LEGAL DOCUMENTS
DATA PROCESSING AGREEMENT
Revised November 2022
This Data Processing Agreement ("DPA") forms a part of the Customer Terms of Service found at https://liqvid.io/legal/terms_and_conditions or other written agreement between Liqvid, PTE. LTD. and Customer, as set forth in the signature line below, for the purchase and/or use of Liqvid, PTE. LTD.'s and/or its Affiliates (collectively, "Liqvid") products and/or services (the "Agreement"), and reflects the parties mutual understanding and agreement related to the Processing of Customer's Personal Data (as defined herein) by Liqvid on behalf of Customer.
By signing the DPA, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Privacy and Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below). For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Controller Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. In the event of inconsistencies between any provision of this DPA and any provision of the Agreement, the provisions of this DPA shall prevail. In the event of conflict between the Standard Contractual Clauses (SCCs) and this DPA, the SCCs shall prevail.
HOW THIS DPA APPLIES TO CUSTOMER AND ITS AFFILIATES
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Liqvid entity that is party to the Agreement with Customer is party to this DPA.
If the Customer entity signing this DPA has executed an Order Form with Liqvid or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA shall be deemed to be an addendum to such Order Form and applicable renewal Order Forms, and the Liqvid entity that is party to such Order Form is party to this DPA.
If the Customer entity signing this DPA is neither a party to an Order Form nor an Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.
If the Customer entity is signing this DPA is neither a party to an Order Form nor an Agreement directly with Liqvid, but is instead a Customer indirectly via an authorized reseller of Liqvid's products and/or services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendments to its agreement with the reseller are necessary.
1. DEFINITIONS
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership of or authority to direct more than 50% of the voting interests of the subject entity.
"Applicable Privacy and Data Protection Laws" means all applicable privacy and data protection laws and regulations, including laws and binding regulations that apply to the Processing of Personal Data under the Agreement, or to the privacy of electronic communications, including, to the extent applicable, (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the EU e-Privacy Directive (Directive 2002/58/EC), (ii) in respect of the United Kingdom the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"), (iii) the State laws of California, Colorado, Virginia, Utah, Connecticut and any other U.S. states that are applicable to the Processing of Personal Data, (iv) the Swiss Federal Data Protection Act ("Swiss Data Protection Act") and (v) Singapore's Personal Data Protection Act ("PDPA"), and any legislation or regulations implementing, replacing, amending or made pursuant to such laws (in each case as may be amended or superseded from time to time).
"Controller" shall have the meanings given to them under Applicable Privacy and Data Protection Laws.
"Controller Affiliate" means any of Customer's Affiliate(s) (i) that are subject to Applicable Privacy and Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, Singapore and (ii) permitted to use Liqvid's products and/or services pursuant to the Agreement between Customer and Liqvid, but have not signed their own Order Form and are not a "Customer" as defined under the Agreement.
"Customer Data" means (unless otherwise defined in the Agreement in which case the definition in the Agreement shall apply), all data and information provided by Customer, its Affiliates and its customers to Liqvid in relation to Liqvid's provision of the products and/or services including without limitation message text, files, comments, links and profile information. "Customer Data" does not include non-Liqvid products and/or services.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"EEA" means the European Economic Area.
"Personal Data" means any information that relates to an identified or identifiable natural person or to an identified or identifiable legal entity, to the extent that such information is protected as personal data or personally identifiable information under Applicable Privacy and Data Protection Laws and such data submitted is Customer Data. "Personal Data" as used herein only applies to Personal Data for which Liqvid is a Processor.
"Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" shall have the meanings given to them under Applicable Privacy and Applicable Privacy and Data Protection Laws.
"Liqvid PTE. LTD." means Liqvid, PTE. LTD., a corporation incorporated in Singapore.
"Liqvid" means, collectively, Liqvid PTE. LTD. and its Affiliates engaged in the Processing of Personal Data.
"Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data originating from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data originating from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss Data Protection Act applies, a transfer of Personal Data originating from Switzerland to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner (iv) where the Singapore PDPA applies, a transfer of Personal Data originating from the Singapore to a country outside of the Singapore which is not subject to adequacy regulations adopted pursuant to Section 26 of the PDPA.
"Security Practices" means Liqvid's "Security Practices Datasheet", as updated from time to time, and currently accessible at Exhibit 2.
"Standard Contractual Clauses" or "SCCs" (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council, (the "EU SCCs") and which are hereby incorporated into this DPA; (ii) where the UK GDPR applies, the International Transfer Addendum or Addendum to the EU SCCs for international data transfers issued under Section 119A of the Data Protection Act 2018 and approved by UK Parliament on 21 March 2022 ("International Data Transfer Addendum") and which is hereby incorporated into this DPA; and (iii) where the Swiss Data Protection Act applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs"), in each case as completed as described in Section 11 below. For the purposes of the EU SCCs and the International Transfer Addendum, if applicable, Customer shall be the 'data exporter and Liqvid the 'data importer.
"Sub-processor" means any entity engaged by Liqvid and/or its Affiliates to Process Personal Data in connection with Liqvid's products and/or services.
"Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR for the EU; the Information Commissioner's Office ('ICO') in the United Kingdom; or the Federal Data Protection andInformation Commissioner (FDPIC) in Switzerland.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Liqvid is the Processor. Liqvid may engage Sub-processors pursuant to the requirements set forth in Article 4 "Sub-processors" below to Process such Personal Data.
2.2 Customer's Processing of Personal Data. Customer shall have sole responsibility for the accuracy and quality of Personal Data, the means by which Customer acquired such Personal Data and ensure compliance with laws as it relates to the foregoing. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities that Customer may elect to use and that it will do so in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data. Liqvid will be entitled to rely solely on Customer's instructions relating to Personal Data Processed by Liqvid.
2.3 Liqvid's Processing of Personal Data. With respect to Personal Data Processed by Liqvid as Customer's Processor, Liqvid shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement (ii) Processing initiated by authorized users in their use of Liqvid's products and/or services; and (iii) Processing to comply with other reasonable instructions provided by Customer in writing (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the "Purpose"). Liqvid shall not disclose Personal Data to third parties except: (i) to employees, service providers, or advisers who have a need to know the Personal Data and are under confidentiality obligations at least as restrictive as those described under this DPA, or (ii) as required to comply with valid legal process in accordance with the terms of the Agreement. If Liqvid has reason to believe Customer's instructions infringe the GDPR, UK GDPR or other EEA data protection provisions, or PDPA, then Liqvid will promptly notify Customer. Customer acknowledges and agrees that Liqvid collects cumulative, anonymized data and analytics pertaining to its customers including without limitation Customer ("Unidentifiable Data"), and, provided that such Unidentifiable Data Subject is and will remain unidentifiable, the data is not subject to the deletion requirement set forth in Paragraph 7 ("Return and Deletion of Client Data") herein.
2.4 Details of the Processing. Liqvid agrees that it will Process the Personal Data in relation to the Purpose and the provision of Liqvid's products and/or services. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in the Appendix attached hereto and incorporated herein.
3. RIGHTS OF DATA SUBJECTS & DATA SUBJECT REQUESTS
3.1 Liqvid shall, to the extent legally permitted, promptly notify Customer if Liqvid receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a "Data Subject Request"). Taking into account the nature of the Processing, Liqvid shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to a Data Subject Request under Applicable Privacy and Data
Protection Laws. In addition, to the extent Customer, in its use of Liqvid's products and/or services, does not have the ability to address a Data Subject Request, Liqvid shall, upon Customer's request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Liqvid is legally permitted to do so and the response to such Data Subject Request is required under Applicable Privacy and Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Liqvid's provision of such assistance, including without limitation any fees associated with provision of additional functionality.
4. SUB-PROCESSORS
4.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Liqvid's Affiliates may be retained as Sub-processors; and (b) Liqvid and Liqvid's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the products and/or services. As a condition to permitting a third-party Sub-processor to Process Personal Data, Liqvid or a Liqvid Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor. Customer acknowledges that Liqvid, PTE. LTD. is located in the Singapore and provides Liqvid's products and/or services to Customer. Customer agrees to enter into the SCCs and acknowledges that Sub-processors may be appointed by Liqvid in accordance with Clause 9 of the SCCs incorporated herein.
4.2 List of Current Sub-processors and Notification of New Sub-processors. The then-current list of Sub-processors Liqvid uses to provide the products and/or services, including the identities of those Sub-processors and their country of location, is accessible at SCCs ANNEX III of this Agreement ("Sub-processor List") which may be updated by Liqvid from time to time, but not less than annually when applicable, upon advance written notice to Customer.
4.3 Objection Right for New Sub-processors. Customer may reasonably object to Liqvid's use of a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate Applicable Privacy and Data Protection Laws or weaken the protections for such Personal Data) by notifying Liqvid promptly in writing within 30 business days after Customer becomes aware of such change. Such notice shall include the date the Customer became aware of the new Sub- processor and explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Liqvid will use commercially reasonable efforts to make available to Customer a change in Liqvid's products and/or services or recommend a commercially reasonable change to Customer's configuration or use of Liqvid's products and/or services to avoid Processing of Personal Data by the objected-to new Sub- processor without unreasonably burdening Customer. If Liqvid is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days from the date Liqvid receives written notice from Customer, either party may terminate without penalty the applicable Order Form(s) with respect only to those Liqvid's products and/or services which cannot be provided by Liqvid without the use of the objected-to new Sub-processor by providing written notice to the other party advising of such termination. Liqvid will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Liqvid products and/or services, without imposing a penalty for such termination on Customer.
4.4 Liability. Liqvid shall be liable for the acts and omissions of its Sub-processors to the same extent Liqvid would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
5. SECURITY
5.1 Controls for the Protection of Customer Data. Liqvid shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Customer Data.
5.2 Third-Party Certifications and Audits. Liqvid if necessary, may obtain the third-party certifications and audits. Upon Customer's request, and subject to the confidentiality obligations set forth in the Agreement, Liqvid shall make available to Customer (or Customer's independent, third-party auditor) information regarding Liqvid's compliance with the obliga tions set forth in this DPA. Customer may contact Liqvid in accordance with the "Notices" Section of the Agreement to request an audit of Liqvid's procedures relevant to the protection of Personal Data, but only to the extent required under Applicable Privacy and Data Protection Laws and Customer shall not disrupt Liqvid's business operations during the performance of such audit. Customer shall reimburse Liqvid for any time expended for any such audit at Liqvid's current rates. Before the commencement of any such audit, Customer and Liqvid shall mutually agr ee upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Liqvid. Customer shall promptly notify Liqvid with information regarding any non-compliance discovered during the course of an audit, and Liqvid shall use commercially reasonable efforts to address any confirmed non-compliance.
6. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
Liqvid shall maintain commercially reasonable security incident management policies and procedures. Liqvid shall notify Customer without undue delay of any breach relating to Personal Data (within the meaning of Applicable Privacy and Data Protection Laws) of which Liqvid becomes aware and which may require a notification to be made to a Supervisory Authority or Data Subject under Applicable Privacy and Data Protection Laws or which Liqvid is required to notify to Customer under Applicable Privacy and Data Protection Laws (a "Customer Data Incident"). Taking into account the nature of Processing and the information available to Liqvid and in accordance with the Agreement, Liqvid shall provide commercially reasonable cooperation and assistance in identifying the cause of such Customer Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within Liqvid's control. The obligations herein shall not apply to incidents that are caused by Customer, Customer's authorized users and/or any non-Liqvid products and/or services.
7. RETURN AND DELETION OF CUSTOMER DATA
Upon termination of the Agreement and/or Order Form pursuant to which Liqvid is Processing Personal Data, Liqvid shall, upon Customer's request, and subject to the limitations described in the Agreement and the Security Practices, return all Customer Data and copies of such data to Customer or securely destroy them and reasonably demonstrate to the Customer that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Customer Data. Liqvid agrees to preserve the confidentiality of any retained Customer Data for the duration of the Agreement and only and will only actively Process such Customer Data after such date if agreed to by the parties or to otherwise comply with laws. This Section 7 shall not apply to Unidentifiable Data, as defined herein.
8. CONTROLLER AFFILIATES
8.1 Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement and/or Order Form and this DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates, thereby establishing a separate DPA between Liqvid and each such Controller Affiliate subject to the provisions of the Agreement. Each Controller Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, a Controller Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Liqvid products and/or services by Controller Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by a Controller Affiliate shall be deemed a violation by Customer and Customer shall be liable for such violation.
8.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Liqvid under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.
8.3 Rights of Controller Affiliates. If a Controller Affiliate becomes a party to the DPA with Liqvid, it shall, to the extent required under Applicable Privacy and Data Protection Laws, also be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
8.3.1 Except where Applicable Privacy and Data Protection Laws require the Controller Affiliate to exercise a right or seek any remedy under this DPA against Liqvid directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Controller Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Controller Affiliate individually but in a combined manner for all of its Controller Affiliates together (as set forth, for example, in Section 8.3.2, below).
8.3.2 The parties agree that the Customer that is the contracting party to the Agreement shall, if carrying out an audit of the Liqvid procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Liqvid by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Controller Affiliates in one single audit.
9. LIQVID PERSONNEL
9.1 Confidentiality. Liqvid shall use commercially reasonable efforts to ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Liqvid shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
9.2 Reliability. Liqvid shall take commercially reasonable steps to ensure the reliability of any Liqvid personnel engaged in the Processing of Personal Data.
9.3 Limitation of Access. Liqvid shall ensure that Liqvid's access to Personal Data is limited to those personnel performing services in accordance with the Agreement.
9.4 Data Protection Officer/Responsible Party. Liqvid has a data protection officer or individual responsible for its data protection in the Singapore, United States, EU and UK that are collectively reached at privacyteam@liqvid.io.
10. LIMITATION OF LIABILITY
Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Controller Affiliates and Liqvid, whether in contract, tort or under any other theory of liability, is subject to the "Limitation of Liability" section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
For the avoidance of doubt, the total liability of Liqvid (and its Affiliates, if any) for all claims from the Customer and all of its Controller Affiliates arising out of and/or related to the Agreement and each DPA shall apply in the aggregate for all claims under the Agreement and all DPAs established under the Agreement, including by Customer and all Controller Affiliates. It is specifically understood that liability shall not apply individually and severally to Customer and to Controller Affiliates.
11. Liqvid will Process Personal Data in accordance with the Applicable Privacy and Data Protection Laws requirements directly applicable to the provisioning of Liqvid's products and services.
11.1 Data Protection Impact Assessment. Upon Customer's request, Liqvid shall provide Customer with reasonable cooperation and assistance (at Customer's expense) needed to fulfill Customer's obligation under the GDPR to carry out a data protection impact assessment related to
Customer's use of Liqvid's products and/or services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Liqvid. Liqvid shall provide reasonable assistance toCustomer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR.
11.2 Transfer Mechanisms.
11.2.1 Liqvid shall (and shall procure that any Subprocessor shall) not Process or transfer (directly or via onward transfer) any Customer Data in or to a territory other than the territory in which the Customer Data was first collected (nor permit the Customer Data to be so Processed or transferred) unless: (i) it has first obtained Customer's prior written consent and (ii) it takes all such measures as are necessary to ensure such Processing or transfer is in compliance with Applicable Privacy and Data Protection Laws (including such measures as may be communicated by Customer to Liqvid). Without prejudice to the foregoing, the Parties agree that when a transfer of Customer Data by Customer (as data exporter) to Liqvid (as data importer) under this DPA is a Restricted Transfer, Liqvid shall be bound by the SCCs, which shall be deemed incorporated into this DPA as follows:
11.2.1.1 In relation to transfers of Personal Data protected by the GDPR, the EU SCCs will apply completed as follows:
11.2.1.1.1 Where Customer is a controller of the Personal Data, Module Two (controller to processor transfers) shall apply;
11.2.1.1.2 In Clause 7, the optional docking clause will apply;
11.2.1.1.3 In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4 of this Agreement;
11.2.1.1.4 In Clause 11, the optional language will not apply;
11.2.1.1.5 In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
11.2.1.1.6 In Clause 18(b), disputes shall be resolved before the courts of Ireland; and
11.2.1.1.7 Annex I and II of the EU SCCs shall be deemed completed with the information set out in Exhibits 2-4 of this DPA;
11.2.1.2 In relation to transfers of Personal Data protected by the UK GDPR, the EU SCCs will also apply to such transfers in accordance with Section 11.2.1.1 above, with the following modifications:
11.2.1.2.1 any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR;
11.2.1.2.2 references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;
11.2.1.2.3 Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts;"
11.2.1.2.4 The International Transfer Addendum is set forth at Exhibit 4 to this DPA, if applicable, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR, in which event the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply such to transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Exhibits 2 -4 of this DPA (as applicable).
11.2.1.3 In relation to transfers of Personal Data protected by the Swiss Data Protection Act, the EU SCCs will also apply to such transfers in accordance with Section 11.2.1.1 above, with the following modifications:
11.2.1.3.2 references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
11.2.1.3.3 references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the FDIPC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss Data Protection Act, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs shall be populated using the information contained in Exhibits 2-4 of this DPA (as applicable).
12. LEGAL EFFECT
This DPA shall only become legally binding between Customer and Liqvid (and Liqvid, PTE. LTD., if different) when executed by both parties. If Customer has previously executed a data processing addendum with Liqvid concerning the subject matter hereof, the parties acknowledge and agree that this DPA supersedes and replaces such prior data processing addendum. For purposes of clarification, this DPA becomes legally binding on the date the last party below executes the DPA.
13. VENUE
This DPA and any dispute or claim arising out of and/or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the legal system of England.
14. MISCELLANEOUS
The parties agree that this DPA and, if applicable, the Standard Contractual Clauses, shall terminate automatically upon (i) termination of the Agreement; or (ii) if applicable, the expiration or termination of all Order Forms or similar contract documents entered into by Liqvid with Customer pursuant to the Agreement, whichever is later. Any obligation imposed on either party under this DPA in relation to the Processing of Personal Data that would reasonably be interpreted to survive any termination or expiration of this DPA, shall survive. Customer may notify Liqvid in writing from time to time of any variations to this DPA which are required as a result of a change in Applicable Privacy and Data Protection Laws . Any such required variations shall take effect on the date falling 45 (forty-five) calendar days after the date such written notice is received and Liqvid shall procure that, where necessary, the terms in each contract between Liqvid or any Liqvid Affiliate and each Sub- processor are amended to incorporate such variations within the same time period. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
EXHIBIT 1 TO THE DATA PROCESSING AGREEMENT CALIFORNIA SPECIFIC PROVISIONS
This Exhibit 1 forms part of the DPA. Capitalized terms not defined in this Exhibit 1 have the meaning set forth in the DPA.
When processing California Personal Information (as defined in the California Consumer Privacy Act "CCPA") in accordance with Customer's instructions, the parties acknowledge and agree that Customer is a Business and Liqvid is a Service Provider for the purposes of the CCPA. Liqvid shall process California Personal Information solely for a valid business purpose to perform the Services.
Liqvid understands and agrees to the prohibition from: (i) selling California Personal Information that it processes on behalf of the Customer; (ii) retaining, using, or disclosing California Personal Information for a commercial purpose other than providing the Services or otherwise permitted by CCPA; and (iii) retaining, using, or disclosing California Personal Information outside of the Agreement between Liqvid and Customer
EXHIBIT 2 TO THE DATA PROCESSING AGREEMENT TECHNICAL AND ORGANIZATIONAL MEASURES
This Exhibit 2 forms part of the DPA. Capitalized terms not defined in this Exhibit 2 have the meaning set forth in the DPA.
Liqvid shall implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data. Such safeguards shall include:
  • IT Security Policy. Liqvid will maintain a written information security policy applicable to all authorized personnel and systems.
  • Training. Liqvid will provide information security awareness training to all employees at least annually.
  • Access Control. Liqvid will maintain an access control policy, procedures, and controls consistent with industry standard practices. Liqvid will limit access to Customer's Personal Data to those employees and Sub-processors with a need-to-know.
  • Logical Separation. Liqvid will ensure Customer's Personal Data is logically separated from other Liqvid customer data.
  • Encryption. Where appropriate, Customer's Personal Data will be encrypted in-transit and at rest using industry standard encryption technologies.
  • Asset Inventory. Liqvid will maintain an inventory of all information technology assets used in its operation of the services.
  • Password Management. Liqvid will maintain a password management policy designed to ensure strong passwords consistent with industry standard practices.
  • Incident Response Plan. Liqvid will maintain an incident response plan that addresses Security Incident handling.
  • Backups of Customer Personal Data. Liqvid will maintain an industry standard backup system and backup of Customer's Personal Data designed to facilitate timely recovery in the event of a service interruption.
  • Disaster Recovery and Business Continuity Plans. Liqvid will maintain disaster recovery and business continuity plans consistent with industry standard practices.
  • Malicious Code Protection. All Liqvid workstations will run the current version of industry standard anti-virus software with the most recent updates available on each workstation. Virus definitions will be updated within a reasonable period following release by the anti-virus software vendor.
  • Vendor Management. Liqvid will maintain the Third Party/Vendor Management Program and oversee the risk and compliance program for vendors, partners and other third parties by assessing and managing the risks assumed by
    the nature of relationships with vendors, partners and other third parties.
  • Vulnerability Management Controls. Liqvid will maintain a vulnerability management program to identify and resolve security vulnerabilities in a timely manner.
EXHIBIT 3 TO THE DATA PROCESSING AGREEMENT ANNEX 1-3 OF THE SCCS
This Exhibit 3 forms part of the DPA. Capitalized terms not defined in this Exhibit 3 have the meaning set forth in the DPA.
SCCs ANNEX I
A. LIST OF PARTIES
1. Data Exporter:
Name: Customer
Address: As set forth in the Agreement
Contact person's name, position and contact details:
Relevant Activities: As set forth in below and in accordance with the Services under the Master Service Agreement.
Signature and Date: The data importer will be deemed to have signed this Annex I on the transfer of Personal Data by the data exporter in connection with the Services.
Role: Data Controller
2. Data Importer:
Liqvid, PTE. LTD. 68 CIRCULAR ROAD #02-01
SINGAPORE, 049422
Alexander Solovev, CEO of Liqvid PTE. LTD.
Email: privacyteam@liqvid.io
Relevant Activities: As set forth in Exhibit 2. Further, Liqvid is an organization that assists other organizations in providing technical solutions simplifying their digital signage management with features such as creating and managing content on e-connected screens, scheduling content to display at specific times, remotely managing screens, and integrating social media feeds.
Signature and Date: The data importer will be deemed to have signed this Annex I on the transfer of Personal Data by the data exporter in connection with the Services.
Role: Data Processor
B. DESCRIPTION OF TRANSFER
1. Categories of data subjects whose personal data is transferred:
The authorized representative(s) of the organization using Liqvid and Customer's end-user, if applicable.
2. Categories of personal data transferred:
а) Customer and Customer's end-user (if applicable):
i.Contact details: Name (First & Last), Email Address, Phone Number, Company Name, Job Role
ii. Billing details: Name (First & Last), Email Address, Address, Country, State, City, Zip code, Credit Card information
b) Customer's Employees:
i.Contact Details: Name (First & Last), Email Address
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitations, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Data exporter shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to data importer for processing
4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data may be transferred one-off or continuous basis at the option of the authorized user.
5. Nature of the processing. Please select from the following and/or add The following list shall act as the default in response to this, if no selection is made.
  1. Adaption or alteration
  2. Collection
  3. Consultation
  4. Destruction
  5. Disclosure by transmission
  6. Dissemination
  7. Erasure
  8. Organization
  9. Recording
  10. Retrieval
  11. Storage
  12. Structuring
  13. Use
6. Purpose(s) of the data transfer and further processing
The purpose of the data transfer is to further the contract (Terms of Service) and for the person seeking to evaluate the Liqvid service.
7. The period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period.
For the duration of the Terms of Service and the provision of services as outlined in such Agreement or Order Form.
8. For transfers to (sub-) processors, also specific subject matter, nature and duration of the processing:
As set forth at Annex III.
C. COMPETENT SUPERVISORY AUTHORITY
Data Protection Commission (Ireland)
SCCs ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
As set forth in Exhibit 2.
LIST OF SUB-PROCESSORS
To support the delivery of our Services, Liqvid PTE. LTD. may use data processors with access to certain Customer Data (hereby known as "Subprocessor").
Liqvid currently uses third-party Subprocessors to provide various business functions such as business analytics, infrastructure, email notifications, payments, customer support. Prior to engaging any third party Subprocessor, Liqvid performs due diligence to evaluate their defensive posture and executes an agreement requiring each Subprocessor to maintain minimum acceptable security practices.
The Controller has authorized the following list of sub-processors:
Product(s)
Sub-processing Activities
In what countries does Liqvid store Customer Personal Data?
In what countries does Liqvid process (e.g., access, transfer, or otherwise handle) Customer Personal Data?
Amazon Web Services
Cloud Service Provider
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Kommo
Cloud-based Sales Services
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
AVOXI
Cloud Telephony Provider
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
CloudTalk
Cloud Telephony Provider
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Mixpanel
Product analytics
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Postmarkup
Transactional Email APIs
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
SendPulse
Email automation platform
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
PandaDoc
eSign documents platform
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Intercom
Online customer support
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Paypal
Payment Subscription Management
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Stripe
Payment Subscription Management
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Google Workspace & Analytics
User, employee and applicant data is maintained in GSuite
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
Twilio
Communication API
Europe (EEA)
Asia-Pacific, Canada, Central America/ Caribbean/ Mexico, Europe (EEA), Europe (Non EEA), South America, United States
EXHIBIT 4 – UK INTERNATIONAL DATA TRANSFER ADDENDUM THIS IS ONLY APPLICABLE TO UK CUSTOMERS
This Exhibit 4 forms part of the DPA.
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date
Effective Date of this DPA
Effective Date of this DPA
The Parties
Exporter (who sends
the Restricted Transfer)
Importer (who receives
the Restricted Transfer)
Parties’ details
Full legal name: As set forth in the DPA Trading name (if different):

Main address (if a company registered address): As set forth in the DPA

Official registration number (if any) (company number or similar identifier):
Full legal name: Liqvid, PTE. LTD. Trading name (if different): n/a

Main address (if a company registered address): 68 CIRCULAR ROAD #02-01 SINGAPORE, 049422.

Official registration number (if any): 202002679R (company number or similar identifier): 68 CIRCULAR ROAD #02-01 SINGAPORE, 049422
Key Contact
Full Name (optional): As set forth in Exhibit 2 of this DPA

Job Title: As set forth in Exhibit 2 of this DPA

Contact details including email: As set forth in Exhibit 2 of this DPA
Full Name (optional): Aleksandr Solovev

Job Title: CEO

Contact details including email: privacyteam@liqvid.io
Signature
(if required for the purposes
of Section 2)
 
 
Table 2: Selected SCCs, Modules and Selected Clauses 
Addendum EU SCCs
☑The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date:  Effective Date of this DPA  Reference (if any): n/a

Other identifier (if any):  n/a        
Table 3: Appendix Information
“ Appendix Information ” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Liqvid and Customer

Annex 1B: Description of Transfer: As detailed in Annex I of the SCCs, detailed in Table 2

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As detailed in Annex II of the SCCs, detailed in Table 2.

Annex III: List of Sub processors (Modules 2 and 3 only): As detailed in Exhibit 1 of the DPA and noted on Appendix III of the SCCs, detailed in Table 2.
Table 4: Ending this Addendum when the Approved Addendum Changes 
Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section Error! Reference source not found. :

☑Importer
☑Exporter
☐neither
Party
Alternative Part 2 Mandatory Clauses:
Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section Error! Reference source not found. of those Mandatory Clauses.
Download the DPA