Last updated March 31, 2025

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (the “Terms”) between you (“Customer”) and PixieBrix.

1. Subject Matter and Duration

1.1. Subject Matter. This DPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with PixieBrix’s performance of its obligations under the Terms and Conditions. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Terms and Conditions. If and to the extent language in this DPA conflicts with the Terms, this DPA shall control.

1.2. Duration and Survival. This DPA will become legally binding upon the effective date of the Terms. PixieBrix will Process Customer Personal Data until the relationship terminates as specified in the Terms. PixieBrix’s obligations and Customer’s rights under this DPA will continue in effect so long as PixieBrix Processes Customer Personal Data.

2. Definitions

2.1. “Customer Personal Data” means Personal Data within Customer Business Data (and Uploaded Customer Data, if applicable) Processed by PixieBrix on behalf of Customer.

2.2. “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”); in each case, to the extent applicable.

2.3. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.

2.4. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2.5. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to PixieBrix.

2.6. “Services” means the services that PixieBrix performs under the Terms.

2.7. “Third Party(ies)” means PixieBrix’s authorized vendors and service providers (i.e., sub-processors) that Process Customer Personal Data.

3. Data Use and Processing

3.1. Documented Instructions. PixieBrix and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this DPA, the Terms, or any applicable Order. PixieBrix will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.

3.2. Authorization to Use Third Parties. To the extent necessary to fulfill PixieBrix’s contractual obligations under the Terms, Customer hereby authorizes (i) PixieBrix to engage Third Parties and (ii) Third Parties to engage sub-processors.

3.3. PixieBrix and Third-Party Compliance. PixieBrix agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties data protection and security requirements for Customer Personal Data that are compliant with Data Protection Laws; and (ii) remain responsible to Customer for PixieBrix’s Third Parties’ failure to perform their obligations with respect to the Processing of Customer Personal Data.

3.4. Right to Object to Third Parties. Where required by Data Protection Laws, PixieBrix will notify Customer prior to engaging any new Third Parties that Process Customer Personal Data by updating its subprocessor list at: https://www.pixiebrix.com/privacy. If Customer has legitimate objections to the appointment of any new Third Party related to privacy or data protection, the Parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days.

3.5. Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.

3.6. Personal Data Inquiries and Requests. Where required by Data Protection Laws, PixieBrix agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to PixieBrix, PixieBrix shall notify Customer without undue delay.

3.7. Data Protection Assessment, Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, PixieBrix agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by PixieBrix requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities.

3.8. Demonstrable Compliance. PixieBrix agrees to provide information that is reasonably necessary to demonstrate compliance with this DPA upon reasonable request.

3.9. California Specific Terms. To the extent that PixieBrix’s Processing of Customer Personal Data is subject to the CCPA, this Section shall also apply. Customer discloses or otherwise makes available Customer Personal Data to PixieBrix for the limited and specific purpose of PixieBrix providing the Services to Customer in accordance with the Terms and this DPA. PixieBrix shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Terms or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and PixieBrix; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that PixieBrix (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Customer may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that PixieBrix Processes Customer Personal Data in a manner consistent with Customer’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Customer Personal Data by PixieBrix.

4. Information Security Program

PixieBrix agrees to implement commercially reasonable technical and organizational measures designed to protect Customer Personal Data consistent with Data Protection Laws.

5. Security Incidents

Upon becoming aware of a Security Incident, PixieBrix agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer by email to the email address associated with Customer’s account. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

6. Cross-Border Transfers of Customer Personal Data

6.1. Cross-Border Transfers of Customer Personal Data. Customer authorizes PixieBrix and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.

6.2. EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to PixieBrix in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Attachment 1 attached hereto, the terms of which are incorporated herein by reference. Where the Standard Contractual Clauses are applicable and Customer acts as a controller of Customer Personal Data with PixieBrix acting as a processor of Customer Personal Data, each party shall comply with its obligations under Module Two of the Standard Contractual Clauses. Where the Standard Contractual Clauses are applicable and Customer acts as a processor of Customer Personal Data with PixieBrix acting as a (sub)processor of Customer Personal Data, each party shall comply with its obligations under Module Three of the Standard Contractual Clauses. Each party’s execution of the Terms shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

7. Audits

7.1. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may, not more than once annually, carry out an audit of PixieBrix’s Processing of Customer Personal Data by having PixieBrix complete a data protection questionnaire of reasonable length. Any such audit shall be subject to PixieBrix’s security and confidentiality terms and guidelines.

8. Data Deletion

8.1. At the expiry or termination of the Terms, PixieBrix will, at Customer’s option, delete or return all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with PixieBrix’s data retention schedule), except where PixieBrix is required to retain copies under applicable laws, in which case PixieBrix will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.

9. Processing Details

Subject Matter: The subject matter of the Processing is the Services pursuant to the Terms.

Duration: The Processing will continue until the expiration or termination of the Terms.

Categories of Data Subjects: Data subjects whose Personal Data will be Processed pursuant to the Terms.

Nature and Purpose of the Processing: The purpose of the Processing of Customer Personal Data by PixieBrix is the performance of the Services.

Types of Customer Personal Data: Customer Personal Data that is Processed pursuant to the Terms.

Attachment 1 to the DPA

This Attachment 1 forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Attachment 1 have the meaning set forth in the DPA. The parties agree that the following terms shall supplement the Standard Contractual Clauses:

1. Supplemental Terms

The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

2. Annex I

Annex I to the Standard Contractual Clauses shall read as follows:

A. List of Parties

Data Exporter: Customer
Address: As set forth in the applicable Order.
Contact person’s name, position, and contact details: As set forth in the applicable Order.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller (Module Two); Processor (Module Three).

Data Importer: PixieBrix
Address: As set forth in the applicable Order.
Contact person’s name, position, and contact details: As set forth in the applicable Order.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.

B. Description of the Transfer:

Categories of data subjects whose personal data is transferred: Data Subjects whose Customer Personal Data is processed under the Terms including, but not limited to, Customer’s employees, contractors, contingent workers, and end users.

Categories of personal data transferred: The categories of Customer Personal Data that are processed under the Terms including, but not limited to, name, email address, IP addresses, engagement/error telemetry, user-generated content, etc.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties’ knowledge, no sensitive data is transferred.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Customer Personal Data is transferred by virtue of Customer using the service (engagement/error telemetry) and/or uploading Customer Personal Data to the Services.

Nature of the processing: The Services.

Purpose(s) of the data transfer and further processing: The Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: PixieBrix will retain Customer Personal Data in accordance with the Terms.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as identified above.

C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.

D. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Terms.

3. Annex II

Annex II of the Standard Contractual Clauses shall read as follows:

Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with the DPA.

Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the DPA.

4. Annex III

A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows: The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.

Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the DPA.

Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.