Data Processing Addendum - Totem Dev

1. Purpose

This Data Processing Addendum (this “Addendum”) forms a part of, and is incorporated by reference into, the Totem Dev Software License Agreement (the “Agreement”) entered into between TOTEMDEV, Societate cu răspundere limitată registered in the Trade Registry of Chisinau, Moldova as number 1022609000314, with its head office at MD-3601, str. Alessandro Bernardazzi 17, ap.1, mun. Ungheni, Republica Moldova, represented by Sergiu Andrian in his capacity as Administrator and its subsidiaries and affiliates (collectively, the “Processor”) and you or the entity that you represent (the “Controller”) (together the “Parties”).

Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. 

2. Definitions

Capitalized terms used but not defined have the meaning given in the Agreement.  Other terms in this Addendum, which are not defined in the Agreement or this Addendum, shall have meanings consistent with any corresponding terms in Data Protection Law.

a. “Data Protection Law” means any applicable law relating to data security, data protection and/or privacy including, without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of that data (“EU GDPR”), Retained Regulation (EU) 2016/679 (the “UK GDPR”, and together with the EU GDPR, the “GDPR”) and the UK Data Protection Act of 2018, and the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) (“CCPA”), and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted.

b. “Personal Data” means any information relating to, that describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable natural person (“Data Subject”), and which is Processed by the Processor on behalf of the Controller pursuant to the Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. 

c. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

d. “Process”, “Processing” or “Processed” means any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

e. “Services” means the provision of Processor's products and services as set forth in the Agreement.

f. “Standard Contractual Clauses” means, with respect to (i) the UK GDPR, the standard contractual clauses (controller to processor module) set out in the European Commission’s Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as modified by the  UK Addendum to the EU standard contractual clauses (effective 21 March 2022), and (ii) the EU GDPR, the standard contractual clauses (controller to processor module) set out in the European Commission’s Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament as may be amended or replaced by the European Commission from time to time.

g. “Subprocessor” means any third party which Processes Personal Data on behalf of the Processor.

3. Scope; Role of the Parties

a. This Addendum applies only to the extent Personal Data subject to Data Protection Laws is Processed by the Processor.  The Parties acknowledge and agree that for purposes of the GDPR, with regard to the Processing of Personal Data, (i) Controller is the Data Controller, (ii) Processor is a Data Processor, and (iii) Processor may engage Subprocessors pursuant to the requirements set forth in Section 5 below.  Further details of the Processing activities under this Addendum are set forth in Appendix 1.

b. Controller represents and warrants that it has a legal basis for Processing Personal Data, and the authority and right, including consent where required, to lawfully transfer Personal Data to the Processor. Controller shall comply with all applicable Data Protection Laws in connection with the Personal Data, including without limitation in connection with providing all required notices, and obtaining all required consents, regarding the Processing and transfer of Personal Data.  Controller acknowledges and agrees that the Services are designed to be for content-neutral, general use and are not designed to Process sensitive or special category data.

4. Obligations of the Processor

a. Limitations on Use; Instructions. The Processor shall, and shall require that Subprocessors shall, Process Personal Data only: (i) on behalf of the Controller and in accordance with Controller’s documented instructions (which shall, for purposes of this DPA, constitute the instruction to Process Personal Data for purposes of performing the Services in accordance with the Agreement, or such other instructions as may be agreed in writing between the Parties), including with regard to transfers of Personal Data to a third country or an international organization; (ii) when required to do so by applicable law to which Processor is subject.  In such case, Processor will inform the Controller of that legal requirement before processing, unless prohibited by applicable law; and (iii) in compliance with this Addendum and all applicable Data Protection Law.

b. Security. The Processor has implemented and will maintain commercially reasonable technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.  Having regard to the state of the art and the cost of their implementation, Processor agrees that such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of Personal Data to be protected. Processor may update the technical and organizational measures from time to time in light of technical development.

c. Confidentiality. The Processor will treat all Personal Data as confidential information in accordance with the Agreement. Processor will take reasonable steps to ensure that its personnel who have access to the Personal Data are bound by a Non-Disclosure Agreement and are obligated to keep such Personal Data confidential.

d. Notice of Certain Events. The Processor will promptly notify the Controller about: (i) any instruction which, in its opinion, infringes Data Protection Law; (ii) any complaint, communication or request received directly by the Processor or a Subprocessor from a Data Subject and pertaining to their Personal Data, or from a regulatory authority in connection with the Personal Data, in each case without responding to that request unless it has been otherwise instructed and authorized to do so by the Controller or is required to do so by applicable law; or (iii) any change in legislation applicable to the Processor or a Subprocessor which is likely to have a substantial adverse effect on Processor’s ability to comply with its obligations under this Addendum.

e. Breach Response.  The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach, and Processor shall take reasonable steps to prevent any further Personal Data Breach and to mitigate any resulting damage to Personal Data resulting from the same.  Processor shall take appropriate steps to provide the Controller with prompt cooperation and assistance in relation to any notifications that the Controller is required to make as a result of the Personal Data Breach.  Further, upon written request, Processor shall provide the Controller with reasonable assistance in relation to any data protection impact assessment or regulatory consultation that the Controller is legally required to make in respect of Personal Data.

f. Data Subject/Supervisory Authority Request. The Processor will provide the Controller with reasonable cooperation and assistance in relation to any complaint, communication or request received from a Data Subject or a data protection supervisory authority. Notwithstanding any provision herein to the contrary, the Processor’s obligations as set forth in this Section shall apply only to the extent the Controller does not have the ability to access the required information directly through the applicable Processor’s service.

g. Audit and Certifications.  To the extent required by applicable Data Protection Laws, and upon Controller’s reasonable written request (not less than 120 days in advance) and at mutually agreed upon times no more than once in any 12 month period, and subject to the confidentiality obligations set forth in the Agreement, Processor shall make available to the Controller reasonable written information, in the form of access to Processor’s books and records, regarding Processor’s compliance with the obligations set forth in this Addendum. The Controller shall use its best efforts to minimize disruption to Processor and its business operations.

h. Return or Disposal. The Parties agree that upon termination of the Services in so far as they relate to Personal Data, Processor shall, and shall require all Subprocessors to, at the choice of the Controller, return all Personal Data and copies thereof to the Controller, or securely destroy all Personal Data, unless prohibited by applicable law.

5. Sub-Processors.

a. The Controller hereby generally authorizes Processor to appoint Subprocessors for purposes of Processing Personal Data pursuant to the Agreement. 

b. Upon Controller’s request, or as otherwise required by applicable Data Protection Laws, Processor shall make available information about Subprocessors which, to Processor’s actual knowledge, will Process Personal Data.  This information may be made available by Processor online via a URL provided by Processor to the Controller and shall be updated by Processor from time to time. 

c. Processor will inform the Controller of any new Subprocessor which, to Processor’s actual knowledge, will be Processing Personal Data and is engaged during the term of the Agreement, including by updating the URL or the Controller portal or account information or by emailing the Controller before the new Subprocessor commences Processing of Personal Data. If the Controller can reasonably show that the appointment of a new Subprocessor will have a material adverse effect on the Controller’s ability to comply with applicable Data Protection Laws, then Controller must promptly notify Processor in writing within fifteen (15) business days thereafter of its reasonable basis for objection to the use of the applicable new Subprocessor. Upon receipt of Controller’s written objection, Controller and Processor will work together without unreasonable delay to agree upon an alternative arrangement.  If a mutually acceptable and reasonable alternative arrangement is not found, then Controller may terminate the Agreement only with respect to those Services that cannot be provided by the Processor without the use of the new Subprocessor. Unless prohibited by applicable Data Protection Laws, in the event of such early termination by Controller, Processor may retain or require payment under the Agreement through the end of Controller’s current contract term for the terminated Services.

d. In the event Processor engages Sub-Processors in connection with the Services, Processor shall place the same or similar obligations as those in this Addendum on such Sub-Processors or other obligations required by applicable Data Protection Law, and shall remain fully liable to Controller for the acts or omissions of such Sub-Processors, as if they were the acts or omissions of the Processor.

6. International Transfers of Personal Data.

Any transfers (whether between Controller and , or the Processor and a Sub-Processor) of Personal Data protected by the GDPR, and/or the UK GDPR, to a country outside the European Economic Area (“EEA”) or United Kingdom (“UK”) that does not offer adequate protection for such Personal Data, shall be subject to the applicable Standard Contractual Clauses, which are incorporated herein by reference.

In the event of inconsistencies between the provisions of the Standard Contractual Clauses and this Addendum or other agreements between the Parties, the Standard Contractual Clauses shall take precedence, but only with respect to Personal Data transferred outside of the EEA or UK.  

The information set forth in Appendix 1 constitutes the information required to be included in the schedules and appendices to the Standard Contractual Clauses, and the Parties’ signatures to this Addendum are deemed to also constitute signature of the Standard Contractual Clauses to the extent the same may be required to be separately executed.

7. CCPA Compliance

To the extent applicable and pursuant to the CCPA, with respect to “personal information” as defined by the CCPA which Processor may Process in connection with its performance of the Services, Processor agrees and certifies that it will not:

a. Sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, such personal information to another business or a third party for monetary or other valuable consideration; or

b. Retain, use, disclose, collect, sell, or otherwise process such personal information (i) for any purpose other than for the specific purpose of, and as necessary for, performing Services for Controller pursuant to the Agreement, or (ii) as otherwise permitted by the CCPA.

Processor further agrees to cooperate and assist Controller in fulfilling and complying with any consumer rights request pursuant to the CCPA.

Unless prohibited by applicable law, in the event that Processor is required by law, court order, warrant, subpoena, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Controller (including, without limitation, pursuant to any US government surveillance order of which Processor is aware), Processor shall notify Controller promptly and shall provide all reasonable assistance to Controller, at Controller’s cost, to enable Controller to respond or object to, or challenge, any such Legal Requests. Processor shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so under applicable law and has otherwise complied with the obligations in this Section.

9. Miscellaneous

The Parties acknowledge and agree that the limitations and exclusions of liability set forth in the Agreement shall also apply with respect to this Addendum.

Upon termination of the Agreement, Processor’s relevant obligations under this Addendum shall survive to the extent Processor continues to Process Personal Data. To the extent a conflict exists between this Addendum and the Agreement, the terms of this Addendum shall prevail.

Appendix 1: Details of the Processing of Personal Data

The nature and purpose of the Processing:

Processor’s performance of its Services under the Agreement.

The duration of the Processing:

The duration of the Processing is for so long as the Processor performs the Services for Controller, or Processes Personal Data received from Controller, or in the context of providing the Services under the Agreement. 

The types of personal data:

Personal Data Processed relating to the following categories of data: all categories of data related to the Processing associated with the Services provided by the Processor for or on behalf of Controller.  Personal Data Processed does not include special categories of Personal Data.

The categories of data subjects:

Personal Data Processed relating to the following categories of Data Subjects:  Employees and other personnel of Controller.

Processing Instructions:

Personal Data Processed shall be subject to the following Processing activities in addition to any activities set forth in the Agreement:  Processing by the Processor (or Sub-Processors) related to the provision of the Services to the Controller, in accordance with the terms and conditions of this Addendum and the Agreement.

Obligations and Rights Of Controller:

The obligations and rights of the Controller are set forth in the Agreement and this Addendum.

Technical and Organizational Measures:

Processor implements and maintains industry standard technical and organizational measures to protect the security of Personal Data that it processes in connection with its Services.  Such measures include, as appropriate to the nature of the Personal Data processed and within the capabilities and controls offered by a hosting platform, but are not limited to:

  • Access controls

  • Implementation of security settings

  • Implementation of updates to fix bugs and security vulnerabilities