Data Protection Addendum - Digital Barriers

This current consolidated Data Protection Addendum was published on March 2024. This Data Protection Addendum forms part of a written (including in electronic form) contract between Digital Barriers and the Customer (“Our Agreement”).

Definitions

1.1 In this Data Protection Addendum defined terms shall have the same meanings, and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:

Adequate Country means:

(a) in respect of Personal Data that is transferred from the European Union, a country outside the EEA which the European Commission has decided ensures an adequate level of protection for Personal Data in accordance with Data Protection Laws, or

(b) in respect of Personal Data that is transferred from the UK, a country outside the UK which the UK Secretary of State has decided ensures an adequate level of protection for Personal Data in accordance with the Data Protection Laws, and non-Adequate Country means a country that is outside the EEA or the UK and which is not an Adequate Country;

Digital Barriers Reseller means a third party approved by Digital Barriers to sell the Services.

Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

Controller, Personal Data, Processor, Processing, Data Subject, Personal Data, Personal Data Breach and Supervisory Authority: have the meaning given to that term in Data Protection Laws;

Data Protection Laws mean as applicable and binding on either party or the Services:

(a) the UK GDPR which has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018

(b) the EU GDPR, the General Data Protection Regulation ((EU) 2016/679),

(d) any laws which implement or supplement any such laws; and

(e) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing

(f) and the guidance and codes of practice issued by the Commissioner or other relevant Supervisory Authority which are applicable to a party;

Data Protection Losses means all liabilities, including all:

(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and

(b) to the extent permitted by Data Protection Laws:

(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by the Commissioner or a Supervisory Authority;

(ii) compensation which is ordered by a court, the Commissioner or a Supervisory Authority to be paid to a Data Subject; and

(iii) the reasonable costs of compliance with investigations by the Commissioner or a Supervisory Authority;

Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

EEA means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.

EU SCCs means the Model Clauses as set out in the Commission Implementing Decision on standard contractual clauses for the transfer of Personal Data to Third Countries pursuant to the EU GDPR;

International Recipient means the organisations, bodies, persons and other recipients located outside the EEA in Third Countries to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer’s prior written authorisation;

Lawful Safeguards means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

List of Sub-Processors means the latest version of the list of Sub-Processors used by Digital Barriers, as Updated from time to time, which is set out at Schedule 1

Processing Instructions has the meaning given to that term in paragraph 3.1 (a);

Protected Data means Personal Data in the Customer Data;

Sub-Processor means a Processor engaged by Digital Barriers or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;

Third Countries means a country other than the EEA countries.

UK means the United Kingdom of Great Britain and Northern Ireland;

UK Addendum means the UK addendum to the EU SCCs, published by the Commissioner that incorporates and amends the EU SCCs to facilitate the international transfer of Personal Data in compliance with the UK GDPR, as amended from time to time; and

Processor and Controller

2.1 Where the Customer purchases Services directly from Digital Barriers, the parties agree that, for the Protected Data, the Customer shall be the Controller and Digital Barriers shall be the Processor.

2.2 Where the Customer purchases Services through a Digital Barriers Reseller, the Digital Barriers Reseller shall be the Processor and Digital Barriers shall be the Sub-Processor.

2.3 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct Digital Barriers to process the Protected Data in accordance with this Agreement.

2.4 Whether acting as a Processor or Sub-Processor, Digital Barriers shall process Protected Data in compliance with:

(a) the obligations of Processors under the Data Protection Laws in respect of the performance of its obligations under this Agreement; and

(b) the terms of our Agreement.

2.5 The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with:

(a) all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

(b) the terms of our Agreement.

2.6 The Customer warrants, represents and undertakes, that at all times:

(a) the processing of all Protected Data (if processed in accordance with this Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;

(b) fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data that may be undertaken by Digital Barriers and its Sub-Processors in accordance with this Agreement;

(d) there are appropriate safeguards such as the EU SCCs and the UK Addendum in case of transfers of the Protected Data to International Recipients based in Third Countries made by Digital Barriers or any Sub-Processor, in accordance with Schedule 2 of this Addendum.

(e) it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to Digital Barriers (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Digital Barriers or any other person;

(f) all instructions given by it to Digital Barriers in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and

(g) it has undertaken due diligence in relation to Digital Barriers’ processing operations and commitments and it is satisfied (and at all times it continues to use the Services remains satisfied) that:

(i) Digital Barriers’ processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Digital Barriers to process the Protected Data;

(ii) the technical and organisational measures set out in this Agreement (each as Updated from time to time) shall (if Digital Barriers complies with its obligations our Agreement) ensure a level of security appropriate to the risk in regards to the Protected Data as required by Data Protection Laws; and

(iii) Digital Barriers has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Instructions and details of processings

3.1 Insofar as Digital Barriers processes Protected Data on behalf of the Customer, Digital Barriers:

(a) unless required to do otherwise by Data Protection Laws, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented written instructions as set out in this Agreement (including with regard to Transfers of Protected Data to any International Recipient), as Updated from time to time (Processing Instructions);

(b) if applicable laws to a party requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless applicable laws prohibits such information on important grounds of public interest); and

(c) shall promptly inform the Customer if Digital Barriers becomes aware of a Processing Instruction that, in the Digital Barriers’ opinion, infringes Data Protection Laws, provided that:

(i) this shall be without prejudice to paragraphs 2.5 and 2.6; and

(ii) to the maximum extent permitted by applicable laws to a party, Digital Barriers shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph3.1 (c).

3.2 The Customer agrees that:

(a) Digital Barriers (and each Sub-Processor) is not obliged to undertake any processing of Protected Data that Digital Barriers reasonably believes infringes any of the Data Protection Laws and shall not be liable (or subject to any reduction or set-off of any Fees otherwise payable to Digital Barriers) to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under this Agreement as a result of not undertaking any processing in such circumstances; and

(b) without prejudice to any other right or remedy of Digital Barriers, in the event the Customer has not resolved any Processing Instruction notified to it under paragraph 3.1 (c) such that it is lawful in Digital Barriers’ reasonable opinion within 30 days of such notification then such circumstances are a material breach of this Agreement by the Customer that cannot be remedied and Digital Barriers may terminate this Agreement in accordance with its terms.

3.3 The Customer shall be responsible for ensuring all Authorised Affiliates’ and Authorised User’s read and understand the Privacy Policy (as Updated from time to time) https://digitalbarriers.com/privacy-policy/

3.4 The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the User Manual). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command Digital Barriers is under no obligation to seek to restore it.

3.5 Subject to applicable Subscribed Service Specific Terms or the Order Form the processing of the Protected Data by Digital Barriers under this Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in schedule 1.
Technical and organisational measures

Digital Barriers shall implement and maintain technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures:

(a) in relation to the processing of Protected Data by Digital Barriers; and

(b) to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with the Digital Barriers then current rates. The parties have agreed that (taking into account the nature of the processing) Digital Barriers’ compliance with paragraph 6.1 shall constitute Digital Barriers’ sole obligations under this paragraph 4.1 (b).

4.2 The Customer shall promptly notify Digital Barriers of full details of any additional measures the Customer has identified as necessary for the processing of the Protected Data. The Customer acknowledges that Digital Barriers provides a commoditised one-to-many service and the security measure needs of other customers may differ. Digital Barriers shall not be obliged to implement any further or alternative security measures, but may otherwise accept the implementation of such security measures which will be at Customer’s cost. This is without prejudice to the Customer’s right to terminate our Agreement for convenience in accordance with the express provisions of our Agreement if it concludes the security measures adopted by Digital Barriers are no longer sufficient for its needs.

Using staff and other Processors

5.1 Subject to paragraph 5.2, Digital Barriers shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with this Agreement without providing the Customer with the opportunity to, acting reasonably, object to such changes by giving the Customer not less than one (1) month’s prior written notice (except where provision of such notice would interrupt the delivery of the data processing activities under this Agreement in which case the notice period shall be as much as is reasonably practicable). The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).

5.2 The Customer:

(a) authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors, as set out in Schedule 1, as at Order Acceptance; and

(b) authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as Updated from time to time. Digital Barriers shall update the List of Sub-Processors where relevant. and send it to the Customer on any such change. The Customer may object on reasonable grounds to the appointment of a new Sub-Processor (or any change to any of the Sub-Processors) following the presentation by Digital Barriers of the updated List of Sub-Processors introducing that change. If the Customer reasonably objects to the change in Sub-Processor, Digital Barriers shall use commercially reasonably endeavours to provide an alternative solution acceptable to the parties. If this alternative solution is not acceptable to the Customer, acting reasonably, the Customer’s exclusive remedy shall be terminating our Agreement in accordance with its terms before that Update takes effect.

5.3 Digital Barriers shall:

(a) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures);

(b) ensure each new Sub-Processor identified on the List of Sub-Processors further to paragraph 5.2 (b) meets the following criteria at the time the addition of that Sub-Processor is first made ISO27001 accreditation; and

5.4 Digital Barriers shall ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with applicable law, in which case Digital Barriers shall, where practicable and not prohibited by applicable law, notify the Customer of any such requirement before such disclosure).

Assistance with compliance and Data Subject rights requests

6.1 Digital Barriers shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay Digital Barriers for all work, time, costs and expenses incurred by Digital Barriers or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at the Digital Barriers rates set out in Digital Barriers’ Standard Pricing Terms.

6.2 Digital Barriers shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Digital Barriers) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:

(a) security of processing;

(b) data protection impact assessments (as such term is defined in Data Protection Laws);

(d) notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,

provided the Customer shall pay Digital Barriers for all work, time, costs and expenses incurred by Digital Barriers or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2 calculated on a time and materials basis at Digital Barriers’ rates set out in Digital Barriers’ Standard Pricing Terms.

International data Transfers

7.1 In respect of the transfers of the Protected Data by Digital Barriers, as and when applicable, from the UK or the EEA to a non-Adequate Country, Digital Barriers shall enter into a lawful data transfer mechanism under the Data Protection Laws (Lawful Safeguards) so that appropriate safeguards are in place to ensure an adequate level of protection with respect to the data protection rights of individuals as required by Article 46 of the UK GDPR (in the event of a transfer governed by the UK GDPR) and Article 46 of the EU GDPR (in the event of a transfer governed by the EU GDPR).

7.2 Subject to Clause 7, the Customer hereby authorises Digital Barriers (or any Sub-Processor) to Transfer any Protected Data for the purposes referred to in paragraph 3.5 to any International Recipient(s) based in a non-Adequate Country, in accordance with paragraph 7.3, provided all Transfers of Protected Data by Digital Barriers (or any Sub-Processor) to any such International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and this Agreement. The provisions of our Agreement (including this Data Protection Addendum) shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1 (a).

7.3 The Lawful Safeguards employed in connection with Transfers pursuant to paragraph 7.2 shall be as follows:

(a) The country to which data is being exported holds a current determination of adequacy; or

(b) appropriate safeguards such as Standard Contractual Clauses are in place between the party who is the data exporter and the party who is the data importer. Subject to the other terms set out in this clause 7, the Parties agree to implement the EU SCCs and subject to the other terms set out in this clause 7, the Parties agree to implement the EU SCCs and the UK Addendum in accordance with Schedule 2 of this Data Processing Addendum.

7.4 Each Party shall comply with obligations applicable to it under the EU SCCs and the UK Addendum. The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that Digital Barriers does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Data Protection Laws.

7.5 If during the Term of this Agreement:

(a) either of the EU SCCs and/or the UK Addendum are varied or declared ‘inadequate’ by an applicable court, the Commissioner, or for any other reason they are no longer sufficient to legitimise the transfer of Personal Data or the European Commission withdraws the relevant adequacy decision applicable to a country recipient of the Protected Data; and/or

(b) there is any other change in law applicable to any Party to this Agreement (whether a Party at signature, or an acceding Affiliate) requiring an alternative data transfer mechanism to legitimise an international transfer,

the Parties agree to execute such other instrument, code, document or documents or do all things as are necessary to ensure the continued legitimate transfer of Protected Data.

Information and audit

8.1 Digital Barriers shall maintain, in accordance with Data Protection Laws binding on Digital Barriers, written records of all categories of processing activities carried out on behalf of the Customer.

8.2 On request, Digital Barriers shall provide the Customer (or auditors mandated by the Customer) with a copy of the third party certifications and audits to the extent made generally available to its customers. Such information shall be confidential to Digital Barriers and shall be Digital Barriers’ Confidential Information as defined in our Agreement, and shall be treated in accordance with applicable terms.

8.3 In the event that the Customer, acting reasonably, deems the information provided in accordance with paragraph 8.2 insufficient to satisfy its obligations under Data Protection Laws, Digital Barriers shall, on request by the Customer make available to the Customer such information as is reasonably necessary to demonstrate Digital Barriers’ compliance with its obligations under this Data Protection Addendum and Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose provided:

(a) such audit, inspection or information request is reasonable, limited to information in the Digital Barriers’ possession or control and is subject to the Customer giving Digital Barriers reasonable (and in any event at least 60 days’) prior notice of such audit, inspection or information request;

(b) the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Customer or third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure Digital Barriers is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3);

(c) the Customer shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of Digital Barriers;

(d) the duration of any audit or inspection shall be limited to one Business Day;

(e) all costs of such audit or inspection or responding to such information request shall be borne by the Customer, and Digital Barriers’ costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Customer on a time and materials basis in accordance with Digital Barriers then current rates;

(f) the Customer’s rights under this paragraph 8.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if the Customer (acting reasonably) believes Digital Barriersis in breach of this Data Protection Addendum;

(g) the Customer shall promptly (and in any event within one Business Day) report any non-compliance identified by the audit, inspection or release of information to Digital Barriers;

(h) the Customer agrees that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits shall be Supplier’s Confidential Information as defined in our Agreement, and shall be treated in accordance with applicable terms;

(i) the Customer shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of the Supplier while conducting any such audit or inspection; and

(j) this paragraph 8.3 is subject to paragraph 8.4.

8.4 The Customer acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that Digital Barriersor Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 8.3 and:

(a) the Customer’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s);

(b) to the extent any information request, audit or inspection of any Sub-Processor are permitted in accordance with this paragraph 8.4, equivalent restrictions and obligations on the Customer to those in paragraphs 8.3 (a) to 8.3 (j) (inclusive) shall apply together with any additional or more extensive restrictions and obligations applicable in the circumstances; and

8.5 Notwithstanding paragraph 8.4, Digital Barriers shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws and Digital Barriers’ obligations in respect of Protected Data under this Agreement]. The Customer accepts that the provisions of paragraph 8.4 shall satisfy Digital Barriers’ obligations in that regard.

Breach notification

9.1 In respect of any Personal Data Breach, Digital Barriers shall, without undue delay (and in any event within 72 hours):

(a) notify the Customer of the Personal Data Breach; and

(b) provide the Customer with details of the Personal Data Breach.

Deletion of Protected Data and copies

Following the end of the provision of the Services (or any part) relating to the processing of Protected Data Digital Barriers shall dispose of Protected Data in accordance with its obligations under this Agreement. Digital Barriers shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with this Agreement.

Compensation and claims

11.1 Digital Barriers shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Agreement:

(a) only to the extent caused by the processing of Protected Data under this Agreement and directly resulting from Digital Barriers’ breach of this Agreement; and

(b) in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer (including in accordance with paragraph 3.1(c) (ii)).

11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with this Agreement or the Services, it shall promptly provide the other party with notice and full details of such claim.

11.3 The parties agree that the Customer shall not be entitled to claim back from Digital Barriers any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate Digital Barriers in accordance with this Agreement.

11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

(a) to the extent not permitted by the Data Protection Laws; and

(b) that it does not affect the liability of either party to any Data Subject.

Survival

This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of Digital Barriers or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.

Data protection contact

The Supplier’s Data Protection Officer may be contacted at dataofficer@digitalbarriers.com

Schedule 1

Data processing details

Subject-matter of processing:

Digital Barriers may process Personal Data on behalf of the Customer in performing its obligations under this Agreement.

Duration of the processing:

Digital Barriers will only process Personal Data for as long as reasonably necessary to fulfil Digital Barriers’ obligations under this Agreement. Audio and video data processed as part of the Services will be retained for a period of 30 days unless the Customer, as the Controller, requests a different retention period. Digital Barriers will process Personal Data for as long as the Customer’s account is active or as needed to provide the Customer with access to the Services.

Nature and purpose of the processing:

processing in accordance with the rights and obligations of the parties under this Agreement;
processing as reasonably required to provide the Services;
processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Customer, in each case in a manner consistent with this Agreement; and/or
in relation to each Subscribed Service.
Type of Personal Data:

In providing the Services, Digital Barriers shall process the following Personal Data:

Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of Services you have purchased from Digital Barriers.
Technical Data includes internet protocol (IP) address, Customer login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices the Customer uses to access the Digital Barriers website.
Profile Data includes Customer usernames and passwords, purchases or orders made by the Customer, Customer interests, preferences and feedback and any issues that the Customer has encountered which Digital Barriers has been requested to fix.
Usage Data includes information about how the Customer uses the Services.
Marketing and Communications Data includes Customer preferences in receiving marketing from Digital Barriers and Digital Barriers Resellers and Customer communication preferences.
Video and Image Data includes video and images captured through use of the Services.

Categories of Data Subjects:

Authorised Users and individuals captured through use of the Services.

Authorised Sub-Processors

Amazon Web Services (AWS)

Schedule 2

International transfers of Personal Data from the EEA and/or the UK

Relationship of the Parties

1.1 The Parties identified in Annex I to this Schedule 2 are the Data Exporter and the Data Importer under this Agreement.

1.2 The transfer of Protected Data under this Agreement is by the Data Exporter to the Data Importer acting as Processor as set out in Annex I to this Schedule 2.

1.3 In the event that either Party considers that the information referenced in paragraph 1.2 above is not correct (in whole or in part) they shall notify the other Party in writing and the Parties shall in good faith amend this Schedule 2 to reflect that Processing pending which this Schedule 2 shall be deemed amended only to the extent necessary to maintain compliance with Data Protection Laws.

Clauses incorporated by this Agreement

2.1 This Schedule 2 incorporates by reference the terms of each of the following agreements:

(a) the EU SCCs, to the extent that EU Data Protection Laws applies to the Data Exporter’s Processing when making that transfer excluding:

(i) any transfer to the Data Importer where the import of Protected Data falls within the scope of EU Data Protection Laws as regards such Processing; and

(ii) any transfer to the Data Importer where the country the Data Importer is based on is a country (and where relevant the sector) at the relevant time treated by the Competent Authorities within the EU as benefiting from an adequacy decision for the transfer of the relevant Protected Data; and

(b) the UK Addendum to the EU SCCs, to the extent that UK Data Protection Laws apply to the Data Exporter’s Processing when making that transfer excluding:

(i) any transfer to the Data Importer where the import of Protected Data falls within the scope of UK Data Protection Laws as regards such Processing; and

(ii) any transfer to the Data Importer where the country the Data Importer is based is a country (and where relevant the sector) at the relevant time treated by the Competent Authorities within the UK as benefiting from an adequacy decision for the transfer of the relevant Protected Data.

Amendments to the EU SCCs as incorporated into this Agreement

3.1 The ‘module’ of the EU SCCs that shall apply is based on whether each of the Data Exporter and Data Importer acts as a Processor, as is identified in Annex I of this Schedule 2.

3.2 The terms of the EU SCCs shall apply varied as follows:

(a) Clause 7 (Docking Clause), which is optional, is included.

(b) Clause 9 (Use of sub-processors), which allows for (1) specific prior authorisation of sub-contracting or (2) general written authorisation of processing of Protected Data, is amended so that the general written sub-contracting authorisation is as set out in this Agreement. In either case, one month prior written notice shall be provided to the Data Exporter (other than where provision of such notice would interrupt the delivery of the data processing activities under this Agreement in which case the notice period shall be as much as is reasonably practicable). The Data Importer shall update the list of sub-processors in Annex III of this Schedule 2 and send it to the Data Exporter on any such change.

(d) Clause 13 (Supervision) provides for three alternative options to identify the relevant Supervisory Authority in an EU Member State depending on whether: (I) the Data Exporter is established in an EU Member State; or (II) the Data Exporter is not established in an EU Member State, but to whom the EU GDPR applies under Art. 3(2) EU GDPR and who has appointed an EU representative in accordance with Art. 27 EU GDPR; or (III) the Data Exporter is not established in an EU Member State, but is subject to the EU GDPR in accordance with Art. 3(2) EU GDPR and not required to appoint an EU representative in accordance with Art. 27 EU GDPR. The relevant drafting shall apply and shall be as reflected in clause C of Annex I.

(e) Clause 17 (Governing law) which shall be the law of the Data Exporter provided that it is an EU member state.

(f) Clause 18 (Choice of forum and jurisdiction) is amended so that the courts which have jurisdiction are the courts of the EU Member State referenced by Clause 17 (Governing law) as amended above.

Amendments to the UK Addendum as incorporated into this Agreement

4.1 The terms of the UK Addendum shall apply varied as follows:

(a) the date to be included in clause 1 of the UK Addendum is the Effective Date of this Agreement; and

(b) Clause 10 of the UK Addendum (allowing for the laws and/or courts of Scotland or Northern Ireland instead of the laws and courts of England and Wales) is not agreed by the Parties.

Interpretation

5.1 In the event of a conflict or inconsistency between this Schedule 2 and the provisions of the EU SCCs or the UK Addendum or other related agreements between the Parties, existing at the time this Schedule 2 is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects shall prevail.

ANNEX I

A. LIST OF PARTIES

Data importer(s):

Name: Digital Barriers Services Limited t/a Digital Barriers
Address: Milton Gate, 60 Chiswell Street, London, United Kingdom, United Kingdom, EC1Y 4AG
Contact person’s name, position and contact details: dataofficer@digitalbarriers.com
Activities relevant to the data transferred under these Clauses: The Data Exporter processes Personal Data on behalf of the Data Importer in providing the Services and performing its obligations under this Agreement
Role (processor): Processor

Data exporter(s):

Name: The Customer named on the Agreement
Address: The address of the Customer’s corporate headquarters
Contact person’s name, position and contact details: The primary administrative contact listed in the Agreement
Activities relevant to the data transferred under these Clauses: Processing of personal data to provide Products as set forth in the Agreement
Role (processor): Controller

B. DESCRIPTION OF TRANSFER

a) Categories of data subjects whose personal data is transferred: Authorised Users and individuals captured through use of the Services.

b) Categories of personal data transferred:

Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of Services you have purchased from Digital Barriers.
Technical Data includes internet protocol (IP) address, Customer login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices the Customer uses to access the Digital Barriers website.
Profile Data includes Customer usernames and passwords, purchases or orders made by the Customer, Customer interests, preferences and feedback and any issues that the Customer has encountered which Digital Barriers has been requested to fix.
Usage Data includes information about how the Customer uses the Services.
Marketing and Communications Data includes Customer preferences in receiving marketing from Digital Barriers and Digital Barriers Resellers and Customer communication preferences.

c) Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

d) The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Transfers will be on a continuous basis for the duration of the Services.

e) Nature of the processing:

f) Purpose(s) of the data transfer and further processing: Digital Barriers processes Personal Data on behalf of the Customer for the purposes of providing the Services and performing its obligations under this Agreement.

The period for which the personal data will be retained, will be for the duration as defined in the terms of the Agreement. Digital Barriers will only process Personal Data for as long as reasonably necessary to fulfil its obligations under this Agreement. Audio and video data processed as part of the Services will be retained for a period of 30 days unless the Customer, as the Controller, requests a different retention period. Digital Barriers will process Personal Data for as long as the Customer’s account is active or as needed to provide the Customer with access to the Services.

g) For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing for the duration of ther term of the Agreement for the purposes of providing the Services/Products.

C. COMPETENT SUPERVISORY AUTHORITY

Information Commissioner’s Office (ICO), United Kingdom

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

This document outlines the technical and organizational security measures implemented by Digital Barriers to ensure the protection of personal data as part of our commitment to data privacy and security. These measures are designed to comply with applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR).

1. Access Controls

Access to personal data is restricted to authorized personnel only, based on the principle of least privilege.
Strong authentication mechanisms, such as passwords and multi-factor authentication, are employed to control access to systems and data.
Role-based access controls (RBAC) are implemented to ensure that users have access only to the data and systems necessary for their roles.

2. Data Encryption

Personal data is encrypted both at rest and in transit using industry-standard encryption algorithms.
Encryption keys are securely managed and stored to prevent unauthorized access.

3. Data Minimization

Only the minimum amount of personal data necessary for the intended purpose is collected, processed, and retained.
Regular reviews are conducted to identify and securely dispose of any unnecessary personal data.

4. Pseudonymisation and Anonymization

Where applicable, personal data is pseudonymized or anonymized to further protect individual privacy.
Pseudonymization techniques such as tokenization and hashing are employed to replace identifying information with pseudonyms.

5. Secure Transmission

Secure communication protocols, such as HTTPS/TLS, are used to transmit personal data over networks to prevent interception or tampering.

6. Incident Response and Management

An incident response plan is in place to address and mitigate any security incidents or breaches promptly to minimise impact to customers.
Regular security assessments and audits are conducted to identify and address vulnerabilities proactively.

7. Training and Awareness

Ongoing training and awareness programs are provided to employees to ensure they understand their roles and responsibilities regarding data privacy and security.
Employees are regularly updated on security best practices and any changes to data protection regulations.

8. Vendor Management

Third-party vendors and service providers are carefully vetted to ensure they adhere to the same high standards of data privacy and security.
Contracts with vendors include provisions for data protection and security obligations.

9. Compliance Monitoring

Compliance with data protection laws and regulations, as well as internal policies and procedures, is monitored regularly.
Compliance assessments and audits are conducted periodically to ensure adherence to security measures.

10. Review and Updates

This document is reviewed and updated periodically to reflect changes in technology, regulations, and organizational practices.
Any updates to security measures are communicated to relevant stakeholders promptly.

11. Contact Information

For any questions or concerns regarding the technical and organizational security measures outlined in this document, please contact dataofficer@digitalbarriers.com