You, the Customer (“Customer”), has contracted with Penny AI Technologies Inc. (“Vendor”), to perform certain data processing functions on behalf of the Customer pursuant to the Penny AI Terms located at https://pennyapp.com/terms.html, or a written agreement entered into between them (“Services Agreement”), including the processing of Personal Data (as defined in the Definitions section below).
This agreement is made in light of the requirements set out in the GDPR and the CCPA (as those terms are defined below), each to the extent applicable.
Capitalized terms used in this agreement that are not defined shall have the same meaning as set out in the GDPR. This Data Processing Agreement (this “Agreement” or “DPA”) is based on the requirements set out in Article 28 of the GDPR and the CCPA (including Section 1798.140(v) thereof).
The purpose of this Agreement is to ensure that Vendor provides the services under the Services Agreement (“Services”) to Customer in a manner that complies with the Data Protection Legislation.
“CCPA” means the California Consumer Privacy Act of 2018, codified at California Civil Code Title 1.81.5, Section 1798.100 et seq., and any regulations promulgated pursuant thereto.
“Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to the Services by Customer or Customer’s users and is processed by Vendor on behalf of Customer. For the avoidance of doubt, Customer Content does not include aggregated or deidentified information or usage, statistical, or technical information that does not reveal the contents of the Customer Content.
“Data Controller” has the meaning set out in the GDPR.
“Data Processor” has the meaning set out in the GDPR.
“Data Protection Legislation” means all privacy laws applicable to any Personal Data processed under or in connection with this Agreement, including, without limitation the CCPA and the GDPR, each to the extent applicable.
“Data Subject” means the identified or identifiable person to whom Personal Data relates and who is (a) an identified or identifiable natural person who is in the EEA or whose rights are protected by the GDPR and/or (b) a “Consumer” as such term is defined in the CCPA.
“GDPR” means the Data Protection Directive 95/46/EC (as the same may be superseded by the General Data Protection Regulation 2016/679 (the “GDPR”)), the Privacy and Electronic Communications Directive 2002/58/EC and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable data protection authority, all as amended, re-enacted and/or replaced and in force from time to time.
“Personal Data” means Customer Content that directly or indirectly identifies or relates to a Data Subject.
"Process" and other derivations such as “processed” and “processing” means any use of or processing applied to any Personal Data and includes "processing" as defined in the Data Protection Legislation.
3. Roles of Parties
In respect of the parties’ rights and obligations under this Agreement regarding the Personal Data, the parties hereby acknowledge and agree that Customer is the “Data Controller” and Vendor is the “Data Processor” and accordingly Vendor agrees that it shall process all Personal Data in accordance with its obligations pursuant to this Agreement and otherwise in accordance with the Data Controller’s written instructions.
The Data Processor shall process the Personal Data only on documented instructions from the Data Controller, including any transfer of data to a third countries or international organizations.
4. Engagement of Sub-Processors
Where the Data Processor engages another processor (sub-processor) for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out this processor agreement or other legal act between the Data Controller and the processor as referred to in the GDPR (including Article 28(3) thereof), and the CCPA (including Section 1798.140(v) thereof, shall be imposed on that other processor (sub-processor) by way of contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor (sub-processor) fails to fulfil its data protection obligations, the initial Data Processor shall remain fully liable to the Data Controller for the performance of that other processor’s (sub-processor’s) obligations.
The Data Processor shall not engage another processor without prior specific or general written authorization of the Data Controller. Data Controller hereby provides general authorization for Data Processor to engage sub-processors, including the sub-processors listed at [https://pennyapp.com/privacy-policy.html#subprocessors], which list may be updated from time to time with notice by the Data Processor to the Data Controller.
If, in the performance of this Agreement, Data Processor transfers any Personal Data received from or on behalf of Data Controller to any third party (which shall include without limitation any affiliates of Data Processor) where such third party is located outside the European Economic Area, Data Processor shall in ensure that such transfer is in accordance with the GDPR, which may include:
- the requirement for Data Processor to execute or procure that the third party execute the applicable Standard Contractual Clauses;
- the requirement for the third party to be certified under the Privacy Shield framework; or
- the existence of any other specifically approved safeguard for data transfers (as recognized under the GDPR) and/or a European Commission finding of adequacy.
6. Subject-Matter and Duration of the Processing
The type of Personal Data processed pursuant to this Agreement, including the subject matter, duration, nature and purpose of the processing, and the categories of Data Subjects, is as described in Annex 1.
7. Data Processor to assist with Customer’s Obligations
Data Processor shall, where applicable in respect of any Personal Data processed pursuant to this Agreement, provide full cooperation and assistance to Customer to allow Customer to comply with Customer’s obligations set out under Articles 32 – 36 of the GDPR to:
- ensure the security of the processing;
- notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to Personal Data;
- carry out any data protection impact assessments (“DPIA”) of the impact of the processing on the protection of Personal Data; and
- consult the relevant supervisory authority prior to any processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by Customer to mitigate the risk.
The Data Processor shall take reasonable steps to ensure that only authorized personnel have access to Personal Data and that any persons whom it authorizes to have access to the Personal Data will respect and maintain all due confidentiality.
9. Security of Processing
The Data Processor shall implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR and Section 1798.150(a) of the CCPA, each to the extent applicable in the relevant context, to ensure a level of security appropriate to the risk, including the following measures
- the pseudonymization and encryption of data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, accessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
10. Requests by Data Subjects
As further set out in Chapter III of the GDPR, Data Subject has certain rights (e.g. information and access to Personal Data, rectification and erasure, restriction of processing, data portability, right to object and automated individual decision-making). The Data Controller is obliged to facilitate the exercise of these Data Subject rights under Articles 15 to 22 of the GDPR. The Data Processor shall assist the Data Controller by appropriate technical and organizational measures for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.
11. Data Breach
As further set out in applicable Data Protection Legislation, Data Controller has certain obligations (e.g. notification of data breach involving Personal Data to the supervisory authority, and communication of data breach to the Data Subject).
The Data Processor shall notify the Data Controller of any actual or suspected data breaches involving Data Controller’s Personal Data and in all other aspects assist the Data Controller in ensuring compliance with applicable Data Protection Legislation. In particular, the Data Processor shall promptly provide the Data Controller with cooperation and assistance in respect of the data breach and all information in Data Processor’s possession concerning the data breach, including the following:
- the probable cause and consequences of the breach;
- the categories of Personal Data involved;
- a summary of the probable consequences for the relevant Data Subjects;
- a summary of the unauthorized recipients of the Personal Data; and
- the measures taken by Data Processor to mitigate any damage.
12. Return and Deletion of Personal Data
The Data Processor shall, at the choice of Data Controller, delete or return all the Personal Data to the Data Controller at the end of the provision of Services relating to processing, and delete any existing copies unless Union or Member State law requires storage of the Personal Data.
13. Audit, Compliance and Duty to Inform
The Data Processor shall maintain written records of all categories of processing activities carried out on behalf of the Data Controller.
The Data Processor shall make available to the Data Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
If Data Controller believes that an on-site audit is necessary, upon reasonable notice of Data Controller, Data Processor agrees to give Data Controller access to Data Processor’s premises no more than once per year, (subject to any reasonable confidentiality and security measures at a mutually acceptable time), and to any stored Personal Data and data processing programs it has on-site. Data Controller is entitled to have the audit carried out by a third party.
The scope of an audit will be limited to the Vendor’s systems, processes and documentation relevant to the processing and protection of Personal Data processed in the provision of the Services.
14. California Consumer Privacy Act of 2018 (CCPA)
For purposes of this DPA, Vendor is a “Service Provider” as defined in CCPA Section 1798.140(v).
Customer discloses Personal Data to Vendor (or facilitates such disclosure by Customer’s users) solely for (a) a valid business purpose as defined in the CCPA and (b) to facilitate Vendor’s performance of the Services.
In connection with its processing of Personal Data as described in this DPA and the Services Agreement, Vendor shall not (a) sell any Personal Data; or (b) retain, use or disclose Personal Data for a commercial purpose other than providing the Services as provided in the Services Agreement and this DPA, or as otherwise permitted by the CCPA, and (c) Vendor certifies that it understands and will comply with the restrictions described in this Section 14.
The Data Processor’s compensation is being included in the Services charges set out in the Services Agreement referred above, and the Data Processor shall thus not be entitled to any additional compensation for carrying out its obligations under this Addendum.
The costs of the Vendor and its sub-processors to comply with their respective obligations as data processors under Data Protection Legislation applicable in a specific jurisdiction shall be borne by the Vendor and its sub-processors to the extent compliance with such obligations is necessary for the Vendor and/or its sub-processors’ compliance with applicable Data Protection Legislation in their role as data processors in the jurisdiction in question.
Notwithstanding the foregoing, if the Vendor is requested by the Customer to take on compliance activities which go beyond the activities that the Vendor is required to do as a Data Processor under applicable Data Protection Legislation, the Vendor shall be entitled to its reasonable costs.
Should changes to applicable Data Protection Legislation, including the interpretation thereof, entail increased costs for the Vendor or its sub-processors, the Vendor may, subject to providing written notice to the Customer, increase the rates charged to the Customer to reflect the increased costs. The increase to the Customer should be fair and reasonable and should be proportional to what other similar Customers are being asked to pay.
16. Governing law and dispute resolution
The governing law and dispute resolution clause set out in the Services Agreement referred to above shall also be applicable to this Data Processing Agreement, provided that to the extent required by GDPR, this Addendum shall be governed by the laws of Ireland.
For the purposes of the Agreement, the parties set out below a description of the Personal Data being processed under the terms of the Agreement and further details required pursuant to the GDPR.
- TYPES OF PERSONAL DATA: name, email address, phone number, birthday, mailing address and social media accounts.
- DURATION OF PROCESSING: The duration of the processing shall be the term of the Services agreement.
- NATURE OF PROCESSING: Collection and storage.
- PURPOSE OF PROCESSING: To provide the Services.
- CATEGORIES OF DATA SUBJECT: Customer’s end users, clients and downlines.