1.1. In this Data Processing Addendum the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:
(a) “Addendum Effective Date” means the date on which Customer first Makes Available an Input Dataset on or via the Platform.
(b) “Adequate Country” means a country or territory outside the European Economic Area that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the GDPR.
(c) “Anonymised Data” means any Personal Data (including Customer Personal Data), which has been anonymised such that the Data
Subject to whom it relates cannot be identified, directly or indirectly, by Synthesized or any other party reasonably likely to receive or access that anonymised Personal Data.
(d) “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in England.
(e) “Cessation Date” has the meaning given in Paragraph 9.1.
(f) “Customer Personal Data” means any Personal Data comprised within Input Datasets Processed by or on behalf of Synthesized on behalf of Customer for the purpose of providing the Services.
(g) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (the “GDPR”) and any implementing legislation or legislation having equivalent effect in the United Kingdom (references to “Articles” or “Chapters” of the GDPR shall be construed accordingly).
(h) “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.
(i) “Data Subject” means the identified or identifiable natural person located in the European Economic Area to whom Customer Personal Data relates.
(j) “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.
(k) “Personnel” means a person’s employees, agents, consultants or contractors.
(l) “Restricted Country” means a country or territory outside the European Economic Area that is not an Adequate Country.
(m) “Restricted Transfer” means: (i) a transfer of Customer Personal Data from Customer to Synthesized in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from Synthesized to a Subprocessor in a Restricted Country, (in each case) where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the GDPR.
(n) “Services” means those services to be supplied to or carried out by or on behalf of Synthesized for Customer via the Platform pursuant to the Terms of Service.
(o) “Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission (from time-to-time) for the transfer of Personal Data from Controllers established inside the European Economic Area to Processors established in Restricted Countries.
(p) “Subprocessor” means any third party appointed by or on behalf of Synthesized to Process Customer Personal Data.
(q) “Terms of Service” means the Terms of Service.
1.2. In this Data Processing Addendum:
(a) the terms, “Controller”, “Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives) and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws;
(b) unless otherwise defined in this Data Processing Addendum, all capitalised terms shall have the meaning given to them in the Terms of Service.
1.3. Customer warrants and represents that it is subject to the territorial scope of the Data Protection Laws as determined in accordance therewith (including pursuant to Article 3 of the GDPR). Customer further agrees that to the extent that it is not in fact subject to the territorial scope of the Data Protection Laws, this Data Processing Addendum shall be deemed automatically void with effect from the Addendum Effective Date without requirement of notice.
2.1. In respect of Customer Personal Data, the Parties acknowledge that:
(a) Synthesized acts as a Processor; and
(b) Customer acts as the Controller.
2.2. Synthesized shall:
(a) comply with all applicable Data Protection Laws in Processing Customer Personal Data; and
(b) not Process Customer Personal Data other than:
(i) on Customer’s instructions (subject always to Paragraph 2.9); and
(ii) as required by applicable laws.
2.3. To the extent permitted by applicable laws, Synthesized shall inform Customer of:
(a) any Processing to be carried out under Paragraph 2.2(b)(ii); and
(b) the relevant legal requirements that require it to carry out such Processing,
before the relevant Processing of that Customer Personal Data.
2.4. Customer instructs Synthesized to Process Customer Personal Data as necessary:
(a) to provide the Services to Customer; and
(b) to perform Synthesized’s obligations and exercise Synthesized’s rights under the Terms of Service.
2.5. Annex 1 (Data Processing Details) sets out certain information regarding Synthesized’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
2.6. Customer may amend Annex 1 (Data Processing Details) on written notice to Synthesized from time to time as Customer reasonably considers necessary to meet any applicable requirements of Data Protection Laws.
2.7. Nothing in Annex 1 (Data Processing Details) (including as amended pursuant to Paragraph 2.6) confers any right or imposes any obligation on any Party to this Data Processing Addendum.
2.8. Synthesized receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Synthesized shall inform Customer.
2.9. Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Synthesized pursuant to or in connection with the Terms of Service:
(a) shall be strictly required for the sole purpose of ensuring compliance with Data Protection Laws;
(b) shall not relate to the scope of, or otherwise materially change, the Services to be provided by Synthesized under the Terms of Service; and
(c) unless otherwise agreed between the Parties shall be communicated by Customer to Synthesized by email to Synthesized at firstname.lastname@example.org.
2.10. Notwithstanding anything to the contrary herein, Synthesized may terminate the Terms of Service in its entirety upon written notice to Customer with immediate effect if Synthesized considers (in its reasonable discretion) that:
(a) it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or
(b) to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.11. Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, and (where applicable) Article 9 and/or Article 10 of the GDPR, there is, and will be throughout the term of the Terms of Service, a valid legal basis for the Processing by Synthesized of Customer Personal Data in accordance with this Data Processing Addendum and the Terms of Service (including, any and all instructions issued by Customer from time to time in respect of such Processing).
Synthesized shall take reasonable steps to ensure the reliability of any Synthesized Personnel who Process Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Synthesized shall in relation to Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Synthesized shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.
5.1. Customer authorises Synthesized to appoint Subprocessors in accordance with this Paragraph 5.
5.2. Synthesized may continue to use those Subprocessors already engaged by Synthesized as at the date of this Data Processing Addendum, subject to Synthesized meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4
5.3. Synthesized shall give Customer prior written notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within ten (10) Business Days of receipt of that notice, Customer notifies Synthesized in writing of any objections (on reasonable grounds) to the proposed appointment:
(a) Synthesized shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
(i) such a change cannot be made within ten (10) Business Days from Synthesized receipt of Customer’s notice;
(ii) no commercially reasonable change is available; and/or
(iii) Customer declines to bear the cost of the proposed change,
either Party may by written notice to the other Party with immediate effect terminate the Terms of Service and, for the avoidance of doubt, Customer shall cease all use of the Platform.
5.4. With respect to each Subprocessor, Synthesized shall ensure that the arrangement between Synthesized and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (including those set out in Paragraph 4).
6.1. Taking into account the nature of the Processing, Synthesized shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
6.2. Synthesized shall:
(a) promptly notify Customer upon becoming aware that it has received a Data Subject Request in respect of Customer Personal Data; and
(b) ensure that Synthesized does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.
7.1. Synthesized shall notify Customer without undue delay upon Synthesized becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within Synthesized’s possession) to allow Customer to meet any obligations under Data Protection Laws to report the Personal Data Breach to:
(a) affected Data Subjects; or
(b) the relevant Supervisory Authority(ies) (as may be determined in accordance with the Data Protection Laws).
7.2. Synthesized shall at Customer’s sole cost and expense co-operate with Customer and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Synthesized shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Synthesized.
9.1. Subject to Paragraph 9.4, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Synthesized shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.
9.2 Customer agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected Deletion, in preference of return, of the Customer Personal Data. Customer acknowledges and agrees that (i) its access to the Platform shall cease immediately upon termination of the Terms of Service (in accordance with "We may suspend or withdraw our Platform" above and "Breach of these Terms of Service"); (ii) it is solely responsible for securing and backing up any Input Datasets, Synthesized Data and Rebalanced Datasets during the term of the Terms of Service; and (iii) Synthesized shall not be required to provide to Customer any Input Datasets, Synthesized Data and/or Rebalanced Datasets on termination.
9.3 To the fullest extent technically possible in the circumstances, within ten (10) Business Days after the Cessation Date, Synthesized shall either (at its option):
(a) Delete; or
(b) irreversibly render Anonymised Data,
all Customer Personal Data then within Synthesized’s possession.
9.4. Synthesized and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Synthesized and any such Subprocessor shall ensure:
(a) the confidentiality of all such Customer Personal Data; and
(b) that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
10.1. Synthesized shall make available to Customer on request such information as Synthesized (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.
10.2. Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Synthesized pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Synthesized’s compliance with this Data Processing Addendum, Synthesized shall allow for and contribute to audits, including onpremise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Synthesized.
10.3. Customer shall give Synthesized reasonable notice of any audit or inspection to be conducted under Paragraph 10.1 (which shall in no event be less than ten (10) Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 10.4(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Synthesized in respect of, any damage, injury or disruption to Synthesized’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Synthesized’s other customers or the availability of Synthesized’s services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any onpremise inspection.
10.4. Synthesized need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of their identity and authority;
(b) to any auditor whom Synthesized has not given its prior written approval (not to be unreasonably withheld);
(c) unless the auditor enters into a non-disclosure agreement with Synthesized on terms acceptable to Synthesized;
(d) where, and to the extent that, Synthesized considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Synthesized’s other customers or the availability of Synthesized’s services to such other customers;
(e) outside normal business hours at those premises; or
(f) on more than one occasion in any calendar year during the term of the Terms of Service, except for any additional audits or inspections which Customer is required to carry out by Data Protection Law or a Supervisory Authority, where Customer has identified the relevant requirement in its notice to Synthesized of the audit or inspection.
10.5. Customer shall bear any third party costs in connection with such inspection or audit and reimburse Synthesized for all costs incurred by Synthesized and time spent by Synthesized (at Synthesized’s then-current professional services rates) in connection with any such inspection or audit.
11.1. Subject to Paragraph 11.3, to the extent that any Processing by either Synthesized or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:
(a) Customer – as “data exporter”; and
(b) Synthesized or Subprocessor (as applicable) – as “data importer”,
shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with Paragraph 11.3.
11.2. In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1:
(a) Clause 9 of such Standard Contractual Clauses shall be populated as follows:
“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”
(b) Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”
(c) Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and
(d) Appendix 2 to such Standard Contractual Clauses shall be populated as follows:
“The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.”
11.3. The Standard Contractual Clauses shall be deemed to come into effect under Paragraph 11.1 automatically upon the commencement of the relevant Restricted Transfer provided that Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws.
Customer acknowledges and agrees that Synthesized shall be freely able to use and disclose Anonymised Data for Synthesized’s own business purposes without restriction.
13.1. This Data Processing Addendum shall be incorporated into and form part of the Terms of Service.
13.2. In the event of any conflict or inconsistency between:
(a) this Data Processing Addendum and the Terms of Service, this Data Processing Addendum shall prevail; or
(b) any Standard Contractual Clauses entered into pursuant to Paragraph 11 and this Data Processing Addendum and/or the Terms of Service, those Standard Contractual Clauses shall prevail provided that, it is agreed that the following shall apply:
(i) in the event of any request under Clause 5(j) of the Standard Contractual Clauses that Synthesized provide copies of any Subprocessor agreement(s) to the Customer, Synthesized may remove or redact all commercial information or all or part of any clauses, recitals, schedules annexes, appendices etc., unrelated to the Standard Contractual Clauses or their equivalent beforehand;
(ii) the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Paragraph 10, and shall be subject to any relevant conditions, limitations or restrictions therein;
(iii) any authorisations or approvals of current and future Subprocessors given to Synthesized pursuant to Paragraph 5 will constitute Customer’s prior written consent to the subcontracting by Synthesized of the Processing of Customer Personal Data if and as such consent is required under Clause 5(h) of the Standard Contractual Clauses; and
(iv) certification of deletion of Customer Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Customer’s written request.
This Annex 1 to the Data Processing Addendum includes certain details of the Processing of Customer Personal Data: as required by Article 28(3) GDPR; and (where applicable in accordance with Paragraph 11) to populate Appendix 1 to the Standard Contractual Clauses.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Terms of Service and this Data Processing Addendum.
Nature and purpose of the Processing of Customer Personal Data
Synthesized Processes Customer Personal Data in order to perform the Services pursuant to the Terms of Service and as further instructed by Customer in accordance with this Data Processing Addendum.
The types of Customer Personal Data to be Processed
Personal Data (which may include Special Category Personal Data) as determined by Customer in its sole discretion and comprised within Input Datasets.
The categories of Data Subject to whom the Customer Personal Data relates
Data Subjects as determined by Customer in its sole discretion.
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Terms of Service and this Data Processing Addendum.
Brief details of Processing activities:
Address of Subprocessor (and location(s) of Processing activities if different):
Amazon Web Services EMEA SARL
AWS Customer Agreement available at https://aws.amazon.com/agreement/
38 Avenue John F. Kennedy, L-1855, Luxembourg
10800 NE 8th Street, Suite 600, Bellevue, WA 98004, United States
101 Townsend St, San Francisco, CA 94107, United States
Google Ireland Limited
Google Cloud Platform Terms of Service available at https://cloud.google.com/terms
Gordon House, Barrow Street, Dublin 4, Ireland
Google APIs Terms of Service available at https://developers.google.com/terms
1600 Amphitheatre Parkway, Mountain View, California 94043, United States
Mailgun Technologies, Inc.
535 Mission St. – 14th Floor, San Francisco, CA 94105, United States