This Data Privacy and Security Addendum (“DPSA”) supplements the Terms of Service or such other agreement entered into between the Customer and ChatDaddy governing the Customer’s use of Services provided by ChatDaddy. This DPSA governs the Processing of Customer Personal Data. Customer Personal Data that is Administrative Information is Processed in accordance with the ChatDaddy’s Privacy Policy and this DPSA shall not apply to the Processing of Administrative Information. This Addendum including its appendices shall be deemed to have been accepted by the Customer on and shall take effect from the date on which the Customer accepted or otherwise agreed to the Terms of Service (“Terms”). In the event of any conflict or inconsistency between the Terms of Service and this DPSA, this DPSA will prevail. This DPSA shall continue in force until the termination of the Terms of Service.
Unless stated otherwise the following terms will have the meanings ascribed to them below. Capitalised terms used in this DPSA but not defined below will have the meaning ascribed to them in the Terms of Service.
“Administrative Information” refers to personal information that Customer provides to ChatDaddy to set up and manage Customer’s account for the Services, and any personal information generated in connection with Customer’s use of the Services;
“ChatDaddy Privacy Policy” refers to the policy located at Privacy Policy as updated by ChatDaddy and notified to Customer from time to time;
“ChatDaddy Security Policy” refers to such reasonable and appropriate technical and organisational measures determined by ChatDaddy from time to time, to protect Customer Personal Data against unauthorised or accidental access, Processing, erasure, loss or use. The details of the ChatDaddy Security Policy are set out in Annex 1;
“Customer” refers to the entity or person that has agreed to the Terms of Service. For the purposes of this DPSA (including its attachments), a reference to “Customer” shall, in the case of an agreement with an individual that is not acting on behalf of a Customer, be deemed to be a reference to that individual;
“Customer Data” has the meaning given to it in the Terms of Service or, if no such meaning is given, refers to any data, including personal information, that Customer submits, uploads, transmits or displays using the services provided by ChatDaddy;
“Customer Personal Data” refers to the personal data contained within the Customer Data. For the purpose of this PDSA, “personal data” refers to any information relating to an identified or identifiable natural person, including ‘personal information’ as those terms are defined in the Data Protection Laws;
“Controller” refers to a person who either alone or jointly in common with one or more other persons controls the collection, holding, processing or use of Customer Personal Data;
“Controller-Processor Transfer Clauses” refers to the Standard Contractual Clauses (Controller to Processor) as set out in the Commission Decision of 5 February 2010 (C(2010) 593);
“Data Incident” refers to a breach of ChatDaddy’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data that is Processed by ChatDaddy in connection with Terms of Service;
“Data Protection Laws” refers to the data protection law(s) applicable in respect of the collection, storage, processing, transfer, disclosure, and use of any Customer Personal Data which apply from time to time to the person or activity in the circumstances in question, including the California Civil Code sections 1798.100 – 1798.199 (2020), the California Consumer Privacy Act (“the CCPA”), the Directive, the e-Privacy Directive, the GDPR and the Personal Data (Privacy) Ordinance (Cap.486)(“PDPO”);
“Data Subject” shall mean (1) “Data Subject” as the term is defined in the GDPR; (2) “Consumer” as the term is defined in the CCPA; or (3) any other individual who is the subject of Customer Personal Data;
“Directive” refers to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Customer Personal Data and on the free movement of such data;
e-Privacy Directive” refers to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Customer Personal Data and the protection of privacy in the electronic communications sector;
“EEA” refers to the European Economic Area;
“EU Customer Personal Data” refers to Customer Personal Data of a Data Subject that is located in the EEA;
“GDPR” refers to Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Customer Personal Data and on the free movement of such data;
“Processing” refers to performing any operation or set of operations on Customer Personal Data, including any collection, use, storage or disclosure, or as otherwise defined in the relevant Data Protection Laws;
“Processor” refers to a person who Processes Customer Personal Data on behalf of one or more Controller(s);
“Services” refers to the Services provided by ChatDaddy, as specified in the Terms of Service;
“Sub-Processor” refers to any third party appointed from time to time by ChatDaddy to Process Customer Personal Data on its behalf in accordance with clause 7.4;
“Supervisory Authority” refers to a regulatory authority having competent jurisdiction in respect of a Data Protection Law;
“Terms of Service” refers to the Terms of Service and
“Third Countries” refers to all countries outside of the scope of the data protection laws of the European Economic Area (the “EEA”), excluding countries approved as providing adequate protection for Customer Personal Data by the European Commission from time to time, which at the date of this DPSA include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
1.1 The parties acknowledge that in the performance of its obligations under the Terms of Service, ChatDaddy may Process Customer Personal Data in connection with Customer's storage of, access to and Processing of Customer Data as part of providing the Services. The purpose of this DPSA is to set out the respective obligations of the parties in relation to such Processing.
1.2 Each party warrants to the other that it will comply with all Data Protection Laws applicable to it in relation to the Customer Personal Data.
2.1 ChatDaddy and the Customer acknowledge that the Customer is the Controller and ChatDaddy is the Processor in respect of the Customer Personal Data.
3.1 The parties agree that this DPSA and the Terms of Service (including the provision of instructions via configuration tools such as the ChatDaddy mobile application and other APIs and functionalities made available by ChatDady for the Services) constitute the Customer’s documented instructions regarding ChatDaddy’s Processing Customer Personal Data (“Documented Instructions”).
3.2 ChatDaddy will Process the Customer Personal Data only for the purpose of the Terms of Service, in accordance with the Customer’s Documented Instructions, and will notify the Customer promptly if it is unable to comply with this DPSA or any of the Terms. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between ChatDaddy and the Customer.
3.3 ChatDaddy shall notify the Customer if, in its opinion, an instruction of Customer infringes the Data Protection Laws.
4.1 ChatDaddy will enable the Customer to delete and retrieve Customer Personal Data in its possession during the Subscription Term in a manner consistent with the functionality of the Services, unless it is prohibited from doing so by Applicable Laws. Alternative, CHatDaddy will delete Customer Personal Data at the written request of the Customer.
4.2 Up to the termination of the Subscription Term or the Terms of Service, the Customer will continue to have the ability to retrieve or delete Customer Personal Data in accordance with this clause. For 90 days following the termination of the Subscription Term or the Terms of Service, the Customer may retrieve or delete any remaining Customer Personal Data from the Services, subject to the terms and conditions set out in the Terms, unless prohibited by the Applicable Laws.
5.1 ChatDaddy will, promptly and without undue delay, notify the Customer, upon becoming aware of any Data Incident, and promptly take reasonable steps to minimise harm and secure the Customer Personal Data;
5.2 To assist the Customer in relation to any personal data breach notifications the Customer is required to make under the Applicable Laws, ChatDaddy will describe, to the extent possible, such information about the Data Incident as ChatDaddy is reasonable able to disclose to the Customer, taking into account the nature of the Services, the information available to ChatDaddy, and any restrictions on disclosing the information, such as confidentiality.
5.3 The Customer agrees that: (i) an unsuccessful Data Incident will not be subject to this Clause 5. An unsuccessful Data Incident is one that results in no unauthorised access to Customer Personal Data or to any of ChatDaddy’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.
5.4 Notwithstanding the foregoing, the Customer acknowledges and agrees that (1) ChatDaddy is under no obligation to assess the Customer Personal Data in order to identify information subject to any specific legal requirements; (2) ChatDaddy’s notification of or response to a Data Incident shall not be construed as an acknowledgement by ChatDaddy of any fault or liability with respect to the Data Incident.
5.5 Without prejudice to ChatDaddy’s obligations under Clause 5.3 and elsewhere in this DPSA, the Customer shall be is responsible for its use of the Services and its storage of any copies of Customer Personal Data outside ChatDaddy’s system or its Sub-processors’ systems, including:
(a) using the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data;
(b) securing the account authentication credentials, systems and devices the Customer uses to access or use the Services; and
(c) backing up its Customer Personal Data as appropriate.
5.6 If the Customer becomes aware of any actual or suspected Data Incident relating to the Terms of Service, Customer shall:
(a) take reasonable steps to carry out, within 30 days, an assessment to determine whether the Data Incident is notifiable under the Data Protection Laws and promptly notify ChatDaddy in writing of the results of the assessment;
(b) if Customer notifies ChatDaddy that it considers the Data Incident to be notifiable under the Data Protection Laws:
(i) Customer shall prepare a draft of any notification statements in respect of the Data Incident required under the Data Protection Laws (“Notification Statements”) and provide the draft Notification Statements to ChatDaddy for approval prior to disclosure to the applicable data protection regulators, Data Subjects or any other person;
(ii) ChatDaddy shall provide Customer with notice in writing:
(x) of any changes that ChatDaddy reasonably requires to the draft Notification Statement and Customer shall incorporate all such changes into the draft Notification Statement; or
(y) that ChatDaddy approves the draft Notification Statement; and
(c) following ChatDaddy’s approval of a draft Notification Statement, Customer must provide a copy of the approved Notification Statement to the applicable data protection regulators, Data Subjects and any other person as required under the Data Protection Laws; and
(d) not, and must ensure that the third parties appointed by ChatDaddy and their respective personnel do not, make any public statement or disclosure relating to any suspected or actual Data Incident without the prior written consent of ChatDaddy.
6.1 ChatDaddy shall ensure that the Customer Personal Data is accessible only to the duly authorized persons engaged by ChatDaddy and, subject to Clause 9, accessible only to its Sub-Processors and the personnel of such Sub-Processors who are duly authorized and who need to have access to the Customer Personal Data in order to perform ChatDaddy's obligations under the Terms of Service.
6.2 ChatDaddy shall also ensure that the personnel engaged and duly authorized by it to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that the same obligations for data protection under this DPSA and the Customer's instructions are complied with by such persons, taking into account the nature of the Processing.
7.1 ChatDaddy shall implement and maintain appropriate technical and organisational security measures against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The security measures include
(i) the pseudonymisation and encryption of Customer Personal Data;
(ii) ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and service;
(iii) restoring the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
(iv) regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
8.1 During the Subscription Term, if ChatDaddy receives a request from a Data Subject in relation to Customer Personal Data, and the request identifies the Customer, ChatDaddy shall use commercially reasonable efforts to advise the Data Subject to submit their request to the Customer. The Customer shall be responsible for responding to any such request, including where necessary, by using the functionality of the Services.
8.2 Taking into account the nature of the Processing and the Services, ChatDaddy will use commercially reasonable efforts to assist Customer by appropriate technical and organisational measures, insofar as this is practicable, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Laws.
9.1 The Customer agrees that ChatDaddy may authorise any Sub-Processor to Process the Customer Personal Data on its behalf provided that, where (and to the extent) required by Data Protection Laws, ChatDaddy enters into a written agreement with the Sub-Processor containing terms which are substantially the same as those contained in this DPSA. The Customer hereby grants ChatDaddy general written authorisation to engage Sub-Processors, subject to the requirements of this Clause 9.
9.2 ChatDaddy shall, to the extent the Customer Personal Data Processed is EU Customer Personal Data or where the laws of any other jurisdiction require such notification, inform Customer by email of any intended changes concerning the addition or replacement of the Sub-Processors. In such a case, the Customer will have fourteen (14) days from the date of receipt of the notice to approve or reject the change. In the event of no response from the Customer, the Sub-Processor will be deemed accepted. If the Customer rejects the replacement sub-processor, ChatDaddy may terminate the Terms of Service with immediate effect on written notice to the Customer.
9.3 In the event that ChatDaddy engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, where that Sub-Processor fails to fulfil its data protection obligations, ChatDaddy will remain fully liable under the Data Protection Laws to Customer for the performance of that Sub-Processor's obligations.
10.1 The Customer represents, warrants and undertakes to ChatDaddy that throughout the Term that:
(a) the Customer Personal Data has been and will be collected in accordance with the Data Protection Laws;
(b) all instructions from the Customer to ChatDaddy will comply with the Data Protection Laws;
(c) the transfer of the Customer Personal Data to ChatDaddy, and (to the extent that ChatDaddy acts as a data processor in respect of such Customer Personal Data) the Processing of the Customer Personal Data by ChatDaddy as instructed by Customer or (to the extent that ChatDaddy acts as a data controller in respect of such Customer Personal Data) the receipt and use of Customer Personal Data by ChatDaddy, and Processing and use of Customer Personal Data as set out in this DPSA, is consented to by the relevant Data Subjects (where required by law) and otherwise permitted by and in accordance with the Data Protection Laws; and
(d) it is satisfied that:
(i) ChatDaddy’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage ChatDaddy to process the Protected Data; and
(ii) ChatDaddy has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
10.2 The Customer agrees that it will indemnify and hold harmless ChatDaddy on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by ChatDaddy arising directly or indirectly from a breach of this clause.
10.3 Where ChatDaddy faces an actual or potential claim arising out of or related to any breach of Data Protection Laws relating to Customer Personal Data processed pursuant to this DPSA, the Customer will promptly provide all materials and information reasonably requested by ChatDaddy that is relevant to the defense of such claim.
11.1 ChatDaddy may store and Process Customer Personal Data anywhere ChatDaddy or its Sub-processors maintain facilities, subject to Clause 11.2 and Clause 12 with respect to the Controller-Processor Transfer Clauses.
11.2 If the shortage and/or Processing of Customer Personal Data involves transfer of EU Customer Personal Data outside the EEA, either directly or via onward transfer, to any Third Country, the Controller-Processor Transfer Clauses will apply. The Controller-Processor Transfer Clauses will not apply to Customer Personal Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Controller-Processor transfer Clauses shall not apply if ChatDaddy has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.
A. Europe
(a) ChatDaddy agrees that it will not Process EU Customer Personal Data in a Third Country except where ChatDaddy complies with the data importer’s obligations set out in the Controller-Processor Transfer Clauses.
(b) To the extent of any conflict between the Controller-Processor Transfer Clauses and the rest of this DPSA, the Controller-Processor Transfer Clauses will prevail in relation to any EU Customer Personal Data.
(c) For the purposes of the Controller-Processor Transfer Clauses, the following additional provisions will apply:
(i) the parties agree to observe the Controller-Processor Transfer Clauses without modification;
(ii) the names and addresses of Customer and ChatDaddy will be considered to be incorporated into the Controller-Processor Transfer Clauses and for the purposes of the Controller-Processor Transfer Clauses;
(iii) Customer is the data exporter and ChatDaddy is the data importer as defined in the Controller-Processor Transfer Clauses; and
(iv) each party’s signature to this DPSA will be considered a signature to the terms contained in the Controller-Processor Transfer Clauses.
(d) If so required by the laws or regulatory procedures of any jurisdiction, the parties will execute or re-execute the clauses contained in the Controller-Processor Transfer Clauses as a separate document setting out the proposed transfers of Customer Personal Data in such manner as may be required.
B. California
(a) In addition to ChatDaddy’s other obligations as set out elsewhere in this Terms of Service, where applicable for the purposes of the CCPA, ChatDaddy shall act as a “service provider” for Customer, pursuant to which the parties agree that all such Personal Information is disclosed to ChatDaddy for one or more business purpose(s) and its use or sharing by Customer with ChatDaddy is necessary to perform such business purpose(s).
(b) ChatDaddy agrees that it: (a) is prohibited from retaining, using, or disclosing Personal Information for any purpose other than for the specific purpose of performing the services specified in the Terms of Service for Customer, including, without limitation, from retaining, using, or disclosing such Personal Information for a commercial purpose other than providing the services specified in the Terms of Service.
(c) ChatDaddy will not further collect, sell, or use Personal Information except as necessary to perform the business purpose(s).
(d) For the purposes of this clause 12B, “personal information,” “service provider,” “business purpose,” “commercial purpose,” “collects,” and “sell” shall have the meanings given to them in the CCPA.
C. Macau
(a) The appointment of ChatDaddy as Processor, as well as the appointment of sub-processors where (and to the extent) permitted in this DPSA, shall be notified by the Customer to the local data protection office (GPDP - Gabinete para a Protecção de Dados Pessoais).
(b) ChatDaddy shall have the right to reasonably request the Customer provide evidence of compliance with an instruction under the relevant the Macau data protection laws, including such notification under (a) above.
(c) Customer shall expressly inform ChatDaddy, in writing, in case of processing of sensitive data, as defined in article 7 of the Macau Data Protection Law (Law n. 8/2005), and shall ensure compliance with the particular requirements provided for under Macau data protection law for the processing of such data.
Technical and Organisational Security Measures
We have implemented a comprehensive privacy and security programme for the purpose of protecting your Customer Data. This program includes the following:
(a) standards for data categorisation and classification;
(b) a set of authentication and access control capabilities at the physical, network, system and application levels; and
(c) a mechanism for detecting big data-based abnormal behaviour.