DATA PROCESSING ADDENDUM FOR DATAHAPPY SERVICES

This Data Processing Addendum for DataHappy Services (“DPA”) forms a part of the DataHappy Terms of Use between Drivn Ltd and Customer (“Agreement”) which apply to the Customer’s use of the DataHappy service. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

This DPA is an addendum to and forms a part of the Agreement, and shall be legally binding with effect from the commencement of the Agreement. If any terms of this DPA are inconsistent with the terms of the Agreement, including the exhibits thereto, then the terms of this DPA shall prevail.

  1. BACKGROUND

    1. This DPA applies to Customer Personal Data provided by Customer as a Data Controller in connection with their use of DataHappy. It states the technical and organizational measures Drivn uses to protect Customer Personal Data in the course of acting as a Data Processor when providing DataHappy.
    2. If processing of Customer Personal Data involves an International Transfer, the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses, as the case may be, apply, and as stated in Section 5 and are incorporated by reference.
  2. APPENDICES

    Customer as a Data Controller determines the purposes of collecting and processing Customer Personal Data in DataHappy. Appendix 1 states the details of the processing Drivn will provide via DataHappy under the Agreement. Appendix 2 states the technical and organizational measures Drivn applies to DataHappy, unless the Agreement states otherwise. Appendix 3 defines the applicable modules and options for the EU Standard Contractual Clauses and the UK Standard Contractual Clauses.

  3. DRIVN OBLIGATIONS

    1. Drivn will follow instructions received from Customer with respect to Customer Personal Data, unless they are (i) legally prohibited or (ii) require material changes to DataHappy. In the event and to the extent the functionality of DataHappy does not allow Customer or authorized users to do so, Drivn may correct, block or remove any Customer Personal Data in accordance with Customer’s instruction. If Drivn cannot comply with an instruction, it will notify Customer (email permitted) without undue delay.
    2. Drivn will use the appropriate technical and organizational measures to protect all Customer Personal Data.
    3. Drivn shall notify Customer without undue delay but in no event later than seventy-two (72) hours of its discovery of a Security Breach.
    4. At Customer’s request, Drivn will reasonably support Customer in dealing with requests from Data Subjects or regulatory authorities regarding Drivn’s processing of Customer Personal Data.
    5. Upon termination of the Agreement for whatever reason, and upon Customer’s written request made within thirty (30) days after such termination, Drivn will (as applicable) return to Customer or destroy all Customer Personal Data. After such 30-day period, Drivn will destroy such Personal Data.
  4. SUBPROCESSORS

    1. Customer authorizes Drivn to subcontract the processing of Customer Personal Data to Subprocessors. Drivn is responsible for any breaches of the Agreement caused by its Subprocessors.
    2. Subprocessors will have the same obligations in relation to Drivn as Drivn does as a Data Processor (or Subprocessor) with regard to their processing of Customer Personal Data.
    3. Drivn will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection. Subprocessors may have security certifications that evidence their use of appropriate security measures. If not, Drivn will regularly evaluate each Subprocessor’s security practices as they relate to data handling.
    4. Drivn’s use of Subprocessors is at its discretion, provided that:
      1. Drivn will notify Customer in advance (by email or such other means which Drivn makes available to its customers) of any changes to the list of Subprocessors in place as of the commencement of provision of DataHappy (except for Emergency Replacements or deletions of Subprocessors without replacement).
      2. If Customer has a legitimate reason that relates to the Subprocessors’ processing of Customer Personal Data, Customer may object to Drivn’s use of a Subprocessor, by notifying Drivn in writing within thirty days after receipt of Drivn’s notice. If Customer objects to the use of the Subprocessor, the parties will come together in good faith to discuss a resolution. Drivn may choose to: (i) not use the Subprocessor or (ii) take the corrective steps requested by Customer in its objection and use the Subprocessor. If none of these options are reasonably possible and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty days’ written notice. If Customer does not object within thirty days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.
      3. If Customer’s objection remains unresolved sixty days after it was raised, and Drivn has not received any notice of termination, Customer is deemed to accept the Subprocessor.
      4. The list of Subprocessors current as of the commencement of provision of DataHappy is set out in Appendix 1.
    5. Drivn may change a Subprocessor where the reason for the change is outside of Drivn’s reasonable control. In this case, Drivn will inform Customer of the replacement Subprocessor as soon as possible. Customer retains its right to object to a replacement Subprocessor under Section 4.4.2.
  5. INTERNATIONAL TRANSFERS

    1. Personal Data from EEA, UK, or Swiss Data Controller(s) may only be exported to or accessed by Drivn or its Subprocessors outside the EEA, the UK, or Switzerland, as applicable (“International Transfer”):
      1. if the recipient, or the country or territory in which it processes or accesses Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction; or
      2. in accordance with Section 5.2.
    2. The UK or EU Standard Contractual Clauses (as applicable) apply where:
      1. there is an International Transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction, and/or
      2. there is an International Transfer to a recipient that is not covered by an appropriate safeguard, including, but not limited to, binding corporate rules, an approved industry code of conduct, and individual adequacy decision by a regulatory body of competent jurisdictions, or an individual transfer authorisation granted by a regulatory body of competent jurisdiction.
    3. For Third Country Subprocessors, Drivn shall ensure that such Subprocessor has entered into the unchanged version of the UK or EU Standard Contractual Clauses prior to the Subprocessor’s processing of Personal Data.
    4. Nothing in this DPA will be construed to prevail over any conflicting clause of the UK or EU Standard Contractual Clauses.
  6. DEFINITIONS

    Customer Personal Data” means any Personal Data that the Customer or any of its Users uploads to DataHappy.

    Data Protection Legislation” means the Data Protection Act 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council, (the General Data Protection Regulation); any other existing or future law, directive or regulation (anywhere in the world) relating to the Processing of Personal Data or privacy, to which Drivn is subject.

    Data Controller”, “Data Processor”, “Data Subject”, “Processing” and “Personal Data” have the meanings given to those expressions or any equivalent or corresponding expressions in the Data Protection Legislation.

    EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Lichtenstein and Norway.

    EU Standard Contractual Clauses” shall mean the standard contractual clauses promulgated by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (C/2021/3972) on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

    Security Breach” means a confirmed accidental or unlawful destruction, loss, alteration, or disclosure that results in the compromise of the integrity and/or confidentiality of Personal Data. They include Appendices 1 and 2 attached to this DPA.

    Subprocessor” means Drivn affiliates and third parties engaged by Drivn or Drivn’s affiliates to process Personal Data.

    Third Country Subprocessor” means any Subprocessor incorporated outside the EEA and outside any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

    UK Standard Contractual Clauses” means the UK Data Transfer Addendum, being the applicable EU Standard Contractual Clauses as amended by a data transfer addendum in a form adopted by the UK ICO, as amended, superseded or replaced from time to time.

APPENDIX 1


DETAILS OF DATA PROCESSING

Data Exporter

Name: The Customer acting as a Data Controller subscribed to a Service that allows authorized users to enter, amend, use, delete or otherwise process Personal Data, as identified in the Agreement.

Address: As stated in the Agreement.

Contact person’s name, position and contact details: As stated in the Agreement.

Role: (Controller/Processor): Controller