This Data Processing Addendum (“DPA”), by and between Customer and P6 TECHNOLOGIES, INC. (“Provider”) (together the “Parties”), shall reflect the Parties’ agreement with respect to the processing of personal data in connection with the Software Services Agreement by and between Customer and Provider (“Agreement”). This DPA is supplemental to, and forms apart of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement.
1.1 Controller means the party which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Where Customer makes Personal Data available to Provider pursuant to the Agreement, Customer is the Controller. Where Provider makes Personal Data available to Customer pursuant to the Agreement, Provider is the Controller.
1.2 Data Privacy Laws means all laws and regulations related to the collection, use, disclosure, or protection of personal information applicable to the Parties in connection with the Services or the Agreement, which may include, withoutlimitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or GDPR) and other laws and regulations of the European Union (EU), the European Economic Area (EEA), and their member states relating to data protection; the UK GDPR; and the California Consumer Protection Act of 2018 as amended by the California Privacy Rights Act of 2020, and implementing regulations (CCPA).
1.3 Data Subject means the individual to whom Personal Data relates, and shall include Customer’s representatives and employees or Provider’s representatives or employees.
1.4 Data Subject Request means a Data Subject’s request to exercise any rights that person has under Data Privacy Laws in respect of that person’s Personal Data, including any right to access, delete, correct, rectify, restrict or limit the use of such Personal Data.
1.5 Deidentified Data means data that cannot reasonably identify, relate to, describe, or be linked, directly or indirectly to, a particular individual.
1.6 Aggregated Data means data that relates to a group or category of individuals from which identifying information has been removed such that it is not, and cannot be, linked or reasonably linkable to any particular individual. Aggregated Data includes Aggregated Statistics, as defined in the Agreement.
1.7 Personal Data means any information relating to an identified or identifiable natural person made available to Provider by Customer in connection with the Services. This information includes name, email address, IP address, browser type and version, location, operating system/platform, and usage data. Personal Data may also, in some circumstances, include information relating to an identified or identifiable natural person made available to Customer by Provider, such as information pertaining to Provider’s employees or representatives. Personal Data does not include Deidentified Data, Aggregated Data, or data that is publicly available.
1.8 Process or Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, dissemination, combination, blocking, or destruction.
1.9 Processor means the party which Processes Personal Data on behalf of the Controller. Where Customer makes Personal Data available to Provider pursuant to the Agreement, Provider is the Processor. Where Provider makes Personal Data available to the Customer pursuant to the Agreement, Customer is the Processor.
1.10 Purpose means the purpose of enabling Provider to provide, maintain, and improve the quality of the Services provided to Customer.
1.11 Security Incident means the unauthorized and unlawful loss destruction, or theft,acquisition of, or access to, Personal Data that materially compromises the confidentiality, integrity, or availability of Personal Data. Security Incidents do not include attempted, but unsuccessful, acquisition or access to Provider’s systems or Personal Data.
1.12 Services means the services provided by Provider to Customer as set forth in the Agreement, which shall include software services to assist Customer’s creation of life cycle assessments (LCA).
Annexes to European Union Standard Contractual Clauses (MODULE II: Transfer Controller to Processor)
ANNEX I
Name: The Customer, as defined in the Agreement.
Address: The Customer’s address, as set forth in the Agreement.
Contact person’s name, position and contact details: The representative of the Customer, as set forth in the applicable order form.
Activities relevant to the data transferred under these Clauses: Processing Personal Data to perform the Services, as set forth in the DPA and the Agreement.
Role: Controller
Address: 1502 Pace Bend Rd S, Spicewood, TX 78669
Contact person’s name, position and contact details: Joseph Berti, Chief Executive
Officer, joe@p6technologies.com
Activities relevant to the data transferred under these Clauses: Processing Personal Data to perform the Services, as set forth in the DPA and the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
The categories of data subjects are set forth in the definition of “Data Subjects” in the DPA.
Categories of personal data transferred:
The categories of personal data are set forth in the definition of “Personal Data” in the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The Parties do not anticipate the transfer of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous.
The nature of the processing will be accordance with the Agreement and this DPA, as set forth in the definition of “Processing” in this DPA.
Purpose(s) of the data transfer and further processing:
The purpose of the data transfer and further processing will be in accordance with the Agreement and this DPA, as set forth in the definition of “Purpose” in the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Subject to the obligations set forth in this Agreement, personal data will be processed for the duration of the Agreement.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Processor’s technical and organizational measures to ensure the security of the data are set forth in the DPA.
ANNEX III
Attachment 2
Tables to International Data Transfer Addendum to the
EU Commission Standard Contractual Clauses
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Start date
|
Agreement effective date
|
|
The Parties
|
Exporter (who sends the Restricted Transfer)
|
Importer (who receives the Restricted Transfer)
|
Parties’ details
|
Full legal name: The representative of the Customer, as set forth in the online order form.
Main address (if a Customerregistered address): Customer’s address.
Official registration number (if any) (Customer number or similar identifier): N/A
|
Full legal name: P6 Technologies, Inc.
Trading name (if different): N/A
Main address (if a Customerregistered address): 1502 Pace Bend Rd S, Spicewood, TX 78669 Official registration number (if any) (Customer number or similar identifier): N/A
|
Key Contact
|
Full Name (optional):
Job Title:
Contact details including email:
|
Full Name (optional): Joseph Berti
Job Title: Chief Executive Officer
Contact details including email: joe@p6technologies.com
|
Addendum EU SCCs
|
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date:
Reference (if any):
Other identifier (if any):
Or
The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module 2: Controller-to-Processor Transfers
|
Module
|
Module in operation
|
Clause 7 (Docking Clause)
|
Clause 11
(Option) |
Clause 9a (Prior Authorisationor General Authorisation)
|
Clause 9a (Time period)
|
Is personal data received from the Importer combined with personal data collected by the Exporter?
|
1
|
|
|
|
|
|
|
2
|
X
|
X
|
No Independent Dispute Resolution Body
|
General Authorisation
|
60 days
|
|
3
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
Annex 1A: List of Parties: See Annex 1A above
|
Annex 1B: Description of Transfer: See Annex 1B above.
|
Annex II: See Annex II above.
|
Annex III: List of Sub processors (Modules 2 and 3 only): See Annex III above.
|
Ending this Addendum when the Approved Addendum changes
|
Which Parties may end this Addendum as set out in Section:
Importer
Exporter
neither Party
|