Superside Data Processing Agreement

Last Updated: 29 September 2023

This Data Processing Agreement, together with the Schedules and Annexes thereto, (collectively the “DPA”) constitutes an integral part of all agreements between Konsus, Inc., a Delaware corporation (the “Processor” or “Superside”) and the Client (the “Controller”), including the Superside Terms of Use or under any Master Service Agreement or similar agreement (the “Agreement”), and reflects the parties’ agreement with respect to the processing of Personal Data. This DPA supplements the Agreement and in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA. This DPA amends, supersedes and replaces any prior agreement relating to data processing and/or data protection the parties entered into prior to entering into this DPA.

  1. DEFINITIONS

    Capitalized terms used in this DPA shall have the meanings given to them in the Agreement and below:
    1. “Applicable Law” means (a) any data protection laws and regulations applicable to Superside’s processing of Controller Data, including the GDPR; (b) the UK Data Protection Act of 2018, and the UK GDPR (collectively “UK Data Protection Laws”); (c) CCPA; (d) VCDPA; (e) CPA; (f) CTDPA; (g) UCPA; and (h) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.
    2. “Controller Data” means any Personal Data that the Processor processes on behalf of the Controller in providing the Services including all electronic data, text, messages or other materials submitted to the Service by Users in connection with the use of the Service.
    3. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations.
    4. “CPA” means the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 through 6-1-1313.
    5. “CPRA” means the California Privacy Rights Act of 2020, and its implementing regulations which amends the California Consumer Privacy Act of 2018 (CCPA).
    6. “CTDPA” means the Connecticut Data Privacy Act, Conn. Gen. Stat. §§ 42-515 through 42-526.
    7. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Data transmitted, stored or otherwise processed by Processor.
    8. “Data Subject Requests” means a formal inquiry made to either the Controller or the Processor inquiring whether any of the data subject’s personal data has been collected, stored, and used, and if so, the Data Subject has the right to access that data, amend that data, or request that the data be erased.
    9. “EEA Personal Data” means Personal Data collected from Data Subjects located in the European Economic Area.
    10. “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of European Union or Member State Law, or domestic law in the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act of 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).
    11. “Permitted Purpose” means the use of the Controller Data to the extent necessary for provision of the Services by Processor to the Controller.
    12. “Regulator” means any supervisory authority with authority under Applicable Law over all or any part of the provision or receipt of the Services or the processing of Personal Data.
    13. “Service” means the products and services that are ordered by the Controller through a link or via a Statement of Work (“SOW”) and made available online by the Processor.
    14. “Sub-Processor” means any third-party data processor engaged by the Processor, who receives Personal Data from the Processor for processing on behalf of the Controller and in accordance with the Controller’s instructions (as communicated by the Processor) and the terms of its written subcontract.
    15. “Swiss Personal Data” means Personal Data collected from Data Subjects located in Switzerland.
    16. “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. § 133-61-101 et seq.
    17. “UK Data Protection Laws” means the UK Data Protection Act of 2018 and the UK GDPR.
    18. “UK Personal Data” means Personal Data collected from Data Subjects located in the United Kingdom.
    19. “Users” means individuals who interact with or access the Processor’s Service or platform.
    20. “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.
    21. Terms such as “Data Subject”, “Personal Data”, “Processing”, “Controller”, “Processor”, “Service Provider”, and “Supervisory Authority”, as well as all other capitalized terms used in this DPA, shall have the meaning ascribed to them in the Applicable Law.
  2. PURPOSE
    1. The Controller and the Processor have entered into the Agreement pursuant to which the Controller is granted a license to access and use the Service. In providing the Service, the Processor will engage, on behalf of the Controller, in the processing of Personal Data submitted to and stored within the Service by Controller.
    2. The parties are entering into this DPA to ensure that the processing by the Processor of Controller Data within the Service is done in a manner compliant with Applicable Law and its requirements regarding the collection, use, and retention of Personal Data of Data Subjects.
  3. OWNERSHIP OF THE CONTROLLER DATA
    All Controller Data Processed under the terms of this DPA shall remain the property of the Controller. Under no circumstances will the Processor act, or be deemed to act, as a “Controller” (or equivalent concept) of the Controller Data Processed within the Service under any Applicable Law.
  4. OBLIGATIONS OF DATA PROCESSOR
    The Processor shall process Personal Data in compliance with the obligations placed on it under Applicable Laws and the terms of this DPA. The parties agree that the subject-matter and duration of Processing performed by the Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 2 of this DPA and in the Agreement.
  5. OBLIGATIONS OF DATA CONTROLLER
    1. The Controller shall, at all times, comply with all Applicable Laws in connection with the collecting and processing of Personal Data. The Controller shall ensure all instructions given by it to the Processor (including the terms of this DPA) shall at all times be in accordance with all Applicable Laws. Nothing in this DPA relieves the Controller of any responsibilities or liabilities under any Applicable Laws; and
    2. The Controller represents and warrants that it has provided, and will continue to provide, all necessary notice and has obtained, and will continue to obtain, all consents and rights necessary for the Processor to process Controller Data for the purposes of this DPA.
  6. SECURITY
    1. The Processor shall implement and maintain the technical and organizational measures set out in Schedule 3 of this DPA to protect the Personal Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.
    2. During the period in which the Processor processes any Personal Data, the Controller shall undertake a documented assessment at least every 12 months of whether the security measures implemented in accordance with Schedule 3 of this DPA are sufficient, taking into account the state of technical development and the nature of processing, to protect the Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access. The Controller shall notify the Processor, within 10 days, of full details of the assessment and its outcome and of any additional measures the Controller believes are required as a result of the assessment. The Processor shall not be obliged to implement any further or alternative security measures except as agreed as a binding variation of this DPA.
  7. RETURN AND DESTRUCTION OF PERSONAL DATA
    Upon the termination of the Controller’s access to and use of the Service, the Processor will, for no less than thirty (30) days following such termination, permit the Controller to export its Controller Data, at its expense, in accordance with the capabilities of the Service. Following such a period, and upon request from the Controller, the Processor shall promptly delete all Controller Data Processed by the Processor on behalf of the Controller in accordance with the Processor’s deletion policies and procedures. The Controller expressly consents to such deletion.
  8. AUDITS AND PROCESSING
    The Processor shall, in accordance with Applicable Laws and at Controller’s cost, make available to the Controller such information in its possession or control as is necessary to demonstrate the Processor’s compliance with the obligations placed on it under this DPA and to demonstrate compliance with the obligations imposed on each party by Article 28 of the GDPR and by any Applicable Laws equivalent to Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, by the Controller, or another auditor mandated by the Controller, for this purpose, subject to a maximum of one audit request in any 12 month period under this paragraph.
  9. DATA BREACH NOTIFICATION
    The Processor shall notify the Controller in writing and without undue delay, and in any case within 72 hours, on becoming aware of any Personal Data breach affecting the Controller’s Data.
  10. SURVIVAL
    1. This DPA shall survive the termination or expiry of the Agreement:
      1. indefinitely in the case of clauses 4 and 9; and
      2. in the case of all other paragraphs and provisions of this DPA, until the later of:
        1. the termination or expiry of the Agreement; or
        2. return or secure deletion or disposal of the last of the Personal Data in the Processor’s, or any of its Sub-Processors, possession or control in accordance with this DPA.
  11. INTEGRATIONS
    The Service may provide links to integrations with third party products in which the proprietary rights are held by a third party, including, without limitation, certain third party products which may be integrated directly into Controller’s account or instance in the Service (each a “Third Party Product”). If Controller elects to enable, access or use such Third Party Products, its access and use of such Third Party Products is governed solely by the terms and conditions and privacy policies of such Third Party Products, and Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Products, including, without limitation, their content or the manner in which they handle Controller Data or any interaction between Controller and the provider of such Third Party Products. Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with Controller’s enablement, access or use of any such Third Party Products, or Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Products. The providers of Third Party Products shall not be deemed Sub-processors for any purpose under this DPA.
  12. EEA, UK & SWISS PERSONAL DATA TRANSFERS
    1. EU Standard Contractual Clauses (“EU SCC”). The parties agree, as evidenced by their signature on this DPA or any Agreement which incorporates this DPA by reference, that the EU SCC, attached to this DPA as Schedule 1, will apply to EEA Personal Data transferred from Controller, either directly from the European Economic Area or via onward transfer, to Processor. In the event that any provision of the EU SCC is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of the SCC and the terms of this DPA shall remain operative and binding on the parties. The parties agree on the following clarifications in relation to the EU SCC:
      1. Pursuant to Clause 9(a) of the EU SCC, Controller acknowledges and expressly agrees that Processor will appoint and engage new Sub-Processors in accordance with Section 15 of this DPA.
      2. The audits described in Clause 8.9(c) and (d) of the EU SCC shall be carried out in accordance with Section 8 of this DPA.
      3. The certification of deletion of Controller Data that is described in Clause 16(d) of the EU SCC shall be provided by the Processor only upon the Controller’s request.
      4. The liability described in Section 16 shall in no event exceed the limitations set forth in the Agreement, and that under no circumstances and under no legal theory (whether in contract, tort, negligence or otherwise) will either party to this DPA, or their affiliates, officers, directors, employees, agents, service providers, suppliers, or licensors be liable to the other party or any third party for any lost profits, lost sales of business, lost data (being data lost in the course of transmission via Controller’s systems or over the Internet through no fault of Processor), business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, regardless of whether such party has been advised of the possibility of or could have foreseen such damages. For the avoidance of doubt, this section shall not be construed as limiting the liability of either party with respect to claims brought by data subjects.
    2. Swiss Personal Data. The parties agree that the EU SCC attached at Schedule 1 will apply to Swiss Personal Data transferred from Controller, either directly from Switzerland or via onward transfer, to Processor to the extent Processor is located in the United States or any country not recognized by Switzerland as providing an adequate level of protection for Personal Data. The Parties agree that the following clarifications apply to Schedule 1 as to the processing of Swiss Personal Data:
      1. for purposes of Annex I.C under EU SCC Clause 13, insofar as the data transfer is governed by the Switzerland Federal Act on Data Protection of 19 June 1992 (SR 235.1; FADP) or the FADP’s revised 25 September 2020 version, the Supervisory Authority shall be Switzerland’s Federal Data Protection and Information Commissioner (FDPIC);
      2. for transfers of Swiss Personal Data the Applicable Law for contractual claims pursuant to EU SCC Clause 17 shall be the law of Ireland and the applicable place of jurisdiction pursuant to EU SCC Clause 18(b) shall be Ireland; and
      3. the term “member state” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with EU SCC Clause 18(c). The EU SCC shall also protect the data of Switzerland legal entities until the entry into force of the 25 September 2020 revised version of the Federal Act on Data Protection (revised FADP).
    3. UK Standard Contractual Clauses (UK SCC). The parties agree, as evidenced by their signature on this DPA or any Agreement which incorporates this DPA by reference, that the UK SCC, attached to this DPA as Schedule 1, will apply to UK Personal Data transferred from Controller, either directly from the UK or via onward transfer, to Processor. In the event that any provision of the UK SCC is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of the SCC and the terms of this DPA shall remain operative and binding on the parties. The parties agree on the following clarifications in relation to the SCCs:
      1. Pursuant to Clause 16 of the UK SCC, Controller acknowledges and expressly agrees that Processor will appoint and engage new Sub-Processors in accordance with Section 15 of this DPA.
      2. The audits described in Clauses 12.1.5 and 12.1.6 of the UK SCC shall be carried out in accordance with Section 8 of this DPA.
      3. The liability described in Clause 6 of the UK SCC shall in no event exceed the limitations set forth in the Agreement, and that under no circumstances and under no legal theory (whether in contract, tort, negligence or otherwise) will either party to this DPA, or their affiliates, officers, directors, employees, agents, service providers, suppliers, or licensors be liable to the other party or any third party for any lost profits, lost sales of business, lost data (being data lost in the course of transmission via Controller’s systems or over the Internet through no fault of Processor), business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, regardless of whether such party has been advised of the possibility of or could have foreseen such damages. For the avoidance of doubt, this section shall not be construed as limiting the liability of either party with respect to claims brought by Data Subjects.
      4. If after the effective date of this DPA, the United Kingdom issues a UK Addendum to the EU SCC for Controller to Processor contracts, the Parties agree, as evidenced by their signatures on this DPA, or any Agreement which incorporates this DPA by reference that the new UK Addendum will automatically apply to any UK Personal Data, and replace Schedule 5, and the clarifications noted above in the EU Standard Contractual Clauses section will apply to UK Personal Data as well. Such action will not invalidate or render this DPA unenforceable.
  13. CCPA (including the CPRA) – CALIFORNIA RESIDENTS’ PERSONAL DATA
    1. The parties agree that, in addition to the other provisions in this DPA, the following provisions apply to the processing of California residents’ Personal Data under the CCPA (including the CPRA). Capitalized terms used but not otherwise defined in section 13 will have the meanings given to them in the DPA. Capitalized terms not otherwise defined in the DPA, will have the meaning given to them under the CCPA.
    2. No CCPA Sale. The Parties agree that for the purposes of CCPA, Processor acts as a CCPA Service Provider for Controller Personal Data. By executing the Agreement,
      1. Controller does not sell Controller Personal Data to Processor. Processor shall only Process Personal Data for the purposes permitted by the CCPA and as specified in this DPA. Processor agrees not to Sell or Share (as defined by the CCPA) Controller Personal Data.
      2. Processor agrees not to combine Controller Personal Data with other personal information except as permitted by the CCPA.
      3. To the extent that Processor receives information from Controller that has been deidentified, as defined under Applicable Laws, Processor agrees not to attempt to re-identify the data, to take reasonable measures to maintain and use the information in a deidentified manner, except as permitted by law, and to contractually obligate any authorized recipients to comply with Applicable Laws for information that has been deidentified.
      4. Processor agrees to inform Controller within the time period under the CCPA if Processor determines that it is no longer able to meet its obligations under the CCPA.
  14. DATA SUBJECT REQUESTS AND REGULATOR REQUESTS
    Processor shall, to the extent legally permitted, promptly notify Controller in writing of any complaints, questions or requests received from Data Subjects or Regulators regarding the Controller Data. Controller shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under the Applicable Laws and all communications from Regulators that relate to the Controller Data, in accordance with Applicable Laws. Processor shall cooperate with the Controller in responding to verifiable requests, including deleting Personal Data or enabling the Controller to do so, and notifying their own service providers or contractors to delete the Personal Data. Processor will provide the Controller with the Personal Data in their possession that was obtained in their capacity as a service provider for the business and correct any inaccurate Personal Data.
  15. USE OF SUB-PROCESSORS
    1. Controller agrees that Processor may appoint Sub-Processors to assist it in providing the Service and processing Controller Data provided that such Sub-Processors agree in writing to (a) act only on Processor’s instructions when processing the Controller Data (which instructions shall be consistent with Controller’s processing instructions to Processor); (b) protect the Controller Data to a standard consistent with the requirements of this DPA; and (c) the imposition of contractual obligations on the Sub-Processor that are at least equivalent to those obligations imposed on Processor under this DPA.
    2. In all cases, the Processor shall remain responsible for any acts or omissions of Sub-Processors.
    3. Processor shall maintain an up-to-date list of the names and location of all Sub-Processors used for the processing of Controller Data under this DPA at https://www.superside.com/subprocessors/. It is the Controller's responsibility to monitor this page for updates to Processor’s sub-processor list.
    4. To the extent Controller reasonably believes a new Sub-Processor processing of Controller Data may violate Applicable Laws or weaken the security of the Controller Data, the Controller may object in writing to Processor’s new Sub-Processor by notifying Processor. Any such written objection shall include Controller’s specific reasons for its objection and proposed options to mitigate alleged risk, if any. In such an event, Processor will instruct the Sub-Processor to cease any further processing of Controller Data, in which event this DPA shall continue unaffected. In the absence of a timely and valid objection by the Controller, such a Sub-Processor may be commissioned to process Controller Data.
  16. LIMITATION OF LIABILITY
    1. Notwithstanding anything to the contrary in this DPA or the Agreement, Processor’s aggregate liability to Controller or any third party arising out of this DPA shall in no event exceed the limitations set forth in the Agreement.
    2. Under no circumstances and under no legal theory (whether in contract, tort, negligence or otherwise) will either party to this DPA, or their affiliates, officers, directors, employees, agents, service providers, suppliers, or licensors be liable to the other party, or any third party, for any lost profits, lost sales, lost business, lost data (being data lost in the course of transmission via Controller’s systems or over the Internet through no fault of Processor), business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, regardless of whether such party has been advised of the possibility of or could have foreseen such damages.
    3. For the avoidance of doubt, this section shall not be construed as limiting the liability of either party with respect to claims brought by Data Subjects.
  17. PRIVACY IMPACT ASSESSMENTS AND DATA PROTECTION ASSESSMENTS
    Taking into account the nature of the Processing and the information available, Processor will provide reasonable assistance to Controller in complying with its obligations under Applicable Laws.
  18. MISCELLANEOUS
    No change, modification, amendment, addition or waiver (each a “Modification”) of or to this DPA or any part thereof shall be valid unless in writing and signed by representatives of the Parties. In the case of Superside only its CEO, CFO, Finance Director, and Head of Legal are authorized to consent to Modifications and no other persons have the power to bind Superside to Modifications. This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential and each party agrees and represents, on behalf of itself, its employees, contractors, and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any Applicable Law or regulation. Neither party may, directly or indirectly, by operation of law or otherwise, assign all or any part of its rights under this DPA or delegate performance of its duties under this DPA without the other party’s prior consent, which consent will not be unreasonably withheld, provided that either party may assign this DPA to any affiliate or in connection with any merger or change of control or the sale of all or substantially all of its assets provided that any such successor agrees to fulfill its obligations pursuant to this DPA. Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the parties and their respective successors and assigns.
    This DPA, the SCC, and the Agreement constitute the entire understanding between the parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the parties relating to that subject-matter.
  19. SEVERABILITY
    Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to that jurisdiction alone, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
  20. GOVERNING LAW AND JURISDICTION
    This DPA shall be governed by the laws of the State of Delaware without regard to conflict of laws principles. The parties hereby expressly agree to submit to the exclusive personal jurisdiction of the federal and state courts of the State of Delaware, New Castle County, for the purpose of resolving any dispute relating to this DPA.

SCHEDULE 1

EU STANDARD CONTRACTUAL CLAUSES

  1. If there is a Restricted Transfer of Personal Data from the Controller (as data exporter) to the Processor (as data importer), the parties will comply with the following requirements:
    1. If the Restricted Transfer is an EU Restricted Transfer, then the EU SCCs shall apply on the following basis:
      1. where both parties are Controllers of the Personal Data transferred, Module One will apply; where the Client is a Controller and Superside is a Processor of the Personal Data transferred, Module Two will apply; and where the Client is a Processor and Superside is also a Processor of the Personal Data transferred (i.e. the Client processes the personal data on behalf of a third party Controller), Module Three will apply;
      2. in Clause 7, the optional docking clause will not apply;
      3. for Modules Two and Three only, in Clause 9 (use of subprocessors), option 2 (general written authorisation) will apply, and Superside will:
        1. provide a current list of agreed subprocessors; and
        2. provide prior notice of any subprocessor changes in accordance with any notice period specified for subprocessor changes in the Agreement or, if no such period is specified, Superside will provide thirty (30) days' prior notice of any subprocessor changes;
      4. in Clause 17, Option 1 will apply (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of the Republic of Ireland;
      5. in Clause 18(b), the parties select the courts of the Republic of Ireland;
      6. in Annex I:
        1. Part A shall be completed with the parties’ names, contact details and activities set out or otherwise described in the Agreement (with the Controller acting as the data exporter, and the Processor acting as the data importer), and execution of this agreement shall be deemed execution of the EU SCCs;
        2. Part B shall be completed by the Processor; and
        3. Part C shall be the supervisory authority determined in accordance with the criteria set out in Clause 13(a) of the EU SCCs; and
      7. Annex II shall be deemed completed with the technical and organizational measures described in the Agreement.
    2. If the Restricted Transfer is a UK Restricted Transfer, then the EU and UK SCCs shall apply on the following basis:
      1. the EU SCCs, completed as set out in section 1.1 above, apply between the Controller and the Processor, and shall be modified by the UK SCC completed as set out in sub-paragraphs (b) to (d) below;
      2. Tables 1 to 3 of the UK SCC shall be deemed completed with relevant information from the EU SCCs, completed as set out in section 1.1 above;
      3. Table 4 of the UK SCC shall be filled with the details as contained in the agreement; and
      4. the start date of the UK Addendum (as set out in Table 1) shall be the Start Date specified in the Agreement.
    3. If the Restricted Transfer is a Swiss Restricted Transfer, then the EU SCCs shall apply on the following basis:
      1. the EU SCCs, completed as set out in section 1.1 above, apply between the Controller and the Processor, and shall be modified as set out in sub-paragraphs (ii) to (ix) below;
      2. references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA;
      3. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;
      4. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" or "Swiss law" (as applicable);
      5. the term "Member State" shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
      6. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the Swiss Federal Data Protection and Information Commissioner;
      7. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland";
      8. in Clause 17, the EU SCCs shall be governed by the laws of Switzerland; and
      9. the EU SCCs also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.
    4. If the Restricted Transfer is a non-Adequate Country Restricted Transfer, then the EU SCCs shall apply on the following basis:
      1. the EU SCCs, completed as set out in section 1.1 above, apply between the Controller and the Processor, and shall apply on a mutatis mutandis basis.
    5. the Supplementary Measures, if any, as set out in Annex II of this Addendum.
  2. In the event that any provision of this DPA conflicts, directly or indirectly, with the New Standard Contractual Clauses, the New Standard Contractual Clauses shall prevail.

SCHEDULE 2


A. LIST OF PARTIES

Data exporter(s):

Name of Data Exporter: As set out in the Agreement

Address: As set out in the Agreement

Contact Person’s Name: As set out in the Agreement

Position: As set out in the Agreement

Contact details: As set out in the Agreement

Activities relevant to the data transferred under these Clauses: Controller of Personal Data as needed to effect Superside’s provision of the Services.

Role (controller/processor): Controller


Data importer(s):

Name of Data Importer: Superside

Address: 1201 N. Market Street, Suite 111, Wilmington, DE, 19801

Contact Person’s Name: Eveny Liu

Position: Legal Counsel

Contact details: legal@superside.com

Activities relevant to the data transferred under these Clauses: Responsible for overseeing data protection compliance in relation to data.

Role (controller/processor): Processor


B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred.
Users, Controller’s employees, suppliers or subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with Users (as those terms are defined in the Master Service Agreement).

Categories of personal data transferred.
Personal Data submitted, stored, sent or received by the Controller or Users via the Services may include the following categories of data: name, email address, and IP address.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Superside’s Services are not designed to process any sensitive data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous.

Nature of the processing.
Superside will process personal data submitted, stored, sent or received by the Controller or Users for the purposes of providing the Services and related technical support to the Controller in accordance with the Master Service Agreement.

Purpose(s) of the data transfer and further processing.
Superside will transfer and further process such personal data for the purposes of providing the Services to the Data Exporter.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The applicable Contract Term (as defined in the Master Service Agreement) plus the period from expiry of such Contract Term until deletion of all personal data by the Processor in accordance with such Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
Same as above.


C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority shall be that of the Member State in which the data exporter is established.


SCHEDULE 3

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Superside implements and maintains the security standards set out below. Superside may update or modify such security standards from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

Superside’s security and availability architecture is built on top of SOC 2 Focus Points to enable best practice protection controls, implemented based on industry standards.

  • Measures of pseudonymisation and encryption of personal data
    • All Controller Data is stored in an encrypted database, and access to Personal Data is only available to relevant personnel based on the function they serve in Superside.
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
    • Superside undergoes an annual SOC2 audit to ensure our security processes and controls are well documented and maintained.
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
    • Superside has encrypted backups of all customer data stored in multiple AWS regions to allow us to rapidly restore access in the case of an incident.
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
    • Superside has a Security Steering Committee that conducts quarterly and annual reviews to ensure that Superside’s technical and organisational measures are kept up to date.
  • Measures for user identification and authorization
    • Users are identified by their email address and authenticate to Superside’s platform either through a password or Google single sign-on.
  • Measures for the protection of data during transmission
    • Data is encrypted during transmission.
  • Measures for the protection of data during storage
    • Data is encrypted during storage.
  • Measures for ensuring physical security of locations at which personal data are processed
    • Superside uses Amazon AWS for our infrastructure hosting and reviews Amazon AWS’ most recent SOC2 report yearly to ensure their physical security measures meet Superside’s requirements.
  • Measures for ensuring events logging
    • Superside uses AWS services for service event logging and Datadog for application logging.
  • Measures for ensuring system configuration, including default configuration
    • Superside has two separate environments and uses Terraform to describe our infrastructure in code. This ensures system configurations are properly tested in a separate environment before going to production and allows changes to be peer-reviewed before going live.
  • Measures for internal IT and IT security governance and management, including establishing and maintaining network and internet security procedures, protocols, security gateways, and firewalls with respect to the Personal Data as may be appropriate
    • Superside’s infrastructure is managed by the Site Reliability Engineering team that is responsible for our infrastructure and its configuration. The configuration is managed through Terraform as Infrastructure as Code and changes are peer reviewed. Superside also works with third party vendors to validate that our infrastructure is securely set up.
  • Measures for certification/assurance of processes and products
    • Superside undergoes an annual SOC2 audit to validate our controls.
  • Measures for ensuring data minimization
    • Superside only requests and stores personal data required to deliver our Services.
  • Measures for ensuring data quality
    • Measures are in place to ensure data quality by having relevant Superside personnel on accounts verify and update data accuracy based on their experience working with an account.
  • Measures for ensuring limited data retention
    • Superside has data deletion policies in place to ensure data is only stored as long as it is needed.
  • Measures for ensuring accountability
    • Superside’s data protection policy ensures appropriate accountability.
  • Measures for allowing data portability and ensuring erasure
  • Measures for establishing and maintaining safeguards to permit access to the personal data only to those of its employees and representatives who (i) have a need to access the personal data for the purposes of providing services, and (ii) have agreed to maintain the personal data in confidence and only to use it for the purpose of providing the Services;
    • Superside’s Security Officer performs an annual review of access control to our internal system.
    • All personnel agree to confidentiality obligations when joining Superside.
  • Measures to ensure that appropriate technical and organization measures are in place to prevent unauthorized, unlawful, or accidental access to the Personal Data as may be appropriate.
    • Superside has measures in place to prevent breaches from happening. As part of our SOC2 audit process we are committed to undergoing a yearly penetration test from an external third party and our development processes, change management and infrastructure are audited to ensure they comply with industry standards.


Sub-processors

Assistance to Controller. Per Clause 9 of the SCCs to which this Annex is attached, Superside has entered into written contracts with all of its sub-processors wherein sub-processors agree to provide reasonable assistance to Superside in responding to the Controller’s reasonable inquiries relating to the Superside Services.


SCHEDULE 4

LIST OF SUB-PROCESSORS

See https://www.superside.com/subprocessors

SCHEDULE 5

UK ICO Standard Contractual Clauses – Controller to Processor

This International Data Transfer Agreement (IDTA) has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

TABLE 1: PARTIES AND SIGNATURES


TABLE 2: TRANSFER DETAILS


TABLE 3: TRANSFERRED DATA


TABLE 4: SECURITY REQUIREMENTS


Part 2: Extra Protection Clauses


Part 3: Commercial Clauses


Part 4: Mandatory Clauses

© 2023 Superside. All rights reserved.