Data Processing Addendum

This Data Processing Addendum ("DPA") forms a part of the Terms of Service accessible at https://www.bytescale.com/terms, unless the Customer ("Customer" or "You") has entered into a superseding written master subscription agreement with Bytescale Ltd ("Company", "We", "Ours" or "Us"), in which case this DPA forms a part of such written agreement (in either case, the "Agreement"). You and Us may hereinafter be referred to individually as a "Party" and collectively as the "Parties". This DPA is applicable where the Company is the Processor or Sub-processor of Personal Data. By entering into the Agreement with Us, you agree to be bound by this DPA.

1. Definitions

Terms not expressly defined in this document shall assume the meanings attributed to them in the Agreement.

In this DPA, the specified terms are assigned the meanings outlined below:

1.1 "Data Protection Laws" refers to the data protection laws of the country in which You are established and any data protection laws applicable to You in connection with the Agreement. This includes, but is not limited to, (a) the General Data Protection Regulation 2016/679 ("GDPR"), (b) the United Kingdom General Data Protection Regulation, as enforced by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 ("UK GDPR"); (c) the Swiss Federal Data Protection Act and its execution regulations ("Swiss DPA"); (d) the California Consumer Privacy Act ("CCPA") modified by the California Privacy Rights Act ("CPRA"), together with all regulations issued by the California Attorney General and/or the California Privacy Protection Agency in implementation of the CCPA and CPRA ("CA Privacy Laws"); (e) Colorado Privacy Rights Act ("Colorado Privacy Laws"); (f) Connecticut Data Privacy Act ("CTDPA"); (g) Virginia Consumer Data Protection Act ("VCDPA"), and any additional data protection and privacy laws in the US.

1.2 "Applicable Laws" refers to (a) European Union or Member State laws applicable to any Customer Personal Data under EU Data Protection Laws for which the Customer is subject; and (b) any other relevant laws applicable to any Customer Personal Data for which the Customer falls under the jurisdiction of any other Data Protection Laws.

1.3 "Personal Data" means any data concerning an identified or identifiable natural person that the Company gathers or Processes on Your behalf as part of delivering the Services.

1.4 "Restricted Transfer" means a transfer of Personal Data to countries not recognized by the Data Protection Laws as providing adequate protection of Personal Data.

1.5 "Standard Contractual Clauses" or "SCCs" refer to (i) under the GDPR, the standard contractual clauses sanctioned by the European Commission (Implementing Decision (EU) 2021/914 of 04 June 2021), accessible at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914 ("EU SCCs"); (ii) for cases involving the UK GDPR, the International Data Transfer Addendum to the EU SCCs, promulgated by the Information Commissioner’s Office of the United Kingdom, with details available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/ ("UK SCCs"); and (iii) where the Swiss DPA is applicable, the standard data protection clauses that are issued, endorsed, or recognized by the Swiss Federal Data Protection and Information Commissioner ("Swiss SCCs"), each as they may be updated, revised, or replaced periodically.

1.6 "Sensitive Personal Information" refers to data associated with an individual's racial or ethnic background, political views, religious or philosophical convictions, membership in trade unions, genetic information, biometric identifiers intended for unique identification, health-related details, or particulars regarding a person's sex life or sexual preferences. Additionally, it encompasses data about a person's criminal offenses or judgments, as well as any other data classified as sensitive under relevant Data Protection Laws.

1.7 "Controller", "Data Subject", "Personal Data Breach", "Processor", "Sub-processor" and "Process" shall have the meaning given to them in the Data Protection Laws.

2. Scope and Responsibilities

2.1 We will Process Personal Data solely on Your behalf in line with this DPA. To clarify, You may act as either the Controller or Processor of the Personal Data. When You serve as the Controller, We assume the role of Processor; conversely, when You are the Processor, We act as the Sub-processor of Personal Data.

2.2 Within the scope of the Agreement, each party is accountable for fulfilling its respective duties as Controller and Processor in accordance with Data Protection Laws.

3. Term and Termination

3.1 This DPA takes effect when You subscribe to the Service(s) through acceptance of the Agreement. It remains valid and enforceable for the duration that We are Processing Personal Data under the Agreement and will automatically terminate once this Processing ceases.

3.2 If amendments are necessary to ensure this DPA complies with Data Protection Laws, both parties shall make reasonable efforts to agree on such amendments. If the parties cannot reach an agreement on these amendments, either party may terminate the Agreement following the termination procedures specified within it.

4. Processing Instructions

4.1 We shall not Process Personal Data other than on Your documented reasonable and customary instructions as specified in the Agreement or this DPA, unless such Processing is required by Applicable Laws to which We are subject.

4.2. You instruct Us and authorize Us to instruct each Sub-processor to (i) Process Personal Data; and (ii) in particular, transfer Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with the Agreement (including the Privacy Policy, as defined under the Agreement) and in accordance with Applicable Laws.

5. Processor Personnel

We will limit Our personnel from Processing Personal Data without authorization. We will enforce suitable contractual obligations on Our personnel, encompassing necessary provisions about confidentiality, data protection, and data security.

6. Disclosure to Third Parties

6.1 Law enforcement and surveillance requests. We will examine any binding order from a governmental or regulatory body and contest any law enforcement or surveillance requests that are not valid. For requests that are valid, we will only disclose the least amount of Personal Data necessary as mandated by law and will inform You to enable You to seek protection against disclosures. It's important to note that We will always aim to inform You unless we are legally barred from doing so or if there is a definitive sign of illegal activity associated with the use of the Services.

7. Technical and Organizational Measures

We shall establish and uphold suitable technical and organizational measures ("TOMs") to ensure Personal Data is Processed in accordance with this DPA, to offer assistance, and to safeguard Personal Data against a Personal Data Breach. These measures are detailed in Schedule B.

8. Assistance with Data Protection Impact Assessment

8.1 If a Data Protection Impact Assessment ("DPIA") is mandated by applicable Data Protection Laws for the Processing of Personal Data, We shall offer, upon Your request, any information and assistance reasonably necessary for the DPIA. This includes help for any interactions with data protection authorities, where necessary, provided the requested information or assistance relates directly to Our responsibilities under this DPA.

8.2 You shall compensate Us for reasonable charges incurred in providing the assistance described in clause 8, in cases where such assistance extends beyond what can reasonably be included within the normal scope of the services.

9. Compliance Audit

9.1. Subject to Sections 9.2 and 9.3, upon receiving a prior written request from You, We will provide a reputable auditor appointed by You in coordination with Us, such information to reasonably show compliance with this DPA. Furthermore, We will permit audits, including inspections, conducted by the appointed reputable auditor concerning Our Processing of Personal Data, on the condition that this third-party auditor adheres to confidentiality agreements.

9.2. Costs associated with providing information and conducting audits shall be at Your sole expense. Such activities may only be initiated under Section 9.1 if the Agreement does not already grant You rights to information and audits that satisfy the necessary criteria of the applicable Data Protection Laws. All audits or inspections must adhere to the terms of the Agreement and Our commitments to third parties, especially regarding confidentiality.

9.3. You are required to provide Us with reasonable advance written notification of any audit or inspection to be carried out under Section 9.1. You must use (and ensure that each of your appointed auditors use) their best efforts to prevent (or, if prevention is not possible, to minimize) any harm, injury, or disturbance to Our operations. The scope, timing, and duration of the audit or inspection, as well as the rate of reimbursement for which You will be accountable, shall be determined through mutual agreement between You and Us. We need not give access to Our premises for the purposes of such an audit or inspection:

  1. If We were not given a written notice of such audit or inspection at least 2 weeks in advance;
  2. Outside normal business hours at those premises;
  3. To any individual, unless that person provides reasonable proof of their identity and authority;
  4. To premises outside of Our control (such as datacenters managed by AWS, and other such premises operated by Our Sub-processors);
  5. For the purposes of conducting more than one (1) audit or inspection initiated by You in a single calendar year, except for any extra audits or inspections that:
    1. You are required to conduct as per Data Protection Law, by a Supervisory Authority, or any similar regulatory authority tasked with enforcing Data Protection Laws in any country or territory, provided that You have specified your concerns or the relevant requirement or request in your prior written notice to Us about the audit or inspection.

9.4. You are obligated to compensate Us for any time spent on such audits, based on Our current rates at that time, which will be provided to You upon request. Prior to starting any such audit, You and We will jointly decide on its scope, timing, and length, along with the rate of reimbursement for which You will be liable. All rates for reimbursement must be fair, reflecting the resource and opportunity costs incurred by Us. You must immediately inform Us of any noncompliance found during an audit, and We will make commercially reasonable attempts to rectify any verified non-compliance.

10. Personal Data Breach Notification

10.1. In the event of a Personal Data Breach, whether actual or reasonably suspected, We shall:

  1. notify You without undue delay upon becoming aware of a Personal Data Breach involving Us or a Sub-processor;
  2. provide reasonable information, cooperation, and assistance to You regarding any measures to be undertaken in response to a Personal Data Breach under Data Protection Laws. This includes assistance concerning the communication of the Personal Data Breach to Data Subjects and national data protection authorities.

11. Sub-Processing

11.1. You agree to Our use of third-party Sub-processors to process Personal Data, as detailed in Schedule A. Should You have reasonable data protection concerns, You may object to Our selection or replacement of a Sub-processor before their appointment or replacement. In such cases, We will either refrain from appointing or replacing the Sub-processor, or, if avoidance is not feasible, either You or We may opt to suspend or terminate the Agreement, without affecting any fees You incurred prior to the suspension or termination.

12. International Data Transfers

12.1. Should You initiate an International Transfer of Personal Data to Us, or should We transfer Personal Data internationally to Our Sub-processors, with the Personal Data originating from the European Economic Area, United Kingdom, or Swiss Confederation, then the following transfer mechanism(s) shall apply, in the order of precedence as set out below, if applicable:

  1. Any valid transfer mechanism under the Applicable Laws and Data Protection Laws that We would subscribe to, certify, or participate in.
  2. In relation to transfers of Personal Data originating from the EEA and subject to the EU GDPR, the SCCs shall apply, completed as follows:
    1. Module 2 (Controller to Processor) shall apply where You are a Controller and We are a Processor. Module 3 (Processor to Processor) shall apply where You are a Processor and We are a Sub-processor;
    2. in Clause 7, the optional docking clause will apply;
    3. in Clause 8.9, Audits shall be carried out not more than once per year, in accordance with existing Audit terms of the DPA ("Compliance Audit"), at the Customer’s own cost.
    4. in Clause 9, general written authorisation of changes to Our Sub-processor list will apply. We commit to informing You of any intended changes concerning the addition or replacement of Sub-processors, thereby giving You the opportunity to object to such changes within a reasonable timeframe. In such cases, We will either refrain from appointing or replacing the Sub-processor, or, if avoidance is not feasible, either You or We may opt to suspend or terminate the Agreement, without affecting any fees You incurred prior to the suspension or termination;
    5. in Clause 11, the optional language will not apply;
    6. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
    7. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
    8. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this Agreement; and
    9. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule B to this Agreement;
  3. In relation to transfers of Personal Data originating from the UK or Switzerland and subject to the UK GDPR or Swiss DPA, the EU SCCs as implemented under sub-paragraph (2) above will apply with the following modifications:
    1. references to Regulation (EU) 2016/679 shall be interpreted as references to UK Data Protection Laws or the Swiss DPA (as applicable);
    2. references to specific Articles of Regulation (EU) 2016/679 shall be replaced with the equivalent article or section of UK Data Protection Laws or the Swiss DPA (as applicable);
    3. references to "EU", "Union", "Member State", and "Member State law" shall be replaced with references to "UK", "Switzerland", "UK law", or "Swiss law" (as applicable);
    4. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
    5. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory" is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
    6. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);
    7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
    8. with respect to transfers to which UK Data Protection Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the Data Exporter and/or Data Importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
  4. In relation to transfers of Personal Data originating from the United Kingdom and subject to the UK GDPR, the UK SCCs are hereby incorporated as an amendment to the EU SCCs and updated to reflect the details set forth in Schedule C to this Agreement.

12.2. For the purposes of descriptions in the SCCs and the UK SCCs, You agree that You are the "Data Exporter" and We are the "Data Importer".

12.3. The Parties agree that if the SCCs are replaced, amended or no longer recognized as valid under Data Protection Laws, or if a Supervisory Authority and/or Data Protection Legislation requires the adoption of an alternative transfer solution, the Data Exporter and Data Importer will: (i) promptly take such steps requested including putting an alternative transfer mechanism in place to ensure the processing continues to comply with Data Protection Laws; or (ii) the Data Exporter will cease the transfer of Personal Data to the Data Importer, and (iii) upon request by the Data Exporter, the Data Importer will delete and/or return the Personal Data to the Data Exporter. In the event Personal Data needs to be returned to the Data Exporter, You shall compensate Us for reasonable charges incurred in returning Personal Data.

12.4. Furthermore, You warrant and represent that You are and will remain duly and effectively authorized to give the instruction set out in Section 4 and any additional instructions as provided pursuant to the Agreement and/or in connection with the performance thereof, on behalf of Yourself, Your affiliates, and Your end users, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which We are lawfully processing the Personal Data.

13. Deletion or Return of Personal Data

Upon termination of Your Account, We reserve the right to delete all Your Data, including Personal Data, following the procedure outlined in the Agreement. This obligation does not apply if We are authorized by Applicable Law to retain some or all of the Personal Data. In such cases, We will segregate and safeguard the Personal Data from any additional processing.

14. Obligations Under Other Privacy Laws in the US

A) In addition to the other provisions of this DPA, Clause 14 (A) shall govern the Processing of the Personal Information of residents of the State of California, USA, and shall take precedence over any conflicting terms in the remainder of the DPA. In this Clause, the terms "Business", "Business Purpose", "Commercial Purpose", "Service Provider", "Personal Information", "Consumers", "Sell", and "Share" shall bear the meanings ascribed to them in the CA Privacy Laws.

Where We operate as a Service Provider on Your behalf in accordance with this DPA:

  1. You disclose Personal Information to Us solely for: (i) valid Business Purposes and (ii) to enable Us to Process the Personal Information for providing the Services under the Agreement.
  2. We shall not
    1. retain, use or disclose Personal Information We collect from You pursuant to the Agreement for any Commercial Purpose other than the Business Purpose(s) as specified in the Agreement (or in any applicable statement of work or similar document), unless expressly permitted by the CA Privacy Laws;
    2. retain, use or disclose Personal Information We collect from You pursuant to the Agreement for any purpose other than providing the Services specified in the Agreement or as otherwise permitted by the CA Privacy Laws;
    3. retain, use or disclose Personal Information We collect from You pursuant to the Agreement outside the direct business relationship between You and Us unless expressly permitted by the CA Privacy Laws. For instance, We shall not combine the Personal Information that is received from or on Your behalf with Personal Information that is received from any other except as permitted under the CA Privacy Laws.
  3. We acknowledge that You have the right upon notice to take reasonable and appropriate steps to stop and remediate the unauthorized use of the Personal Information.
  4. We shall comply with all applicable sections of the CA Privacy Laws, including with respect to providing the same level of privacy protection as required of You by the CA Privacy Laws to the Personal Information collected pursuant to the Agreement.
  5. We certify that We understand the restrictions in this Clause and will comply with such restrictions.

B) In addition to the other provisions of this DPA, in case of Processing of the Personal Data of the residents of the State of Colorado or State of Virginia, USA, We shall provide reasonable assistance to You in meeting Your obligations under the applicable Data Protection Laws in relation to the security of Processing the Personal Data.

15. Miscellaneous

15.1. In the event of any conflict, the provisions of this DPA shall supersede those of the Agreement or any other agreement with Us. In the event of any conflict between this DPA and the SCCs, the SCCs shall take precedence over the provisions of the remainder of the DPA.

15.2. No party shall receive any remuneration for performing its obligations under this DPA except as explicitly set out herein or in another agreement.

15.3. Where this DPA requires a "written notice" such notice can also be communicated per email to the other party. Notices shall be sent to the contact persons set out in Schedule A.

15.4. Should individual provisions of this DPA become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this DPA.

The following Schedules form an integral part of this DPA:

Schedule A

List of parties under the SCCs

Data exporter

The Data Exporter is the entity that has subscribed to the Agreement and their contact details are as provided by them while subscribing to the Agreement.

Signature and date:

By accepting the Agreement, the Data Exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the date of acceptance.

Role:

Controller or Processor

Data importer

Company name:

Bytescale Ltd

Company address:

1 Canada Sq 37th Floor, Canary Wharf, London, United Kingdom, E14 5AA

Contact person name:

Lawrence Wagerfield

Contact person designation:

Chief Executive Officer

Contact person email:

lawrence@bytescale.com

Signature and date:

By accepting the Agreement, the Data Importer is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the date of acceptance.

Role:

Processor or Sub-processor

Description of Transfer

Categories of data subjects whose personal data is transferred:

Unless provided otherwise by the Data Exporter, transferred Personal Data relates to the following categories of Data Subjects: employees, contractors, business partners, customers, users, or other individuals having Personal Data stored, transmitted to, made available to, accessed or otherwise processed by the Data Importer.

Categories of personal data transferred:

The Data Exporter determines the categories of Personal Data which could be transferred per the Service(s) as stated in the Agreement. Such categories may include the following categories of data: name, phone numbers, browsing behaviours, occupational details, IP address, e-mail address, address data, e-mail data, system access / usage / authorization data, company name, plus any application-specific data transferred by the Data Exporter’s authorized personnel.

Categories of sensitive personal data transferred (if applicable) and restrictions or safeguards applied to this data:

No Sensitive Personal Information is to be transferred by the Data Exporter. The Data Exporter shall not disclose (and shall not permit any individual to disclose) any Sensitive Personal Information to the Data Importer for processing.

Frequency of transfer:

Personal Data is transferred on a continuous basis for the duration of subscription to the Services.

Nature of the processing:

Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).

Purpose(s) of the data transfer and further processing:

Personal Data is transferred in the course of access and use by the Data Exporter of the Services so that the Data Importer may provide, support, maintain and improve the Services.

The Data Importer may additionally transfer Personal Data to third-party service providers responsible for hosting and maintaining applications, backups, storage, analytics, and other services as specified in the section on Sub-processors below. These third-party service providers may access or Process Personal Data to fulfill their service obligations.

Retention period for personal data:

Upon termination of the Data Exporter’s account, the Data Importer will delete all Personal Data in accordance with clause 13 of the DPA.

Competent Supervisory Authority

In respect of the SCCs:

Module 2: Transfer Controller to Processor

Module 3: Transfer Processor to Processor

Where You are the Data Exporter, the supervisory authority shall be the competent supervisory authority that has supervision over You in accordance with Clause 13 of the SCCs.

List of Sub-processors

| Name of the Sub-processor | Activity | Nature |
| --- | --- | --- |
| Amazon Web Services, Inc. | Cloud infrastructure where data is primarily stored, processed and hosted | Ongoing |
| Calendly, LLC | Meeting scheduling | Ongoing |
| DocuSign, Inc. | Document signing with customers | Ongoing |
| Peaberry Software, Inc. d/b/a Customer.io | Email notifications and email marketing | Ongoing |
| Formagrid, Inc. d/b/a Airtable | Spreadsheets and analytics | Ongoing |
| Google LLC | Unified advertising and analytics platform | Ongoing |
| Help Scout PBC | Customer support services | Ongoing |
| HubSpot, Inc. | Customer relationship management (CRM) | Ongoing |
| Linear Orbit, Inc. | Project management | Ongoing |
| Paddle Payments Limited, paddle.com Inc. and Paddle.com Market Limited | Payment infrastructure | Ongoing |
| PostHog, Inc. | Analytics platform | Ongoing |
| Slack Technologies Limited and Slack Technologies, LLC | Internal and external communication | Ongoing |
| The Rocket Science Group LLC d/b/a Mailchimp | Email notifications and email marketing | Ongoing |
| Thoropass, Inc. | SOC 2 compliance and auditing | Ongoing |
| Zapier, Inc. | Workflow automation | Ongoing |
| Zoom Video Communications, Inc. | Video conferencing | Ongoing |

Schedule B

Technical and Organisational Measures To Ensure the Security of the Data

For the purpose of safeguarding customer and end-user data ("Customer Data"), We are dedicated to adhering to industry-standard privacy and security practices, along with complying with all pertinent data privacy and security statutes and regulations. This includes ensuring that Our systems and infrastructure are protected against unauthorized or accidental access, loss, alteration, disclosure, or destruction. We have taken all necessary technical and operational measures to organize and protect Our facilities, hardware, and software, personnel, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures.

Schedule C

The UK SCCs are included as an addendum to the EU SCCs as implemented under Clause 12.1 of this DPA.

Part 1: Tables

For data transfers from the United Kingdom that are subject to the UK SCCs, the UK SCCs will be deemed entered into (and incorporated into this Data Processing Addendum by this reference) and completed as follows:

  1. In Table 1 of the UK SCCs, the Parties’ details and key contact information shall be as set forth in Schedule A.

  2. In Table 2 of the UK SCCs, information about the version of the Approved EU SCCs, modules and selected clauses which this UK SCC is appended to shall be as set forth in Clauses 11.1 and 12.1 of this DPA.

  3. In Table 3 of the UK SCCs:

    1. Annex 1A: List of Parties: Parties are as set forth in Schedule A.

    2. Annex 1B: Description of Transfer: Description of Transfer is as set forth in Schedule A.

    3. Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: TOMs are as set forth in Schedule B.

    4. Annex III: List of Subprocessors: Subprocessors are as set forth in Schedule A.

  4. In Table 4 of the UK SCCs, both the Data Importer and the Data Exporter may end the UK SCCs in accordance with the terms of the UK SCCs.

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner's Office (ICO) and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.