DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the SaaS Agreement (“Agreement”) entered into between:
OGY Docs Inc., a company incorporated under and by virtue of the provisions of the General Corporation Law of the State of Delaware (“OGY” or “Data Processor”); and
(“Customer” or “Data Controller“) acting on its own behalf and as an agent for each Customer Affiliate.
This Addendum and its provisions should apply only if the Applicable Data Protection Legislation requires the Parties to sign such Addendum.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.
Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Contracted Processor” means OGY’s Sub-processor;
“Customer Personal Data” means any Personal Data which may be processed by OGY or a Contracted Processor on behalf of Customer, pursuant to or in connection with the Agreement. For the avoidance of doubt, Customer’s business contact information is not by itself deemed to be Personal Data subject to this DPA.
“Data Protection Legislation” means the GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, (“GDPR”) and repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time or any regulation replacing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and the relevant Israeli applicable law.
“EU” means the European Union;
“EEA” means the European Economic Area. The GDPR applies to the European Economic Area (EEA), which includes all EU countries as well as Iceland, Liechtenstein and Norway;
“Services” means the services as defined in the Agreement;
“Sub-processor” means any person (excluding an employee of OGY or any of its sub-contractors) appointed by or on behalf of OGY to Process Personal Data on behalf of Customer in connection with the Agreement;
“Supervisory Authority” means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation; and
The terms “Controller“, “Processor“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
Processing of Customer Personal Data
The parties acknowledge that Customer is the Controller and that OGY is acting in the capacity of a Processor. In some circumstances, Customer may additionally or alternatively be a Processor, in which case Customer appoints OGY as an authorised sub-processor, which shall not change the obligations of the parties under this Addendum as OGY will remain a Processor in any such event. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation. For clarity, this DPA shall not apply with respect to OGY processing activity as a Data Controller with respect to OGY’s data as defined in the Agreement which is subject to Privacy Policy on WAVE BL Website https://wavebl.com/wave-bl-privacy-policy/.
OGY shall process Customer’s Personal Data on the documented instructions of Customer, unless otherwise required by a Data Protection Legislation to which OGY is subject. In which case, OGY shall notify Customer if, in its opinion, any instruction infringes the GDPR or other Union or Member State data protection provisions, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of OGY to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.
Customer warrants and represents that it is and will, at all relevant times, remain duly and effectively authorised to give the instruction set out in Section 2.2, including on behalf of each relevant Customer Affiliate.
Customer warrants that it has all the necessary rights to provide the Personal Data to OGY for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the Data Protection Legislation support the lawfulness of the Processing. To the extent required by the Data Protection Legislation, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in the Data Protection Legislation supports the lawfulness of the processing, that any necessary Data Subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to OGY, and OGY will act pursuant to Customer’s instructions as seems appropriate.
Annex 1 to this Addendum sets out certain information as required by Article 28(3) of the GDPR according to which Personal Data may be processed by OGY. Customer warrants it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner by which OGY finds appropriate to provide the required Services.
Personnel
Without prejudice to any existing contractual arrangements between the parties, OGY shall ensure that any person that it authorises to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality.
Security
Taking into account the measures required by Article 32 of the GDPR, and the state of the art, the costs of implementation and nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, OGY shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures may be updated by OGY from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.
Customer acknowledges that the security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Customer will therefore evaluate the measures as implemented in accordance with section 4 on an on-going basis in order to maintain compliance with the requirements set forth in this section. The parties will negotiate in good faith, the cost, if any, to implement changes required by specific updated security requirements set forth in the Data Protection Legislation or by data protection authorities of competent jurisdiction.
Sub-processing
Customer authorises OGY to appoint (and permit each Sub-processor to appoint) Sub-processors in accordance with this Addendum and any restrictions in the Agreement.
Customer hereby authorises OGY to continue to use Sub-processors already engaged by OGY, as of the date of this Addendum and as listed under Annex 2 (“Authorised Sub-Processors”).
OGY shall inform Customer as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorised Sub-Processors that will Process any Customer Personal Data (“New Sub-Processor”). If, within 14 calendar days of receipt of that notice, Customer notifies OGY in writing of any objections made on reasonable grounds, to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the new Sub-processor is compliant with Article 28(4) of the GDPR.
In the absence of a resolution, OGY will make commercially reasonable efforts to provide Customer with the same level of Service described in the Agreement, without using the objected Sub-Processor to process Customer’s Personal Data.
Where Customer reasonably argues, that the risks involved with the sub-processing activities are still unacceptable, in the context of Article 28(4) and in relation to the appropriate steps, within the requisite time frame, the parties shall promptly seek to resolve the issues. Where the parties are unable to resolve the issues within such time frame, Customer’s sole remedy will be to terminate the Agreement.
With respect to each Sub-processor, OGY shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.
Data Subject Rights
Customer shall comply with requests received from Data Subjects to exercise their rights pursuant to Chapter III of the GDPR, with regard to accessing Customer’s Personal Data held by Customer.
When Customer is unable to perform according to section 6.1, and therefore requires OGY’s assistance, while taking into account the nature of the Processing, OGY shall assist Customer, upon Customer’s request and at the Customer’s cost, by using appropriate technical and organisational measures, insofar as this is possible to comply with requests to exercise Data Subject rights, under the Data Protection Legislation.
Personal Data Breach
When OGY becomes aware of an incident that has a material impact on the Processing of Personal Data that is subject to the Agreement, it shall notify Customer about the incident. OGY shall cooperate with Customer and follow Customer’s instructions with regard to such incidents, to enable Customer to perform an investigation into the incident, formulate a correct response and take suitable further steps in respect to the incident.
Where the incident is reasonably likely to require a data breach notification by Customer under the Data Protection Legislation, OGY will assist Customer with the notification process.
On the basis of such notification, where applicable Customer shall notify the Personal Data Breach to the competent Supervisory Authority in accordance with Article 33 of the GDPR and communicate such a breach to affected Data Subjects in accordance with Article 34 of the GDPR.
OGY shall, at Customer’s cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of every occurring Personal Data Breach.
Deletion or Return of Customer Personal Data
Subject to section 8.3, Customer may in its discretion by written notice to OGY within 30 calendar days of the cessation date, require OGY to (a) return a complete copy of all Customer’s Personal Data to the Customer; and (b) delete all other copies of Customer’s Personal Data Processed by any Contracted Processor. OGY shall comply with any such written request within 60 calendar days of the cessation date.
OGY shall notify the relevant Contracted Processors, processing Personal Data on its behalf, of the termination of the Addendum.
OGY and each Contracted Processor may retain Customer’s Personal Data to the extent and for such period as required by Data Protection Legislation.
Audit Rights
Subject to section 9.2 and 9.3, OGY shall make available to Customer upon a reasonable request, information which is reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR.
Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, OGY shall, at the Customer’s costs, allow for audits, including inspections, by an auditor mandated by Customer (subject to section 9.3 where auditor shall be subject to written confidentiality obligations in relation to such information) in relation to the Processing of the Customer’s Personal Data by OGY or a Contracted Processor, provided that:
Customer shall give OGY a reasonable notice of any audit or inspection to be conducted; and
Customer shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) to minimize disruption to OGY or the Contracted Processors’ business, in the course of such audit or inspection, while such audits or inspections shall be conducted during normal working hours.
OGY may object to an auditor mandated by Customer if the auditor is, in OGY’s opinion, not suitably qualified or independent, a competitor of OGY, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.
General Terms
Transfers
If the Processing of Personal Data includes transfers from the EEA to countries that do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with the below terms:
With respect to the EU transfers of Personal Data, Customer as a Data Exporter (as defined in the SCCs) and OGY on behalf of itself and each OGY Affiliate (as applicable) as a Data Importer (as defined in the SCCs) hereby enter into the Standard Contractual Clauses set out in Annex 3. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this DPA, the terms of the Standard Contractual Clauses shall take precedence.
With respect to the UK transfers of Personal Data (from the UK to other countries which have not been subject to a relevant Adequacy Decision), Customer as a Data Exporter (as defined in the SCCs) and OGY on behalf of itself and each OGY Affiliate (as applicable) as a Data Importer (as defined in the SCCs), hereby enter into the UK Standard Contractual Clauses set out in Annex 3.
Limitation of liability
Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) OGY’s (including OGY’s Affiliates’) entire, total and aggregate liability, related to personal data or information, privacy, or for breach of, this Addendum and/or Data Protection Legislation, including, without limitation, if any, any indemnification obligation or applicable law regarding data protection or privacy, shall be limited to the amounts paid to OGY under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will OGY and/or OGY affiliates and/or their third-party providers, be liable under, or otherwise in connection with this Addendum for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) the foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if OGY, OGY affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this Addendum fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
Order of Precedence
With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
Changes in Data Protection Legislation
If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.
Governing Law and Jurisdiction
This Addendum is governed by the laws of England and Wales. Any disputes arising from or in connection with this Addendum, shall be brought exclusively before the competent courts in England, to the exclusion of any other jurisdiction.
Severance
Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer’s Personal Data as required by Article 28(3) GDPR.
Subject Matter and Duration of the Processing of Customer’s Personal Data
The subject matter and duration of the Processing of Customer’s Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Customer’s Personal Data
OGY owns and develops the Wave BL IP and operates the Wave BL Network (“Wave BL”) which is a business to business network which gives Users the ability to issue, exchange and apply a Signature to Documents (including electronic bills of lading), in an encrypted, direct peer to peer transmission, while utilizing the Blockchain ledger for the management of the Chain of Possession and Chain of Title associated with these Documents, without the need for a central registry and without the Service Provider becoming a principal to any of the transactions conducted by the Users. This service is also provided by OGY via its SaaS platform (“WAVE BL SaaS Platform”) which allows OGY’s customers to access and manage their hosted account on OGY’s WAVE BL SaaS Platform. In the course of OGY’s customer’s use of the Platform, customers may upload data that contains Personal Data. OGY shall only process such data to provide its Services.
Special Categories of Personal Data to be Processed [i.e. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation]
No special category Personal Data is processed
The Categories of Data Subject to whom the Customer’s Personal Data Relates
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Customer’s customers and/or clients
Customer’s users authorized by Customer to use the Services
Employees, agents, advisors, freelancers of Customer (who are natural persons)
Prospects, clients, business partners and vendors of Customer (who are natural persons)
Employees or contact persons of Customer’s prospects, Customer, business partners and vendors
The Obligations and Rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer affiliates are set out in the Agreement and this Addendum.
The frequency of the transfer.
Continuous basis
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
As described in this Addendum (as described under Section 8) and/or the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
As detailed in Annex 2.
ANNEX 2 – LIST OF SUB-PROCESSORS
Entity Name | Sub-Processing Activities | Entity Country |
Amazon Web Services EMEA SARL | WAVE BL SaaS service is hosted in the region of Ireland on the AWS Cloud | a company incorporated in Luxemburg |
Directeam Cloud Solutions Ltd. | AWS reseller; provides, develops, and optimizes services. | a company incorporated in Israel |
ANNEX 3 – STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
a) The Standard Contractual Clauses Controller-to-Processor, will apply, with respect to restricted transfers between Customers and OGY that are subject to the EU GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and OGY (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) In Clause 13: the relevant option applicable to the Customer, as informed by Customer to OGY; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is OGY as a data processor. Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Irish supervisory authority.
f) Annex II of the Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.
UK SCCs. If the Processing of Personal Data includes transfers from the UK to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. The Parties hereby agree to execute the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as follows:
a) The UK Standard Contractual Clauses Controller-to-Processor, will apply with respect to restricted transfers between Customer and OGY that are subject to the UK GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and OGY (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of England and Wales; and (v) In Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts, as their choice of forum and jurisdiction. Which Parties may end this Addendum as set out in Section 19: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
c) Annex I.A: With respect to Module Two: Data Exporter is Customer as a data controller and the Data Importer is OGY as a data processor. Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these UK Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the UK Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the UK Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the ICO.
f) Annex II of the UK Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g) Annex III of the UK Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.