;
“GDPR” means, as applicable, the General Data Protection Regulation 2016/679 and the GDPR as amended and incorporated into UK law by the Data Protection Act 2018 and under the UK European Union (Withdrawal Act) 2018, to the extent in force;
“LGPD” means Brazil's General Data Protection Law, Lei Geral de Proteção de Dados;
“Personal Data”, “Personal Data Breach”, “Process”, “Processed” or “Processing” and “Data Subject” have the meaning given to them in the GDPR or the meaning given to their equivalent in other Applicable Data Protection Laws;
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to processors established in third countries set out in the European Commission Decision of 5 February 2010 (2010/87/EU) and any amendments or replacements to such decision; and
3.1 Customer: (a) is a Controller of Customer Personal Data; or (b) has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by VolcEngine as Customer's subprocessor as set out in this DPA. VolcEngine is not responsible for determining the requirements of laws or regulations applicable to Customer's business, or that a Service meets the requirements of any such applicable laws or regulations. As between Parties, Customer is responsible for the lawfulness of the Processing of the Customer Personal Data. Customer will not use the Services in a manner that would violate Applicable Data Protection Laws.
3.2 Customer warrants that:
the legislation applicable to it does not prevent VolcEngine from fulfilling the instructions received from the Customer and performing VolcEngine’s obligations under this DPA; and
it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to enable the Processing of the Personal Data by VolcEngine as set out in this DPA and as envisaged by Agreement.
VolcEngine's obligations to Customer under Applicable Data Protection Laws are only those express obligations imposed by Applicable Data Protection Laws on a Processor.
4.1 Instructions. VolcEngine shall only Process Customer Personal Data (including with regard to data transfers) in accordance with, and for the purposes documented in Agreement, this DPA and/or any further written instructions documented and agreed by VolcEngine as constituting further instructions.
VolcEngine will comply with the instructions described in Clause 4.1 and Schedule 1 in this DPA unless otherwise required or permitted by Applicable Data Protection Laws to which the VolcEngine is subject and which requires other processing of Customer Personal Data by VolcEngine; in such a case, VolcEngine shall notify Customer (unless that law prohibits VolcEngine from doing so on important grounds of public interests) before Processing.
4.2 Confidentiality. VolcEngine shall ensure those of its employees authorised to Process Customer Personal Data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Technical and organisational security measures. VolcEngine shall implement the technical and organisational security measures,
4.3.1 Data and Protection. Data transmission is encrypted using an AES256 algorithm. Rotating encryption key managed by KMS (Key Management Service). Management for user data security and decision strategy.
4.3.2 Built-In Security. 24/7 service and emergency response. Security development lifecycle. Multi-layer protection: App, Network, Application, Data, and Physical Infrastructure.
4.4 Personal Data Breaches. VolcEngine shall promptly notify Customer about any Personal Data Breach relevant to Customer Personal Data. At the time of notification or as soon as possible after notification, such notice shall include relevant details of the Personal Data Breach, where possible.
4.5 Assist Customer in Compliance. VolcEngine shall assist Customer in ensuring compliance with its obligations under Applicable Data Protection Laws taking into account the nature of the Processing and the information which is available to VolcEngine.
4.6 Audit.
4.6.1 VolcEngine shall, upon written request from Customer, provide that Customer with all information necessary to demonstrate compliance with the obligations laid down in this DPA, to the extent such provision is mandated by Applicable Data Protection Laws.
4.6.2 In the event that the information provided in accordance with Clause 4.6.1 above is insufficient to reasonably demonstrate compliance, VolcEngine shall permit an industry standard audit to be conducted by an independent third party auditor chosen by the Customer on reasonable notice to audit VolcEngine’s compliance with VolcEngine’s obligations under this DPA. Such audits shall (i) be at Customer’s cost; (ii) be conducted between 9am-5pm on business days (excluding, for the avoidance of doubt, weekends and public holidays); (iii) not be conducted by any competitor of VolcEngine; (iv) not interfere with VolcEngine’s day-to-day business; and (v) shall, to the extent an inspection is required, be limited to an inspection of VolcEngine’s Processing facilities in order to review compliance with this DPA.
4.7 Data Subject rights. VolcEngine will provide technical and organisational measures, in a manner consistent with the functionality of the Service, to enable Customer to fulfil its obligations to respond to requests for the exercise of rights by a Data Subject.
If a Data Subject brings a claim directly against VolcEngine for a violation of their Data Subject rights, Customer will reimburse VolcEngine for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that VolcEngine has notified Customer about the claim and given Customer the opportunity to cooperate with VolcEngine in the defence and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from VolcEngine damages resulting from Data Subject claims for a violation of their Data Subject rights caused by VolcEngine's breach of its obligations under this DPA and the respective DPA Schedule.
4.8 Data Transfers. Customer agrees that VolcEngine may transfer Customer Personal Data to any country provided that Alternative Safeguards are in place or, if Alternative Safeguards are not in place, the Customer authorises VolcEngine to enter into the Standard Contractual Clauses on behalf of the Customer in the form set out in Schedule 2 (with the processing details set out in Schedule 1 (Processing Details) applying for the purposes of Appendix 1 of the Standard Contractual Clauses and the technical and organisational security measures set out in VolcEngine security center) and the transfer will be carried out in accordance with, and subject to, such Standard Contractual Clauses and Customer will comply with the Data Exporter’s obligations and the transferee shall comply with the data importer’s obligations set out in the Standard Contractual Clauses. The Customer agrees that VolcEngine may transfer the Customer Personal Data to a third party and in relation to any such onward transfer, the third party receiving the Customer Personal Data shall comply with the data importer obligations set out in the Standard Contractual Clauses in respect of that Customer Personal Data.
Notwithstanding the above, if the Customer is located in the European Economic Area, and following Brexit VolcEngine processes Customer Personal Data in the UK or any other country outside the EU, from the date Brexit takes effect VolcEngine shall ensure that Alternative Safeguards are in place or, if Alternative Safeguards are not in place, the transfer will be carried out in accordance with, and subject to, the Standard Contractual Clauses in the form set out in Schedule 2 (with the processing details set out in Schedule 1 (Processing Details) applying for the purposes of Appendix 1 of the Standard Contractual Clauses and the technical and organisational security measures set out in VolcEngine security center), and Customer will comply with the Data Exporter’s obligations and VolcEngine shall comply with the data importer’s obligations set out in the Standard Contractual Clauses.
4.9 Sub-Processors. Customer hereby authorises VolcEngine to subcontract its Processing obligations under this DPA to its Affiliates and to other third party Subcontractors listed at Schedule 4. VolcEngine ensures that it has a written agreement in place with all Subcontractors which contains obligations on the Subcontractor which are no less onerous on the relevant Subcontractor than the obligations on VolcEngine under this DPA, and VolcEngine shall remain liable for the Processing of such Subcontractors.
If VolcEngine appoints a new Subcontractor or intends to make any changes concerning the addition or replacement of the Subcontractors at Schedule 4, it shall provide the Customer with prior notice through listing such Subcontractor at Schedule 4, during which the Customer can object against the appointment or replacement by terminating the DPA on written notice to VolcEngine. If Customer does not object, VolcEngine may proceed with the appointment or replacement.
4.10 Deletion. Upon termination of this DPA in accordance with the Customer Terms of Service, Customer instructs VolcEngine to delete or return to the Customer all of the data and delete existing copies unless applicable laws require storage of the Personal Data.
5.1 The duration of the Processing corresponds to the duration of the Service, unless otherwise stated in the Schedules.
5.2 This DPA may be executed in any number of counterparts, each of which is an original and all of which evidence the same agreement between the parties.
Schedule 1
Processing Details
Appendix 1 to the Standard Contractual Clauses
1. Nature and Purpose of the Processing. VolcEngine will process personal data as necessary to provide the Services under the Agreement. VolcEngine does not sell Customer’s personal data or Customer end users’ personal data and does not share end users’ information with third parties for compensation or for those third parties’ own business interests.
1.1 Customer Account Data. VolcEngine will process Customer Account Data as a controller (a) in order to manage the relationship with Customer; (b) carry out VolcEngine’s core business operations, such as accounting and filing taxes, and (c) in order to detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of the Services.
1.2 Customer Usage Data. VolcEngine will process Customer Usage Data as a controller in order to carry out necessary functions as a communications VolcEngine including, but not limited to, (a) VolcEngine’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the services and platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; and/or (c) as required by applicable Law.
1.3 Customer Content. VolcEngine will process Customer Content in accordance with Customer Instructions. Customer appoints VolcEngine as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions as set forth in the Agreement and this Addendum, as otherwise necessary to provide the Services (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits and abuse), as necessary to comply with applicable Law, or as otherwise agreed in writing (“Permitted Purposes”). (a) Lawfulness of Instructions. Customer will ensure that its instructions comply with all laws applicable to the Customer Content, including without limitation, Applicable Data Protection Law. Customer will ensure that VolcEngine’s processing of the Customer Content in accordance with Customer’s instructions will not cause the VolcEngine to violate any applicable Law, including, without limitation, Applicable Data Protection Law. VolcEngine will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law. (b) Additional Instructions. Additional instructions outside the scope of the Agreement, Order Form, or this Addendum may result in additional fees payable by Customer to the VolcEngine for carrying out those instructions.
2. Duration of the Processing.
2.1 Customer Account Data. VolcEngine will process Customer Account Data as long as needed to provide the Services to Customer. Customer Account Data stored in VolcEngine’s relationship management system(s) is generally stored for up to seven years following termination of the Agreement. Invoice and billing records may be retained for longer periods for accounting, tax, and audit purposes depending on and in accordance with applicable Law. Customer Account Data stored in communications with VolcEngine’s Customer Support Teams may be retained for up to three years after termination of the Agreement. Apart from the above, within sixty (60) days following termination of the Agreement, VolcEngine will delete or anonymize personal data contained in Customer Account Data.
2.2 Customer Content. VolcEngine will process Customer Content as outlined in (i) VolcEngine provides Customer the ability to obtain a copy of and delete Customer Content via the VolcEngine Services. Customer agrees that it is solely responsible for obtaining a copy of and deleting Customer Content via the VolcEngine Services. Upon termination of the Agreement, VolcEngine will (a) automatically delete any stored Customer Content One hundred eighty (180) days after the termination effective date; and (b) automatically delete any stored Customer Content on VolcEngine’s back-up systems One hundred eighty (180) days after the termination effective date. Any Customer Content archived on VolcEngine’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable Law. (ii) Extension of Addendum. Upon termination of the Agreement, VolcEngine may retain Customer Content in storage for the periods stated in (i), provided that VolcEngine will ensure that Customer Content is processed only as necessary for the purpose specified in this Addendum and no other purpose, and Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law. (iii) Retention Required by Law. Notwithstanding anything to the contrary, VolcEngine may retain Customer Content or any portion of it if required by applicable Law.
2.3 Customer Usage Data. Upon termination of the Agreement, VolcEngine may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.2 of this Schedule, subject to the confidentiality obligations set forth in the Agreement. VolcEngine will anonymize or otherwise delete Customer Usage Data when VolcEngine no longer requires it for the foregoing purposes.
3. Categories of Data Subjects.
3.1 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s account.
3.2 Customer Content. Customer’s customers and end-users.
3.3 Customer Usage Data. Customer’s customers and end-users.
4. Type of Personal Data. VolcEngine processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data as defined in the Addendum.
Data exporter
The data exporter is using services provided by data importer. These services may include the processing of Customer Personal Data by data importer.
Data importer
The data importer is providing services and support to data exporter as described in the VolcEngine Data Processing Addendum.
Special Categories of Data (if appropriate): No sensitive data or special categories of data are intended to be transferred, but may be contained in the Customer’s contents (e.g. of the VolcEngine chat and call services and/or the VolcEngine’s calendar or document functions).
Subject Matter: VolcEngine’s provision of the Services to Customer.
Schedule 2
STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Customer
(in the Clauses hereinafter referred to as the ‘data exporter’)
And
Beijing Volcano Engine Technology Co., Ltd.,
incorporated in the People’s Republic of China having its registered office at
1309, 13/F, Building 4, Zijin Digital Park, Haidian District, Beijing;
(in the Clauses hereinafter referred to as the ‘data importer’)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Schedule 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1.The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2.The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3.The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4.The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1.The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2.The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
SCHEDULE 3
JURISDICTION SPECIFIC TERMS
1.Australia:
1.1.The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2.The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
1.3.The definition of “sensitive data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
2.California:
2.1.The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
2.2.The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
2.3.The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any Data Subject Rights, as described in Section 4.7 of the Addendum, apply to Consumer rights. In regards to Data Subject Requests, VolcEngine can only verify a request from Customer and not from Customer’s end user or any third party.
2.4.The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.
2.5.The definition of “processor” includes “VolcEngine” as defined under Applicable Data Protection Law.
2.6.The VolcEngine will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. VolcEngine agrees not to sell Customer’s personal data or Customer end users’ personal data; retain, use, or disclose Customer’s personal data for any commercial purpose other than providing the Services; or retain, use, or disclose Customer’s personal data outside of the scope of the Agreement. VolcEngine understands its obligations under the Applicable Data Protection Law and will comply with them.
2.7.The VolcEngine certifies that its sub-processors, as described in Section 4.9 of the Addendum, are VolcEngine under Applicable Data Protection Law, with whom VolcEngine has entered into a written contract that includes terms substantially similar to this Addendum. VolcEngine conducts appropriate due diligence on its sub-processors.
2.8.The VolcEngine will implement and maintain the reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in Section 4.3 of the Addendum.
3.Canada:
3.1.The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
3.2.VolcEngine’s sub-processors, as described in Section 4.9 of the Addendum, are third parties under Applicable Data Protection Law, with whom VolcEngine has entered into a written contract that includes terms substantially similar to this Addendum. VolcEngine has conducted appropriate due diligence on its sub-processors.
3.3.The VolcEngine will implement technical and organizational measures as set forth in Section 4.3 of the Addendum.
4.Chile:
4.1.The definition of “Applicable Data Protection Law” includes Law 19.628.
5.Israel:
5.1.The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
5.2.The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.
5.3.The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.
5.4.The VolcEngine will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with VolcEngine in accordance with Section 4.2 of the Addendum.
5.5.The VolcEngine must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 4.3 of the Addendum and complying with the terms of the Agreement.
5.6.The VolcEngine must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with VolcEngine pursuant to Section 4.9 of this Addendum.
6.Japan:
6.1.The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
6.2.The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
6.3.The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, VolcEngine is responsible for the handling of personal data in its possession.
7.Mexico:
7.1.The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).
7.2.When acting as a processor, VolcEngine will:
(a)treat personal data in accordance with Customer’s instructions as outlined in Section 1.3 of the Addendum;
(b)process personal data only to the extent necessary to provide the Services;
(c)implement security measures in accordance with Applicable Data Protection Law and Section 4.3 of the Addendum;
(d)keep confidentiality regarding the personal data processed in accordance with the Agreement;
(e)delete all personal data upon termination of the Agreement of the Addendum; and
(f)only transfer personal data to sub-processors in accordance with Section 4.9 of the Addendum.
8.Singapore:
8.1The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
8.2VolcEngine will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 4.3 of the Addendum and complying with the terms of the Agreement.
9.United Kingdom:
9.1The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018.
SCHEDULE 4
SUBCONTRACTORS LIST
1.mitto
2.twilio
3.nexmo
4.telesign
5.cm
6.tyntec