Last updated: February 14, 2023
This Data Sharing Addendum (“DSA”) is entered into by and between Impro.AI on behalf of itself and its Affiliates (“Impro.AI”), and (“Company”), to reflect the parties’ agreement with regard to the Processing of Personal Data by Impro.AI and Company. Both parties shall be referred to as the “Parties” and each, a “Party”.
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum integral to the MSA agreement established between Impro.AI and Company (“Agreement”).
In the event of any conflict between certain provisions of this DSA and the provisions of the Agreement, the provisions of this DSA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. §§ 1798.100 et seq., and its implementing regulations, as may be amended from time to time.
1.3 The terms “Controller”, “Member State”, “Processing”, “Supervisory Authority” and “Personal Data Breach” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, and “Consumer” shall have the same meaning as in the CCPA.
1.4 For the purpose of clarity, within this DSA “Controller” shall also mean “Business”, to the extent the CCPA applies.
1.5 “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, as applicable to the Processing of the Shared Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, the FADP and the CCPA, as applicable to the Parties in relation to the Shared Personal Data hereunder and in effect at the time of the Parties’ performance hereunder.
1.6 “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
1.7 “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, and as revised as of 25 September 2020.
1.8 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.9 “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by a Party, under this DSA and the Agreement.
1.10 “Shared Personal Data” means the Personal Data shared by Company with Impro.AI under this DSA as further detailed in Schedule 1 attached hereto.
1.11 “Standard Contractual Clauses” shall mean (i) where the GDPR applies, the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU Standard Contractual Clauses”) and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs issued by the Commissioner of 21 March 2022 (“IDTA”).
1.12 “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Shared Personal Data, each of Impro.AI and Company are separate and independent Data Controllers. The Parties acknowledge and agree that they will not be joint controllers (as defined in the GDPR or UK GDPR) with respect to the Shared Personal Data.
2.2 The Parties’ Processing of Shared Personal Data. When Processing the Shared Personal Data under the Agreement and this DSA, each Party shall Process the Shared Personal Data solely for the following purposes: (i) Processing in accordance with the Agreement and this DSA; and (ii) Processing as required under applicable Data Protection Laws. Notwithstanding the above, the Parties may use the Shared Personal Data for their own purpose provided that the appropriate legal basis under applicable Data Protection Laws required for such Processing activities has been established by such Party prior to such additional Processing activities.
3. COMPLIANCE WITH DATA PROTECTION LAWS
Without derogating from the foregoing, each Party shall be responsible independently and separately for complying with the obligations that apply to it as a Data Controller under Data Protection Laws with regards to the Processing of the Shared Personal Data.
4. DATA SUBJECT RIGHTS
Taking into account the nature of the Processing, the Parties each agree to provide such assistance as is reasonably required and requested by the other Party to enable it to comply with requests received from Data Subjects to exercise their rights under Data Protection Laws with respect to the Shared Personal Data, within the time limits imposed by the Data Protection Law pursuant to which the Data Subject Request was made. Each Party is responsible for maintaining records of Data Subject Requests it receives and the decisions made with respect thereto, as required under Data Protection Laws.
5.1 Each Party shall have implemented and will maintain, appropriate technical and organizational measures for the protection of the Shared Personal Data Processed hereunder as required by Data Protection Laws (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to Shared Personal Data, confidentiality and integrity of the Shared Personal Data).
5.2 Without derogating from the foregoing, each Party shall be responsible for complying with the security requirements that apply to it as an independent and separate Data Controller under Data Protection Laws, including with regard to the Processing of the Shared Personal Data.
The Parties shall ensure that the Shared Personal Data is kept confidential and their personnel and advisors engaged in the Processing of Shared Personal Data have committed themselves to confidentiality.
7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
7.1 Each Party shall:
7.1.1 without undue delay, notify the other party of the existence, nature and scope of any Personal Data Breach affecting Shared Personal Data; in any case within a sufficient timeframe to enable the other Party to comply with their respective obligations (if any) to make notification(s) of the Personal Data Breach under Data Protection Laws;
7.1.2 comply with its obligations under applicable Data Protection Laws in respect of all Personal Data Breaches affecting Shared Personal Data.
8. CROSS BORDER TRANSFERS
8.1 Transfers from the EEA, Switzerland and the United Kingdom to countries that offer an adequate level of data protection. Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguards being necessary.
8.2 Transfers from the EEA, Switzerland and the United Kingdom to other countries. If the Parties’ sharing of the Shared Personal Data under this DSA includes a transfer (either directly or via an onward transfer) from the EEA (“EEA Transfer”), the UK (“UK Transfer”), and/or Switzerland (“Swiss Transfer”) to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR, the UK GDPR, the FADP, as relevant) outside the EEA, the UK or Switzerland, as applicable, then (i) the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply to any such EEA Transfer; (ii) the terms set forth in Part 2 of Schedule 2 (UK Cross Border Transfers) shall apply to any such UK Transfer; (iii) the terms set forth in Part 3 of Schedule 2 (Swiss Cross Border Transfers) shall apply to any such Swiss Transfer; and (iv) the terms set forth in Part 4 of Schedule 2 (Additional Safeguards) shall apply to any such transfers.
9. CCPA STANDARD OF CARE; NO SALE OF PERSONAL INFORMATION
Where the CCPA applies, each Party certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling and/or sharing (as such terms are defined in the CCPA) any Shared Personal Information Processed hereunder without the other Party’s prior written consent, nor taking any action that would cause any transfer of Shared Personal Information under the Agreement or this DSA to qualify as “selling” or “sharing” such Shared Personal Information under the CCPA. Each Party shall notify the other Party in the event it makes a determination that it can no longer meet its obligations under the CCPA.
10. OTHER PROVISIONS
10.1 Governing Law. To the maximum extent permitted by law, this DSA shall be governed by the laws governing the Agreement, except for those provisions of clauses which dictate the application of another law for particular purposes.
10.2 Modifications. Each Party may by at least forty-five (45) calendar days’ prior written notice to the other Party, request in writing any variations to this DSA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Shared Personal Data to be made (or continue to be made) in accordance with the Agreement or this DSA without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification requested by a Party. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then each Party may, by written notice to the other Party, with immediate effect, terminate this DSA and the Agreement.
10.3 Point of Contact. Each Party shall appoint a single point of contact or contact person who will be responsible for any issue arising under this DSA, including ensuring that such Party complies with this DSA.
10.4 Order of Precedence. In the event of any inconsistency between this DSA and Data Protection Laws, the Data Protection Laws shall prevail. In the event of any inconsistency between clauses or sections of this DSA and clauses or sections of the Standard Contractual Clauses (where applicable), the clauses or sections of the Standard Contractual Clauses most favorable to the affected Data Subject shall prevail.
SCHEDULE 1 - DETAILS OF THE SHARED PERSONAL DATA
Nature and Purpose of Data Sharing
Impro.AI and Company are parties to the Agreement, under which Impro.AI provides Company with its coaching platform intended to provide personalized, data-driven performance coaching to Company’s team members, and to help individuals elevate their performance at work by using advanced AI and data science technology (“Agreed Purpose”).
Duration of Processing
The Parties will Process Shared Personal Data for the Agreed Purpose pursuant to the DSA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
- Company’s employees that use the Services (“User(s)”)
Type of Personal Data to be shared
For the Agreed Purpose, the parties may share, transfer and exchange the following Shared Personal Data:
- User profile information, including contact details;
- Business account information, which may include company name, industry and account classification;
- Information User shares in coaching sessions;
- Information Company shares about User to help facilitate effective coaching sessions;
- Direct communications between User and Impro.AI.
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Transfers
1. The Parties agree that the terms of the EU Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
2. Module One (Controller to Controller) of the EU Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Impro.AI as the data controller of the Shared Personal Data and Company is an independent and separate data controller of the Shared Personal Data.
3. Clause 7 of the EU Standard Contractual Clauses (Docking Clause) shall not apply.
4. In Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply.
5. With respect to Clause 17 of the EU Standard Contractual Clauses the Parties agree that the EU Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
6. In Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
7. Annex I.A of the EU Standard Contractual Clauses shall be completed as follows:
Data Exporter: Impro.AI/Company
Contact details: As detailed in the Agreement.
Data Exporter Role:
Module One: The Data Exporter is a data controller.
Signature and Date: By entering into the Agreement and DSA, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Impro.AI/Company
Contact details: As detailed in the Agreement.
Data Importer Role:
Module One: The Data Importer is an independent and separate data controller.
Signature and Date: By entering into the Agreement and DSA, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
8. Annex I.B of the EU Standard Contractual Clauses shall be completed as follows:
The categories of data subjects are described in Schedule 1 (Details of Processing) of this DSA.
The categories of personal data are described in Schedule 1 (Details of Processing) of this DSA.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in Schedule 1 (Details of Processing) of this DSA.
The purpose of the processing is described in Schedule 1 (Details of Processing) of this DSA.
The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise between the Parties.
To the extent applicable, the subject matter, nature, and duration of the processing of transfers to Sub-processors, shall be set forth in Schedule 1 (Details of Processing) of this DSA.
9. Annex I.C of the EU Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 5 above.
10. The security measures set forth in Section 5 of the DSA shall serve as Annex II of the EU Standard Contractual Clauses.
11. To the extent there is any conflict between the EU Standard Contractual Clauses and any other terms in this DSA or the Agreement, the provisions of the EU Standard Contractual Clauses will prevail.
PART 2 – UK Transfers
The parties agree that the terms of the IDTA are hereby incorporated by reference and shall apply to any UK Transfer. The relevant tables in the IDTA shall be deemed completed as follows:
Table 1: The Parties: as stipulated in Annex I.A of the EU Standard Contractual Clauses incorporated in Part 1 of this Schedule 2.
Table 2: Selected SCCs, Modules and Selected Clauses: as detailed in Part 1 of this Schedule 2.
Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in Annex II of the EU Standard Contractual Clauses, and which for this Part 2 is set out in Part 1 to this Schedule 2.
Table 4: Ending this Addendum when the Approved Addendum Changes: neither Party may end this Part 2 as set out in Section 19 of this Part 2.
PART 3 – Swiss Cross Border Transfers
The Parties agree that the Swiss Standard Contractual Clauses are hereby incorporated by reference to the EU Standard Contractual Clauses as detailed in Part 1 of this Schedule 2 and adjusted with the necessary adaptations and amendments for use under the FADP.
PART 4 - Additional Safeguards
1. In the event of an EEA Transfer, a UK Transfer or a Swiss Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
a. The Data Importer shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Data Exporter to the Data Importer and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
b. The Data Importer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR, the UK GDPR, or the FADP, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
c. If the Data Importer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
I. The Data Importer shall inform Data Exporter in writing;
II. The Data Importer will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Data Importer’s control and notify the Data Exporter, immediately after first becoming aware of such demand for access and provide the Data Exporter with all relevant details of the same, unless and to the extent legally prohibited to do so.
Once in every 12-month period, the Data Importer will inform the Data Exporter, at the Data Exporter’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.