Data Processing Addendum

Effective Date: September 27, 2021

You have entered into one or more agreements with us (each, as amended from time to time, an “Agreement”) governing the provision of our After, Inc.® service more fully described at (https://afterinc.com) (the “Service”). This DPA will amend the terms of the Agreement to reflect the parties’ rights and responsibilities with respect to the processing and security of Customer Data (as defined below) under the Agreement. If you are accepting this DPA in your capacity as an employee, consultant or agent of Customer, you represent that you are an employee, consultant or agent of Customer, and that you have the authority to bind Customer to this DPA.

This DPA applies where and only to the extent After processes Personal Data as a processor (for the purposes of European Data Protection Legislation).

Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

“Agreement” means this Data Processing Agreement and all Schedules;

“Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement;

“Contracted Processor” means a Subprocessor;

“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

“EEA” means the European Economic Area;

“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

“GDPR” means EU General Data Protection Regulation 2016/679;

“Data Transfer” means:

  • a transfer of Customer Personal Data from the Customer to a Contracted Processor; or
  • an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021 (“EU SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).

“Subprocessor” means any third party appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Agreement.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of Customer Personal Data

Processor shall:

  • comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
  • not Process Customer Personal Data other than to provide Customer the Service.

The Customer agrees that After shall process Personal Data in accordance with Customer’s documented lawful instructions. By entering into this DPA, you hereby authorize and instruct us to process Personal Data: (i) to provide the Service, and related technical support; (ii) as otherwise permitted or required by your use of the Service and/or your requests for technical support; (iii) as otherwise permitted or required by the Agreement, including this DPA; and (iv) as further documented in any other written instructions that are agreed by the parties. We will not process Personal Data for any other purpose, unless required to do so by applicable law or regulation. The parties agree that the Agreement (including this DPA), and your use of the Service in accordance with the Agreement, set out your complete and final processing instructions and any processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. Customer shall ensure its instructions are lawful and that the processing of Personal Data in accordance with such instructions will not violate Privacy Laws.

Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

Subprocessing

You authorize us to engage third parties as Subprocessors. Whenever we engage a Subprocessor, we will enter into a contract with that Subprocessor which imposes data protection terms that require the Subprocessor to protect Personal Data to an equivalent standard required under this DPA, and we shall remain responsible for the Subprocessor’s compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause us to breach any of our obligations under this DPA.

A list of our current Subprocessors is set out in Annex I. We may update the list of Subprocessors upon thirty (30) days’ prior written notice to you, during which period you will have the opportunity to object as described in this Section 5.

During the thirty (30) day period beginning on the date we notify you of any new or replacement Subprocessor, you have the right to object to the appointment of that Subprocessor on reasonable grounds that the Subprocessor does not or cannot comply with the requirements set forth in this DPA (each, an “Objection”). If we do not remedy or provide a reasonable workaround for your Objection within a reasonable time, you may, as your sole remedy and our sole liability for your Objection, terminate the Agreement for your convenience, and without further liability to either party. We will not owe you a refund of any fees you have paid in the event you decide to terminate the Agreement pursuant to this Section.

You agree that by complying with this Section 5, we fulfill our obligations under Clause 9(a) and Clause 9(b) of the Standard Contractual Clauses. You further acknowledge that, for the purposes of Clause 9(c) of the Standard Contractual Clauses, we may be restricted from disclosing Subprocessor agreements to you (or the relevant third party controller) due to confidentiality restrictions. Notwithstanding this, we shall use reasonable efforts to require Subprocessors to permit us to disclose Subprocessor agreements to you and, in any event, will provide (upon request and on a confidential basis) all information we reasonably can in connection with such Subprocessor agreement.

Data Subject Rights

Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

Processor shall:

  • promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
  • ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.

Personal Data Breach

Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

Processor shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

Deletion or Return of Customer Personal Data

Subject to this section 9, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data. Customer acknowledges that deletion of such data will be final and that no data will be retrievable after such deletion.

Audit Rights

You acknowledge that After is regularly audited against various information security standards by independent third-party auditors and internal auditors, respectively. Upon request, we shall supply (on a confidential basis) a summary copy of our audit report(s), so that you can verify our compliance with the audit standards against which it has been assessed, and this DPA. Further, we will provide written responses (on a confidential basis) to all reasonable requests for information necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year.

While it is the parties’ intention to rely ordinarily on the provision of the above audit report(s) to verify our compliance with this DPA, we will allow an internationally-recognized independent auditor that you select to conduct audits to verify our compliance with our obligations under this DPA. You must send any requests for audits under this Section 10 to legal@afterinc.com. Following our receipt of your request, the parties will discuss and agree in advance on the reasonable start date, scope, duration, and security and confidentiality controls applicable to the audit. You will be responsible for any costs associated with the audit. You agree not to exercise your audit rights under this Section 10 more than once in any twelve (12) calendar month period, except (i) if and when required by a competent data protection authority; or (ii) an audit is necessary due to a Data Incident. You agree that (to the extent applicable), you shall exercise any audit rights under Privacy Laws and the Standard Contractual Clauses by instructing us to comply with the measures described in this Section 10.

Governing Law and Jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

The Parties agree that those shall be the courts of the Republic of Ireland.

A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

The Parties agree to submit themselves to the jurisdiction of such courts.

Data Subject Rights and Data Export

You acknowledge that the Service may, depending on the functionality of the Service, enable you to: (i) access the Customer Data; (ii) rectify inaccurate Customer Data; (iii) restrict the processing of Customer Data; (iv) delete Customer Data; and (v) export Customer Data.

To the extent that you cannot access the relevant Personal Data within the Service, we will provide you, at your expense, with all reasonable and timely assistance to enable you to respond to: (i) requests from data subjects who wish to exercise any of their rights under applicable Privacy Laws; and (ii) any other correspondence, inquiry or complaint received from a data subject, supervisory authority or other third party in connection with the processing of the Customer Data. In the event that any such request, correspondence, inquiry or complaint is made directly to us, we will promptly inform you of it, and provide you with as much detail as reasonably possible.

Data Transfers

You agree that we may store and process Customer Data in the United States and any other country in which we or our Subprocessors maintain data processing operations. After shall ensure that such transfers are made in compliance with applicable Privacy Laws and this DPA.

If the storage and/or processing of Personal Data involves a transfer of Personal Data to After outside of Europe, and European Data Protection Legislation applies to the transfer (collectively, “Transferred Personal Data”), then (i) the Standard Contractual Clauses shall be incorporated into and form a part of this DPA in accordance with Section 6.3; and (ii) for so long as After is self-certified to the Privacy Shield we shall continue to process Transferred Personal Data in compliance with the Privacy Shield Principles. With respect to Transferred Personal Data, you agree that if we adopt an alternative data transfer mechanism (including any new version of, or successor to, the Standard Contractual Clauses or Privacy Shield adopted pursuant to applicable European Data Protection Legislation) for Transferred Personal Data not described in this DPA (“Alternative Transfer Solution”), the Alternative Transfer Solution shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Solution complies with applicable European Data Protection Legislation and extends to the territories to which Transferred Personal Data is transferred), and if we request that you take any action (including, without limitation, execution of documents) reasonably required to give full effect to that solution, you will promptly do so.

Standard Contractual Clauses

For the purposes of the Standard Contractual Clauses, the parties agree that (i) After is the “data importer” and you are the “data exporter”; (ii) the EU SCCs shall be incorporated by reference and the UK SCCs shall be incorporated by reference; (iii) the Annexes or Appendices of the EU SCCs and UK SCCs (as applicable) shall be populated with the information from Annex I of this DPA; and (iv) the EU SCCs shall be governed by the laws of the Republic of Ireland and the UK SCCs shall be governed by the laws of England and Wales. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA), the Standard Contractual Clauses shall prevail to the extent of such conflict. In particular, nothing in the DPA shall exclude the rights of third-party beneficiaries granted under the Standard Contractual Clauses. You agree that in the event we cannot ensure compliance with the Standard Contractual Clauses, we will inform you promptly and you will provide us with a reasonable period of time to cure any non-compliance. You will reasonably cooperate with us to agree what additional safeguards or measures, if any, may be reasonably required to cure the non-compliance and will only be entitled to suspend the transfer of Personal Data and/or terminate the affected parts of the Service if we have not or cannot cure the non-compliance before the end of the cure period.

Additional Information

You acknowledge that we are required under European Data Protection Legislation (i) to collect and maintain records of certain information, including, among other things, the name and contact detail of each processor and/or controller on whose behalf we are acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (ii) to make such information available to the supervisory authorities. Accordingly, if European Data Protection Legislation applies to the processing of Personal Data, you will, when requested, provide this additional information to us, and ensure that the information is kept accurate and up-to-date.

Annex I – Subprocessors

Amazon Web Services | 410 Terry Avenue North Seattle, WA 98109 USA | Cloud infrastructure services

Google, Inc. | 1600 Amphitheatre Parkway Mountain View, CA 94043 USA | Web traffic analysis

SendGrid (owned by Twilio, Inc.) | 889 Winslow St. Redwood City, CA 94063 USA | Email delivery services

Twilio, Inc. | 375 Beale Street, Suite 300, San Francisco, CA 94105 USA | SMS and email messaging services