DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is incorporated by reference into Botika’s Terms of Service available at https://botika.io/legal/terms-of-service or other agreement governing the use of Botika’s services (“Agreement”) entered by and between you, the Customer (as defined in the Agreement) (collectively, “you”, “your”, “Customer”), and Botika E.Y LTD. (“Botika”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Botika solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
By using the Services, Customer accepts this DPA and you represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
1. DEFINITIONS
1.1 Definitions:
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b) “Authorized Affiliate” means any of Customer's Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and Botika but has not signed its own agreement with Botika and is not a "Customer" as defined under the Agreement.
(c) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq, and its implementing regulations, as may be amended from time to time.
(d) The terms, "Controller", "Member State", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
(e) “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Israel and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, the FADP and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Botika’s performance hereunder.
(f) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
(g) “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992.
(h) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(i) “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, to the extent such information is processed by Botika solely on behalf of Customer, under this DPA and the Agreement between Customer and Botika.
(j) “Services” means the services provided to Customer by Botika in accordance with the Agreement.
(k) “Security Documentation” means the Security Documentation applicable to the Services purchased by Customer, as updated from time to time, and made reasonably available to Customer by Botika.
(l) “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws.
(m) “Standard Contractual Clauses” means (a) where the GDPR applies, the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), or (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as issued by the Information Commissioner’s Officer under S119A(1) of the UK’s Data Protection Act 2018 and in force as of 21 March 2022 (“UK Addendum”).
(n) “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Botika.
(o) "UK GDPR" means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data solely on behalf of Customer, (i) Customer is the Controller of Personal Data, (ii) Botika is the Processor of such Personal Data. The terms “Controller” and “Processor” below hereby signify Customer and Botika, respectively.
2.2 Customer’s Processing of Personal Data. Customer, in its use of the Services, and Customer’s instructions to Botika, shall comply with Data Protection Laws. Customer shall establish and have any and all required legal bases in order to collect, Process and transfer to Botika the Personal Data, and to authorize the Processing by Botika, and for Botika’s Processing activities on Customer’s behalf.
2.3 Botika’s Processing of Personal Data. When Processing on Customer’s behalf under the Agreement, Botika shall Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing for Customer as part of its provision of the Services; (iii) Processing to comply with Customer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement, regarding the manner in which the Processing shall be performed; (iv) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; (v) Processing as required under the laws applicable to Botika, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Botika shall inform Customer of the legal requirement before Processing, unless such law or order prohibit such information on important grounds of public interest.
In the event that Customer discloses or otherwise makes available to Processor Deidentified Data (as defined by applicable Data Protection Laws), Processor shall (i) take reasonable measures to ensure such data cannot be associated with a natural person, and (ii) maintain and use such data without attempting to re-identify it. Botika shall inform Customer without undue delay if, in Botika’s opinion, an instruction for the Processing of Personal Data given by Customer infringes applicable Data Protection Laws. To the extent that Botika cannot comply with an instruction from Customer, Botika (i) shall inform Customer, providing relevant details of the issue, (ii) Botika may, without liability to Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend Customer’s access to the Services, and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Botika all the amounts owed to Botika or due before the date of termination. Customer will have no further claims against Botika (including, without limitation, requesting refunds for Services) pursuant to the termination of the Agreement and the DPA as described in this paragraph.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Botika is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
2.5 Sensitive Data. The Parties agree that the Services are not intended for the processing of Sensitive Data, and that if Customer wishes to use the Services to process Sensitive Data, it must first obtain Botika’s explicit prior written consent and enter into any additional agreements as required by Botika.
2.6 CCPA Terms. If Customer is a Business under the CCPA, and Botika Processes Personal Data hereunder that is subject to the CCPA, the terms set forth in Schedule 3 (CCPA Terms) hereto shall apply and bind the Parties with regard to such Personal Data and the Processing thereof.
3. DATA SUBJECT REQUESTS
Botika shall, to the extent legally permitted, notify Customer or refer Data Subject to Customer, if Botika receives a request from a Data Subject to exercise their rights (to the extent available to them under applicable Data Protection Laws) of access, right to rectification, restriction of Processing, erasure, data portability, objection to the Processing, their right not to be subject to automated individual decision making, or the right not to be discriminated against (“Data Subject Request”). Taking into account the nature of the Processing, Botika shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
4. CONFIDENTIALITY
Botika shall ensure that its personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Botika may engage Sub-processors to Process Personal Data on behalf of Customer; (b) Botika’s Affiliates may be engaged as Sub-processors; and (c) Botika and Botika’s Affiliates on behalf of Processor may each engage third-party Sub-processors in connection with the provision of the Platform and underlying Services.
5.2 List of Current Sub-processors and Notification of New Sub-processors.
5.2.1 The current list of Sub-processors used by Botika to process Personal Data is available at: https://botika.io/legal/sub-processors. Such Sub-processor list includes the identities of those Sub-processors, the entity’s country and type of service (“Sub-Processor List”). The Sub-Processor List is hereby deemed authorized upon first use of the Platform and underlying Services.
5.2.2 Botika shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
5.3 Objection to New Sub-processors. Customer may reasonably object to Botika’s use of a new Sub-processor, for reasonable and explained grounds relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Botika promptly in writing within seven (7) days after receipt of a Botika notification. Such written objection shall be sent to [email protected] include the reasons for objecting to Botika’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within seven (7) days following Botika’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, Botika will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Botika is unable to make available such change within thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Botika without the use of the objected-to new Sub-processor, by providing written notice to Botika. All amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Botika. Until a decision is made regarding the new Sub-processor, Botika may temporarily suspend the Processing of the affected Personal Data and/or suspend access to the Services. Customer will have no further claims against Botika due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.4 Agreements with Sub-processors. Botika commits to enter into a written agreement with each Sub-processor containing appropriate safeguards for the protection of Personal Data. Where Botika engages a Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-processor by way of a contract, in particular, obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of applicable Data Protection Laws. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Botika shall remain responsible for the performance of the Sub-processor's obligations.
6. SECURITY & AUDITS
6.1 Controls for the Protection of Personal Data. Botika shall maintain industry-standard technical and organizational measures for protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set out in the Security Documentation), as may be amended from time to time. Upon the Customer’s reasonable request, Botika will reasonably assist Customer, at Customer’s cost and subject to the provisions of Section 11.1 below, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Botika.
6.2 Audits and Inspections. Upon Customer’s 14 days prior written request at reasonable intervals (no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, Botika shall make available to Customer that is not a competitor of Botika (or Customer’s independent, reputable, third-party auditor that is not a competitor of Botika and not in conflict with Botika, subject to their confidentiality and non-compete undertakings) information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Botika’s prior written approval. Upon Botika's first request, Customer shall return all records or documentation in Customer's possession or control provided by Botika in the context of the audit and/or the inspection).
6.3 In the event of an audit or inspections as set forth above, Customer shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, minimize) any damage, injury or disruption to Botika’s premises, equipment, personnel and business while conducting such audit or inspection.
6.4 In the event that such audit or inspection uncovers unauthorized Processing of Personal Data, Customer shall have the right to, upon notice, take reasonable and appropriate steps to stop and remediate such unauthorized Processing.
6.5 The audit rights set forth in 6.2 above, shall only apply to the extent that the Agreement does not otherwise provide Customer with audit rights that meet the relevant requirements of Data Protection Laws (including, where applicable, article 28(3)(h) of the GDPR or the UK GDPR).
7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
Botika maintains security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Botika on behalf of the Customer (a “Data Incident”). Botika shall make reasonable efforts to identify and take those steps as Botika deems necessary and reasonable in order to remediate and/or mitigate the cause of such Data Incident to the extent the remediation and/or mitigation is within Botika’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or anyone who uses the Services on Customer’s behalf. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident which directly or indirectly identifies Botika (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Botika’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Customer shall provide Botika with reasonable prior written notice to provide Botika with the opportunity to object to such disclosure and in any case, Customer will limit the disclosure to the minimum scope required.
8. RETURN AND DELETION OF PERSONAL DATA
Following termination of the Agreement and subject thereto, Botika shall, at the choice of Customer (indicated through the Services, or in written notification to Botika within 60 days following termination), delete or return, at Customer’s cost, to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement, and Botika shall delete existing copies of such Personal Data unless Data Protection Laws require otherwise. To the extent authorized or required by applicable law, Botika may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
9. CROSS-BORDER DATA TRANSFERS
9.1 Transfers from the EEA, the United Kingdom and Switzerland to countries that offer adequate level of data protection. Personal Data may be transferred from EU Member States, the three other EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), the United Kingdom (“UK”) and Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
9.2 Transfers from the EEA, the United Kingdom and Switzerland to other countries. If the Processing of Personal Data includes a transfer (either directly or via onward transfer) from the EEA (“EEA Transfer”), the UK (“UK Transfer”), and/or Switzerland (“Swiss Transfer”) to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Botika for the lawful transfer of personal data (as defined in the GDPR, the UK GDPR, the FADP, as relevant) outside the EEA, the UK or Switzerland, as applicable, then (i) the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply to any such EEA Transfer; (ii) the terms set forth in part 2 of Schedule 2 (UK Cross Border Transfers) shall apply to any such UK Transfer (“UK Addendum”); (iii) the terms set forth in Part 3 of Schedule 2 (Swiss Cross Border Transfers) shall apply to any such Swiss Transfer; and (iv) the terms set forth in Part 4 of Schedule 2 (Additional Safeguards) shall apply to any such transfers.
10. AUTHORIZED AFFILIATES
10.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Customer’s obligations under this DPA, if and to the extent that Botika Processes Personal Data on the behalf of such Authorized Affiliates, thus qualifying them as the “Controller”. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
10.2 Communication. Customer shall remain responsible for coordinating all communication with Botika under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
11. OTHER PROVISIONS
11.1 Data Protection Impact Assessment and Prior Consultation. Upon Customer’s reasonable request, Botika shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Botika. Botika shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 11.1, to the extent required under the applicable Data Protection Laws.
11.2 Modifications. Each Party may by at least forty-five (45) calendar days' prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under, any Data Protection Laws, to allow Processing of Customer Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. Pursuant to such notice: (a) The Parties shall make commercially reasonable efforts to accommodate such modification requested by Customer or that Botika believes is necessary; and (b) Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Botika to protect Botika against additional risks, or to indemnify and compensate Botika for any further steps and costs associated with the variations made herein at Customer’s request. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s or Botika’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then Customer or Botika may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof). Customer will have no further claims against Botika (including, without limitation, requesting refunds for the Services) pursuant to the termination of the Agreement and the DPA as described in this Section.
SCHEDULE 1 - DETAILS OF THE PROCESSING
Nature and Purpose of Processing
1. Providing the Services to Customer;
2. Performing the Agreement, this DPA and/or other contracts executed by the Parties;
3. Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;
4. Complying with applicable laws and regulations;
5. All tasks related with any of the above.
Duration of Processing
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Botika will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Types of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.
· Any personal information contained in photos uploaded to the Services, which may depict individuals
Categories of Data Subjects
Customer may submit Personal Data to the Services which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
· Individuals appearing in uploaded photos
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Cross Border Transfers
1. The parties agree that the terms of the EU SCCs are hereby incorporated by reference and shall apply to an EEA Transfer.
2. Module Two (Controller to Processor) of the EU SCCs shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and Botika is the data processor of the Personal Data.
3. Clause 7 of the EU SCCs (Docking Clause) shall not apply.
4. Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the EU SCCs shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 5.3 of the DPA.
5. In Clause 11 of the EU SCCs, the optional language will not apply.
6. In Clause 17 of the EU SCCs, Option 1 shall apply, and the Parties agree that the EU SCCs shall be governed by the laws of the Republic of Ireland.
7. In Clause 18(b) of the EU SCCs, disputes will be resolved before the courts of the Republic of Ireland.
8. Annex I.A of the EU SCCs shall be completed as follows:
Data Exporter: Customer.
Contact details: As detailed in the Agreement.
Data Exporter Role: The Data Exporter is a data controller.
Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Botika E.Y LTD.
Contact details: As detailed in the Agreement.
Data Importer Role: The Data Importer is a data processor.
Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these EU SCCs, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
9. Annex I.B of the EU SCCs shall be completed as follows:
The categories of data subjects are described in Schedule 1 (Details of Processing) of this DPA.
The categories of personal data are described in Schedule 1 (Details of Processing) of this DPA.
The Parties do not intend for Sensitive Data to be transferred.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in Schedule 1 (Details of Processing) of this DPA.
The purpose of the processing is described in Schedule 1 (Details of Processing) of this DPA.
The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Schedule 1 of the DPA.
10. Annex I.C of the EU SCCs shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 6 above.
11. The Security Documentation referred to in the DPA serves as Annex II of the Standard Contractual Clauses.
12. To the extent there is any conflict between the EU SCCs and any other terms in this DPA or the Agreement, the provisions of the EU SCCs will prevail.
PART 2 – UK Cross Border Transfers
The Parties agree that the UK Addendum is hereby incorporated by reference and shall apply to UK Transfers as set forth in this Part 2, together with the EU SCCs as set forth in Part 1 of this Schedule 2.
1. Table 1: The Parties: as stipulated in Section 8 of Part 1 of this Schedule 2.
Table 2: Selected SCCs, Modules and Selected Clauses: as stipulated in Part 1 of this Schedule 2.
Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the Standard Contractual Clauses (other than the Parties), and which for this Part 2 is set out in Part 1 to this Schedule 2.
Table 4: Ending this Addendum when the Approved Addendum Changes: Either Party may end the UK Addendum incorporated herein in the manner set out in Section 19 thereto.
2. The Alternative Part 2 Mandatory Clauses of the UK Addendum shall apply, as follows:
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commission Office (ICO) and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those mandatory clauses.
Part 3 – Swiss Cross Border Transfers
The Parties agree that the EU SCCs as detailed in Part 1 of this Schedule 2, shall be adjusted as set out below where the FADP applies to Swiss Transfers:
1. References to the Standard Contractual Clauses mean the EU SCCs as amended by this Part 3;
2. The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Transfers exclusively subject to the FADP;
3. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the Standard Contractual Clauses shall be interpreted to include the FADP with respect to Swiss Transfers;
4. References to Regulation (EU) 2018/1725 are removed;
5. Swiss Transfers subject to both the FADP and the GDPR, shall be dealt with by the Swiss Federal Data Protection and Information Commissioner insofar as the Swiss Transfer is governed by the FADP, and by the EU Supervisory Authority named in Part 1 of this Schedule 2, insofar as the Swiss Transfer is governed by the GDPR;
6. References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
7. Where Swiss Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP;
8. Where Swiss Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP insofar as the Swiss Transfers are subject to the FADP.
Part 4 – Additional Safeguards
1. In the event of an EEA Transfer, a UK Transfer or a Swiss Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
a. The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
b. The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
c. If the Processor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
I. The Processor shall inform the relevant government authority that the Processor is a processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing;
II. The Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data that is under the Processor’s control. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (c)(II) shall not apply. In such event, the Processor shall notify the Controller, as soon as possible, following the access by the government authority, and provide the Controller with relevant details of the same, unless and to the extent legally prohibited to do so.
2. Once in every 12-month period, the Processor will inform the Controller, at the Controller’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.
SCHEDULE 3 – CCPA TERMS
1. SCOPE, APPLICATION & INTERPRETATION
1.1 This Schedule 3 shall apply and bind the Parties if and to the extent that (i) Customer is a Business under the CCPA, and (ii) Botika Processes Personal Information (as defined below) that is subject to the CCPA in the course of providing the Services to Customer pursuant to the Agreement.
1.2 This Schedule 3 prevails over any conflicting terms of the Agreement or the DPA but does not otherwise modify the Agreement or the DPA.
1.3 This Schedule 3 shall be interpreted in favor of the Parties’ intent to comply with the CCPA, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA.
1.4 Capitalized terms not specifically defined herein shall have the meanings ascribed to them in the DPA, as amended by this Schedule 3.
2. DEFINITIONS
For the purposes of this Schedule 3:
2.1 The terms “Business”, “Collects” (and “collected” and “collection”), “Consumer”, “Business Purpose”, “Sell” (and “selling”, “sale”, and “sold”), “Share” (and “shared”, or “sharing”), and “Service Provider” shall each have the same meaning as in the CCPA.
2.2 "Personal Information" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable Consumer or household of a Consumer, which is processed by Botika solely on behalf of Customer under this Schedule 3 and the Agreement.
3. PROCESSING OF PERSONAL INFORMATION
3.1 Customer hereby appoints Botika as a Service Provider to Process Personal Information on behalf of Customer. Customer, in its use of the Services, and Customer’s instructions to Botika, shall comply with the CCPA. Customer represents and warrants that it has provided notice consistent with Section 1798.130 of the CCPA, and has obtained consents to the extent required under the CCPA for Botika to lawfully Collect and Process the Personal Information in pursuit of the Permitted Purposes (as defined in Section 3.2 below).
3.2 Botika shall Process Personal Information solely for the purposes set forth in Section 2.3 of the DPA and as necessary to comply with this Schedule 3 and the CCPA. For the avoidance of doubt, such Processing shall include the pursuit of Business Purposes, including providing Customer with Botika’s AI fashion model generator platform (collectively: the "Permitted Purposes").
3.3 Sections 3-8, 10 and 11.2 of the DPA shall apply to the Processing of Personal Information and the following terms shall be replaced as follows: "Data Protection Laws" shall mean the CCPA; “DPA” shall mean this Schedule 3; "Personal Data" shall mean "Personal Information"; “Data Subject” shall mean “Consumer”; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and Sub-processor shall refer to the concept of a Subcontractor engaged by Botika to Process Personal Information.
3.4 Botika shall Process Personal Information in accordance with the provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required by the CCPA. Botika certifies that it understands the rules, requirements, and definitions of the CCPA and this Schedule 3, and shall comply with them.
3.5 Botika acknowledges and confirms that it does not receive nor process any Personal Information as consideration for any services or other items that Botika provides to Customer under the Agreement. Botika agrees to refrain from Selling and/or Sharing any Personal Information Processed hereunder without Customer’s prior written consent, nor taking any action that would cause any transfer of Personal Information to or from Botika under the Agreement or this Schedule 3 to qualify as Selling and/or Sharing such Personal Information. Botika shall not have, derive, or exercise any rights or benefits regarding the Personal Information, and shall not retain, use, or disclose any Personal Information (i) for any purpose other than the Permitted Purposes, and/or (ii) outside of the direct business relationship between the Parties.
3.6 Botika shall not combine Personal Information with any other data if and to the extent that this would be inconsistent with the limitations on Service Providers under the CCPA.
3.7 If Botika receives any Personal Information in Deidentified form, Botika shall take reasonable measures to ensure that such Deidentified Personal Information cannot be associated with a Consumer or household.
3.8 Botika shall notify Customer if Botika makes a determination that it can no longer meet its obligations under this Schedule 3 and/or the CCPA.