top of page

Controller-to-Controller (Inbound)
Data Protection Addendum

Effective date: December 1, 2022

 

1. Scope, Definitions and Applicable Law. This Data Protection Addendum (“DPA”), to the extent it is expressly incorporated by reference into an agreement between you (“you”) and Superfeed, forms part of such agreement and all further agreements executed under it with respect to the subject matter thereof (collectively the “Agreement”) and applies to the Personal Data you provide to Superfeed, as specifically set out in the Agreement. “Personal Data” means any personal data or personal information you share with Superfeedor that Superfeed processes pursuant to the Agreement. Terms and expressions used herein that are not otherwise defined, including without limitation “business,” “controller,” “personal data,” “personal information,” “processing,” and their respective derivative terms, shall have the meanings set forth in the data privacy and protection laws, regulations, and decisions applicable to a party to this DPA (“Applicable Data Protection Law”), which may include, without limitation, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations, the Brazilian General Data Protection Law of 2018, Brazil Federal Law 13.709/2018, Lei Geral de Proteção de Dados, the Japanese Act on the Protection of Personal Information Act No. 57 of 2003, and the EU General Data Protection Regulation (2016/679) (“GDPR”), in each case as amended, superseded or replaced from time to time. 

2. Roles and Restrictions. Each party to this DPA is an independent controller or business of Personal Data under Applicable Data Protection Law and shall be individually and separately responsible for complying with the obligations applicable to it under Applicable Data Protection Law.  Nothing in this DPA shall modify any restrictions applicable to Superfeed’s rights to use or otherwise process Personal Data under the Agreement.

 

3. Protection of Personal Data. Superfeed shall implement appropriate security measures (including organizational and technical measures) to protect Personal Data against the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Personal Data, including all measures set out in the Agreement.

4. Notice and Cooperation. Superfeed will promptly give notice to and cooperate as necessary with you regarding (a) any material breach of security or unauthorized access to the Personal Data, and (b) any complaint, inquiry, or request from an individual or government or regulatory agency regarding the Personal Data, unless such notice is prohibited by law. If Superfeed receives a request from a government or regulatory agency, Superfeed may share the terms of this DPA, the Agreement, and other information necessary to demonstrate compliance with Applicable Data Protection Law.

5. Cross-Border Transfers of Personal Data.

a. Transfers of Non-European Data. Where Superfeed intends to transfer Personal Data cross-border and Applicable Data Protection Law requires certain measures to be implemented prior to such transfer, Superfeed agrees to implement such measures to ensure compliance with Applicable Data Protection Law. 

 

b. Transfers of European Personal Data. To the extent that Superfeed transfers Personal Data that is subject to Applicable Data Protection Law of European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) outside the EEA, Switzerland, or the UK to a jurisdiction which is not subject to an adequacy determination by the European Commission, UK or Swiss authorities (as applicable), then the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (“SCCs”) are hereby incorporated by reference and form an integral part of the Agreement in accordance with Section 5 of this DPA.

c. EEA Transfers. To the extent that Personal Data is subject to the GDPR, the SCCs apply as follows:

i.      you are the ‘data exporter’ and Superfeed is the ‘data importer’; 

ii.     the Module One terms apply; 

iii.    in Clause 7, the optional docking clause applies; 

iv.    in Clause 11, the optional language does not apply; 

 v.    in Clause 17, Option 1 applies, and the SCCs are governed by Irish law;

vi.    in Clause 18(b), disputes will be resolved before the courts of Ireland; 

vii.   in Annex I.A and I.B, the details of the parties and the transfer are set out in the Agreement;

viii.  in Clause 13(a) and Annex I.C, the Irish Data Protection Commissioner (“DPC”) will act as competent supervisory authority; and

ix.    in Annex II, the description of the technical and organizational security measures is set out in the Agreement. 

 

d. Swiss Transfers. To the extent that Personal Data is subject to Applicable Data Protection Law of Switzerland, the SCCs apply as set out in Section 5(c) of this DPA with the following modifications:

i.      references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss Federal Data Protection Act of 19 June 1992 or any successor thereof (“Swiss DPA”);

ii.     references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;  

iii.    references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’; 

iv.    Clause 13(a) and Part C of Annex 2 is not used, and the ‘competent supervisory authority’ is the Swiss Federal Data Protection Information Commissioner (“FDPIC”) or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the DPC (insofar as the transfer is governed by the GDPR); 

v.     references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the FDPIC and ‘competent Swiss courts’;

vi.    in Clause 17, the SCCs are governed by the laws of Switzerland;  

vii.   in Clause 18(b), disputes will be resolved before the competent Swiss courts; and

viii.  the SCCs also protect the data of legal entities until entry into force of the revised Swiss DPA.

 

e. UK Transfers. To the extent that Personal Data is subject to the Applicable Data Protection Law of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:

i.      in Table 1, the details of the parties are set out in the Agreement;

ii.     in Table 2, the selected modules and clauses are set out in Section 5(c) of this DPA;

iii.    in Table 3, the appendix information is set out in this DPA or the Agreement; and

iv.    in Table 4, ‘neither party’ is selected.

 

f. Alternative Transfer Mechanism. If Superfeed adopts an alternative data transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to the SCCs (“Alternative Transfer Mechanism”), then such Alternative Transfer Mechanism shall apply automatically instead of the mechanisms described in this DPA, and you shall fully co-operate with Superfeed to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such Alternative Transfer Mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data cross-border, then you shall fully co-operate with Superfeed to take such action as may be necessary to remedy such non-compliance. 

6. Order of Precedence.  In the event of a conflict between the provisions of the Agreement, this DPA and (where applicable) the SCCs, the terms shall apply in the following order of precedence: (a) the SCCs, (b) the DPA, and then (c) the terms of the Agreement. Except as modified herein, all terms and conditions of the Agreement shall remain in full force and effect. 

Contact Us

If you have any questions about our Terms of Service, please contact us:

Superfeed Controller-to-Controller (Outbound) Data Protection Addendum

Effective date: December 1, 2022

 

1. Scope, Definitions and Applicable Law.  This Data Protection Addendum (“DPA”), to the extent it is expressly incorporated by reference into an agreement between you (“you”) and Superfeed, forms part of such agreement and all further agreements executed under it with respect to the subject matter thereof (collectively the “Agreement”) and applies to the extent that you receive, access or process Superfeed Data (defined below) from or on behalf of Superfeed in connection with the Agreement. For purposes of this DPA, “Superfeed Data” means any personal data, or personal information, including but not limited to customer, applicant, employee or user information or data, that you receive, access or process from or on behalf of Superfeed pursuant to the Agreement, and “Superfeed European Data” means Superfeed Data that is controlled by Superfeed International Unlimited Company (“TIUC”) or other Superfeed affiliates or subsidiaries located in the European Economic Area (“EEA”), Switzerland, or United Kingdom (“UK”) (“European Affiliate(s)”). For example, TIUC controls the personal data of users of its services, as described in the Superfeed Privacy Policy at http://www.Superfeed.com/privacy, while TIUC and European Affiliates control the personal data of (a) individuals who are employed by or have a working relationship with TIUC or European Affiliates, and (b) individual contacts of third parties with whom TIUC or European Affiliates have or may develop a commercial relationship. Terms and expressions used herein that are not otherwise defined, including, without limitation, “personal information,” “personal data,” “controller,” “processing,” and “processor,” and their respective derivative terms, shall have the meanings set forth in the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA (“Applicable Data Protection Law”), which may include, without limitation, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations, the Brazilian General Data Protection Law of 2018, Brazil Federal Law 13.709/2018, Lei Geral de Proteção de Dados, the Japanese Act on the Protection of Personal Information, Act No. 57 of 2003 and the EU General Data Protection Regulation (2016/679) (the “GDPR”), in each case as amended, superseded or replaced from time to time.

 

2. Roles and Restrictions. Each party to this DPA: (a) is an independent controller of Superfeed Data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its processing of Superfeed Data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of Superfeed Data. Nothing in this Section 2 shall modify any restrictions applicable to either party’s rights to use or otherwise process Superfeed Data under the Agreement, and you will process Superfeed Data solely and exclusively for the purposes specified in the Agreement. 

 

3. Protection of Superfeed Data. To the extent not otherwise provided for in the Agreement: (a) you will cooperate with Superfeed on and implement appropriate organizational, technical and security measures (including the measures set out in the Agreement) to protect Superfeed Data against the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Superfeed Data and ensure a level of security appropriate to the risks presented by the processing of Superfeed Data and the nature of such Superfeed Data, and these measures shall remain in place throughout the duration of your processing of Superfeed Data as specified in the Agreement or until you cease to process Superfeed Data (whichever is later); (b) you will treat Superfeed Data with strict confidence and take all reasonable steps to ensure that persons you employ and/or persons engaged at your place(s) of business who will process Superfeed Data are aware of and comply with this DPA and are under a duty of confidentiality with respect to Superfeed Data no less restrictive than the duties set forth herein; (c) you will not transfer Superfeed Data to third parties except under written contracts that guarantee at least a level of data protection and information security as provided for herein, and you will remain fully liable to Superfeed for any third party’s failure to so comply; and (d) you will delete and securely erase all Superfeed Data (including any derivatives thereof) within the earlier of 10 days of Superfeed’s written request and when you no longer have a legitimate business need to retain it and in no event longer than the retention period required by applicable law.

 

4. Notice and Cooperation. You will promptly give written notice to and fully cooperate with Superfeed regarding (a) any breach of security or unauthorized access to the Superfeed Data that you detect or become aware of, and (b) any complaint, inquiry, or request from an individual or government or regulatory agency regarding Superfeed Data, unless such notice is prohibited by law. In such cases, without limiting the generality of the foregoing, you will refrain from notifying or responding to any data subject, government or regulatory agency, or other third party, for or on behalf of Superfeed or any Superfeed personnel, unless Superfeed specifically requests in writing that you do so, except as and when otherwise required by Applicable Data Protection Law. You agree and acknowledge that if Superfeed receives a request from a government or regulatory agency, Superfeed may share the terms of this DPA, the Agreement, and other information you provide to demonstrate compliance with this DPA or Applicable Data Protection Law.

 

5. Cross-Border Transfers of Superfeed Data.  

a. Transfers of Non-European Data. If you intend to transfer Superfeed Data, other than Superfeed European Data, cross-border and Applicable Data Protection Law requires certain measures to be implemented prior to such transfer, then you agree to implement such measures as shall be mutually agreed.

 

b. Transfers of European Data. If you transfer or process Superfeed European Data outside the EEA, Switzerland, or UK in a jurisdiction which is not subject to an adequacy determination by the European Commission, the UK or Swiss authorities (as applicable), then the Standard Contractual Clauses (“SCCs”) annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 are hereby incorporated by reference and form an integral part of the Agreement in accordance with this Section 5 of this DPA. Where Superfeed is the controller of such Superfeed Data, it enters the SCCs on its own behalf and where the ultimate controller is a third party (including, where applicable, TIUC, or other European Affiliates), Superfeed enters the SCCs on behalf of such third party.

c. EEA Transfers. To the extent that Superfeed European Data is subject to the GDPR, the SCCs apply as follows:

i.       the ‘data exporter’ is Superfeed and you are the ‘data importer’; 

ii.      the Module One terms apply; 

iii.     in Clause 7, the optional docking clause applies; 

iv.     in Clause 11, the optional language does not apply; 

v.      in Clause 17, Option 1 applies, and the SCCs are governed by Irish law

vi.     in Clause 18(b), disputes will be resolved before the courts of Ireland; 

vii.    in Annex I.A and Annex I.B, the details of the parties and the transfer are set out in the Agreement;

viii.   in Annex I.C and Clause 13(a), the Irish Data Protection Commissioner (“DPC”) will act as competent supervisory authority; and

ix.     in Annex II, the description of the technical and organizational security measures is set out as part of the Agreement. 

 

d. Swiss Transfers. To the extent the Superfeed European Data is subject to the Applicable Data Protection Law of Switzerland, the SCCs apply as set out in Section 5(c) of this DPA with the following modifications:

i.     references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss Federal Data Protection Act of 19 June 1992 or any successor thereof ("Swiss DPA”); 

ii.    references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;  

iii.   references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’; 

iv.   Clause 13(a) and Part C of Annex 2 is not used, and the ‘competent supervisory authority’ is the Swiss Federal Data Protection Information Commissioner (“FDPIC”) or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the DPC (insofar as the transfer is governed by the GDPR);

v.    references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘FDPIC’ and ‘applicable courts of Switzerland’;

vi.    in Clause 17, the SCCs are governed by the laws of Switzerland; 

vii.   in Clause 18(b), disputes will be resolved before the competent Swiss courts; and 

viii.  the SCCs also protect the data of legal entities until entry into force of the revised Swiss DPA.

 

e. UK Transfers. To the extent the Superfeed European Data is subject to Applicable Data Protection Law of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:

i.     in Table 1, the details of the parties are set out in the Agreement;

ii.    in Table 2, the selected modules and clauses are set out in Section 5(c) of this DPA;

iii.   in Table 3, the appendix information is set out in the Agreement; and

iv.   in Table 4, the ‘Exporter’ is elected.

 

f. Alternative Transfer Mechanism. If Superfeed adopts an alternative data transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to the SCCs or the Privacy Shield (“Alternative Transfer Mechanism”), then such Alternative Transfer Mechanism shall apply automatically instead of the mechanisms described in this DPA, and you shall fully co-operate with Superfeed to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such Alternative Transfer Mechanism. Further, to the extent that you and/or Superfeed have adopted and certified compliance with such Alternative Transfer Mechanism, you represent and warrant that you will comply with all legal principles and terms of such Alternative Transfer Mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Superfeed Data cross-border, then you shall fully co-operate with Superfeed to take such action as may be necessary to remedy such non-compliance.

6. Order of Precedence.  In the event of a conflict between the terms of this DPA, the SCCs, and those of the Agreement, the terms shall apply in the following order of precedence: the (i) SCCs, (ii) the DPA, and (iii) terms of the Agreement. Except as modified herein, all terms and conditions of the Agreement you have with Superfeed shall remain in full force and effect.

7. Survival. The obligations under this DPA shall survive so long as you process Superfeed Data, irrespective of whether the Agreement has been terminated or expired.

Contact Us

If you have any questions about our Terms of Service, please contact us:

bottom of page