Supplemental Terms to Wunder Data Processing Addendum – Controller
These Wunder Data Processing terms (“Terms”) are incorporated by reference into the Wunder Data Processing Addendum (the “Addendum” or “DPA”) that further modifies the platform or services agreement (“Agreement”) currently in place between Company (as defined in the applicable DPA) and Wunder. The parties agree to comply with the following provisions with respect to any Personal Data of Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purpose of these Terms is to ensure such Processing is conducted in accordance with Data Protection Laws, including the GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including the DPA and these Terms. Except as amended by these Terms, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. Capitalized terms used but not defined in these Terms have the same meanings as set out in the Addendum and the Agreement. To the extent that these Terms differ from those in the Agreement or Addendum, the terms of these Terms shall govern.
1.1 “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
1.2 “Wunder Third Party Partner” means any entity, exclusive of any Wunder engaged Processors or Sub-processor, engaged by Wunder for the Processing of Personal Data.
1.3 “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR; (b) the UK Data Protection Act 2018; and/or (c) the Federal Data Protection Act of 19 June 1992 (Switzerland).
1.4 “Data Subject” means the individual to whom Personal Data relates.
1.5 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. For purposes of clarity, references to the GDPR are intended to include the UK Data Protection Act 2018.
1.6 “Company Third Party Partner” means any entity engaged by Company for the Processing of Personal Data.
1.7 “Security Breach” has the meaning set forth in Section 7 of these Terms.
1.8 “Sub-processor” means any sub-processor engaged by Wunder for the Processing of Personal Data.
1.9 “Supervisory Authority” has the meaning set forth in Article 51 of the GDPR, or means the Federal Data Protection and Information Commissioner of Switzerland, as applicable.
1.10 “Term” means the period from the date these Terms are incorporated into the DPA until the date the DPA is terminated in accordance with Section 10.1.
1.11 The terms “Controller,” “Personal Data,” “Processor,” “Processed” and “Processing” have the meanings given to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in the GDPR will apply.
2 PROCESSING OF PERSONAL DATA – ARRANGEMENT BETWEEN CONTROLLERS
2.1 The parties agree that Company and Wunder are each Controllers with respect to the Processing of Personal Data under these Terms, as described in Appendix 1. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Both parties shall keep a record of all Processing activities with respect to Personal Data covered under these Terms as required under the GDPR.
2.2 Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under these Terms, including but not limited to: (i) providing the other party with accurate and up-to-date contact details for its Data Protection Officer; (ii) providing reasonable information and assistance to the other party in conducting data protection impact assessments as required by Data Protection Laws; and (iii) providing reasonable information and assistance to the other party regarding consultations between that party and a Supervisory Authority. Company shall, in its use or receipt of the Services covered under these Terms, Process Personal Data in accordance with the requirements of the Data Protection Laws. Wunder shall, in its provision of the Services covered under these Terms, Process Personal Data in accordance with the requirements of the Data Protection Laws. Each party shall have individual responsibility for determining its legal basis for processing Personal Data covered under these Terms. As between the parties, Company shall have sole responsibility (to the extent legally required) to obtain all consents from Data Subjects necessary for the collection, storage (e.g., via HTTP cookies) and Processing of Personal Data in the scope of the Services covered under these Terms. Wunder will provide a list of any Wunder Third Party Partners to Company as necessary to enable Company to comply with this Section 2.2.
2.3 The objective of Wunder’s Processing of Personal Data is the performance of the Services covered under these Terms pursuant to the Agreement. Company agrees that Wunder will Process Personal Data covered under these Terms for the following purposes: (i) Processing in accordance with the Agreement in order to provide the Services covered under these Terms; and (ii) Processing to comply with other reasonable instructions provided by Company where such instructions are acknowledged by Wunder as consistent with the terms of the Agreement. Wunder may Process Personal Data other than as written herein if it is mandatory under applicable law to which Wunder is subject. In this situation Wunder shall inform Company of such a requirement unless the law prohibits such notice.
2.4 Each party is separately responsible for honoring Data Subject requests which pertain to Personal Data governed by this Section 2 under Data Protection Law (including their rights of access, correction, objection, erasure and data portability, as applicable) and for responding to correspondence, inquiries and complaints from Data Subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Section 2.4. If required by Article 21 of the GDPR, Company shall make available the mechanism(s) by which Wunder enables Data Subjects to object to Processing.
3 INTENTIONALLY LEFT BLANK
4 Wunder AND COMPANY PERSONNEL
4.1 Both parties shall ensure that their respective personnel engaged in the Processing of Personal Data under these Terms are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
4.2 Wunder will take appropriate steps to ensure compliance with the Security Measures outlined in Appendix 2 by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data covered under these Terms have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that any such obligations survive the termination of that individual’s engagement with Wunder. With respect to any Personal Data Processed by Company under these Terms, Company hereby represents and warrants that its security measures are at least as stringent as those of Wunder.
4.3 Wunder shall ensure that access to Personal Data covered under these Terms is limited to those personnel who require such access to perform the Services. Company shall ensure that access to Personal Data covered under these Terms is limited to those personnel who require such access to receive the Services.
5 SECURITY; AUDIT RIGHTS
5.1 Wunder shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under these Terms. Wunder will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Wunder’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Wunder may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
5.2 Both parties will (taking into account the nature of the processing of Personal Data under these Terms) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under these Terms, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) in the case of Wunder, implementing and maintaining the Security Measures in accordance with Appendix 2; and (b) complying with the terms of Section 7 of these Terms.
5.3 Company may engage a mutually agreed upon third party to audit Wunder solely for the purposes of meeting its audit requirements pursuant to Article 28(3)(h) of the GDPR. To request an audit, Company must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to privacy@Wunder.co. The auditor must be approved in advance by Wunder (such approval may not be unreasonably withheld) and must execute a written confidentiality agreement acceptable to Wunder before conducting the audit. The audit must be conducted during regular business hours, subject to Wunder’s policies, and may not unreasonably interfere with Wunder’s business activities. Any such audits are at Company’s expense, and any request for Wunder to provide assistance which requires the use of resources different from or in addition to those required by law may be charged as a separate service by Wunder under a reasonable fee structure that takes into account the resources expended by Wunder. Company shall promptly notify Wunder with information regarding any non-compliance discovered during the course of an audit.
6.1 Company acknowledges and agrees that Wunder may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Wunder has retained them to provide, and are prohibited from using Personal Data for any other purpose. Wunder will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in these Terms.
6.2 A list of Sub-processors is available in the Wunder user interface or at a particular web page hosted by Wunder. Wunder may change the list of such other Sub-processors by no less than 10 business days’ notice via the Wunder user interface. If Company objects to Wunder’s change in such Sub-processors, Wunder may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to Company. Where Wunder is processing Personal Data covered under these Terms, Wunder agrees that Processors engaged by Wunder will be treated as Sub-processors solely with respect to the requirements under this Section 6.
6.3 Wunder shall be liable for the acts and omissions of its Sub-processors to the same extent Wunder would be liable if performing the services of each Sub-processor directly under the terms of these Terms, except as otherwise set forth in the Agreement.
6.4 Company acknowledges and agrees that neither Company Third Party Partners nor Wunder Third Party Partners are Sub-processors and Wunder assumes no responsibility or liability for the acts or omissions of such Company Third Party Partners and Wunder Third Party Partners.
7 SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1 If either party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on that party’s equipment or facilities under these Terms (“Security Breach”) which, in the reasonable opinion of that party’s Data Protection Officer, requires notification, such party will promptly notify the other party of the Security Breach. Notifications made pursuant to this section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps the notifying party recommends the other party take to address the Security Breach. Notifications of any Security Breach will take place within a reasonable time and, where required by law, no later than seventy-two (72) hours after discovery. Each party will promptly investigate a Security Breach that occurred on its infrastructure or in another area it is responsible for, and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.
7.2 Both parties agree that an unsuccessful Security Breach attempt will not be subject to this Section 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to these Terms or to any of either party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it maintains accurate contact information.
7.4 Any notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.
7.5 Wunder shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect of the Personal Data. As technical and organizational measures are subject to technological development, Wunder is entitled to implement alternative measures provided they are at least as protective as the Security Measures and do not fall short of the level of data protection set out by Data Protection Law.
8 CROSS-BORDER DATA TRANSFERS
8.1 Wunder may, subject to this Section 8, store and process the relevant Personal Data in the European Economic Area, the United Kingdom and the United States.
8.2 To the extent the Services involve the storage and/or processing of Company’s Personal Data in a manner that transfers Personal Data out of the European Economic Area, Switzerland or the UK to a jurisdiction that does not have adequate data protection laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), both parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the DPA, in the form approved by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended or updated from time to time) (“Standard Contractual Clauses”), shall be incorporated by reference and form an integral part of this DPA. Appendices 1 and 2 of this DPA will take the place of Appendices 1 and 2 of the Standard Contractual Clauses respectively.
8.3 If the Standard Contractual Clauses are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice), or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified approach with respect to such Transferred Personal Data which is in compliance with Data Protection Laws.
8.4 To the extent Company is the recipient of Personal Data from Wunder pursuant to these Terms, Company will provide at least the same level of protection for the information as is available under the Standard Contractual Clauses.
9.1 Both parties agree that their respective liability under these Terms shall be apportioned according to each party’s respective responsibility for the harm (if any) caused by that party.
9.2 Liability Cap Exclusions. Nothing in this Section 9 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
10.1 These Terms will remain in effect until the termination or expiration of the Agreement between the parties.
10.2 Nothing in these Terms shall impact Company’s intellectual property rights with respect to Personal Data provided by Company under the Agreement except to the extent required by applicable law.
10.3 Nothing in these Terms shall confer any benefits or rights on any person or entity other than the parties to these Terms.
Appendix 1 – Subject matter and details of the processing
Data Exporter: Company
Data Importer: Wunderkind Corporation d/b/a Wunder
Data Subjects: The Data Exporter’s customers, other visitors to the Data Exporter’s website, the Data Exporter’s personnel and any other persons affected.
Categories of data: The Personal Data transferred concern the following categories of data: Data Exporter may submit Personal Data to the Data Importer’s proprietary platform (Wunder Platforms), the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
First and last name
Contact information (company, email, phone, physical business address)
Device ID data (cookie ID, AD ID, Mobile ID address and other pseudonymous information and identifiers)
Other data reasonably required to implement the performance requested by Data Exporter under the Agreement.
Special categories of data: The Personal Data transferred concern the following special categories of data (please specify): None
Processing operations: The Personal Data transferred will be subject to the following processing activities:
Processing activities in the performance of the services as set forth in the Agreement for the duration of the Agreement.
Appendix 2 – Description of the technical and operational Security Measures used by the Data Importer
Data Importer will implement and maintain a comprehensive written information security program designed to protect Personal Data from unauthorized access, use, modification, disclosure or destruction, and that complies with the most recent published version of one or more of the following industry security standards: NIST Cybersecurity Framework, ISO 27001, or SANS/CIS Critical Security Controls. As part of its information security program, Data Importer will limit access to Personal Data to the minimum number of Data Importer’s personnel who require such access in order to provide services to Data Exporter. Data Importer shall also provide the appropriate training to its personnel who process Personal Data.
Appendix 2(A) – Supplemental Technical and Operational Measures
Company is data exporter
Wunder is data importer
1. Disclosure Requests and Encryption
a) Notwithstanding other obligations of the Data Importer in this agreement to implement appropriate technical and organizational measures, the Data Importer is obliged, as far as possible, to encrypt Personal Data processed under this agreement immediately upon receipt and to only transmit Personal Data using end-to-end encryption.
b) Data Importer will not disclose Personal Data except: (1) as Data Exporter directs; (2) as expressly authorized in this agreement; or (3) as required by law. All processing of Personal Data is subject to Data Importer’s obligation of confidentiality under this agreement.
c) Data Importer will not intentionally disclose Personal Data to law enforcement, other governmental authority, or other persons (“Requesting Body”) unless Data Importer receives a civil or criminal subpoena, warrant, or other official and written request which:
aa) is issued by a Requesting Body with the authority and jurisdiction to demand the disclosure, and
bb) is, in the reasonable judgment of Data Importer, legally binding on Data Importer and requires Data Importer to disclose Personal Data in response thereto (a “Disclosure Request”).
d) Data Importer affirms that it has not, as of today’s date, been the recipient of a Disclosure Request and shall notify Data Exporter of any Disclosure Request that pertains to Data Exporter’s data during the term of the Agreement unless prohibited from doing so by applicable law. If Data Importer is contacted with a Disclosure Request, Data Importer will:
aa) attempt to redirect the Requesting Body to request that Personal Data directly from Data Exporter instead;
bb) promptly notify Data Exporter and provide a copy of the Disclosure Request unless legally prohibited from doing so;
cc) review the Disclosure Request to determine whether it is valid and if Data Importer has a legal requirement to disclose Personal Data; and
dd) assert its legal rights, including to resist and narrow the demand by taking all available remedies to the fullest extent possible, and/or seek a stay from enforcement of the Disclosure Request.
e) In the event Data Importer is notified by the Requesting Body issuing a Disclosure Request that Data Importer is prohibited by law from giving notice to Data Exporter of the Disclosure Request, Data Importer will use best efforts to relieve itself of any such prohibition so that it may fully disclose such Disclosure Request to Data Exporter and coordinate with Data Exporter in responding to the Disclosure Request solely to the extent possible without incurring additional or outside legal fees or expenses. In any case, Data Importer will provide notice to Data Exporter of the Disclosure Request immediately as soon as legally permissible. Data Importer will notify the Data Exporter of a Disclosure Request by contacting the indicated contact person.
f) Data Importer will only provide Personal Data if, and to the extent that, it is necessary and proportionate to comply with a Disclosure Request. Unless specifically requested by the Requesting Body, Data Importer will not provide any Requesting Body: (a) direct, indirect, blanket, or unfettered access to Personal Data; (b) encryption keys used to secure Personal Data or the ability to break such encryption; or (c) access to Personal Data if Data Importer is aware that the Personal Data is to be used for purposes other than those stated in the Disclosure Request.
g) In support of the above, Data Importer may provide Data Exporter’s basic contact information to the Requesting Body.
h) The parties understand and agree that “best efforts” of the Data Importer in responding to and/or challenging a Disclosure Request are limited to what is reasonable. Under no circumstances is the Data Importer expected to incur additional legal fees or expenses in excess of $1,000 in meeting its obligations under subsections 1(d) through 1(i). If permitted under applicable law, Data Importer will provide Data Exporter with an estimate of any additional legal fees and/or expenses and provide the Data Exporter with the opportunity to pay for such fees and/or expenses.
i) The Data Importer states that: (1) it has not purposefully created back doors or similar programming that could be used to access its systems and/or personal data; (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems; and (3) neither U.S. law nor government policy requires the importer to create or maintain back doors, to facilitate access to personal data or systems, or to be in possession of or hand over the encryption key.
j) The Data Importer has internal policies, organizational methods and standards to support the foregoing.
k) The parties recognize that Data Importer has sole discretion over its approach to adhering to the above and shall not be in breach of this section unless Data Exporter is able to demonstrate willful misconduct or gross negligence.