DATA PROCESSING AGREEMENT
This Data Processing Agreement is concluded between Displai Systems, Inc., a private company with limited liability established and existing under the laws of the state of Delaware, having its principal place of business in Millbrae, California, (hereinafter referred to as “Displai”), and the Customer as defined in the Agreement.
Customer and Displai are each a “Party” and are jointly referred to as the “Parties”.
1. Definitions
1.1. In this Data Processing Agreement, capitalized words and expressions, whether in singular or plural, have the meanings set out below:
Annex:
appendix to this Data Processing Agreement which forms an integral part of it.
Agreement:
the agreement concluded between Customer and Displai in respect of the partnership.
Data Processing Agreement:
the present agreement.
Data Protection Laws:
means any laws or regulations applicable to the processing of Personal Data in performance of the Agreement, including but not limited to, the General Data Protection Regulation (“GDPR”), the Personal Information Protection Act of Canada (“PIPEDA”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”) and other applicable U.S. federal and state privacy laws.
Personal Data:
all information relating to an identified or identifiable natural person as referred to in Data Protection Laws.
Process:
as well as conjugations of this verb: the processing of Personal Data as referred to in Data Protection Laws.
Sub-Processor:
the sub-contractor hired by Displai that Processes Personal Data in the context of this Data Processing Agreement on behalf of Customer.
1.2. The provisions of the Agreement apply in full to this Data Processing Agreement.
2. Purpose of the Personal Data Processing
2.1. Parties agree that where the Processing of Personal Data is concerned, Displai acts as a processor as that term is defined under applicable Data Protection Laws and Customer as the controller as that term is defined under applicable Data Protection Laws.
2.2. Customer and Displai have concluded the present Data Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex A.
2.3. Displai is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with the legitimate instructions of Customer and under the express (final) responsibility of Customer. For all other Processing of Personal Data, including but not limited to the collection of Personal Data by the Customer, Processing for purposes not reported to Displai by Customer, Processing by third parties and/or for other purposes, Displai is not responsible or liable. Responsibility and liability for these Processing activities rest exclusively with Customer.
2.4. Customer is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation and does not infringe any rights of third parties. Customer will indemnify and hold harmless Displai against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
2.5. Displai undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement and/or the Agreement. Displai will not use the Personal Data which it Processes under this Data Processing Agreement for its own or third-party purposes in any way without Customer’s express written consent, unless a legal provision requires Displai to do so. In such a case, Displai shall immediately inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3. Technical and organizational security measures
3.1. Displai will implement (or arrange the implementation of) appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. Displai will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
3.2. Displai will provide the appropriate technical and organizational measures to be taken by Displai based on the Customer agreement. Customer acknowledges having taken cognizance of the relevant measures and by signing this Data Processing Agreement, the Customer agrees with the measures taken by Displai.
4. Confidentiality
4.1. Displai will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
5. Sub-Processors
5.1. Displai has Customer’s general authorization for the engagement of Sub-Processors as stated in Annex B. Displai shall specifically inform Customer in writing of any intended changes of that list through the addition or replacement of Sub-Processors, thereby giving Customer at least five working days to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). Displai shall provide the controller with the information necessary to enable the controller to exercise the right to object.
5.2. Where Displai engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on that Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
5.3. Displai shall remain fully responsible to Customer, in accordance with the Agreement, for the performance of the Sub-Processor’s obligations in accordance with its contract with Displai.
6. International transfers
6.1. Displai will only be permitted to transfer Personal Data outside the applicable jurisdiction where the Personal Data originates if this is done in compliance with the applicable Data Protection Laws.
6.2. Customer agrees that where Displai engages a Sub-Processor for carrying out specific Processing activities (on behalf of Customer) and those Processing activities involve a transfer of Personal Data that requires a transfer mechanism under Data Protection Laws, Displai and the Sub-Processor can ensure compliance with applicable Data Protection Laws by using an applicable transfer mechanism, which may include relevant standard contractual clauses, adopted by the supervisory authority or data protection commission pursuant to applicable Data Protection Laws.
7. Liability
7.1. With regard to any liability and indemnification obligations of Displai under this Data Processing Agreement, the stipulation in the Agreement regarding the limitation of liability applies.
7.2. Without prejudice to article 7.1 of this Data Processing Agreement, Displai is solely liable for damages suffered by Customer and/or for third party claims as a result of any Processing, in the event the specific obligations of Displai under Data Protection Laws are not complied with or in case Displai acted in breach of the legitimate instructions of the Customer.
8. Personal Data Breach
8.1. Displai will notify Customer without undue delay of a Personal Data Breach and will take all reasonable measures to prevent or limit (further) violation of Data Protection Laws.
8.2. Displai will provide all reasonable cooperation requested by Customer in order for Customer to comply with its legal obligations relating to the identified Personal Data Breach.
8.3. Displai will, insofar as reasonable, assist Customer with Customer’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject. Displai is never required to report a Personal Data Breach to the Data Protection Authority and/or the data subject.
8.4. Displai will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisor and/or data subjects.
9. Audit
9.1. When so requested by Customer, Displai will enable Customer, or experts (including external experts) designated by Customer, to inspect and audit the implementation of this Data Processing Agreement and, in particular, the security measures taken by Displai, at most once per calendar year, subject to a reasonable notice and with permission of Displai, to adequately monitor compliance with what has been agreed between the Parties. Such an audit will at all times be carried out in a manner that has as little effect as possible on the normal business operations of Displai. Customer will bear all the costs of this audit.
9.2. The audit in Article 9.1 of this Data Processing Agreement will only take place if Customer has requested and assessed similar audit reports available at Displai and Customer provides reasonable arguments that justify an audit initiated by Customer. Such an audit is justified when similar audit reports present at Displai give no or insufficient information about compliance with this Data Processing Agreement.
9.3. In case Displai is of the opinion that an instruction relating to the provisions of this Article 9 infringes applicable Data Protection Laws, Displai will inform the Customer immediately.
9.4. Displai is entitled to charge any possible costs that relate to the provisions of this Article 9 to Customer.
10. Assistance to Customer
10.1. Displai will, taking into account the nature of the Processing and insofar as reasonably possible, provide cooperation to Customer in fulfilling its obligation pursuant to applicable Data Protection Laws to respond to requests for exercising rights of data subjects, in particular the right of access, rectification, erasure, restriction, data portability and the right to object. Displai will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Customer as soon as possible, as Customer is responsible for handling the request.
10.2. Displai will, taking into account the nature of Processing, the information available to Displai and insofar as reasonably possible, provide all reasonable cooperation to Customer in fulfilling its obligation pursuant to Data Protection Laws to carry out a data protection impact assessment.
10.3. Displai is entitled to charge any costs associated with the cooperation as referred to in this Article 10 to Customer.
11. Termination
11.1. Following termination of the Agreement, Displai shall, at the choice of Customer, delete all Personal Data Processed on behalf of Customer and confirm to Customer that it has done so, or, insofar as possible, return all the Personal Data to Customer and delete existing copies unless Union or Member State law requires storage of the Personal Data. Until the data is deleted or returned, Displai shall continue to ensure compliance with this Data Processing Agreement.
12. CCPA Provisions
12.1. Scope. The ‘CCPA Provisions’ section of the DPA will apply only with respect to California Personal Information (as that term is defined under the CCPA).
12.2. Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that Customer is a Business and Displai a Service Provider for the purposes of the CCPA.
12.3. Responsibilities. Displai certifies that it will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA. Further, Displai certifies it (i) will not Sell or Share California Personal Information; (ii) will not Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; and (iii) will not combine the California Personal Information with personal information that it collects or receives from another source (other than information we receive from another source in connection with our obligations as a Service Provider under the Agreement).
12.4. Compliance. Displai will (i) comply with obligations applicable to it as a Service Provider under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. Displai will notify Customer if it makes a determination that it can no longer meet its obligations as a Service Provider under the CCPA.
12.5. CCPA Audits. Customer will have the right to take reasonable and appropriate steps to help ensure that we use California Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.
12.6. Not a Sale. The parties acknowledge and agree that the disclosure of California Personal Information by the Customer to Displai does not form part of any monetary or other valuable consideration exchanged between the parties.
ANNEX A – DESCRIPTION OF THE PROCESSING
Subject matter and duration of the Processing of Company Personal Data
- The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and Data Processing Agreement between the Parties.
The categories of Personal Data
- Facial features (such as eye locations, face location and rotation, age, gender, mood, facial expressions, gaze and attention span), the face prints (also referred to as “embeddings”) derived from facial features, and aggregated statistics.
The categories of Data Subject to whom the Personal Data relates
- Client of Customer, visitors, passers-by
The nature and purpose of the Processing of Personal Data
- Providing the software technology, dashboard and optional support with which Customer obtains real-time insights into audience’s spontaneous behavior, interest, and anonymized approximated demographic profile.
The obligations and rights of Customer
- The obligations and rights of Customer are set out in the Agreement and this Data Processing Agreement.
ANNEX B – SUB-PROCESSORS
Sub-Processor | Country | Safeguards |
---|---|---|
Amazon Web Services, Inc | EU | Data processing agreement (art. 28(3) GDPR) |
Displai (Displai CX) | US | Standard Contractual Clauses |
Google LLC (DeepSight Data Studio) | US | Standard Contractual Clauses |