Data Privacy & Security Addendum (DPSA)

Clear guidelines to ensure fair, safe, and effective use of our services.

1. Authorisation to Process Customer Personal Data

1.1 The parties acknowledge that in the performance of its obligations under the Terms of Service, ChatDaddy may Process Customer Personal Data in connection with Customer's storage of, access to and Processing of Customer Data as part of providing the Services. The purpose of this DPSA is to set out the respective obligations of the parties in relation to such Processing.


1.2 Each party warrants to the other that it will comply with all Data Protection Laws applicable to it in relation to the Customer Personal Data.

2. Controller and Processor

2.1 ChatDaddy and the Customer acknowledge that the Customer is the Controller and ChatDaddy is the Processor in respect of the Customer Personal Data.

3. Customer Instructions

3.1 The parties agree that this DPSA and the Terms of Service (including the provision of instructions via configuration tools such as the ChatDaddy mobile application and other APIs and functionalities made available by ChatDaddy for the Services) constitute the Customer’s documented instructions regarding ChatDaddy’s Processing Customer Personal Data (“Documented Instructions”).


3.2 ChatDaddy will Process the Customer Personal Data only for the purpose of the Terms of Service, in accordance with the Customer’s Documented Instructions, and will notify the Customer promptly if it is unable to comply with this DPSA or any of the Terms. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between ChatDaddy and the Customer.


3.3 ChatDaddy shall notify the Customer if, in its opinion, an instruction of Customer infringes the Data Protection Laws.

4. Return or Deletion of Customer Personal Data

4.1 ChatDaddy will enable the Customer to delete and retrieve Customer Personal Data in its possession during the Subscription Term in a manner consistent with the functionality of the Services, unless it is prohibited from doing so by Applicable Laws. Alternatively, ChatDaddy will delete Customer Personal Data at the written request of the Customer.


4.2 Up to the termination of the Subscription Term or the Terms of Service, the Customer will continue to have the ability to retrieve or delete Customer Personal Data in accordance with this clause. For 90 days following the termination of the Subscription Term or the Terms of Service, the Customer may retrieve or delete any remaining Customer Personal Data from the Services, subject to the terms and conditions set out in the Terms, unless prohibited by the Applicable Laws.

5. Data Incident Notification

5.1 ChatDaddy will, promptly and without undue delay, notify the Customer upon becoming aware of any Data Incident, and promptly take reasonable steps to minimise harm and secure the Customer Personal Data.


5.2 To assist the Customer in relation to any personal data breach notifications the Customer is required to make under the Applicable Laws, ChatDaddy will describe, to the extent possible, such information about the Data Incident as ChatDaddy is reasonably able to disclose to the Customer, taking into account the nature of the Services, the information available to ChatDaddy, and any restrictions on disclosing the information, such as confidentiality.


5.3 The Customer agrees that: (i) an unsuccessful Data Incident will not be subject to this Clause 5. An unsuccessful Data Incident is one that results in no unauthorised access to Customer Personal Data or to any of ChatDaddy’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.


5.4 Notwithstanding the foregoing, the Customer acknowledges and agrees that (1) ChatDaddy is under no obligation to assess the Customer Personal Data in order to identify information subject to any specific legal requirements; (2) ChatDaddy’s notification of or response to a Data Incident shall not be construed as an acknowledgement by ChatDaddy of any fault or liability with respect to the Data Incident.


5.5 Without prejudice to ChatDaddy’s obligations under Clause 5.3 and elsewhere in this DPSA, the Customer shall be responsible for its use of the Services and its storage of any copies of Customer Personal Data outside ChatDaddy’s system or its Sub-processors’ systems, including:


(a) using the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data;


(b) securing the account authentication credentials, systems and devices the Customer uses to access or use the Services; and


(c) backing up its Customer Personal Data as appropriate.


5.6 If the Customer becomes aware of any actual or suspected Data Incident relating to the Terms of Service, Customer shall:


(a) take reasonable steps to carry out, within 30 days, an assessment to determine whether the Data Incident is notifiable under the Data Protection Laws and promptly notify ChatDaddy in writing of the results of the assessment;


(b) if Customer notifies ChatDaddy that it considers the Data Incident to be notifiable under the Data Protection Laws:

(i) Customer shall prepare a draft of any notification statements in respect of the Data Incident required under the Data Protection Laws (“Notification Statements”) and provide the draft Notification Statements to ChatDaddy for approval prior to disclosure to the applicable data protection regulators, Data Subjects or any other person;


(ii) ChatDaddy shall provide Customer with notice in writing:


(x) of any changes that ChatDaddy reasonably requires to the draft Notification Statement and Customer shall incorporate all such changes into the draft Notification Statement; or (y) that ChatDaddy approves the draft Notification Statement; and


(c) following ChatDaddy’s approval of a draft Notification Statement, Customer must provide a copy of the approved Notification Statement to the applicable data protection regulators, Data Subjects and any other person as required under the Data Protection Laws; and


(d) not, and must ensure that the third parties appointed by ChatDaddy and their respective personnel do not, make any public statement or disclosure relating to any suspected or actual Data Incident without the prior written consent of ChatDaddy.

6. Confidentiality Obligations of ChatDaddy Personnel

6.1 ChatDaddy shall ensure that the Customer Personal Data is accessible only to the duly authorized persons engaged by ChatDaddy and, subject to Clause 9, accessible only to its Sub-Processors and the personnel of such Sub-Processors who are duly authorized and who need to have access to the Customer Personal Data in order to perform ChatDaddy's obligations under the Terms of Service.


6.2 ChatDaddy shall also ensure that the personnel engaged and duly authorized by it to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that the same obligations for data protection under this DPSA and the Customer's instructions are complied with by such persons, taking into account the nature of the Processing.

7. Data Security

7.1 ChatDaddy shall implement and maintain appropriate technical and organisational security measures against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The security measures include:


(i) the pseudonymisation and encryption of Customer Personal Data;


(ii) ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and service;


(iii) restoring the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and


(iv) regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

8. Data Subject Rights

8.1 During the Subscription Term, if ChatDaddy receives a request from a Data Subject in relation to Customer Personal Data, and the request identifies the Customer, ChatDaddy shall use commercially reasonable efforts to advise the Data Subject to submit their request to the Customer. The Customer shall be responsible for responding to any such request, including where necessary, by using the functionality of the Services.


8.2 Taking into account the nature of the Processing and the Services, ChatDaddy will use commercially reasonable efforts to assist Customer by appropriate technical and organisational measures, insofar as this is practicable, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Laws.

9. Appointment of Sub-Processors

9.1 The Customer agrees that ChatDaddy may authorise any Sub-Processor to Process the Customer Personal Data on its behalf provided that, where (and to the extent) required by Data Protection Laws, ChatDaddy enters into a written agreement with the Sub-Processor containing terms which are substantially the same as those contained in this DPSA. The Customer hereby grants ChatDaddy general written authorisation to engage Sub-Processors, subject to the requirements of this Clause 9.


9.2 ChatDaddy shall, to the extent the Customer Personal Data Processed is EU Customer Personal Data or where the laws of any other jurisdiction require such notification, inform Customer by email of any intended changes concerning the addition or replacement of the Sub-Processors. In such a case, the Customer will have fourteen (14) days from the date of receipt of the notice to approve or reject the change. In the event of no response from the Customer, the Sub-Processor will be deemed accepted. If the Customer rejects the replacement sub-processor, ChatDaddy may terminate the Terms of Service with immediate effect on written notice to the Customer.


9.3 In the event that ChatDaddy engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, where that Sub-Processor fails to fulfil its data protection obligations, ChatDaddy will remain fully liable under the Data Protection Laws to Customer for the performance of that Sub-Processor's obligations.

10. Customer’s Representations, Warranties and Undertakings

10.1 The Customer represents, warrants and undertakes to ChatDaddy that throughout the Term:


(a) the Customer Personal Data has been and will be collected in accordance with the Data Protection Laws;


(b) all instructions from the Customer to ChatDaddy will comply with the Data Protection Laws;

(c) the transfer of the Customer Personal Data to ChatDaddy, and (to the extent that ChatDaddy acts as a data processor in respect of such Customer Personal Data) the Processing of the Customer Personal Data by ChatDaddy as instructed by Customer or (to the extent that ChatDaddy acts as a data controller in respect of such Customer Personal Data) the receipt and use of Customer Personal Data by ChatDaddy, and Processing and use of Customer Personal Data as set out in this DPSA, is consented to by the relevant Data Subjects (where required by law) and otherwise permitted by and in accordance with the Data Protection Laws; and


(d) it is satisfied that:


(i) ChatDaddy’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage ChatDaddy to process the Protected Data; and


(ii) ChatDaddy has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.


10.2 The Customer agrees that it will indemnify and hold harmless ChatDaddy on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by ChatDaddy arising directly or indirectly from a breach of this clause.


10.3 Where ChatDaddy faces an actual or potential claim arising out of or related to any breach of Data Protection Laws relating to Customer Personal Data processed pursuant to this DPSA, the Customer will promptly provide all materials and information reasonably requested by ChatDaddy that is relevant to the defense of such claim.

11. Transfers of Customer Personal Data

11.1 ChatDaddy may store and Process Customer Personal Data anywhere ChatDaddy or its Sub-processors maintain facilities, subject to Clause 11.2 and Clause 12 with respect to the Controller-Processor Transfer Clauses.


11.2 If the storage and/or Processing of Customer Personal Data involves transfer of EU Customer Personal Data outside the EEA, either directly or via onward transfer, to any Third Country, the Controller-Processor Transfer Clauses will apply. The Controller-Processor Transfer Clauses will not apply to Customer Personal Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Controller-Processor Transfer Clauses shall not apply if ChatDaddy has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.

12. Jurisdiction-specific Requirements

A. Europe


(a) ChatDaddy agrees that it will not Process EU Customer Personal Data in a Third Country except where ChatDaddy complies with the data importer’s obligations set out in the Controller-Processor Transfer Clauses.


(b) To the extent of any conflict between the Controller-Processor Transfer Clauses and the rest of this DPSA, the Controller-Processor Transfer Clauses will prevail in relation to any EU Customer Personal Data.


(c) For the purposes of the Controller-Processor Transfer Clauses, the following additional provisions will apply:


(i) the parties agree to observe the Controller-Processor Transfer Clauses without modification;


(ii) the names and addresses of Customer and ChatDaddy will be considered to be incorporated into the Controller-Processor Transfer Clauses and for the purposes of the Controller-Processor Transfer Clauses;


(iii) Customer is the data exporter and ChatDaddy is the data importer as defined in the Controller-Processor Transfer Clauses; and


(iv) each party’s signature to this DPSA will be considered a signature to the terms contained in the Controller-Processor Transfer Clauses.


(d) If so required by the laws or regulatory procedures of any jurisdiction, the parties will execute or re-execute the clauses contained in the Controller-Processor Transfer Clauses as a separate document setting out the proposed transfers of Customer Personal Data in such manner as may be required.


B. California


(a) In addition to ChatDaddy’s other obligations as set out elsewhere in this Terms of Service, where applicable for the purposes of the CCPA, ChatDaddy shall act as a “service provider” for Customer, pursuant to which the parties agree that all such Personal Information is disclosed to ChatDaddy for one or more business purpose(s) and its use or sharing by Customer with ChatDaddy is necessary to perform such business purpose(s).


(b) ChatDaddy agrees that it: (a) is prohibited from retaining, using, or disclosing Personal Information for any purpose other than for the specific purpose of performing the services specified in the Terms of Service for Customer, including, without limitation, from retaining, using, or disclosing such Personal Information for a commercial purpose other than providing the services specified in the Terms of Service.


(c) ChatDaddy will not further collect, sell, or use Personal Information except as necessary to perform the business purpose(s).


(d) For the purposes of this clause 12B, “personal information,” “service provider,” “business purpose,” “commercial purpose,” “collects,” and “sell” shall have the meanings given to them in the CCPA.


C. Macau


(a) The appointment of ChatDaddy as Processor, as well as the appointment of sub-processors where (and to the extent) permitted in this DPSA, shall be notified by the Customer to the local data protection office (GPDP - Gabinete para a Protecção de Dados Pessoais).


(b) ChatDaddy shall have the right to reasonably request that the Customer provide evidence of compliance with an instruction under the relevant Macau data protection laws, including such notification under (a) above.

(c) Customer shall expressly inform ChatDaddy, in writing, in case of processing of sensitive data, as defined in article 7 of the Macau Data Protection Law (Law n. 8/2005), and shall ensure compliance with the particular requirements provided for under Macau data protection law for the processing of such data.

Technical and Organizational Security Measures

We have implemented a comprehensive privacy and security programme for the purpose of protecting your Customer Data. This program includes the following:


1. Data security. We have designed and implemented the following measures to protect customer's data against unauthorized access:


(a) standards for data categorization and classification;


(b) a set of authentication and access control capabilities at the physical, network, system and application levels; and


(c) a mechanism for detecting big data-based abnormal behavior.


2. Network security. We implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.


3. Physical and environmental security. Stringent infrastructure and environment access controls have been implemented for ChatDaddy Cloud's data centers based on relevant regional security requirements. An access control matrix is established, based on the types of data center personnel and their respective access privileges, to ensure effective management and control of access and operations by data center personnel.


4. Incident management. We operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.