ADDENDUM: DATA PROCESSOR ADDENDUM

1. Introduction

1.1 This Data Processing Addendum (“DPA”) forms part of, and is subject to the provisions of, the Starfish and Bear Inc. Terms of Service. Capitalized terms that are not defined in this Data Processing Addendum have the meanings set forth in the Terms of Service.

1.2 Definitions

The following definitions apply solely to this Data Processing Addendum:

1.2.1. “GDPR” means the EU General Data Protection Regulation 2016/679.

1.2.2. “EU Data Protection Law”, “Applicable Law” means any data protection or data privacy law or regulation of Switzerland or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.

1.2.3. the terms “controller”, “data subject”, “personal data”, “process,” “processing” and “processor” have the meanings given to these terms in EU Data Protection Law.

1.2.4. “Security Measures” means the technical and organizational security measures.

1.2.5. “Content” means any content provided to us from your data subject, including without limitation text, photos, images, audio, video, code, and any other materials.

1.2.6. “Your Controlled Data”, “Controlled Data” means the personal data in the Content that Starfish and Bear Inc. processes on your behalf and instructions as part of the Service, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us.

1.2.7. “Breach” means a breach of the Security Measures resulting in access to Starfish and Bear Inc.’s equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by Starfish and Bear Inc. on your behalf and instructions through the Service.

1.2.8. “Sub-Processor” means an entity engaged by Starfish and Bear Inc. to process Your Controlled Data.

2. Legislation and Applicability

2.1 The Data Processor Addendum shall ensure that the Data Processor complies with the Applicable Law. with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

2.2 This Data Processing Addendum only applies to you if you or your data subjects are located within the EEA or Switzerland and only applies in respect of Your Controlled Data. You agree that Starfish and Bear Inc. is not responsible for personal data that you have elected to process through third-party services or outside of the Service, including the systems of any other third-party cloud services, offline or on-premises storage.

3 Processing of personal data

3.1 The purpose of the processing under the Terms of Service is the provision of the Service by the Data Processor as specified in the Terms of Service.

3.2 In connection with the Data Processor’s delivery of the Service to the Data Controller, the Data Processor will process certain categories and types of the Controlled Data on behalf of the Data Controller.

3.3 The categories and types of Controlled Data processed by the Data Processor on behalf of the Data Controller can be requested from the Data Processor. are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Service. The Data Processor shall update this list whenever changes to the Service occurs that necessitates an update.

3.4 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).

4 Instruction

4.1 The Data Processor may only act and process Controlled Data in accordance with the documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Addendum is that the Data Processor may only process the Controlled Data with the purpose of delivering the Service as described in the Terms of Service. Subject to the terms of this DPA and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this DPA. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.

4.2 The Data Controller guarantees to process Controlled Data in accordance with the requirements of the Applicable Law. The Data Controller’s instructions for the processing of Controlled Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Controlled Data and the means by which it was obtained.

4.3 The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the Instruction until they have been confirmed or modified.

5. The Data Processor’s obligations

5.1 Confidentiality

5.1.1 The Data Processor shall treat all the Controlled Data as strictly confidential information. The Controlled Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller in writing has agreed.

5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Controlled Data under this DPA with strict confidentiality.

5.1.3 Controlled Data will only be made available to personnel that require access to such Controlled Data for the delivery of the Service and this Data Processor Addendum.

5.2 The Data Processor shall also ensure that employees processing the Controlled Data only process the Controlled Data in accordance with the Instruction.

5.3 Security

5.3.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in the DPA and in the Applicable Law, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.

5.4 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.

5.5 Data protection impact assessments and prior consultation

5.5.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.

5.6 Rights of the data subjects

5.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

5.6.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Controlled Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.

5.7 Controlled Data Breaches

5.7.1 The Data Processor shall give immediate notice to the Data Controller if a Breach occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Controlled Data processed on behalf of the Data Controller.

5.7.2 The Data Processor shall make reasonable efforts to identify the cause of such a Breach and take those steps as they deem necessary to establish the cause, and to prevent such a Breach from reoccurring.

5.8 Documentation of compliance and Audit Rights

5.8.1 Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.

5.8.2 The Data Controller and auditor will be required to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.

5.8.3 Starfish and Bear Inc. may (but is not obliged to) use external or internal auditors to verify the adequacy of our Security Measures.

5.9 Data Transfers

5.9.1 You authorize us to transfer Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer Controlled Data to the US. We will transfer Controlled Data to outside the EEA using the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks or another lawful data transfer mechanism that is recognized under EU Data Protection Law as providing an adequate level of protection for such data transfers.

6. Sub-Processors

6.1 The Data Processor is given general authorization to engage third-parties to process the Controlled Data without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Controlled Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.

6.2 In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate the Service by providing written notice to the Data Processor.

6.3 The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Addendum. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.

6.4 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

6.5 The Data Processor is at the time of entering into this Data Processor Addendum using the Sub-Processors listed in Sub-appendix A . If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in Sub-appendix A under paragraph 2.

7. Remuneration and costs

7.1 We will, to the extent that you cannot reasonably do so through the Service or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Service and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.

7.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Service due to the change in the Instruction. The Data Processor is exempted from liability for non-performance with the Terms of Service if the performance of the obligations under the Terms of Service would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case; (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Terms of Service is changed to reflect the new Instruction and commercial terms thereof.

8. Limitation of Liability

8.1 The total aggregate liability to the Client, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the Terms of Service.

8.2 Nothing in this DPA relieves the processor of its own direct responsibilities and liabilities under the GDPR.

9. Duration

9.1 The Data Processor Addendum shall remain in force until the Terms of Service is terminated.

10. Data Protection Officer

10.1 The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.

10. Termination

10.1 Following expiration or termination of the Data Processing Addendum, the Data Processor will delete or return to the Data Controller all Controlled Data in its possession as provided in the DPA except to the extent the Data Processor is required by the Applicable Law to retain some or all of the Controlled Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Controlled Data from any further processing). The terms of this DPA will continue to apply to such Controlled Data.

11. Contact

11.1 If you have any questions about this DPA, please contact us at privacy@starfishandbear.com

Sub-appendix A

1. APPROVED SUB-PROCESSORS

1.1 The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Agreement:

Stripe - Privacy Shield participant

Google Analytics - Privacy Shield participant

Amazon Web Services (AWS) (Amazon Web Services, Inc.) - United States - Privacy Shield participant

iUbenda

2. New Sub-Processors

2.1 The following Sub-Processors have been added and communicated to the Data Controller prior to the relevant sub-processing:

None