FastField Data Protection Addendum

Last Updated: December 20, 2024

 

This Data Protection Addendum ("Addendum") forms part of the Terms of Service between FastField, Inc. ("FastField") and FastField’s Customer acting on its own behalf and as agent for each Customer Affiliate.

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Service.

 

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added to and incorporated in the Terms of Service. Except where the context requires otherwise, references in this Addendum to the Terms of Service are to the Terms of Service as amended by, and including, this Addendum.

 

1.          Definitions

 

1.1           In this Addendum, the following terms shall have the meanings set out below and cognate terms will be construed accordingly:

 

1.1.1                "Customer Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

 

1.1.2                "Customer" has the same meaning attributed to the term in the Terms of Service and it includes any Customer Affiliates;

 

1.1.3                “Customer Employee Data” means any Personal Data of Customer’s employees, contractors, and other agents or representatives whose data is used with FastField for account maintenance and business relationship purposes.

 

1.1.4                "Customer Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Terms of Service, including Customer Employee Data;

 

1.1.5                "Contracted Processor" means FastField or a Subprocessor;

 

1.1.6                "Data Protection Laws" means all applicable laws applicable to FastField’s processing of personal data under the Terms of Service;

 

1.1.7                "Services" means the services and other activities to be supplied to or carried out by or on behalf of FastField for Customer pursuant to the Terms of Service;

 

1.1.8                "Subprocessor" means any person (including any third party, but excluding an employee of FastField or any of its sub-contractors) appointed by or on behalf of FastField to Process Personal Data on behalf of Customer in connection with the Terms of Service and shall include all parties listed at https://www.fastfieldforms.com/subprocessors-and-services.html, a successor website, or as may otherwise be agreed between the parties; and

 

1.2           The terms, "Commission", “Commissioner”, "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.

 

2.          Processing of Customer Personal Data

 

2.1           FastField shall:

 

2.1.1                Comply with all applicable Data Protection Laws in the processing of Customer Personal Data;

 

2.1.2                Process Customer Personal Data (other than Customer Employee Data) only on Customer’s documented instructions unless processing is required by Data Protection Laws to which the relevant Contracted Processor is subject, in which case FastField will to the extent permitted by Data Protection Laws inform Customer of that legal requirement before the relevant processing of that Personal Data;

 

2.1.3                As to Customer Employee Data (excluding other Customer Personal Data), FastField will process such data as a controller in order to (a) manage the relationship with Customer; (b) carry out FastField’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; (e) comply with FastField’s legal or regulatory obligation to retain Customer information; and (f) as otherwise permitted under Data Protection Laws, the Terms of Service, and FastField’s Privacy Policy; and

 

2.1.4                Process Customer Personal Data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

 

2.2           Customer hereby:

 

2.2.1                Acknowledges that with regard to Customer Employee Data, Customer is a controller and FastField is a controller, not a joint controller;

 

2.2.2                Acknowledges that with regard to Customer Personal Data (excluding Customer Employee Data), Customer may act either as a controller or a processor and FastField is a processor;

 

2.2.3                Instructs FastField (and authorizes FastField to instruct each Subprocessor) to Process Customer Personal Data as reasonably necessary for the provision of the Services and consistent with the Terms of Service;

 

2.2.4                Warrants and represents that its instructions comply with all Data Protection Laws and it will inform FastField immediately if it becomes aware, or reasonably believes, that Customer’s instructions violate any Data Protection Laws or any rights of third parties;

 

2.2.5                Warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give relevant instructions on behalf of each relevant Customer Affiliate;

 

2.2.6                Warrants and represents that it has fully and truthfully identified to FastField in writing all categories of Personal Data to be processed by FastField (or its Subprocessors), including all special categories of such Personal Data;

 

2.2.7                Acknowledges that additional instructions outside the scope of the Terms of Service or this Addendum may be agreed to in writing between Customer and FastField, including any additional fees that may be payable by Customer to FastField for carrying out such additional instructions; and

 

2.2.8                Acknowledges that FastField is not responsible for (i) determining which laws or regulations are applicable to Customer’s business or (ii) whether FastField’s provision of the Services meets or will meet the requirements of such laws or regulations.

 

3.          FastField Personnel

 

FastField shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Terms of Service, and to comply with Data Protection Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

 

4.          Security

 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, FastField shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, no less protective than as set forth in Schedule 2 (Technical and Organizational Security Measures).

 

5.          Subprocessing

 

5.1           Customer authorizes FastField to appoint (and permits each Subprocessor to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Terms of Service.

 

5.2           FastField may continue to use those Subprocessors already engaged by FastField as at the date of this Addendum, subject to FastField in each case as soon as practicable meeting the obligations set out in section 5.4.

5.3           FastField shall make available a list of Subprocessors pursuant to Section 1.1.8 above. FastField shall provide a mechanism by which Controller may register to be notified by email of any modifications to the Subprocessor List (“Notification”). Should Controller object on reasonable grounds to the use of a specific Subprocessor and inform FastField of such objection in writing (by email to privacy@fastfieldforms.com) within 15 days of such Notification, FastField will at its option (i) within a commercially reasonable timeframe find a replacement Subprocessor; or (ii) allow Controller to terminate the Terms of Service and receive a pro-rata refund of fees paid thereunder.

 

5.4           With respect to each Subprocessor, FastField agrees to the following:

 

5.4.1                Before the Subprocessor first Processes Customer Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Terms of Service;

 

5.4.2                Ensure that the arrangement between FastField, and such Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum; and

 

5.4.3                Provide for Customer review of the form of agreement for such written contract, as Customer may request up to once per year.

 

5.5           FastField shall ensure that each Subprocessor performs the relevant obligations herein, as they apply to processing of Customer Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of FastField.

 

6.          Data Subject Rights

 

6.1           FastField will provide reasonable assistance to Customer to respond to requests to exercise Data Subject rights under the Data Protection Laws. Such reasonable assistance will include implementing appropriate technical and organizational measures. Additional measures may be at the expense of the Customer.

 

6.2           FastField will:

 

6.2.1                Promptly notify Customer if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

 

6.2.2                Ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate or as required by Data Protection Laws to which the Contracted Processor is subject, in which case FastField will, to the extent permitted by Data Protection Laws, inform Customer of that legal requirement before the Contracted Processor responds to the request.

 

7.          Personal Data Breach

 

7.1           FastField will notify Customer without undue delay upon FastField becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Such notification will at a minimum:

 

7.1.1                Describe the nature of the Personal Data Breach, the location of the records breached;

 

7.1.2                Communicate the name and contact details of FastField’s data protection officer or other relevant contact from whom more information may be obtained;

 

7.1.3                Describe the likely consequences of the Personal Data Breach; and

 

7.1.4                Describe the measures taken or proposed to be taken to address the Personal Data Breach.

 

7.2           FastField will provide reasonable assistance to Customer if Customer is required under Data Protection Laws to notify a regulatory authority of any data subjects impacted by a Personal Data Breach. Prior to making reference to FastField (whether or not by name), in any notice to a regulatory authority or any other public or private breach notice, Customer agrees to consult with FastField in good faith to consider any clarifications or corrections related to the notice.

8.          Data Protection Impact Assessment and Prior Consultation

 

FastField will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by any Data Protection Law in each case solely in relation to processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, the Contracted Processors.

 

9.          Deletion or return of Customer Personal Data

 

9.1           Subject to sections 9.2 and 9.3, following the date of cessation of any Services involving the processing of Customer Personal Data (the "Cessation Date"), FastField will promptly delete, anonymize, and procure the deletion or anonymization of all copies of Customer Personal Data. Nothing herein shall restrict FastField’s ability to retain metadata and aggregate data beyond the Term of the Terms of Service.

 

9.2           At any time prior to the Cessation Date, Customer may access and download a complete copy of all records, including Customer Personal Data. Should Customer require access to records following the Cessation Date, such request must be made (i) in writing, and (ii) must be received within thirty (30) days of the Cessation Date.

 

9.3           Each Contracted Processor may retain Customer Personal Data to the extent required by Data Protection Laws and for such period as required by Data Protection Laws, provided that FastField shall ensure the confidentiality of all such Customer Personal Data. In addition, FastField may maintain back-up tapes or other back-up media made in the ordinary course of business for up to seven (7) months from the date of Cessation.

 

9.4           Upon request, FastField will provide written certification to Customer that it has fully complied with this section 9 within 200 days of the Cessation Date.

 

10.      Audit rights

 

10.1         Subject to Section 10.2 below, upon Customer request up to once per year, FastField will make available to Customer evidence that FastField is in compliance with this Addendum. FastField and Customer agree that such demonstration of compliance by FastField is the preferred mechanism for meeting the audits required by applicable Data Protection Laws. FastField uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Personal Data. Such audits are performed regularly at FastField’s expense by independent third-party security professionals at FastField’s selection and result in the generation of a confidential audit report (“Audit Report”). Upon Customer’s written request no more than once per year, and subject to reasonable confidentiality controls, FastField will make available to Customer a copy of FastField’s most recent Audit Report. Customer agrees that any audit rights granted by applicable Data Protection Laws will be satisfied by these Audit Reports. To the extent that FastField’s provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with FastField that: (a) ensures the use of an independent third party; (b) provides written notice to FastField in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at FastField’s then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

 

10.2         Nothing in this Section shall limit Customer’s Audit Rights under executed EU Standard Contractual Clauses, or the Terms of Service.

 

11.      International Provisions

 

11.1         Cross border transfers of Customer Personal Data shall be subject to the transfer mechanisms provided in Schedule 3 (Cross Border Data Transfer Mechanisms).

 

11.2         The processing of Customer Personal Data to which the laws of specific jurisdictions may apply shall be made subject to the additional provisions in Schedule 4 (Jurisdiction Specific Terms).

 

12.      General Terms

 

12.1         Governing law and jurisdiction: The parties to this Addendum hereby submit to the choice of law and jurisdiction stipulated in the Terms of Service.

 

12.2         Nothing in this Addendum reduces FastField’s obligations under the Terms of Service in relation to the protection of Personal Data, or permits FastField to Process (or permit the processing of) Personal Data in a manner which is prohibited by the Terms of Service. In the event of any conflict or inconsistency between this Addendum and the applicable Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

12.3         Liability: For the sake of clarity and insofar as permissible by applicable law, this Addendum will be governed by the limitation of liability provision set forth in the Terms of Service.

 

12.4         Order of precedence: Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Terms of Service and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum will prevail.

 

12.5         Changes in Data Protection Laws, etc.: After the execution of this Addendum, either party may notify the other of additional requirements which the party reasonably considers to be necessary to address the changes to an applicable Data Protection Law. FastField, at its option, may: (i) offer alternative language or (ii) consider Customer’s amendment and negotiate in good faith with a view to agreeing and incorporating such language into this Addendum as soon as is reasonably practicable.

 

12.6         Severability: Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

 

Schedule 1

Details of Processing

 

Nature and Purpose of the Processing.

 

FastField will process personal data as necessary to provide the Services under the Agreement. FastField does not sell Customer’s Personal Data or Customer end users’ Personal Data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

Customer Personal Data. FastField will process Customer Personal Data as a processor in accordance with Customer’s instructions pursuant to this Addendum.

Customer Employee Data. FastField will process Customer Employee Data as a controller in accordance with the provisions of this Addendum.

 

Processing Activities

 

FastField will process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.

 

Duration of the Processing

 

The period for which personal data will be retained and the criteria used to determine that period is as permitted by the Terms of Service and this Addendum.

 

Categories of Data Subjects

 

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

 

·      Prospects, customers, business partners and vendors of Customer (who are natural persons)

·      Employees or contact persons of Customer’s prospects, customers, business partners and vendors

·      Employees, agents, advisors, freelancers of Customer (who are natural persons)

·      Customer’s Users by Customer to use the Services

 

Categories of Personal Data

 

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

 

·       First and last name

·       Title

·       Position

·       Employer

·       Contact information (company, email, phone, physical business address)

·       ID data

·       Professional life data

·       Personal life data (including Health data)

·       Connection data

·       Localization data

 

The obligations and rights of Customer and Customer Affiliates

The obligations and rights of Customer and Customer Affiliates are set out in the Terms of Service and this Addendum.

 

Sensitive Data or Special Categories of Data

 

Customer Personal Data. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the Service. Customer is responsible for ensuring that appropriate Data Subject authorizations and suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process, any Sensitive Data via the Services.

Customer Employee Data. No Sensitive Data may be included in the Customer Employee Data.

Schedule 2

 

Technical and Organizational Security Measures

 

Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses.

 

FastField uses, as far as reasonably possible and practical, strong encryption for the transport and storage of Personal Data (transport encryption and data-at-rest encryption). Strong encryption requires that

 

(a)           transport encryption is used for which it is ensured that the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of the third country;

 

(b)           the encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and are to be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them;

 

(c)            the strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved;

 

(d)           the encryption algorithm is flawlessly implemented by properly maintained software.

 

☒ Further measures of pseudonymization and encryption of personal data

 

FastField has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. FastField uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest.

 

☒ Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

 

FastField’s customer agreements contain strict confidentiality obligations. Additionally, FastField requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in FastField's customer agreements.

☒ Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

 

Daily and weekly backups, and geo-replication of production data stores are taken. Backups are tested at least annually in accordance with information security and data management policies.

☒ Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

 

FastField conducts ongoing internal assessments to evaluate technical and operational security posture. FastField participates in an SSAE18 SOC2 – Type II audit annually.

 

☒ Measures for user identification and authorization

 

FastField uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication (MFA) and Single Sign On (SSO). Network infrastructure is securely configured by service providers (AWS & Microsoft) to vendor and industry best practices to block all unnecessary ports, services, and unauthorized network traffic.

 

☒ Measures for the protection of data during transmission

FastField has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. FastField uses only recommended secure cipher suites and protocols to encrypt all traffic in transit. TLS 1.2 is the minimum supported protocol.

 

☒ Measures for the protection of data during storage

 

Encryption-at-rest uses industry standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS and Microsoft, each to their respective services.

 

☒ Measures for ensuring physical security of locations at which personal data are processed

FastField data hosting occurs in physical data centers that are managed by AWS and Microsoft. https://aws.amazon.com/compliance/data-center/controls/

https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-security

 

☒ Measures for ensuring events logging

 

FastField monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.

☒ Measures for ensuring system configuration, including default configuration

 

FastField leverages Azure and AWS Application as a Service in order to ensure consistent configurations across our services. All application code is managed and distributed via a central repository.

 

☒ Measures for internal IT and IT security governance and management

 

FastField maintains a risk-based information security governance program. The framework for FastField's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, security, and availability of Customer Data.

 

☒ Measures for certification/assurance of processes and products

 

FastField participates in an SSAE18 SOC2 – Type II audit annually.

 

☒ Measures for ensuring data minimization

 

The Agreement restricts the entry of certain Personal Data, or special categories of Personal Data, to FastField's Services, but the Customer unilaterally determines what personal data they route through the Services. As such, FastField operates on a shared responsibility model. FastField gives Customers control over exactly what Personal Data enters the platform. Additionally, FastField has built in self-service functionality to the Services that allows Customers to delete and suppress Personal Data at their discretion.

 

☒ Measures for ensuring data quality

 

FastField has a layered approach for ensuring data quality. These measures include:

·       Database Level Enforcement

o    Centralized database with referential data constraints to ensure integrity at the storage level.

·       Traceability through Data Keys

o     Unique keys are tied to customer records and transaction logs, along with timestamps and unique user ids to provide visibility to change events. Unique identifiers are used throughout system components to effectively tie data sets to relevant entities such as a customer or account.

·       Quality Assurance Reviews for Identification of Software Flaws

o    Our QA team tests for integrity of screen design in terms of inputs and the display of content. Automated and manual tests are performed to ensure data is presented and captured properly through our end user systems. This includes data validation and cleansing rules enforced at the time of input to ensure data inputs properly conform with downstream service and storage requirements.

·       Application Static Code Scans

o     We scan our application source code to identify areas lacking sufficient input validation. Input validation is performed to ensure only properly formed data from the client passes through our API services.

·       Privacy Policies

o     Our internal and public privacy policies establish the guidelines for data sharing and procedures around data protection.

 

☒ Measures for ensuring limited data retention

 

Customer unilaterally determines what data they route through the Services. As such, FastField operates on a shared responsibility model. If a Customer is unable to delete Customer Data via the self-service functionality of the Services, then FastField deletes Customer Data upon the Customer's written request, within the timeframe specified in the Data Protection Addendum and in accordance with Applicable Data Protection Law. All Customer Data is deleted from the Services 180 days following service termination, or sooner upon written request from Customer.

 

☒ Measures for ensuring accountability

 

FastField has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, FastField conducts regular internal and external audits and assessments to ensure compliance with our privacy and security standards.

 

☒ Measures for allowing data portability and ensuring erasure

 

All Personal Data in the Services may be deleted by the Customer or at the Customer’s request.

Based on Privacy by Design and Data Minimization principles, FastField severely limits the instances of sensitive data collection and processing within the Services. FastField will respond to all requests for data porting in order to address Customer needs.

 

☒ Technical and organizational measures of Subprocessors

 

FastField enters into Data Processing Agreements with its Authorized Subprocessors with data protection obligations substantially similar to those contained in this Addendum.

Schedule 3

Cross Border Data Transfer Mechanisms

Definitions

 

“Argentina Standard Contractual Clauses” means the Standard Contractual Clauses approved by the Agency for Access to Information of Argentina pursuant to Rule No. 60-E/2016.

“EEA” means the European Economic Area.

“EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

“UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.

 

Cross Border Data Transfer Mechanisms

 

Argentina Standard Contractual Clauses. Customer and FastField agree that the Argentina Standard Contractual Clauses will apply to personal data that is transferred via the Services from Argentina, either directly or via onward transfer, to any country or recipient outside of Argentina that is not recognized by the competent regulatory authority as providing an adequate level of protection for personal data. For data transfers from Argentina that are subject to the Argentina Standard Contractual Clauses, the Argentina Standard Contractual Clauses will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:

 

·       As to the processing of Customer Personal Data (other than Customer Employee Data), the controller-to-processor Argentina Standard Contractual Clauses shall apply, and FastField shall be a processor and Customer a controller.

·       As to the processing of Customer Employee Data, the controller-to-processor Argentina Standard Contractual Clauses shall apply and both parties shall be controllers (and not joint controllers).

·       The “importer” shall be FastField, Inc. The contact details for the importer shall be: Assistant General Counsel, privacy@fastfieldforms.com.

·       The “exporter” shall be the Customer. The contact details for the exporter shall be: email address(es) designated by Customer in Customer’s account via its notification preferences or as set forth in the Terms of Service.

·       The Description of Processing in Annex A, including the importer’s role, the nature and categories of personal data to be transferred, and the period for which the personal data will be retained are set forth in Schedule 1 to this Addendum.

·      For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at https://www.fastfieldforms.com/subprocessors-and-services.html

By entering into the Addendum, the importer and exporter are deemed to have signed these Argentina Standard Contractual Clauses incorporated herein, including Annex A, as of the effective date of the Addendum.

 

EU Standard Contractual Clauses. The EU Standard Contractual Clauses will apply to personal data that is transferred via the Services from the EEA, Switzerland, Guernsey, Isle of Man, or Jersey, either directly or via onward transfer, to any country or recipient outside of these jurisdictions that is not recognized by the relevant competent authority as providing an adequate level of protection for personal data. For data transfers that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:

 

(a)  Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where FastField is processing Customer Employee Data;

(b)  Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Customer Personal Data and FastField is processing Customer Personal Data (other than Customer Employee Data);

(c)  Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Personal Data and FastField is processing Customer Personal Data;

(d)  For each Module, where applicable:

(i)  in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will apply;

(ii)  in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in this Addendum;

(iii)  in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;

(iv)  in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;

(v)  in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

(vi)  in Annex I, Part A of the EU Standard Contractual Clauses:

Data Exporter: Customer

Contact details: The email address(es) designated by Customer in Customer’s account via its notification preferences or as set forth in the Terms of Service.

Data Exporter Role: The Data Exporter’s role is set forth in Schedule 1 (either controller or processor) of this Addendum.

Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.

Data Importer: FastField Inc.

Contact details: FastField General Counsel, privacy@fastfieldforms.com.

Data Importer Role: The Data Importer’s role is set forth in Schedule 1 of this Addendum.

Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;

(vii)  in Annex I, Part B of the EU Standard Contractual Clauses:

The categories of data subjects are set forth in Schedule 1 of this Addendum. The Sensitive Data transferred is set forth in Schedule 1 of this Addendum.

The frequency of the transfer is a continuous basis for the duration of the Terms of Service. The nature of the processing is set forth in Schedule 1 of this Addendum.

The purpose of the processing is set forth in Schedule 1 of this Addendum.

The period for which the personal data will be retained is set forth in Schedule 1 of this Addendum.

For transfers to sub-processors, the subject matter and nature of the processing is set forth at https://www.fastfieldforms.com/subprocessors-and-services.html; The duration of processing by sub-processors will be the duration of the Terms of Service.

 

(viii)  in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority; and

 

(ix)  Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.

 

UK International Data Transfer Agreement. Customer and FastField agree that the UK International Data Transfer Agreement will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:

 

(a)  In Table 1 of the UK International Data Transfer Agreement, Customer's and FastField's details and key contact information are set forth in the Terms of Service;

(b)  In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules, and selected clauses, which the UK International Data Transfer Agreement is appended to, are set forth above in this Schedule 3;

(c)  In Table 3 of the UK International Data Transfer Agreement:

(i)  The list of Parties is set forth in the Terms of Service.

(ii)  The description of the transfer is set forth in Schedule 1 (Details of the Processing).

(iii)  Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.

(iv)  The list of sub-processors is available at https://www.fastfieldforms.com/subprocessors-and-services.html; and

(d)  In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.

 

Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, the Terms of Service, or the FastField Privacy Policy, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.

Schedule 4

Jurisdiction Specific Terms

Argentina

·       The definition of “Data Protection Laws” includes Law No. 25,326 of Protection of Personal Data of Argentina.

 

Australia

·      The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

·      The definition of “personal data” includes “Personal Information” as defined under Data Protection Laws.

·      The definition of “Sensitive Data” includes “Sensitive Information” as defined under Data Protection Laws.

 

Brazil

·      The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (General Personal Data Protection Act).

·      The definition of “Personal Data Breach” includes a Personal Data Breach that may result in any relevant risk or damage to data subjects.

·      The definition of “processor” includes “operator” as defined under Data Protection Laws.

 

Canada

·      The definition of “Data Protection Laws” includes the Federal Personal Information Protection and Electronic Documents Act.

·      FastField’s sub-processors, as set forth in this Addendum, are third parties under Data Protection Laws, with whom FastField has entered into a written contract that includes terms substantially similar to this Addendum. FastField has conducted appropriate due diligence on its sub-processors.

·       FastField will implement technical and organizational measures as set forth in Schedule 3 of this Addendum.

 

European Economic Area (EEA)

·      The definition of “Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

·      When FastField engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:

o    (a) require any appointed sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and

o     require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses.

·      Notwithstanding anything to the contrary in this Addendum or in the Terms of Service (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

·      Customer acknowledges that FastField, as a controller, may be required under Data Protection Laws to notify a regulatory authority of Personal Data Breaches involving Customer Usage Data. If a regulatory authority requires FastField to notify impacted data subjects with whom FastField does not have a direct relationship (e.g., Customer’s end users), FastField will notify Customer of this requirement. Customer will provide reasonable assistance to FastField to notify the impacted data subjects.

 

Israel

·       The definition of “Data Protection Laws” includes the Protection of Privacy Law.

·      The definition of “controller” includes “Database Owner” as defined under Data Protection Laws.

·      The definition of “processor” includes “Holder” as defined under Data Protection Laws.

·      FastField will require that any personnel authorized to process Customer Personal Data comply with the principle of data secrecy and have been duly instructed about Data Protection Laws. Such personnel sign confidentiality agreements with FastField in accordance with this Addendum.

 

Japan

·       The definition of “Data Protection Laws” includes the Act on the Protection of Personal Information (“APPI”).

·      The definition of “personal data” includes information about a specific individual applicable under Section 2(1) of the APPI, which Customer entrusts to FastField during FastField’s provision of the Services to Customer.

·      FastField agrees it has and will maintain a privacy program conforming to the standards prescribed by rules of the Personal Information Protection Commission concerning the handling of personal data pursuant to the provisions of Chapter 4 of the APPI. Accordingly:

o     FastField will (i) process personal data as necessary to provide the Services to Customer in accordance with the Agreement and as set forth in Schedule 1 (Details of the Processing) of this Addendum and (ii) not process personal data for any other purpose without Customer’s consent;

o     FastField will implement and maintain measures appropriate and necessary to prevent unauthorized disclosure and loss of personal data and for the secure management of personal data in accordance with the APPI as set forth in Schedule 3 of this Addendum;

o     FastField will notify Customer for (i) a failure to comply with the purpose of use limitations of this Schedule 4 or (ii) FastField’s discovery of a Personal Data Breach impacting Customer Data, in either case, in accordance with this Addendum. FastField will provide reasonable assistance to Customer in the event that Customer is required to notify a regulatory authority or any data subjects impacted by a Personal Data Breach;

o     FastField will ensure that any of its employees who have access to personal data (i) have executed employee agreements requiring them to keep such personal data confidential and (ii) who violate confidentiality will be subject to disciplinary action and possible termination; (iii) carry out appropriate employee supervision and training for the secure management of personal data; and (iv) limit the number of authorized personnel, including FastField’s employees, who have access to personal data and control such access such that it is only permitted for the time period necessary for the Purpose of Use;

o     FastField will promptly notify Customer of any third party request and not respond to such Third Party Request without Customer’s prior consent, except as legally required to do so or to confirm that such third party request relates to Customer. To the extent Customer does not have the ability to resolve a third party request from a data subject through the self-service features made available via the Services, then, upon Customer’s request, FastField will provide reasonable cooperation and support to assist Customer in resolving such third party request from a data subject;

o     Unless prohibited by applicable law or regulation, FastField will promptly notify Customer of any third party request that requires FastField to disclose personal data on order or disposition of any governmental authority or court of law;

o     Customer agrees that FastField is not a “third party” as the term is used in the APPI provisions that restrict the provision of personal data to third parties. As such, the requirement to obtain data subject consent in advance for domestic transfers within Japan does not apply.

Mexico

·      The definition of “Data Protection Laws” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations.

 

Singapore

The definition of “Data Protection Laws” includes the Personal Data Protection Act 2012 (“PDPA”).

FastField will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Schedule 3 of this Addendum and complying with the terms of the Terms of Service.

 

Switzerland

·       The definition of “Data Protection Laws” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).

·      When FastField engages a sub-processor, it will:

o     require any appointed sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and

o     require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses.

·      To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses, the following amendments will apply to the EU Standard Contractual Clauses:

o    references to “EU Member State” and “Member State” will be interpreted to include Switzerland, and

o    insofar as the transfer or onward transfers are subject to the FADP:

§   references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;

§  the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;

§  in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and

§  in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.

 

United Kingdom (UK)

·      References in this Addendum to “GDPR” will be deemed references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and Data Protection Act 2018.

·      When FastField engages a sub-processor, it will:

o     require any appointed sub-processor to protect the Customer Personal Data to the standard required by Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and

o     require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement.

·      Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.

·      Customer acknowledges that FastField, as a controller, may be required under Data Protection Laws to notify a regulatory authority of Personal Data Breaches involving Customer Usage Data. If a regulatory authority requires FastField to notify impacted data subjects with whom FastField does not have a direct relationship (e.g., Customer’s end users), FastField will notify Customer of this requirement. Customer will provide reasonable assistance to FastField to notify the impacted data subjects.

 

United States of America

·      “US State Privacy Laws” mean all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

·      The definition of “Data Protection Laws” includes US State Privacy Laws.

·      The following terms apply where FastField processes personal data subject to the CCPA:

o    The term “personal information”, as used herein, will have the meaning provided in the CCPA;

o    FastField is a service provider when processing Customer Personal Data. FastField will process any personal information contained in Customer Personal Data only for the business purposes set forth in the Agreement, including the purpose of processing and processing activities set forth in this Addendum. As a service provider, FastField will not sell or share Customer Personal Data or retain, use, or disclose Customer Personal Data (i) for any other purpose, including retaining, using, or disclosing Customer Personal Data for a commercial purpose outside the scope of the Terms of Service, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between Customer and FastField;

o     FastField will (i) comply with obligations applicable to it as a service provider under the CCPA and (ii) provide personal information with the same level of privacy protection as is required by the CCPA. Customer is responsible for ensuring that it has complied, and will continue to comply, with the requirements of the CCPA in its use of the Services and its own processing of personal information;

o    Customer will have the right to take reasonable and appropriate steps to help ensure that FastField uses personal information in a manner consistent with Customer’s obligations under the CCPA;

o    FastField will notify Customer if it makes a determination that it can no longer meet its obligations as a service provider under the CCPA;

o    Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of personal information;

o    FastField will provide reasonable additional and timely assistance to assist Customer in complying with its obligations with respect to consumer requests as set forth in the Agreement;

o     For any sub-processor used by FastField to process personal information subject to the CCPA, FastField will ensure that FastField’s agreement with such sub-processor complies with the CCPA, including, without limitation, the contractual requirements for service providers and contractors;

o     FastField will not combine Customer Personal Data that it receives from, or on behalf of, Customer, with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency; and

o    FastField certifies that it understands and will comply with its obligations under the CCPA.

·      FastField acknowledges and confirms that it does not receive Customer Personal Data as consideration for any Services provided to Customer.
