Data Processing Addendum

FAQs

To assist our customers in their understanding of how Pixlee processes personal data, and the nature of the personal data that Pixlee processes, we have created this short list of FAQs as a supplement to our standard data processing addendum, which you will find below. If you have any questions regarding Pixlee’s processing activities, please contact privacy@pixlee.com.

1. What personal data does Pixlee process? 

Pixlee is a visual marketing platform which helps brands to leverage user generated content from social media sites to improve their online marketing performance. The personal data processed by Pixlee, on behalf of its customers, is limited to social media content (photos, videos, social media handles, and public comments) and associated metadata. For further information regarding Pixlee’s functionality, please see https://www.pixlee.com/functionality-breakdown

2. Where is Pixlee located? 

Pixlee’s main operations are located in the United States. Most of Pixlee’s processing takes place in the United States, although Pixlee may from time to time process personal data in other countries. Our DPA talks more about data transfers and, in particular, the legal mechanism we rely on for transferring personal data outside of the European Economic Area.

3. Does Pixlee sell personal data or use it for its own purposes? 

No. With respect to personal data processed on behalf of its customers, Pixlee is a processor under the European Union’s General Data Protection Regulation (GDPR) and a service provider under the California Consumer Privacy Act (CCPA). Pixlee only uses this personal data for purposes of performing services on behalf of its customers and does not use it for its own purposes, or disclose it to third parties (other than third parties who perform services on Pixlee’s behalf).

4. Is Pixlee subject to US government surveillance laws? 

Yes. Like most US companies, Pixlee technically is subject to certain surveillance laws such as FISA 702. However, given the nature of the personal data we process, it is unlikely that we will be subject to demands under these laws and to date we have not received any such demands or requests. In the unlikely event we do receive a FISA 702 or similar demand or request, we will provide data only after we receive or are subject to a legally binding order or subpoena issued by a court or legal body with proper jurisdiction. If we receive a demand for data from a government body, we will attempt to redirect the government body to request that data directly from the applicable data exporter. If we are compelled to disclose data to a government body, we will give the applicable data exporter reasonable notice of the demand so that they can seek a protective order or other appropriate remedy, unless we are legally prohibited from doing so. We require our subcontractors, through our standard data processing agreement or other contractual terms, to apply limitations to data disclosure that are consistent with those we apply to our own disclosures.

Data Processing Addendum

This Data Protection Addendum ("Addendum") forms part of the Pixlee Terms of Use and/or Master Services Agreement (collectively, the "Agreement") between the applicable Pixlee customer which is a party to such Agreement ("Company"), and the applicable Pixlee Entity which is also a party to such Agreement ("Pixlee").  Company and Pixlee are each referred to as a “Party” and collectively as the “Parties”.

Except as modified below, the terms of the Agreement shall remain in full force and effect.   Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

1. Definitions. The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement.  The following terms have the meanings set forth below:

  1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Pixlee or Company, respectively.  
  2. “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Pixlee is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018 (“CCPA”), (b) the EU General Data Protection Regulation 2016/679 (“GDPR”) including the applicable implementing legislation of each Member State, (c) the UK Data Protection Act 2018, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, (d) the Swiss Federal Act on Data Protection of 19 June 1992, (e) any other applicable law with respect to any Personal Data in respect of which Pixlee is subject, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.
  3. “Data Subject” shall mean an identified or identifiable natural person.
  4. “Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Pixlee, on behalf of Company, in connection with Pixlee’s performance of the Services.
  5. “Pixlee Entity” shall mean Pixlee Inc., and/or any Pixlee Affiliate, including without limitation TurnTo Networks, Inc.
  6. “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters in the jurisdiction of Pixlee.
  7. “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
  8. “Security Breach” shall mean an actual or reasonably suspected accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.
  9. “Services” shall mean the services as described in the Agreement or any related order form or statement of work.
  10. “Standard Contractual Clauses” shall mean (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), and (b) with respect to restricted transfers subject to the UK GDPR and other Applicable Privacy Laws pursuant to which the EU Clauses have not been adopted, such other transfer clauses as may be adopted from time to time under the UK GDPR (the “UK SCCs”) and other Applicable Privacy Laws.
  11. “Subprocessor” shall mean any subcontractor (including any third party and/or Pixlee Affiliate) engaged by Pixlee to Process Personal Data on behalf of Company.

2. Processing Requirements

  1. Pixlee shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Company’s instructions, and as may subsequently be agreed between the Parties in writing.  Pixlee shall promptly inform Company if (a) in Pixlee’s opinion, an instruction from Company violates Applicable Privacy Law; or (b) Pixlee is required by applicable law to otherwise Process Personal Data, unless Pixlee is prohibited by that law from notifying Company under applicable law. 
  2. Pixlee shall implement and maintain reasonable and appropriate technical measures that will ensure that Company’s reasonable and lawful instructions can be complied with, including the following:

(a) updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Company from time to time;

(b) cancelling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Company; 

(c) otherwise facilitating Company’s responses to Data Subject requests as required under Applicable Privacy Law; and

(d) Pixlee shall promptly re-direct any request from a Data Subject to exercise any of its Data Subject rights to Company, and shall not respond directly to the Data Subject unless instructed so by Company in writing.

  3. Pixlee acknowledges that (a) Company discloses Personal Data to Company solely for the business purpose of Company, and (b) Pixlee has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data, and that any consideration paid by Company to Pixlee under the Agreement relates only to Pixlee’s provision of the Services. Pixlee shall not collect, retain, use, disclose, or otherwise Process the Personal Data (i) for any purpose other than for the specific purpose of providing the Services to Company, or (ii) outside of the direct business relationship between Pixlee and Company. In addition, Pixlee shall not ‘sell,’ as defined under Applicable Privacy Law (including, without limitation, CCPA), or otherwise disclose any Personal Data except to authorised Subprocessors needed to render the Services.
  4. Pixlee shall provide to Company such co-operation, assistance and information as Company may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Company’s provision of the Services, and (b) within such reasonable time as would enable Company to meet any time limit imposed by the Privacy Authority.

3. Security of Personal Data

  1. Pixlee shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access.
  2. Pixlee shall ensure the reliability of any employees who Process Personal Data.

4. Subprocessors

  1. Pixlee shall not, without Company’s prior written consent, sub-contract or outsource any Processing of Personal Data to any Subprocessor; provided that Company shall not unreasonably withhold or delay consent to Pixlee’s appointment of any Subprocessor. Without limiting the foregoing, Pixlee authorizes Company to engage the Subprocessors specified in Schedule 2 of this Addendum.
  2. Pixlee shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.
  3. Pixlee will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on Pixlee under this Addendum.

5. Breach Notification

  1. Notification to Company. Unless otherwise prohibited by applicable law, Pixlee shall notify Company without undue delay, and in any event within 24 hours after Pixlee becomes aware of a Security Breach. Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). In addition, Pixlee shall communicate to Company (i) the name and contact details of Pixlee’s data protection officer or other point of contact where more information can be obtained, (ii) a description of the likely consequences of the Security Breach, (iii) a description of the measures taken or proposed to be taken by Pixlee to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  2. Investigation. Pixlee shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.

6. Privacy Impact Assessment. Pixlee shall, promptly upon receipt of written request by Company (a) make available to Company such information as is reasonably necessary to demonstrate Company’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Company in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Pixlee. Pixlee shall reasonably cooperate with Company to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment. Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Company shall not make any such request more than once in any 12-month period.

7. Audit Rights. Pixlee shall permit Company and/or its authorized agents, at Company’s cost, to audit its records to the extent reasonably required in order to confirm that Pixlee is complying with its obligations under this Addendum, provided always that any such audit does not involve the review of any third party data and that the records and information accessed in connection with such audit are treated as Pixlee’s confidential and proprietary information.

8. Deletion of Personal Data. Pixlee shall, promptly and in any event within 90 days of expiration or termination of the Agreement, or following receipt of written notice from the Pixlee, (a) return a complete copy of all Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to Pixlee; and (b) delete and procure the deletion of all other copies of Personal Data Processed by Pixlee. 

9. Third Party Disclosure Requests

  1. Unless prohibited by applicable law, Pixlee shall promptly notify Company of any inquiry, communication, request or complaint, to the extent relating to Pixlee’s Processing of Personal Data on behalf of Company, from:

(a) any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or

(b) any Data Subject,

and shall, taking into account the nature of the Processing, provide reasonable assistance to enable Company to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines.  Pixlee shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 9.1 and Section 9.2.

  2. In the event that Pixlee is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Company, including any national security authority or other government body, Pixlee shall attempt to redirect the government request to Company. If Pixlee is unable to redirect the request, Pixlee shall, unless prohibited by applicable law, notify Company promptly and shall provide all reasonable assistance to Company to enable Company to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines. If Pixlee is prohibited by applicable law from providing notice to Company of a Legal Request, Pixlee shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Pixlee shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 9.2.

10. Restricted Transfers of Personal Data Outside of the European Economic Area, the United Kingdom, and Switzerland.  Where Personal Data originating in the European Economic Area is Processed by Pixlee outside the European Economic Area, in a territory that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to Applicable Privacy Law, Company and Pixlee agree that the transfer shall be undertaken pursuant to Standard Contractual Clauses. For transfers from Switzerland only, the term “personal data” as used in the Standard Contractual Clauses, shall include, as applicable, personality profiles and the personal data of legal persons. Pixlee shall provide a copy of the signed version of the Standard Contractual Clauses to Company upon request.

11. Claims. Any claims brought under, or in connection with, this Addendum, shall be subject to the exclusions and limitations of liability set forth in the Agreement.

Schedule 1 to Addendum – Standard Contractual Clauses

STANDARD CONTRACTUAL CLAUSES

(MODULE 2 - CONTROLLER TO PROCESSOR)

SECTION 1

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties: 

  1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
  2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 1

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Company,

as defined in the Addendum and further specified in the Agreement

(the data exporter)

And

Pixlee

as defined in the Addendum and further specified in the Agreement

(the data importer)

each a party; together the "parties",

The parties HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Background

The data exporter has entered into a data processing addendum (“Addendum”) with the data importer. Pursuant to the terms of the Addendum, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.

Clause 1

DEFINITIONS

For the purposes of the Clauses: 

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of personal data and on the free movement of such data;
  2. ‘the data exporter’ means the controller who transfers the personal data;
  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  4. ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

DETAILS OF THE TRANSFER

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

THIRD-PARTY BENEFICIARY CLAUSE

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6.1 and 6.2, Clause 7, Clause 8.2, and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-Processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  4. The Parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

OBLIGATIONS OF THE DATA EXPORTER

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  2. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to Process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2;
  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  7. to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  9. that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  10. that it will ensure compliance with Clause 4(a) to (i).


Clause 5

OBLIGATIONS OF THE DATA IMPORTER

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  3. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  4. that it will promptly notify the data exporter about

(a) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(b) any accidental or unauthorised access, and

(c) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

  5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  6. at the request of the data exporter to submit its data Processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  8. that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
  9. that the processing services by the sub-processor will be carried out in accordance with Clause 11;
  10. to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

LIABILITY

  1. The Parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any Party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 6.1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 6.1 and 6.2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-Processor shall be limited to its own processing operations under the Clauses.

Clause 7

MEDIATION AND JURISDICTION

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The Parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

COOPERATION WITH SUPERVISORY AUTHORITIES

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 8.2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

GOVERNING LAW

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

VARIATION OF THE CONTRACT

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

Clause 11

SUB-PROCESSING

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-Processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
  2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in Clause 6.1 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 11.1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

OBLIGATION AFTER THE TERMINATION OF PERSONAL DATA PROCESSING SERVICES

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 7.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

DESCRIPTION OF THE TRANSFERS (CONTROLLER TO PROCESSOR)

This Appendix forms part of these Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter 

The Data Exporter is:

[Company]

Data importer 

The Data Importer is: 

[Pixlee Entity]

Data subjects

The personal data transferred concern the following categories of data subjects:

Data exporter may submit or otherwise provide access to Personal Data through the use of the Service, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

Users of Company’s websites and applications

Purchasers of Company’s goods and services

Individuals submitting user generated content to Company’s, or its syndication partners’ websites and applications

End users or customers of Company

Categories of data

The personal data transferred concern the following categories of data:

Data exporter may submit or make available Personal Data to the Services and which may include, but is not limited to the following categories of Personal Data:

First and last name or initial (or nickname / screenname), contact information (email address and/or unique identifier)

IP address and/or other device ID

Any other Personal Data that Company elects to transmit, collect, or display on Pixlee’s platform


Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

Pixlee does not intentionally Process any special category data in the provision of the Services.  Under the Addendum, Company agrees not to provide special category data to Pixlee at any time.


Processing operations

The personal data transferred will be subject to the following basic processing activities:

Use of personal data for the provision of the Services.

Duration of processing

Personal Data shall be Processed during the term of the Agreement, or as otherwise required by applicable law or as agreed between the Parties.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

This Appendix 2 forms part of the Clauses.  

Data importer will maintain appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access in accordance with the Addendum and requirements under Applicable Privacy Laws. 

Schedule 2 to the Addendum – Subprocessors

The Subprocessors listed below have been engaged by Pixlee and may assist in Processing within the scope of Services provided to Company under the Agreement.

Pixlee Subprocessors

| Provider | Address | Purpose and Data | Data Location |
| --- | --- | --- | --- |
| Redis Labs | 1700 E El Camino, Mountain View, CA, 94041 | Data Storage Solution: social media name, IP addresses | USA |
| Keen | 325 9th Street, San Francisco, CA, 94103 | Analytics storage, aggregation, and tracking: social media profile, IP addresses, purchase data | USA |
| AWS | 410 Terry Ave, N. Seattle, WA 98109 | General infrastructure and hosting for portions of application: social media name, image, IP address, purchase information | USA |
| Salesforce/Heroku | 1 Market Street Suite 300, San Francisco, CA 94105 | Application Hosting by Heroku, which is owned by Salesforce: social media name, image, IP address | USA |
| Fastly | 475 Brannan Street #300, San Francisco, CA 94107 | Content caching and delivery: social media profile, images | USA |
| Intercom | 55 2nd Street 4th Floor, San Francisco, CA 94105 | In-app chat within the Pixlee platform for customers: Name + Email | USA |
| Fullstory | 818 Marietta Street Suite A, Atlanta, Georgia 30318 | In-app tracking to assist with bug discovery and remedy: Name + Email | USA |
| Sentry | 132 Hawthorne St, San Francisco, CA 94107 | JavaScript error detection and tracking: IP address | USA |
| Honeybadger | 11410 NE 124th Street #246, Kirkland, WA, 98034 | Error Detection: IP Address | USA |
| Logentries | 100 Summer Street 13th Floor, Boston, MA, 02110-2115 | Backend error detection and tracking: IP Address | USA |
| Segment.io | 100 California St Suite 700, San Francisco, CA, 94111 | Analytics tracking and loading: IP Address | USA |
| Twilio Inc. | 01 Spear Street, First Floor, San Francisco, CA, 94105 | Outgoing email notifications and content solicitations: first name, email address | USA |
| GoodData Corporation | 1 Post St, San Francisco, CA, 94104 | Aggregate, statistical data about service performance | USA |

TurnTo Subprocessors

| Provider | Address | Purpose and Data | Data Location |
| --- | --- | --- | --- |
| Amazon AWS | 410 Terry Ave, N. Seattle, WA 98109 | General infrastructure and hosting for portions of application: social media name, image, IP address, purchase information | USA (or Ireland - upon request) |
| Twilio, Inc. | 101 Spear Street, First Floor, San Francisco, CA, 94105 | Outgoing email notifications and content solicitations: first name, email address | USA |
| GoodData Corporation | 1 Post Street, San Francisco, CA, 94104 | Aggregate, statistical data about service performance | USA |