4370 La Jolla Village Drive Suite 310
San Diego, CA 92121

Privacy Policy

Effective Date: 4/29/2019

This “Privacy Policy” describes the privacy practices of Daasity, Inc. (“Daasity”, “we”, “us” or “our”). This Privacy Policy describes how we collect, use, disclose and otherwise process personal information in connection with our website and other Internet-enabled services (together “Services”), and explains the privacy rights and choices available to individuals. This Privacy Policy governs any of the Services on which the policy is posted.

Privacy Policy Statement

Product Privacy Statement

Privacy Shield Statement

Data Processing Addendum

Subprocessor List

Privacy Policy Statement

Please note that this Privacy Policy does not apply to the information we process on behalf of our clients. Our platform helps the direct to consumer community make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data by integrating the data points into our platform and placing the data into a useful context. Our processing of data on behalf of our clients is governed by agreements between us and our clients. These agreements require our clients to comply with applicable privacy laws and, to the extent the clients are legally required, provide privacy notices to the individuals whose data our clients process using Daasity’s platform. You can find further details on our processing of data on behalf of our clients in our Product Privacy Statement.

Table of Contents

1.  Personal Information We Collect

2.  How We Use Your Personal Information

3.  How We Share your Personal Information

4.  Your Choices

5.  Cookies and Similar Technologies

6.  Other Important Privacy Information

7.  How to Contact Us

8.  Notice to European Users

Personal Information We Collect

Information you give us. You may provide information to us when you interact with the Services, for example, by registering, establishing an account, requesting information or otherwise communicating with us via the Services. You may provide your personal and business information, such as your name, mailing and email address, telephone number, company and other details you may choose to share with us.

Information we collect automatically. Our servers and third party service providers may automatically record certain information about how you use the Services, such as your Internet Protocol (IP) address, domain name, device and browser type, operating system, Internet service provider, referring/exit pages, clickstream data, the pages or features of the Services that you browse and the time you spend on those pages or features, the frequency with which you use the Services, the links that you click on or use and other statistics. We collect this information in server logs and by using cookies and similar tracking technologies. See our Cookie Policy for more information.

How We Use Your Personal Information

We use the information we collect for the following purposes:

To operate and improve the Services, including to:

  • Establish and manage accounts and registrations;
  • Communicate with you regarding the Services, including by sending you announcements, updates, security alerts, and support and administrative messages;
  • Respond to your requests, questions and feedback related to the Services;
  • Analyze our visitors’ and users’ needs and interests, and personalize experience with the Services; and
  • Analyze use of the Services to study trends and users’ movements around the Services, improve the Services and develop new features and services.

To send you marketing and survey communications.

We may send you surveys, newsletters or other marketing communications, but you may opt out of receiving them as described in the Opt out of marketing section below.

For compliance, fraud prevention and safety.

We may use your personal information as we believe appropriate to (a) investigate violations of and enforce our Terms of Service; (b) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

For compliance with law.

We may use your personal information as we believe appropriate to (a) comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; and (b) where permitted by law in connection with a legal investigation.

With your consent.

We may ask for your consent to collect, use or share your personal information, such as when we are required to do so by law.

How We Share your Personal Information

We do not share your personal information with third parties without your consent, except in the following circumstances:

Affiliates. We will share your personal information with our corporate affiliates for purposes consistent with this Privacy Policy.

Service providers. We may share your personal information with third parties that provide services that help us with our business activities (such as customer support, payment processing, hosting and storage, website analytics, email delivery and legal and other professional advice). We authorize these third parties to access your personal information to the extent reasonably necessary for them to provide their services.

For legal reasons. We may disclose your personal information as we believe appropriate to government or law enforcement officials or to private parties for the purposes described above under the following sections: For compliance, fraud prevention and safety and for compliance with law.

Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.

Your Choices

Access or update your information. Service account holders may review or update information in their registration profile by logging into their account or contacting us at privacy@daasity.com.

Opt out of marketing emails. You may opt out of marketing-related emails by following the unsubscribe instructions in the email. You may continue to receive Services-related and other non-marketing emails.

Cookies and Similar Technologies

We may allow service providers and other third parties to use cookies and similar technologies to track your browsing activity over time and across the Services and third party websites. For more details, see our Cookie Policy. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Other Important Privacy Information

Third party sites and services. The Services may contain links to other websites and services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. We do not control third party websites, applications or services, and are not responsible for their actions. Other websites and services follow different rules regarding their collection, use and sharing of your personal information. We encourage you to read their privacy policies to learn more.

Security practices. The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect.

Changes to this Privacy Policy. We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy we will notify you by email or through the Services if we are required to do so by applicable law.

How to Contact Us

Daasity, Inc.
4250 Executive Square
Suite 200
San Diego, CA 92037
privacy@daasity.com

Notice to European Users

The following applies to individuals in the European Economic Area.

Controller. Daasity, Inc. is the controller of your personal information covered by this Privacy Policy for purposes of European data protection legislation.

Legal bases for processing. We describe the legal bases for our processing of your personal information in the table below. If you have questions about the legal basis of how we process your personal information, contact us at privacy@daasity.com.

| Processing purpose | Legal basis |
| --- | --- |
| To operate and improve the Services; To send you marketing and survey communications; For compliance, fraud prevention and safety | These activities constitute our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on your rights and freedoms (unless we have your consent or are otherwise required or permitted to by law). In some cases, for example where you establish an account on the site, we process your data to fulfill our obligations under a contract with you or with the organization with which you are associated. |
| For compliance with law | Processing is necessary to comply with our legal obligations. |
| With your consent | Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated in the Services. |
| To share your personal information as described in this Privacy Policy | This sharing constitutes our legitimate interests, and in some cases may be necessary to comply with our legal obligations. |

Retention

We retain personal information where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested; to comply with applicable legal, tax or accounting requirements; to establish or defend legal claims; or for fraud prevention). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Cross-border data transfer

If we receive or transfer your personal information from the European Economic Area (“EEA”) to a third country and are required to apply additional safeguards to your personal information under European data protection legislation, we will do so. See our Privacy Shield Statement, below, for more information.

Your rights

European data protection laws give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:

  • Provide you with information about our processing of your personal information and give you access to your personal information.
  • Update or correct inaccuracies in your personal information.
  • Delete your personal information.
  • Transfer a machine-readable copy of your personal information to you or a third party of your choice.
  • Restrict the processing of your personal information.
  • Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.

You may submit these requests by email to privacy@daasity.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.

You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en

Cookie Policy

This Cookie Policy explains how Daasity, Inc. (“Daasity”, “we”, “us” or “our”) uses cookies and similar tracking technologies when you visit our website at www.Daasity.com or any other site to which we post this Cookie Policy (the “Sites”).

What are cookies?

Cookies are small data files that are placed on your computer when you visit a site. Cookies serve different purposes, like helping us understand how a site is being used, letting you navigate between pages efficiently, remembering your preferences and generally improving your browsing experience.

Who places cookies on my device?

Cookies set by the site you visit are called “first party cookies”. Cookies set by parties other than us are called “third party cookies”. Third party cookies enable third party features or functionality within the site, such as site analytics. The parties that set these third party cookies can recognize your computer or device both when it visits the site in question and also when it visits certain other sites and/or mobile apps. We do not control how these third parties use your information, which is subject to their own privacy policies. See below for details on use of third party cookies and similar technologies with our Sites.

How long will cookies stay on my device?

The length of time a cookie will stay on your device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay on your browsing device after you have finished browsing until they expire or are deleted.

What other tracking technologies should I know about?

Cookies are not the only way to track visitors to a site or app. Companies use tiny graphics files with unique identifiers called beacons (and also “pixels” or “clear gifs”) to recognize when someone visits its sites. These technologies often depend on cookies to function properly, and so disabling cookies may impair their functioning.

What types of cookies and similar tracking technologies does Daasity use?

We use cookies and other tracking technologies in the following categories described in the table below.

| Type | Description | Who serves the cookies | How to control them |
| --- | --- | --- | --- |
| Analytics | These cookies help us understand how our Sites are performing and being used. These cookies may work with clear gifs included in emails we send to track which emails are opened and which links are clicked by recipients. | Google Analytics | See ‘your choices’ below. |

Google Analytics uses its own cookies. You can find out more information about Google Analytics cookies here and about how Google protects your data here. You can prevent the use of Google Analytics relating to your use of our Sites by downloading and installing a browser plugin available here.

Your choices

Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, the Sites may not work properly.

For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit http://www.allaboutcookies.org.

For more information about how we collect, use and share your information, see our Privacy Policy.

Changes

Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes.

Questions

If you have any questions about this Cookie Policy, please contact us by email at privacy@daasity.com.

Product Privacy Statement

Daasity, Inc. (“Daasity”) provides a platform that helps direct to consumer organizations (“Users”) make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data by integrating the data points into our platform and placing the data into a useful context.

This Services Privacy Statement explains how we collect, use, disclose, and otherwise process personal data that Users process via our platform. Daasity is the data processor with respect to the personal data, and Users are the data controllers or are otherwise authorized by data controllers to direct Daasity to process the personal data.

Daasity’s processing of personal data is governed by this Privacy Statement and our customer agreements. In the event of any conflict between this Privacy Statement and a customer agreement, the customer agreement will control to the extent permitted by applicable law.

Information We Collect

When Users upload data into our platform, the information they upload may include personal information, such as order history or marketing history that can be associated with individuals.

How We Use Information

Our platform allows Users to manipulate and analyze the information they upload into the platform. We use the personal data to facilitate the manipulation, analysis and other processing of data in the platform. We also use the information to provide customer support to our Users, to maintain and improve our platform, develop new services for our Users, comply with applicable law, enforce the terms and conditions that govern the platform, protect our rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

We may also use the information we process in the platform to generate de-identified or aggregate analytics, which cannot be associated with any User or the individuals to whom the information pertains.

How We Share Information

We may share personal data with third party service providers that provide services in connection with our platform. We authorize these third parties to access personal information only to the extent necessary for them to provide services to Daasity or Users.

We may also share personal information as required by law or legal process, enforce the terms and conditions that govern the platform, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

We may transfer the personal data as part of Daasity’s platform or other assets in connection with a business transaction, such as a merger, consolidation, acquisition, reorganization, or in the event of bankruptcy. In the event of such a transfer, we will require the transferee to continue to abide by the terms of this Privacy Statement and any customer agreements that govern our processing of the personal information, as specified in detail in the relevant customer agreements.

Information Security

We employ a number of organizational, technical and physical safeguards designed to protect the personal information in our platform, as we further describe on our Security Overview webpage.

Data Subject Rights

Users are responsible for responding to requests that individuals submit to exercise any privacy rights, to the extent such requests are submitted by or on behalf of individuals to whom the personal information the Users process using the platform pertains. Daasity will assist Users in responding to such requests as set forth in the customer contract.

Cross Border Data Transfer

We may transfer personal data outside of the country in which Users provide it, including to the United States. In this case, we will safeguard the data as described in this Privacy Statement and the relevant customer agreements.

Data Retention

Daasity retains personal data for as long as necessary to (a) facilitate User’s processing of personal data via the platform; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of customer agreements, as described in the customer contracts.

Third Party Products and Services

The Services may integrate with or enable access to third party tools. Third party tools registered, installed, or accessed by end users are governed by those third party providers’ privacy notices. Please review those notices carefully, as Daasity does not control and cannot be responsible for these providers’ privacy or information security practices.

Contact Us

If you have any question about this Privacy Statement, you can contact our privacy team at privacy@daasity.com.

Privacy Shield Statement

Daasity complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries transferred to the United States pursuant to Privacy Shield. Daasity has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Daasity is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

This Privacy Shield Statement explains how Daasity complies with the Privacy Principles in handling Personal Data.

The Privacy Shield Privacy Principles are:

Scope

Our Privacy Shield certification and this Privacy Shield Statement apply to Personal Data – personal information that we process on our own behalf or on behalf of our clients through our platform, to the extent the information is transferred from the EEA to Daasity in the United States.

Daasity’s Role in Processing Personal Data

Daasity provides a platform that helps individuals and organizations in the direct to consumer community (“Users”) make optimal use of the vast quantities of highly complex customer, order, product, marketing and supply chain data by integrating the data points into our platform and placing the data into a useful context (the “Services”).

Daasity acts as a processor for the Services. This means that Daasity is a vendor that processes Personal Data on behalf of and on the instructions of Users. The Users act as data controllers or have been authorized by data controllers to instruct Daasity. Users control the purposes for which Daasity processes Personal Data, and are responsible for the processing to individuals to whom the Personal Data pertains. See our Product Privacy Statement for more information.

Daasity also may act as a controller when we collect or process data about visitors and Users of our Services. See our Privacy Policy Statement for more information.

Notice

When it acts as a processor, Daasity relies on its Users to provide notice to individuals regarding our privacy practices associated with the Services. Daasity has informed its Users that they are responsible for providing the notice. To assist Users in providing notice, we have provided Users with our Services Privacy Statement, which explains our privacy and security practices with respect to Personal Data.

Choice

Daasity has informed its Users that they are responsible for providing individuals with any required privacy choices regarding Daasity’s processing of Personal Data on behalf of the User. Daasity does not use Personal Data for purposes other than to provide our services, and as otherwise authorized by relevant customer agreements. We do not share Personal Data with third parties for those parties’ own purposes, except as follows:

We may share Personal Data with third party service providers that provide services in connection with our platform. We authorize these third parties to access Personal Data only to the extent necessary for them to provide services to Daasity or Users.

We may also share Personal Data as required by law or legal process, enforce the terms and conditions that govern the platform, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@daasity.com.

Accountability for Onward Transfer of Personal Data

Daasity may share Personal Data with third party services providers that perform services on behalf of Daasity. Daasity does not authorize these service providers to use or disclose the Personal Data except as necessary to perform services on behalf of Daasity or Daasity Users, or to comply with legal requirements. Daasity maintains contracts with these providers restricting their access, use and disclosure of Personal Data in compliance with the Privacy Principles, and requiring these providers to appropriately safeguard the privacy and security of the Personal Data they process. If Daasity has knowledge that a third party to which it has disclosed Personal Data subject to this Privacy Shield Statement is processing such Personal Data in a way that is inconsistent with the Principles, or if Daasity has knowledge that such third party is no longer capable of processing such Personal Data consistent with the Principles, Daasity will take reasonable and appropriate steps to prevent or stop and remediate such processing.

Daasity’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Daasity remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Daasity proves that it is not responsible for the event giving rise to the damage.

Security

Daasity takes reasonable and appropriate measures to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction, as further described in our Security Overview webpage.

Data Integrity and Purpose Limitation

Daasity limits the Personal Data it collects to the Personal Data that is relevant for the purpose(s) for which it is being processed. Daasity does not use Personal Data for purposes incompatible with the purpose(s) for which it was collected.

In addition, Daasity takes reasonable steps to ensure that the Personal Data it processes is reliable for its intended use and is accurate, complete and current. Daasity depends on its Users to provide accurate Personal Data to Daasity and to correct and keep such Personal Data up to date, or to instruct merchants and consumers to do so.

Access

Users are responsible for responding to requests that individuals submit to exercise any privacy rights, to the extent such requests are submitted by or on behalf of individuals to whom the personal information the Users process using the platform pertains. Daasity will assist Users in responding to such requests as set forth in the customer contract.

Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@daasity.com. If requested to remove data, we will respond within a reasonable timeframe.

Recourse, Enforcement and Liability

Daasity has established procedures for periodically reviewing and verifying the accuracy of this Privacy Shield Statement, for verifying the company’s implementation of and compliance with the Principles, and for remedying any issues identified during such reviews. Daasity conducts an annual self-assessment of its Personal Data practices to verify that the attestations and assertions the company makes about its privacy practices are true, that the company’s privacy practices have been implemented as represented, and that any identified issues have been remedied. Daasity personnel with access to the Personal Data covered by this policy are responsible for conducting themselves in accordance with the policies described in this Privacy Shield Statement, the failure of which may result in disciplinary action up to and including termination.

In compliance with the Privacy Shield Principles, Daasity commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact Daasity by email at privacy@daasity.com.

Daasity will respond to any such inquiries or complaints within forty-five (45) days.

Daasity has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

US Federal Trade Commission Jurisdiction

Daasity’s commitments under the Principles are subject to the jurisdiction and the investigatory and enforcement authority of the United States Federal Trade Commission.

Required Disclosure

Daasity may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

How to Contact Us

If you have any questions, comments or concerns about this Privacy Shield Statement, please contact us at privacy@daasity.com.

Data Processing Addendum

This Data Processing Addendum (the “Addendum”) forms part of the underlying Terms of Service executed between Daasity, Inc. (“Daasity”) and the identified User, inclusive of any amendments thereto, pursuant to which Daasity provides the Services to User (the “Agreement”), to the extent the Processing of User Data is governed by Data Protection Laws and Regulations, and reflects the parties’ agreement with regard to the Processing of Personal Data (as defined below) in accordance with the requirements of the applicable Data Protection Laws and Regulations. This Addendum is governed by and subject to the terms and conditions of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Services to User pursuant to the Agreement, Daasity only Processes Personal Data on behalf of User pursuant to the Instructions. The parties agree to comply with the following provisions with respect to any Personal Data contained in User Data. Nothing in this Addendum shall alter the parties’ agreement, as set forth in the Agreement, with respect to representations, warranties, liability, indemnification, or any other commercial terms with respect to data protection or data security; in the event of any such conflict between this Addendum and the Agreement, the Addendum shall prevail only to the extent of such conflict.

  1. Definitions

1.1 “User Data” has the same meaning as in the Agreement (whether referred to as User Data or Partner Data).

1.2 “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

1.3 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.

1.4 “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement, and including the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) as of its effective date.

1.5 “Data Subject” means the individual to whom Personal Data relates.

1.6 “Data Subject Request” means a Data Subject’s request to access, correct, amend, transfer, block or delete that person’s Personal Data consistent with that person’s rights under Data Protection Laws and Regulations.

1.7 “GDPR Assistance Materials” means those materials Daasity provides to its general customer base as information on the Services’ Processing of User’s Personal Data and, where required under Data Protection Laws and Regulations, as assistance for User’s data protection impact assessment(s) and/or prior consultations with Regulators. GDPR Assistance Materials will include, at a minimum, the Daasity Product Privacy Statement, our Security Overview webpage, Daasity’s current security certifications and reports, such as Privacy Shield Certification.

1.8 “Instructions” means User’s instructions to Daasity with respect to the Processing of Personal Data, comprising the Agreement and any written amendments to the Agreement, and any sale or work orders or amendments thereto.

1.9 “Personal Data” has the meaning set forth in Data Protection Laws and Regulations, namely (and without limitation) any information relating to an individual Data Subject, including sensitive data, to the extent such data is contained in User Data.

1.10 “Regulator” means any supervisory authority with authority under Data Protection Laws and Regulations over all or any part of the provision or receipt of the Services or the Processing of Personal Data.

1.11 “Subprocessor” means any Data Processor engaged by Daasity to support delivering the Services.

1.12 “Subprocessor List Page” means Daasity’s Subprocessors Page available at https://www.daasity.com/legal/subprocessors

  2. Subject matter, duration, nature and purpose of the processing, type of personal data and categories of data subjects

2.1 Subject-matter of the Processing. The Processing of Personal Data is carried out pursuant to the Agreement, including as described in the Daasity Services Privacy Notice and in Appendix 1 of this Addendum.

2.2 Duration of the Processing. The Processing begins and ends with performance of the Services for the User, as specified in the Instructions.

2.3 Nature and Purpose of the Processing. The purpose and object of the Processing of Personal Data by Daasity is to perform and provide the Services pursuant to the Instructions, as specified in Appendix 1 of this Addendum.

2.4 Type of Personal Data and Categories of Data Subjects. The type of personal data and categories of affected Data Subjects are set out in Appendix 1 of this Addendum.

  3. Instructions, commitment to confidentiality

3.1 Daasity’s Processor Role. Daasity shall only Process Personal Data on behalf of the User. The User is the Data Controller or otherwise provides Instructions to Daasity on behalf of and as specifically authorized by the Data Controller.

3.2 Instructions. Daasity shall only Process Personal Data on behalf of and in accordance with the Instructions and shall protect Personal Data as User Data and/or Confidential Information. User shall ensure that its Instructions to Daasity comply with Data Protection Laws and Regulations. The Instructions are User’s complete and final instructions to Daasity for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately with prior written agreement between User and Daasity.

3.3 Commitment to Confidentiality. Daasity shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality. Daasity shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Daasity restricts its personnel from Processing Data to those personnel who require such access to perform the Agreement.

  4. Security of personal data

4.1 Security Controls. Daasity maintains appropriate administrative, organizational and technical controls as set out in Appendix 2 of this Addendum. Daasity may update or modify the stated security controls from time to time provided that such updates and modifications meet or exceed the stated security controls. User agrees that Daasity has no obligation to protect Personal Data that User elects to store outside of Daasity and its backup systems. User has assessed the level of security appropriate to the Processing of Personal Data in the context of its obligations under Data Protection Laws and Regulations and agrees that the security measures set out in Appendix 2 of this Addendum are consistent with such assessment.

  5. Subprocessors

5.1 Appointment of Subprocessors and User Consent. User acknowledges and specifically authorizes Daasity’s use of its Subprocessors existing as of the Effective Date, including subprocessors listed on the Subprocessors Page. User hereby gives a general authorization to further Subprocessors, provided Daasity follows the following procedure:

(a) Daasity agrees to provide notice to User of any new or replacement Subprocessor that Processes Personal Data under the Agreement thereby giving the User the opportunity to object to such changes within ten (10) days from the date of receipt of notice (Subprocessor Notice). User agrees that it will not object to any Subprocessor with which Daasity has executed a written agreement that obligates the Subprocessor to (i) protect such Personal Data to the same extent as is required of Daasity by the Agreement and this Addendum, and (ii) be in compliance with applicable Data Protection Laws and Regulations.

(b) If User has reasonable grounds to object to Daasity’s use of a new or replacement Subprocessor, User shall notify Daasity promptly in writing within ten (10) days after receipt of the Subprocessor Notice and specify those grounds. Such reasonable grounds (provided that such reason does not conflict with the Conditions above) may be that the new or replacement Subprocessor is unlikely to be able to comply with the terms of the Agreement so far as they relate to the protection of Personal Data, or other reasons that are at least as important. User acknowledges that Daasity provides a standardized service to all customers which does not allow using different Subprocessors for different customers and, therefore, that the inability to use a particular new or replacement Subprocessor for the Services to the User may result in delay in performing the Services, inability to perform the Services or increased fees. Daasity will notify User in writing of any change to Services or fees that would result from Daasity’s inability to use a new or replacement Subprocessor to which User has objected. User may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. This termination right shall be User’s sole and exclusive remedy for such termination of the Agreement.

5.2 Processing Restrictions. Daasity will require Subprocessors to only access and use Personal Data in accordance with the terms of the Agreement (including this Addendum) and will bind the Subprocessors by written obligations: (i) that require them to provide at least the level of data protection required by Data Protection Laws and Regulations and by the Agreement; and (ii) where applicable, that impose the level of data protection required by the Privacy Shield.

5.3 Liability. Daasity shall be liable for the acts and omissions of its Subprocessors to the same extent Daasity would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum.

5.4 List of Current Subprocessors and Notification of New Subprocessors. A current list of Subprocessors as may be used for Processing Data is available to User without charge. Daasity will keep the Subprocessor list current and inclusive of any new Subprocessors and will make available to User the updated Subprocessor list upon request by User. Daasity shall notify User prior to using any Subprocessor not included in such list, in accordance with clause 5.1 above.

  6. Rights of data subjects and cooperation with regulators

6.1 Correction, Deletion and Blocking. To the extent User, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data as required by Data Protection Laws and Regulations, Daasity shall provide User with assistance to comply with any reasonable request by User to facilitate such actions to the extent Daasity is legally permitted to do so. User shall be responsible for any costs arising from Daasity’s provision of such assistance.

6.2 Data Subject Requests. Daasity shall, to the extent legally permitted, promptly notify User if it receives a Data Subject Request. Daasity shall not respond to any such Data Subject request without User’s prior written consent except to confirm that the request relates to User, unless the Data Subject request relates only to that Data Subject’s registration data for accessing the Services. Daasity shall provide User with assistance in relation to handling of a Data Subject Request, to the extent legally permitted and to the extent User does not have access to such Personal Data through its use of the Services. If legally permitted, User shall be responsible for any costs arising from Daasity’s provision of such assistance.

6.3 Daasity shall promptly notify User of all enquiries from a Regulator that Daasity receives which relate to the Processing of Personal Data or the provision to or receipt of the Services by User, unless prohibited from doing so by law or by the Regulator.

6.4 Unless a Regulator requests in writing to engage directly with Daasity or the parties (acting reasonably and taking into account the subject matter of the request) agree that Daasity shall handle a Regulator request itself, User shall: (a) be responsible for all communications or correspondence with the Regulator in relation to the Processing of Personal Data and the provision or receipt of the Services; and (b) keep Daasity informed of such communications or correspondence to the extent permitted by law.

  7. Assistance and information for data protection impact assessment, notifications

7.1 The information made available as GDPR Assistance Materials is intended to assist User in complying both with its obligations under the GDPR, such as data protection impact assessment(s), prior consultation with the Regulator and other Regulator inquiries, and with any requests by User with respect to Daasity’s privacy practices, including any audit request (“Privacy Inquiries”). User agrees that Daasity’s GDPR Assistance Materials will be used to fulfill User’s Privacy Inquiries. Except as otherwise agreed to in the Agreement, in the event that User requires information in addition to the GDPR Assistance Materials, including to demonstrate compliance with this Addendum, such information shall be made available under a separately-executed audit support agreement. User shall be responsible for the costs on a time and materials basis for Daasity’s provision of such assistance at Daasity’s then-current Professional Services rates.

7.2 If Daasity becomes aware of a security incident which leads or is likely to lead to a material infringement of Data Protection Laws and Regulations, or of this Addendum, that compromises the security, confidentiality or integrity of Personal Data and that would require reporting to a regulatory authority (as defined under applicable Data Protection Laws and Regulations) (a “Security Incident”), Daasity will notify User of such Security Incident without undue delay. Daasity will take appropriate actions to contain, investigate and mitigate the Security Incident and work with User to provide information to User concerning the Security Incident, and will assist User with any required notifications to affected individuals, subject to any related limitations set forth in the Agreement. Notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Daasity of any fault or liability with respect to the Security Incident.

7.3 Except as otherwise agreed to in the Agreement, to the extent that the Security Incident is the result of Daasity’s failure to comply with the terms of the Agreement or this Addendum, Daasity shall bear the actual, reasonable costs of notifying affected individuals. Daasity and User shall mutually agree on the content and timing of any such notifications, in good faith and as needed to meet applicable legal requirements. Notwithstanding the preceding sentence, the parties agree that Daasity shall have no obligation to send notification letters or provide credit monitoring for User unless such letters are legally required or otherwise reasonably required to alert individuals of potential harm.

  8. Deletion or return of personal data

8.1 Daasity shall return Personal Data to User or delete Personal Data in accordance with the terms of the Agreement and the policies and schedules set forth in Daasity’s Record Retention Policy and Schedule, which Policy and Schedule adhere to limitations required by law and regulation, including Good Clinical Practices (ICH GCP), except as required by law or as required in order to defend any actual or possible legal claim.

8.2 User acknowledges and agrees that Daasity shall have no liability for any losses incurred by User arising from or in connection with Daasity’s inability to perform the Services as a result of Daasity complying with a request to delete or return Personal Data made by User under this Section 8.

  9. Making available information to demonstrate compliance

9.1 Distribution of GDPR Assistance Materials. Daasity will make available upon User request its GDPR Assistance Materials (along with such additional information as the parties may agree to as part of an audit support agreement, described in Section 7.1) to demonstrate compliance with this Addendum and Data Protection Laws and Regulations.

  10. Privacy shield framework

10.1 To the extent Daasity receives in the United States User Data from the European Union, it will handle such User Data in accordance with the EU-US Privacy Shield Framework (Privacy Shield). Daasity will maintain certification under the Privacy Shield for the duration of the Agreement.

  11. Miscellaneous

11.1 Nondisclosure. The terms of this Addendum are not publicly known and constitute Confidential Information under the Agreement. User may only disclose the terms of this Addendum to a data protection Regulator to the extent required by law or regulatory authority. User shall take reasonable steps to ensure that data protection Regulators do not make the terms of this Addendum public, including by marking any copies as “Confidential and Commercially Sensitive,” requesting return of any copies, and requesting prior notice and consultation before any public disclosure.

11.2 Termination. This Addendum will terminate when Daasity ceases to Process Personal Data, except as otherwise agreed in writing between the parties.

Appendix 1: Subject matter and details of the data processing

Subject Matter: Daasity’s provision of the Services to Customer. Nature and Purpose of the Processing: Daasity will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Addendum.

Appendix 2: Security measures

Daasity will implement and maintain the Security Measures set out in this Appendix 2. Daasity may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.

  1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Daasity’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Daasity’s organization, monitoring and maintaining compliance with Daasity’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data that is: a. transmitted over public networks (i.e. the Internet).
  4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access when employment terminates or changes in job functions occur).
  5. Password controls designed to manage and control password strength, expiration and usage and requiring that Daasity’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Daasity’s computer systems; (iii) must be changed every ninety (90) days; must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
  6. Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Daasity facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
  7. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Daasity’s technology and information assets.
  8. Incident / problem management procedures designed to allow Daasity to investigate, respond to, mitigate and notify of events related to Daasity’s technology and information assets.
  9. Network security controls that provide for the use of enterprise firewalls, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Subprocessors List

List of Subprocessors: