Data Processing Addendum

Version 16.1 • Nov 23 2024        View Previous Versions

This Data Processing Addendum (this “Addendum”) is part of the Master Terms of Service Agreement (“MSA”) between Skycore LLC, the “Service Provider” and “Client” or any other signed agreement between the Parties that incorporates this Addendum by reference and governs the Service Provider’s processing of Personal Data in its capacity as a Processor in connection with the Service Provider’s provision of the Cloud Service it provides pursuant to the MSA. This Addendum shall only apply if the Service Provider and Client have not entered into a separate data processing agreement or similar contractual arrangement with respect to the processing of Personal Data. All capitalized terms used but not defined in this Addendum have the meanings given to them in the MSA. The terms “personal data”, “data subject”, “processing”, “controller”, “processor”, “representative” and “supervisory authority” shall have the meanings given in the GDPR or UK GDPR, as applicable, in each case irrespective of whether Data Protection Law applies. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.

“Data Subject” means any individual that has Personal Information Processed under this Addendum.

“Data Protection Legislation” means the EU Data Protection Directive 95/46/EC, the GDPR, together with all applicable legislation relating to data protection and privacy including all local laws and regulations which amend or replace them, as well as any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.

“Personal Information” means any data relating to an identified or identifiable individual where such data is provided to us or collected in connection with provision of the Service under the Agreement and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Security Incident” means a breach of security of the Service or our systems which are used to Process Personal Information leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information which is processed by us in the context of this Addendum.

“Processing” means any operation or set of operations performed on Personal Information, encompassing the collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.

“Processor” means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” means the clauses attached hereto pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

The Controller appoints the Service Provider as Processor to receive and process Personal Data on the Controller’s behalf only as is necessary to provide the Cloud Service and as may subsequently be agreed to by the parties in writing. The Controller’s instructions for the Processing of Personal Data under or in relation to this Addendum shall comply with Data Protection Laws, as applicable. The Controller is responsible for ensuring a valid legal basis for processing the Personal Data. The legal entity agreeing to this Addendum as Controller represents that it is authorized to agree to and enter into this Addendum for, and is agreeing to this Addendum solely on behalf of, the Controller.

The Processor, shall collect, receive, process and use Personal Data on behalf of and as instructed by the Client as the Controller, in accordance with Data Protection Legislation, as applicable and will not use or process Customer Personal Data for any purpose other than in its capacity as Processor appointed by the Controller.

Processing. The subject matter and details of processing are described in “Section IV Appendix 1” of this Addendum.

Before the Controller transfers Personal Data to the Processor, or permits the Processor to access Personal Data located in a jurisdiction that requires an International Data Transfer Mechanism, the Controller shall verify whether the relevant requirements are met. If they are not met, the parties shall work together in good faith to fulfill the requirements of that International Data Transfer Mechanism. The parties shall institute and comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law.

If the Controller is established in the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”) and transfers Personal Data to the Processor, then the Data Transfer Addendum shall: (i) apply to such transfers; (ii) take precedence over all other terms, including the terms of this Agreement, in respect of such transfers; (iii) form a legally binding contract between the data exporter and Processor as or on behalf of the data importer; and (iv) be hereby incorporated into the MSA.

With respect to Personal Data of EEA, Switzerland and UK data subjects, the Parties agree that the Processor may process Personal Data outside the EEA, Switzerland, and the UK only where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies. With respect to personal data of Brazilian data subjects, the Data Controller agrees that the Service Provider may process Customer Personal Data outside of Brazil, and represents and warrants that such transfer of Customer Personal Data is compliant with the Brazilian data protection law (LGPD).

The parties will comply with their respective obligations under Data Protection Law and their respective privacy notices.

The Processor will restrict access to Personal Data to those authorized persons who need such information to provide the Services. Such authorized persons are obligated to maintain the confidentiality of any Personal Data. The Processor will not publish, disclose, or divulge (and will ensure that its personnel do not publish, disclose, or divulge) Personal Data to a third party unless the Controller has given its prior written consent.

The Processor will implement appropriate technical, administrative and organizational measures, as applicable, and as described in “Section V Appendix 2” of this Addendum, required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Personal Data; and (ii) prevent unauthorized or unlawful processing of Personal Data, accidental loss, disclosure or destruction of, or damage to, Personal Data provided by Controller and processed by the Processor. Such security measures will be at least as protective as the security requirements set forth in the MSA. When choosing security controls, the Processor will consider the state of the art, the cost of implementation, the nature, scope, context, and purposes of Personal Data processing, and the risk to data subjects of a security incident or Personal Data Breach affecting Personal Data.

Personal Data received from Client will be retained only for so long as may be reasonably required in connection with the Processor’s performance of the MSA or as otherwise required under Data Protection Law. The Processor’s obligations related to returning or deleting Personal Data will survive termination until all Personal Data has been returned or deleted in accordance with this Addendum.

The Processor will cooperate to the extent reasonably necessary in connection with the Controller’s requests related to data security, data breach notifications, data protection impact assessments and consultation with supervisory authorities and for the fulfillment of the Controller’s obligation to respond to requests for exercising a data subject’s rights under Data Protection Law. The Processor reserves the right to charge the Controller for its reasonable time for such cooperation and for the costs incurred for any special arrangements requested.

If the Processor receives a request from a data subject or a third party in connection with any government investigation or court proceeding that the Processor believes would require it to produce any Personal Data, the Processor will inform the Controller promptly in writing of such inquiry, request or complaint and cooperate with the Controller if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable Law. The Processor will assist the Controller, insofar as it is commercially reasonable, to fulfill Controller’s obligation to respond to requests from Data Subjects and supervisory authorities as required by Data Protection Law. The Controller shall be solely responsible for responding to any Data Subjects’ requests and if such request is made directly to the Processor, the Processor will promptly inform the Controller and will advise the Data Subjects to submit their request to the Controller.

Notwithstanding anything in the MSA to the contrary, the Processor will only process Personal Data in order to provide the Services to the Controller, in accordance with the Controller’s written instructions, as permitted by the last sentence of Section 8 below, or as required by applicable Law. The Processor will promptly inform the Controller if following an instruction would result in a violation of Data Protection Law or where the Processor must disclose Personal Data in response to a legal obligation (unless the legal obligation prohibits the Processor from making such disclosure).

The Processor is prohibited from: (a) Selling (as such term is defined in the CCPA) Personal Data, (b) retaining, using, or disclosing Personal Data for any purpose other than for the specific business purpose of performing the Controller’s documented instructions for the business purposes defined in this Addendum, including retaining, using, or disclosing the Personal Data for a commercial purpose other than performing Controller’s instructions, or (c) retaining, using, or disclosing the Personal Data outside of the direct business relationship between the parties as defined in this Agreement. The Processor certifies that it understands these restrictions. Notwithstanding the foregoing, the Processor may process Personal Data to retain or employ another person as a sub-Processor (as defined in Section10 below) in accordance with this Addendum, for internal use by the Processor to improve the quality of its services (provided that the Processor does not use the Personal Data to perform services on behalf of another person), or to detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.

The Controller will inform the Processor if Personal Data is Sensitive Data and Controller shall obtain explicit consent from Data Subjects for the transfer of Sensitive Data for processing the extent such consent is required under Data Protection Law.

The Controller grants the Processor general authorization, as a processor, to engage other processors (“Sub-processors”) to assist in providing the Services consistent with the Agreement. The Processor will ensure each Sub-processor only accesses and uses Personal Data to the extent required to perform the obligations subcontracted to it and in accordance with this Addendum. In accordance with Data Protection Laws, the Processor will make a list of such Sub-processors accessible to the Controller in Appendix 3 prior to transferring any Personal Data to such Sub-processors. The Controller may opt-in to be notified by email in writing by the Processor of any changes to the list of Sub-processors by updating such list from time to time in order to give the Controller an opportunity to object to such changes within 30 days after being notified. If the Controller and the Processor are unable to resolve such objection, either Party may terminate the Agreement by providing written notice to the other party. The Controller shall have the right to review all sub-Processor’s activities in accordance with the Data Protection Legislation, including the right to obtain information from the Processor, upon written request, on the implementation of the data protection obligations under each Sub-Processing contract.

Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, substantially similar data protection obligations as set out in this Addendum will be imposed on that Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law. The Processor will be liable for the acts or omissions of its Sub-processors to the same extent as the Processor would be liable if performing the services of the Sub-processor directly.

Upon a request issued by a supervisory authority for records regarding Personal Data, the Processor will cooperate to provide the supervisory authority with records related to processing activities performed on the Controller’s behalf, including information on the categories of Personal Data processed and the purposes of the processing, the use of service providers with respect to such processing, any data disclosures or transfers to third parties and a general description of technical and organizational measures to protect the security of such data.

The Controller authorizes the Processor to transfer, store or process Personal Data in the United States or any other country in which the Processor or its Sub-processors maintain facilities. The Controller appoints the Processor to perform any such transfer of Personal Data to any such country and to store and process Personal Data in order to provide the Services. The Processor will conduct all such activity in compliance with the MSA, this Addendum, Data Protection Law, any applicable International Data Transfer Mechanism and Controller instructions.

Upon completion of Processors obligations in relation to processing of Personal Data under this Agreement or when instructed by the Controller, the Processor will delete any Personal Data or return it to the Controller in a secure manner and delete all remaining copies of Personal Data after such return except where otherwise required under applicable Law. Process will render any Personal Data that cannot be deleted or returned will be anonymous in such a manner that the data no longer constitutes Personal Data. The Processor will relay the Controller’s instructions to all Sub-processors. The Controller may, before termination or expiration and by way of issuing an Instruction, stipulate the reasonable secure method and format to return of any Personal Data before it is deleted. The Controller will be responsible for any additional cost arising in connection with the secure method instructed for the return of Personal Data.

In accordance with Section 7.8.1 of the MSA, after becoming aware of a Personal Data Breach, the Processor will notify the Controller without undue delay of: (a) the nature of the Personal Data Breach; (b) the number and categories of data subjects and data records affected; and (c) the name and contact details for the relevant contact person at the Processor. The Processor shall immediately investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and carry out any recovery or other action necessary to remedy the Personal Data Breach. At the Controller’s request, we will promptly provide all reasonable assistance necessary to enable the notification competent authorities and/or affected Data Subjects of the relevant Security Incident, if Controller is required to do so under Data Protection Legislation.

Upon request and at the Controller’s expense, the Processor will make available to the Controller all information necessary, and allow for and contribute to audits, including reasonable inspections, conducted by the Controller or another auditor mandated by the Controller, to demonstrate compliance with Data Protection Law. For clarity, such audits or inspections are limited to the Processor’s processing of Personal Data for Client only, not any other aspect of the Processor’s business or information systems. If the Controller requires the Processor to contribute to audits or inspections that are necessary to demonstrate compliance, the Controller will provide the Processor with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it, will be considered Confidential Information and, notwithstanding anything to the contrary in the MSA, will remain Confidential Information in perpetuity or the longest time allowable by applicable Law after termination of the MSA. Such materials and derivative work product produced in response to the Controller’s request will not be disclosed to anyone without the prior written permission of the Service Provider unless such disclosure is required by applicable Law. If disclosure is required by applicable Law, the Controller will give the Processor prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable Law or order of a court or governmental agency. The Controller will make every effort to cooperate with the Processor to schedule audits or inspections at times that are convenient to the Processor. The Processor may charge a reasonable fee for such requests except where such investigation arises from a breach of its obligations herein, to the extent permitted by applicable law. If, after reviewing the Processor’s response to Client’s audit or inspection request, the Controller requires additional audits or inspections, the Controller acknowledges and agrees that it will be solely responsible for reasonable fees and all costs incurred in relation to such additional audits or inspections.

If there is a conflict or inconsistency between this Data Processing Addendum, the Data Transfer Addendum, MSA, Product Addendum, the order of priority will be: the Data Transfer Addendum (but only to the extent it applies under section 6.a above), this Data Processing Addendum, the MSA, Product Addendum. Where individual provisions of this Addendum are invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum shall not be affected.

The Service Provider may update any part or all of the terms of the Addendum as needed to comply with Data Protection Legislation and will become effective and binding upon on the renewal date of the Client’s next Product Subscription or upon Service Provider’s written agreement, whichever is sooner. If this Addendum is incorporated by reference as a web page URL, the updated version of the Addendum will be posted at the same URL and Controller will be shared with the Controller for approval in writing. If this Addendum is incorporated as part of a commercial agreement executed by the Parties, the updated version of the Addendum will be shared with the Controller for approval in writing. If the Controller does not agree with a modification in writing, the Controller shall notify the Processor in writing and the Parties will work together in good faith form a new mutually acceptable Data Processing Addendum.

The data exporter is the Disclosing Party and shall be a Controller, as defined in this Agreement, with the name, address, and contact details as provided to the Service Provider through the provision or support of the Services. The activities relevant to the data transferred under these Standard Contractual Clauses include the use of the relevant Services in accordance with the MSA and applicable Product Addendum. The data exporter shall be in the Controller role.

The data importer is the Receiving Party and shall be the Service Provider, as defined in this MSA, with the name, address and contact details as follows:

Skycore LLC, with its address at 397 Moody St. Suite 202 Waltham MA 02453

The data importer shall be in the Processor role when the activities relevant to the data transferred under these Standard Contractual Clauses include the provision of the relevant Services to Client in accordance with the MSA and applicable Product Addendum.

The data importer shall be in the Controller role where the both the exporter and importer are each an independent data controller of Personal data and independently determine the purpose and means of processing Personal Data under Data Protection Law when the activities relevant to the data transferred under these Standard Contractual Clauses include the support of the relevant Services to Client in accordance with the MSA and applicable Product Addendum.

The data processing activities carried out by Receiving Party under this Addendum are as follows:

Service Providers provision and support of the Services under the MSA and applicable Product Addendum.

For the term of this Agreement plus the period from expiry until the anonymization, return, or deletion of data in accordance with this Agreement.

Receiving Party will process Personal Data for the purposes of providing the Services in accordance with and as described in the MSA and applicable Product Addendum.

Personal Data relating to individuals provided to Receiving Party as Processor in the performance and provision of the Services to Client, by (or at the direction of) the Disclosing Party, which may include:

• Mobile Wallet Services: Personal Data processed via Mobile Wallet Services may include the following categories:
  • Contact Information is processed to facilitate the creation and issuance of digital passes, such as loyalty cards, coupons, event tickets, boarding passes, or gift cards. Contact Information includes email address, telephone number, and mailing address.
  • Personal Information is processed to enable the Controller to create, issue, and manage mobile wallet passes for end users as well as integrate with other systems. This data allows the Data Subject to display their Personal Information with the Controller or third parties when using a mobile wallet
  • Pass, including digital loyalty cards, coupons, and event tickets. Personal Information includes name, gender, age, date of birth, location data, education information, employment information, face photos, and membership information.
  • Usage Information is processed to support the use of the Mobile Wallet Services by Data Subjects and Controllers. This data helps to monitor performance and track interactions with the platform. Usage information includes device information, network information, interactions and event data such as barcode scans, installs, or uninstalls, platform data, system logs, integration data, and other electronic data or communications submitted, stored, sent, or received by end users through the platform.
• Text Messaging Services: Personal Data processed via Text Messaging Services may include the following categories:
  • Contact Information is processed to authenticate and communicate with Data Subjects through SMS and MMS messages. This includes sending, receiving, and collecting responses from Data Subjects through two-way text messaging. Contact Information includes email address, telephone number, mailing address.
  • Personal Information is processed to enable the use of the text messaging service by the Controller and its end users. This data allows the Data Subject to display, transfer, verify, or share all or part of their Personal Information with the Controller or third parties. It also includes information shared through two-way messaging (e.g., responses to questions, preferences, feedback). Personal Information includes name, gender, age, date of birth, payment information, location data, education information, membership information, employment information, family relationships, pets, certifications, licenses, credentials, entitlements, identity documents, and responses provided through two-way messaging interactions.
  • Usage Information is processed to support the functionality and user experience of Text Messaging Services. This includes monitoring system performance and tracking message interactions. Usage Information includes device information, network information, message interaction data, system logs, application integration data, platform usage information, data related to actions and events on the platform, other electronic data or communications submitted, stored, sent, or received by end users.

Personal Data relating to individuals provided to Receiving Party as a Controller in a Controller to Controller transfer for the purpose of sale of Services to Client or support of the Services for Client, by (or at the direction of) the Disclosing Party, which may include:

• Contact Information of Client representatives, agents, referrals or partners which is processed in order to authenticate and communicate with Data Subjects in order to sell the Service to Client or support the Service for Client. Contact Information includes email address, telephone number.
• Personal Information of Client representatives, agents, referrals or partners is processed in order to enable the Controller to sell the Service to Client or support the Service for Client. Personal Information includes these representatives name, employment information, certifications, licenses, credentials, entitlements, identity documents, identity proofs, and face photos.

Sensitive Data that may be transferred to the Processor Service Provider as Processor via the Services, by or at the direction of the Data Controller, may include the following categories:

• Mobile Wallet Services: Sensitive Data may be processed through the Mobile Wallet Services to enable the storage, display, and sharing of health-related passes and other sensitive information. This may include:
  • Health Data may be processed for the purposes of preventive or occupational medicine. Mobile wallet passes can store and display health data in a variety of scenarios including disability information, patient status or caregiver role, health insurance credentials, health insurance coverage information, health insurance provider contact information, vaccination records, and medical test results.
  • If pseudonymization of sensitive health data is not possible, processing is permitted only if the Controller has obtained explicit consent from the Data Subject. Processing must also comply with relevant legal requirements.
• Text Messaging Services: Sensitive Data processing for Text Messaging Services is typically less common than for Mobile Wallet Services, but it may occur in certain contexts. The processing of health data or other sensitive information through SMS or MMS is subject to strict controls.
  • Health-related Sensitive Data may be processed for communication purposes, including sending and receiving sensitive health-related information through SMS or MMS, but only when necessary and explicitly authorized. Health-related Sensitive Data includes health status updates, reminders for medical appointments, follow-ups after treatment, vaccination or medical test information, health insurance coverage information and health insurance provider contact information, but only where consent is explicitly provided.
  • Sensitive Data, such as health information, may only be processed through the Text Messaging Services if explicit consent has been obtained from the
  • Data Subject, and the Controller ensures that such data is processed in compliance with applicable laws.

Continuous

Data subjects include EEA, Switzerland, UK, and Brazilian individuals about whom personal data is provided to Processor via the Services by (or at the direction of) the Controller. Data Subjects may be any individual with a business, personal, affiliation or institutional relationship with the Controller or customer of Controller including their customers, end users, members, suppliers, collaborators, volunteers, licensees, vendors, prospects, employees, subcontractors, guests, relatives, guardians, patients, instructors, constituents, friends, representatives.

The competent supervisory authority will be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).

1. The Processor shall implement and comply with a written information security program consistent with established industry standards and appropriate to the nature of the Personal Data. This program shall include administrative, technical, and physical safeguards designed to protect such information from unauthorized access, destruction, use, modification, or disclosure, as well as any anticipated threats or hazards to the security or integrity of such information. The program shall also include safeguards against unauthorized access or use that could result in substantial harm or inconvenience to the Controller, the Controller’s customers, or the Controller’s employees.
2. The Processor shall adopt and implement reasonable policies and standards related to security.
3. The Processor shall assign responsibility for information security management.
4. The Processor shall devote adequate personnel resources to information security.
5. The Processor shall carry out verification checks on permanent staff who will have access to the Personal Data.
6. The Processor shall conduct appropriate background checks and require employees, vendors, and others with access to the Personal Data to enter into written confidentiality agreements.
7. The Processor shall conduct training to make employees and others with access to the Personal Data aware of information security risks and to enhance compliance with Processor’s policies and standards related to data protection.
8. The Processor shall prevent unauthorized access to the Personal Data through the use, as appropriate, of physical and logical entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with Processor’s policies and standards related to data protection on an ongoing basis. In particular, Processor shall implement and comply with:• Physical access control measures to prevent unauthorized access to data processing systems
   • Denial-of-use control measures to prevent unauthorized use of data protection systems
   Authorization scheme and access rights to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Personal Data cannot be read, copied, modified, or removed without authorization
   • Data transmission control measures to ensure that the Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records
   • Encryption in storage of any data sets in Processor’s possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards
   • Ensuring that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Processor’s IT system or transmitted over a public network is encrypted using the newest supported versions of TLS 1.2 protocol to protect the security of the transmission
   • Data entry control measures to ensure Processor can check and establish whether and by whom the Customer Personal Data has been input into data processing systems, modified, or removed
   • Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration testing, use of system scanning tools, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans
   • Sub-processor supervision measures to ensure that, if Processor is permitted to use sub-processors, the Personal Data is processed strictly in accordance with the Data Controller’s instructions
9. The Processor shall take such other steps as may be appropriate under the circumstances.

To enable Service Provider deliver the Subscription, Sub-Processors are engaged to assist with certain necessary data processing activities. A list of the Sub-Processors used and the purpose for engaging them is located below may be updated from time to time subject to the terms herein.