DATA PROCESSING ADDENDUM
This Data Processing Addendum (including its Exhibits) (“Addendum”) is incorporated into and forms part of and is subject to the terms and conditions of the Gretel.ai Subscription Services Agreement available at https://gretel.ai/terms (the “Agreement”) by and between Customer and Gretel.ai. This Addendum will become legally binding upon the effective date of the Agreement. Capitalized or other terms not defined in this Addendum have the meaning set forth in the Agreement.
1. Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the transfer of Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws. All obligations in this Addendum are in addition to, not in lieu of, any other contractual, statutory, and other obligations of Gretel.ai. Notwithstanding the foregoing, this Addendum shall supersede and replace any inconsistent or conflicting language related to international transfers of Customer Personal Data in the Agreement. We update the terms of this Addendum from time to time. If Customer has an active Gretel.ai subscription, Gretel.ai will let Customer know when it does via email (if Customer has subscribed to receive email notifications from Gretel.ai) or via notification through the Subscription Services.
2. Definitions.
For the purposes of this Addendum, the following terms apply.
- “Customer Personal Data” means Personal Data Processed by Gretel.ai on behalf of Customer.
- “Data Protection Laws” means, as applicable, the EU General Data Protection Regulation 2016/679 and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
- “Personal Data” means any information relating to an identified or identifiable natural person that is subject to applicable Data Protection Laws.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Subprocessor(s)” means Gretel.ai’s vendors and third-party service providers that Process Customer Personal Data.
3. Processing Terms for Customer Personal Data.
- Documented Instructions. Gretel.ai shall Process Customer Personal Data to provide the Subscription Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Gretel.ai will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
- Authorization to Use Subprocessors. To the extent necessary to fulfill Gretel.ai’s contractual obligations under the Agreement, Customer hereby authorizes Gretel.ai to engage the Subprocessors listed in Exhibit A attached hereto.
- Gretel.ai and Subprocessor Compliance. Gretel.ai shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for Gretel.ai’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
- Right to Object to Subprocessors. Where required by Data Protection Laws, Gretel.ai will notify Customer via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
- Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
- Personal Data Inquiries and Requests. Where required by Data Protection Laws, Gretel.ai agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
- Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Gretel.ai agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Gretel.ai requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
- Demonstrable Compliance. Gretel.ai agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Customer’s reasonable request.
- Service Optimization. Where permitted by Data Protection Laws, Gretel.ai may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
- Aggregation and De-Identification. Gretel.ai may: (i) compile aggregated and/or de-identified information in connection with providing the Subscription Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
4. Information Security Program. Gretel.ai shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data.
5. Security Incidents. Upon becoming aware of a Security Incident, Gretel.ai agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
6. Cross-Border Transfers of Customer Personal Data.
- Cross-Border Transfers of Customer Personal Data. You authorize Gretel.ai and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
- EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland and/or the United Kingdom is transferred by you to Gretel.ai in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “Standard Contractual Clauses”) as supplemented by Exhibit A attachere hereto . By accepting the Agreement, you enter into this DPA and the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
7. Customer Audits. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may carry out an audit of Gretel.ai’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit must be: (i) conducted during Gretel.ai’s regular business hours; (ii) with reasonable advance notice to Gretel.ai; (iii) carried out in a manner that prevents unnecessary disruption to Gretel.ai’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
8. Customer Personal Data Deletion. At the expiry or termination of the Agreement, Gretel.ai will delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Gretel.ai’s data retention schedule), except where Gretel.ai is required to retain copies under applicable laws, in which case Gretel.ai will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
9. Customer’s Obligations. Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Customer’s practices with respect to the Processing of Customer Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iv) Gretel.ai’s Processing of Customer Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
EXHIBIT A TO THE DATA TRANSFER ADDENDUM
DATA TRANSFER IMPACT ASSESSMENT QUESTIONNAIRE
This Exhibit A forms part of the Addendum. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum or in the Agreement.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of new subprocessors in accordance with Section 3(d) of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
A. List of Parties:
Data Exporter: Customer.
Address: The address for Customer associated with Customer’s Gretel.ai account or as otherwise specified in the Agreement.
Contact person’s name, position, and contact details: Customer’s contact details associated with Customer’s account or as otherwise specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The Subscription Services.
Role: Controller.
Data Importer: Gretel.ai.
Address: PO Box 70097, Sunnyvale, California 94086.
Contact person’s name, position, and contact details: Gretel.ai’s contact details as set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: The Subscription Services.
Role: Processor.
B. Description of the Transfer:
- Categories of data subjects whose personal data is transferred: Customer’s Authorized Users.
- Categories of personal data transferred: Customer Personal Data that is Processed pursuant to the Agreement including, but not limited to emails and user names (optional)
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties’ knowledge, no sensitive data is transferred.
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Subscription Services, or as otherwise agreed upon by the parties.
- Nature of the processing: The Subscription Services.
- Purpose(s) of the data transfer and further processing: The Subscription Services.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature and duration identified in the Agreement and the Addendum.
C. COMPETENT SUPERVISORY AUTHORITY:
The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D. ADDITIONAL DATA TRANSFER IMPACT ASSESSMENT QUESTIONS:
- Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?
Answer: Not to data importer’s knowledge. - What countries will Customer Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from? If this varies by region, please specify each country for each region.
Answer: United States of America and those countries contemplated by Question 6 below. - What business sector is Gretel.ai involved in?
Answer: Artificial Intelligence and Machine Learning - Broadly speaking, what are the services to be provided and the corresponding purposes for which Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
Answer: Gretel.ai provides Subscription Services. Customer Personal Data is Processed in order to provide the Subscription Services in accordance with the Agreement. - When Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom to Gretel.ai, how is it transmitted to the Gretel.ai? Is the Customer Personal Data in plain text, pseudonymized, and/or encrypted?
Answer: The data is encrypted from the Customer's environment to Gretel's environment while in transit and also encrypted at rest. - Please list the Subprocessors that will have access to Customer Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom:
- Is Gretel.ai subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where Customer Personal Data is stored or accessed from that would interfere with Gretel.ai fulfilling its obligations under the attached Standard Contractual Clauses? For example, FISA Section 702. If yes, please list these laws.
Answer: As of the effective date of the Addendum, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending. - Has Gretel.ai ever received a request from public authorities for information pursuant to the laws contemplated by Question 11 above (if any)? If yes, please explain.
Answer: As of the effective date of the Addendum, Gretel.ai has not received any national security orders of the type described in Paragraphs 150-202 of the judgment in the CJEU Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, nor is Gretel.ai aware of any such orders in progress. - Has Gretel.ai ever received a request from public authorities for Personal Data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain.
Answer: No. - What safeguards will Gretel.ai apply during transmission and to the processing of Customer Personal Data in countries outside of the European Economic Area, Switzerland, and/or the United Kingdom that have not been found to provide an adequate level of protection under applicable Data Protection Laws?
Answer: Those safeguards set forth in this Addendum and the Agreement.
3. Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall use commercially reasonable efforts to implement and maintain appropriate technical and organisational measures designed to protect personal data in accordance with the Addendum.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.
4. Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.