Effective Date: August 22nd, 2022
Any capitalized term used but not defined in this Addendum has the meaning provided to it in the Agreement.
2. Relationship of the Parties
The parties acknowledge and agree that:
Fobi may process personal information in order to provide the Service in accordance with the Agreement. Schedule 1 (Details of Processing) sets out a detailed description of the duration of the processing, the nature and purpose of the processing, and the types of personal information and categories of data subjects.
Each party acknowledges that it has obligations under Applicable Data Protection Law, and that it is solely responsible for compliance with same.
For greater certainty, Customer is responsible for ensuring compliance with Applicable Data Protection Law in its use of the Service and its own processing of personal information, as well as for ensuring that it has and will continue to have the right to transfer, or provide access to, the personal information to Fobi for processing in accordance with the terms of the Agreement and this Addendum.
5. Processing Customer Content and Raw Data & Customer Instructions
Customer appoints Fobi as a processor to process Customer Content and, to the extent applicable, Raw Data, on behalf of Customer and in accordance with Customer's instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Service to Customer; (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing by the parties ("Permitted Purposes").
Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Fobi is not responsible for determining which laws are applicable to Customer nor whether Fobi's provision of the Service meets or will meet the requirements of such laws. Customer will ensure that Fobi's processing of Customer Content and Raw Data, when carried out in accordance with Customer's instructions, will not cause Fobi to violate any applicable law, regulation, or rule, including Applicable Data Protection Law.
Customer authorizes Fobi to appoint sub-processors as may be required to administer and provide the Service in accordance with this Section and any restrictions in the Agreement. Fobi shall contractually require each sub-processor to perform the obligations imposed upon sub-processor with respect to the processing of personal information pursuant to this Addendum (as applicable) as if it were a party to this Addendum in place of Fobi.
Fobi will ensure that any individual it authorizes to process the Customer Content or Raw Data has agreed to protect personal information in accordance with Fobi's confidentiality obligations under the Agreement.
In the event that any request from a data subject, regulatory authority, or third party is made directly to Fobi in connection with Fobi's processing of Customer Content or, in its role as processor, Raw Data, Fobi will promptly inform Customer of the same. Unless legally required to do so, Fobi will not respond to any such request without Customer's prior consent.
7. Return or Deletion of Customer Content and Raw Data.
Fobi will, in accordance with Section 1 of Schedule 1 (Details of Processing), delete or return to Customer any Customer Content and Raw Data (for which it acts as processor) stored in the Service.
Upon termination of the Agreement, Fobi may retain Customer Content and Raw Data in storage for the time periods set forth in Schedule 1 (Details of Processing), provided that Fobi will ensure that Customer Content and Raw Data are processed only as necessary for the Permitted Purposes, and Customer Data remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
Notwithstanding anything to the contrary, Fobi may retain Customer Content, Raw Data, or any portion of it if required by applicable law, provided that it remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
8. Security and Security Incidents
Taking into account current industry practices, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity relating to the rights and freedoms of natural persons, Fobi shall in relation to the personal information implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures outlined below.
Fobi has developed and maintains reasonable data and organizational security measures that are designed to secure personal information, including for example:
In the event of a Security Incident, Fobi will, to the extent permitted by applicable law, promptly notify Customer (in no event later than seventy-two (72) hours after Fobi's confirmation or reasonable suspicion) of a Security Incident impacting Customer Data.
Fobi will make commercially reasonable efforts to identify and, to the extent such Security Incident is caused by a violation of the requirements of this Addendum by Fobi, remediate the cause of any such Security Incident. Fobi will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.
Customer acknowledges that Fobi, as a controller, may be required by Applicable Data Protection Law to notify the regulatory authority of Security Incidents involving Customer Data. If the regulatory authority requires Fobi to notify impacted data subjects with whom Fobi does not have a direct relationship (e.g., Customer's end users), Fobi will notify Customer of this requirement. Customer will provide reasonable assistance to Fobi to notify the impacted data subjects.
Fobi shall permit Customer and/or its authorized agents to audit its records to the extent reasonably required in order to confirm that Fobi is complying with its obligations under this Addendum, provided always that any such audit does not involve the review of any third party data and that the records and information accessed in connection with such audit are treated as Fobi's confidential and proprietary information in accordance with the Agreement. Customer shall bear the costs of any such audit.
10. Cross-Border Data Transfers
To the extent Fobi processes personal information originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4, then the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) ("Jurisdiction Specific Terms") apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.
To the extent that Customer's use of the Service requires transfer of personal information out of the European Economic Area ("EEA"), Switzerland, or a jurisdiction set forth in Schedule 4, then Fobi will take such measures as necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Correspondingly, this Addendum hereby incorporates by reference the Standard Contractual Clauses under Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, provided that Appendices 1 and 2 of the Standard Contractual Clauses shall be deemed completed as set forth in Schedules 2 and 3 to this Addendum.
In the event that either party receives: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator or other third party (collectively, "Correspondence"), then it will promptly inform such other party and the parties agree to cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Applicable Data Protection Law.
In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility, or the parties cannot reach an agreement, the parties may terminate the Agreement in accordance with the Agreement's termination provisions.
Fobi may update the terms of this Addendum from time to time; provided, however, Fobi will provide at least thirty (30) days' prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Service.
This Schedule 1 includes certain details of the processing of personal information as required by Article 28(3) GDPR.
1. Subject Matter and Duration of the Processing of Personal Information
The subject matter and duration of the processing of the personal information are set out in the Agreement and this Addendum.
2. Nature and Purpose of the Processing
Fobi will process personal information as necessary to provide the Service under the Agreement. Fobi does not sell identifiable personal information and does not share Customer's end users' identifiable information with third parties for any purpose.
3. Categories of Data Subjects
4. Type of Personal Information
Fobi processes personal information contained in Customer Account Data, Customer Content, and Raw Data as defined in Section 1 (Definitions) of the Addendum.
Any customer or end-user has the right to access the information held by Fobi by submitting a formal Subject Access Request.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix 1.
The data exporter is the Customer and the users of the Service.
The data importer is Fobi Ai Inc., a provider of data intelligence services using artificial intelligence to help customers turn real-time data into actionable insights and personalized end user engagement.
The personal information transferred concerns the following categories of data subjects:
Data exporter's end-users. The data importer will receive any personal information in the form of Customer Data that the data exporter instructs it to process through its Service. The personal information that the data exporter will transfer to the data importer is necessarily determined and controlled solely by the data exporter.
Categories of Data
The personal information transferred concerns the following categories of data (please specify):
Customer Content, Customer Account Data, and Raw Data, all as defined in Section 1 (Definitions) of this Addendum.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
The personal information transferred will be subject to the following basic processing activities (please specify):
The personal data transferred will be transferred in order to fulfil the objectives of the Agreement, and will be subject to basic processing activities related to the Service.
This Appendix 2 forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or documentation/legislation attached):
See description in Section 8 (Security and Security Incidents) of the Addendum.