Data Processing Agreement

This Data Processing Agreement (“DPA”) forms a part of the legal agreement (“Agreement”), as outlined in the Terms of Service (“Terms”), entered into by and between Subscribfy, Inc. (“Subscribfy”) and the user of the Subscribfy Services (“Customer”), collectively the “Parties.” The purpose of the DPA is to ensure that the processing of Personal Data under the Agreement is conducted in accordance with applicable Data Protection Laws (defined below). 

This DPA is supplemental to the Agreement and sets out the terms that apply when: (i) Personal Data (defined below) is processed by Customer, who acts as Data Controller, under the Agreement; (ii) Subscribfy acts as Data Processor of Customer Account Data; and (iii) Customer contracts for the Services as set forth in the Terms, which involve the processing of Personal Data by the Data Processor. Further details of the Processing are set out in Exhibit A to this DPA. 

Customer acknowledges that by agreeing to the Terms, they are also agreeing to this DPA. To the extent that there are any conflicting provisions between the Terms and this DPA with regard to the processing of Personal Data, this DPA shall prevail. The effective date of this DPA is the same date that the Customer agreed to the Terms.

  1. Definitions. All capitalized terms not defined in Section 1 of this DPA or otherwise defined in other sections of this DPA, shall have the meanings set forth in the Agreement, GDPR, Subscribfy Privacy Policy, or Terms, as applicable. 

    1. “Sub-Processor” means any person appointed by or on behalf of Data Processor to process Customer Personal Data on behalf of the Customer in connection with the DPA.

    2. “Customer Account Data” means all data (including Personal Data) that relates to Customer’s relationship with Subscribfy. Customer Account Data includes any data Subscribfy may need to collect for the purpose of managing its relationship with Customer, or as otherwise required by applicable laws and regulations.

    3. “Data Exporter” means Customer.

    4. “Data Importer” means Subscribfy. 

    5. “Data Protection Laws” means all data protection legislation and regulations applicable to the processing of the Customer’s Personal Data under this DPA and the Terms, including supplementing national legislation, in each case as updated, amended, repealed, consolidated, or replaced from time to time. The terms “processing,” “processor,” “controller,” and “supervisory authority” shall have the meanings set forth under applicable Data Protection Laws. 

    6. “Data Subject” means an individual that is protected under any applicable Data Protection Law.

    7. “DPA” means this Data Processing Agreement and all Exhibits.

    8. “EU SCCs” or “Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time). 

    9. “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Controller to the Data Processor (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR. 

    10. “ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Controller to the Data Processor (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018. 

    11. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and all supplementing legislation, in each case as may be amended, repealed, consolidated, or replaced from time to time.

    12. “Personal Data” or any such variation of the term (such as “Personal Information” or “Personally Identifiable Information”) shall have the meaning set forth under applicable Data Protection Laws.

    13. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Account Data, stored or otherwise processed by Subscribfy.

    14. “Terms” means the terms of service entered into between Subscribfy and Customer, which are available here.

  2. Processing of Customer Account Data

    1. Subscribfy shall not process Personal Data (i) for purposes other than those set forth in the Agreement, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, or (iii) in violation of Data Protection Laws. Customer hereby instructs Subscribfy to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.

    2. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Subscribfy to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Subscribfy by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Subscribfy regarding the processing of such Personal Data. Customer shall not provide or make available to Subscribfy any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services and shall indemnify Subscribfy from all claims and losses in connection therewith. 

    3. The Parties agree that the details of the data processing subject to this DPA are outlined in Exhibit A. 

    4. CCPA. The Parties acknowledge that their relationship under the CCPA is governed by the CCPA Addendum to this DPA, listed in Exhibit D. 

  3. Deletion or Return of Customer Account Data

    1. Following completion of the Services, at Customer’s choice, Subscribfy shall securely delete Customer Account Data (including Content), unless further storage of such Customer Account Data is required or authorized by applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule, or regulation, Subscribfy shall take measures to block such Customer Account Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately preserve the confidentiality of the Customer Account Data remaining in its possession, custody, or control. By agreeing to this DPA, Customer authorizes Subscribfy, in accordance with this agreement, to delete information when not reasonably needed for Subscribfy’s Services.

  4. Data Processor Personnel and Confidentiality.

    1. Subscribfy shall take commercially reasonable steps to ensure that: (i) persons employed by Subscribfy; and (ii) other persons engaged at Subscribfy’s place of business who may have access to the Customer Account Data (including Content), are aware of and comply with the terms set forth in this DPA, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Account Data, as necessary for the purposes of the Terms.

  5. Security of Customer Account Data; Security Incidents. 

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Subscribfy shall maintain reasonable technical and organizational security measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets forth additional information about Subscribfy’s technical and organizational security measures.

    2. Subscribfy shall notify Customer without undue delay upon becoming aware of a Security Incident affecting Customer Account Data and will provide Customer with sufficient information to allow the Customer to meet any obligations to notify, report, or inform Data Subjects and Supervisory Authorities of the Security Incident under the Data Protection Laws.

    3. Subscribfy shall cooperate with the Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Security Incident. The obligations described in Sections 5.1 and 5.2 do not apply to Security Incidents experienced by Customer, nor does compliance with such obligations constitute an acknowledgment of liability on the part of Subscribfy. 

  6. Sub-Processing of Customer Account Data.

    1. Customer acknowledges and agrees that Subscribfy may (1) engage or delegate Sub-Processors on the List (defined below) to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. For purposes of this Section, Customer consents to Subscribfy engaging Sub-Processors reasonably required to assist Subscribfy for the purposes of providing the Services.

    2. Subscribfy maintains and provides Customer with a list of Sub-Processors (the “List”) which can be found here. Subscribfy will inform the Data Controller of changes in Sub-Processors in accordance with the procedure for modifying the Terms as described in Section 9(i) therein. Customer may object to the modification of Sub-Processors used by Subscribfy by contacting Subscribfy at support@subscribfy.com. However, Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent Subscribfy from offering the Services to Customer.

    3. When Subscribfy does engage Sub-Processors, it will enter into a written agreement with such Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on Subscribfy under this DPA, with respect to the protection of Customer Account Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with Subscribfy, Subscribfy will remain liable to Customer for the performance of the Sub-Processor’s obligations under such agreement.

    4. If Customer and Subscribfy have entered into Standard Contractual Clauses as described in Section 7 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Subscribfy of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the Parties agree that the copies of the agreements with Sub-Processors that must be provided by Subscribfy to Customer pursuant to Clause 9(c) of the EU SCCs or the UK International Data Transfer Agreement (“IDTA”) or UK Addendum (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Subscribfy beforehand, and that such copies will be provided by Subscribfy only upon request by Customer.

  7. Transfers of Personal Data

    1. The Parties agree that Subscribfy may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Subscribfy’s primary processing operations take place in the United States, and that the transfer of Customer Account Data to the United States is necessary for the provision of the Services to Customer. If Subscribfy transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Subscribfy will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

    2. Ex-EEA Transfers. The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

      1. Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and Subscribfy is processing Personal Data for Customer as a processor pursuant to Section 2 of this DPA.

      2. Module Three (Processor to Sub-Processor) of the EU SCCs applies when Customer is a processor and Subscribfy is processing Personal Data on behalf of Customer as a Sub-Processor.

    3. For each module, where applicable the following applies: 

      1. The optional docking clause in Clause 7 does not apply. 

      2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Sub-Processor changes shall be as set forth in Section 6.2 of this DPA; 

      3. In Clause 11, the optional language does not apply; 

      4. All square brackets in Clause 13 are hereby removed; 

      5. In Clause 17 (Option 1), the EU SCCs will be governed by Irish law; 

      6. In Clause 18(b), disputes will be resolved before the courts of Ireland; 

      7. Exhibit B to this DPA contains the information required in Annex I of the EU SCCs; 

      8. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and 

      9. By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes. 

    4. Ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the provisions set forth in this section, whichever apply. 

      1. Data Exports from the United Kingdom under the International Data Transfer Agreement. For ex-UK Transfers, the Mandatory Clauses of the Approved IDTA (“Mandatory Clauses”), being the template IDTA A.1.0 issued by the UK Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses, shall apply. 

        1. The information required for Table 1 of Part One of the IDTA is set out in Exhibit B of this DPA and below.

          1. The start date of the IDTA is the effective date of this DPA. 

          2. The Data Exporter’s full legal name, trading name, official registration number, address, and key contact person details will be as entered in relation to the Agreement.

          3. By entering into the Agreement, the Parties agree to be bound by the IDTA, as applicable. 

        2. The information required for Table 2 of Part One of the IDTA is set out in Exhibits A and B of this DPA and below.

          1. The Data Importer (processor or sub-processor) and Data Exporter (controller or processor) are known as the “Parties.” 

          2. The law of England and Wales governs the IDTA.

          3. England and Wales are the primary place for legal claims to be made by the Parties.

          4. The UK GDPR applies to the Data Importer’s processing of the transferred data.

          5. The Data Importer may process the transferred data for the period for which the DPA is in force.

          6. The Parties can end the IDTA before the end of the term of the IDTA by serving three months’ written notice in accordance with the Mandatory Clauses set forth in Part 4 of the IDTA. 

          7. The Data Importer may end the IDTA when the IDTA changes, in accordance with the Mandatory Clauses set forth in Part 4 of the IDTA.

          8. The Data Importer may transfer on the transferred data to another organisation or person (who is a different legal entity) under the Mandatory Clauses set forth in Part 4 of the IDTA. There are no specific restrictions on when the Data Importer may forward the transferred data. 

          9. The Parties must review the security requirements (as set forth in Section 7.4.1(iv) below) each time there is a change to the transferred data, purposes, Data Importer information, transfer risk assessment (TRA), or risk assessment.

        3. The information required for Table 3 of Part One of the IDTA is set out in Exhibits A and B of this DPA and below.

          1. The categories of transferred data, categories of special category and criminal records data, and the categories of Data Subjects will update automatically if the information is updated in the DPA.

          2. The Data Importer may process the transferred data for the purposes set out in Exhibits A and B of this DPA. The purposes will update automatically if the information is updated in the DPA.

        4. The information required for Table 4 of Part One of the IDTA is set out in Exhibit C of this DPA. The security requirements will update automatically if the information is updated in the DPA.

      2. Data Exports from the United Kingdom under the Standard Contractual Clauses. For ex-UK Transfers where the EU SCCs also apply, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply. The information required for Tables 1 and 3 of Part One of the Approved Addendum is set out in Exhibits B and C of this DPA, as well as below. The information required for Table 2 of Part One of the Approved Addendum is set out in Sections 7.2 and 7.3 of this DPA. For the purposes of Table 4 of Part One of the Approved Addendum, the Data Importer may end the Approved Addendum when it changes.

        1. The start date of the Approved Addendum is the effective date of this DPA.

        2. By entering into the Agreement, the Parties agree to be bound by the Approved Addendum, as applicable.

    5. Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications: 

      1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.

      2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP. 

      3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed. 

      4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs. 

    6. Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:

      1. As of the date of this DPA, Subscribfy has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer Account Data (“Government Agency Requests”); 

      2. If, after the date of this DPA, Subscribfy receives any Government Agency Requests, Subscribfy shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Subscribfy may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer Account Data to a law enforcement or government agency, Subscribfy shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Subscribfy is legally prohibited from doing so. Subscribfy shall not voluntarily disclose Customer Account Data to any law enforcement or government agency. The Parties shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and

      3. The Parties will meet as needed to consider whether:

        1. the protection afforded by the laws of the country of Subscribfy (Data Importer) to Data Subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;

        2. additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and 

        3. it is still appropriate for Personal Data to be transferred to Subscribfy (Data Importer), taking into account all relevant information available to the Parties, together with guidance provided by the supervisory authorities. 

  8. Data Subject Rights.

    1. Taking into account the nature of the Processing, Subscribfy shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

    2. Subscribfy has provided Customer with the tools necessary to correct, amend, or delete inaccurate data, and Customer may use these tools to comply with Data Subject requests related to the right to correct, amend, or delete inaccurate data. 

    3. Subscribfy shall:

      1. promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect to Customer Account Data.

      2. advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Subscribfy, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

      3. ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Customer is subject, in which case Subscribfy shall to the extent permitted by applicable laws inform Customer of that legal requirement before Subscribfy responds to the request.

  9. Actions and Access Requests; Audits.

    1. Subscribfy shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA.

    2. Upon Customer’s written request at reasonable intervals (no more than every 12 months), and subject to reasonable confidentiality controls, Subscribfy shall, either (i) make available for Customer’s review copies of certifications or reports demonstrating Subscribfy’s compliance with prevailing data security standards applicable to the processing of Customer’s Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer’s independent third party representative to conduct an audit or inspection of Subscribfy’s data security infrastructure and procedures that is sufficient to demonstrate Subscribfy’s compliance with its obligations under Data Protection Laws, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Subscribfy’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Subscribfy for any time expended for on-site audits. The scope of such an audit will be agreed in advance and shall not involve physical access to the servers on which Customer Content and Personal Data is hosted. 

    3. Subscribfy shall, taking into account the nature of the processing and the information available to Subscribfy, provide Customer with reasonable cooperation and assistance where necessary for Customer to:

      1. Comply with its obligations under Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. 

      2. Cooperate and/or consult with any supervisory authority where necessary and where required by Data Protection Laws. 

      3. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance provided by Subscribfy as described in Sections 9.3.1 and 9.3.2.

Exhibit A

Details of Processing

Nature and Purpose of Processing: Subscribfy will process Customer Account Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.

Duration of Processing: Subscribfy will process Customer Account Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Subscribfy’s legitimate business needs; or (iii) by applicable law or regulation. Customer Account Data will be processed and stored as set forth in Subscribfy’s Privacy Policy.

Categories of Data Subjects: Customer may submit Personal Data to Subscribfy for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

  • Individuals who enter into commercial relationships with Customer (i.e., the customers of Customer).

  • Other individuals whose Personal Data Customer processes through the Services. 

Categories of Personal Data: Customer may submit Customer Account Data, which includes Personal Data, to Subscribfy for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Name

  • Email address

  • Shipping address

  • Billing address

  • IP address

  • Telephone number

  • Payment information 

  • Purchase history

  • Cookies

Sensitive Data or Special Categories of Data: No sensitive personal data from any user will be processed under this arrangement. 

Exhibit B

The following includes, among other things, the information required by Annex I and Annex III of the EU SCCs, as well as the UK IDTA and UK Addendum (collectively, for purposes of Exhibit B, the “Clauses”). 

  1. The Parties 

Data Exporter(s): [Identity and contact details of the data controller(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Full legal name: [__________]

Trading name (if different): [__________]

Official registration number (if any) (company number or similar identifier): [__________]

Address: [__________]

Key contact’s name, job title, and contact details (including email): [__________]

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.

Signature and date: mm/dd/yyyy

Role (controller/processor): Controller 

Data Importer(s): [Identity and contact details of the data processor(s), including any contact person with responsibility for data protection]

Full legal name: Subscribfy, Inc.

Trading name (if different): [__________]

Official registration number (if any) (company number or similar identifier): 92-2803110 

Address: 401 Broadway, 12th Fl. New York, NY 10013

Key contact’s name, job title, and contact details (including email): [__________]

Data Importer data subject contact’s job title and contact details (including email): [__________]

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA. 

Signature and date: 06/21/2023

Role (controller/processor): Processor 

  2. Description of the Transfer 

Data Subjects

The Data Exporter may submit Personal Data to the Data Importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the Data Exporter in compliance with applicable Data Protection Laws and regulations, and which may include but is not limited to Personal Data relating to the following categories of Data Subjects: 

  • Individuals who enter into commercial relationships with Customer (i.e., the customers of Customer)

Categories of Personal Data

The Personal Data transferred concern the following categories of data: 

  • Name

  • Email address

  • Shipping address

  • Billing address

  • IP address

  • Telephone number

  • Payment information 

  • Purchase history

  • Cookies

Special Category Personal Data (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved

N/A

Nature of the Processing 

Data is processed in order: to provide the Services as described in the Terms and in accordance with the Terms, including in this DPA, the Privacy Policy, and these Clauses.

Purposes of Processing

To fulfill each party’s obligations under the Agreement. 

Duration of Processing and Retention (or the criteria to determine such period) 

During the term of the Agreement.

Frequency of the transfer

During the term of the Agreement on a periodic basis throughout the day and/or at the discretion of Customer.

Recipients of Personal Data Transferred to the Data Importer

Subscribfy has provided Customer with a list of its Sub-Processors, as described in Section 6.2 of the DPA. Subscribfy’s relationship with Sub-Processors is described in Section 6 of the DPA. 

  3. Competent Supervisory Authority 

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.

Exhibit C

Description of the Technical and Organizational Security Measures implemented by the Data Importer

“Technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Subscribfy will maintain appropriate physical, administrative, technical, and organizational measures and safeguards for protection of the security, confidentiality, and integrity of the Data Exporter’s Personal Data. More information on Subscribfy’s technical and organizational measures can be found in the Privacy Policy and the Data Processing Agreement. Subscribfy will not materially decrease the overall security of the Services.

The following includes the information required by Annex II of the EU SCCs, as well as the UK IDTA and UK Addendum. 

Technical and Organizational Security Measure

Details

Measures of pseudonymization and encryption of Personal Data

  • Pseudonymization: Use pseudonyms to replace direct identifiers, making data harder to link to individuals.

  • Encryption: Convert data into an encrypted form, ensuring it can only be accessed with authorized decryption keys.

  • Access Controls: Implement strict controls to limit data access to authorized individuals.

  • Secure Transmission: Encrypt data when transmitting it, especially over public networks.

  • Regular Assessments: Conduct periodic assessments to identify vulnerabilities and address security concerns.

  • Data Minimization: Collect and store only necessary data to minimize risk.

  • Employee Training: Train employees on data protection and privacy practices.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

To ensure ongoing security and reliability of data processing systems and services, Subscribfy employs the following measures:

  1. Confidentiality:

  • Access controls

  • Data encryption

  • Secure storage and transmission

  • Confidentiality policies and training

  2. Integrity:

  • Data validation

  • Version control

  • Access logs and auditing

  • Secure backup and recovery

  3. Availability:

  • Redundancy and failover

  • Disaster recovery planning

  • Scalability and performance optimization

  • Monitoring and incident response

  4. Resilience:

  • Redundancy and backup systems

  • Regular testing and maintenance

  • Incident response planning

  • Business continuity planning

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

To restore availability and access to personal data promptly after incidents, Subscribfy takes the following measures:

  • Backup and Recovery: Regularly backing up data and establishing efficient recovery processes.

  • Disaster Recovery Planning: Creating comprehensive plans to recover systems and data during disruptions.

  • Incident Response: Having protocols in place to address incidents and restore access swiftly.

  • Redundancy and Failover: Implementing backup systems and infrastructure for uninterrupted access.

  • Monitoring and Alerts: Employing robust monitoring systems to detect and respond to incidents.

  • Testing and Maintenance: Conducting regular tests and maintenance to ensure readiness for recovery.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Conduct Security Audits: Assess the effectiveness of technical and organizational measures.

  • Perform Penetration Testing: Simulate attacks to identify vulnerabilities.

  • Conduct Vulnerability Assessments: Evaluate weaknesses in systems and configurations.

  • Assess Risks: Identify potential risks and implement mitigation strategies.

  • Perform Incident Response Drills: Test response plans and coordination.

  • Provide Security Awareness Training: Educate employees on best practices.

  • Assess Compliance: Review policies to meet security requirements.

Measures for user identification and authorization

To ensure secure access to systems, Subscribfy employs the following measures for user identification and authorization:

  • Unique User IDs: Assigning distinct identifiers to each user for accurate tracking.

  • Strong Passwords: Requiring robust passwords or passphrases that meet complexity requirements.

  • Multi-Factor Authentication: Adding an extra layer of security with additional authentication factors.

  • Role-Based Access Control: Assigning permissions based on users' roles and responsibilities.

  • Regular User Access Reviews: Periodically reviewing and removing unnecessary access rights.

  • Account Lockout Policies: Temporarily locking accounts after failed login attempts.

  • Session Management: Setting session timeouts and automatic logouts for inactive sessions.

  • Audit Logs and Monitoring: Maintaining logs and monitoring user activities for security and policy compliance.

Measures for the protection of data during transmission

To protect data during transmission, Subscribfy implements the following measures:

  • Encryption: Securely transmit data by using encryption protocols like SSL/TLS.

  • Secure Communication: Utilize secure communication protocols such as HTTPS.

  • VPNs: Establish secure connections over public networks with Virtual Private Networks.

  • Secure File Transfer: Use protocols like SFTP or FTPS for secure file transfers.

  • Packet Filtering: Employ firewalls or intrusion prevention systems to filter network traffic.

  • Data Integrity Checks: Verify data integrity using checksums or digital signatures.

  • Access Control and Authentication: Implement strong access controls and authentication mechanisms.

  • Regular Updates: Keep communication infrastructure and software up to date with security patches.

Measures for the protection of data during storage

To protect data during storage, Subscribfy implements the following measures:

  • Data Encryption: Encrypt stored data to prevent unauthorized access.

  • Access Controls: Restrict user access to stored data through permissions and authentication.

  • Secure Storage Infrastructure: Use secure systems and technologies to safeguard data.

  • Regular Data Backups: Perform backups to ensure data availability and resilience.

  • Data Retention and Disposal Policies: Establish policies for data retention and secure disposal.

  • Data Integrity Checks: Verify stored data integrity to detect unauthorized modifications.

  • Security Monitoring and Logging: Implement monitoring systems to detect suspicious activities.

  • Physical Security: Ensure physical measures to protect storage devices.

Measures for ensuring physical security of locations at which Personal Data are processed

To ensure physical security at data processing locations, Subscribfy implements these measures:

  • Access Control: Restrict entry with keycards, biometrics, or PIN codes.

  • Video Surveillance: Monitor premises with security cameras.

  • Security Guards: Employ trained personnel for patrols and incident response.

  • Secure Perimeters: Use barriers and gates to control access.

  • Intrusion Detection: Install alarms and sensors for unauthorized entry.

  • Secure Storage: Safely store physical data in locked areas.

  • Visitor Management: Track and restrict visitor access.

  • Emergency Preparedness: Have plans for disasters and power outages.

  • Employee Training: Educate staff on security protocols.

  • Regular Audits: Assess and address vulnerabilities.

Measures for ensuring events logging

  • Logging Policies: Establish clear policies for what events to log and how long to retain logs.

  • Log Generation: Configure systems to generate logs for relevant events and activities.

  • Log Integrity: Implement safeguards to prevent unauthorized modification of or tampering with logs.

  • Centralized Log Management: Consolidate logs into a centralized system for efficient storage and analysis.

  • Timestamping: Ensure accurate timestamps for chronological reconstruction of events.

  • Log Storage and Retention: Securely store logs and define retention periods based on requirements.

  • Log Monitoring and Analysis: Use tools to monitor and analyze logs for anomalies and security incidents.

  • Audit Trails: Maintain detailed trails of critical events and actions for accountability.

  • Access Controls: Control access to log files to prevent unauthorized viewing or modification.

  • Regular Review and Reporting: Regularly review logs, generate reports, and take necessary actions.

Measures for ensuring system configuration, including default configuration 

  • Establish configuration baselines and secure defaults.

  • Regularly patch and update systems.

  • Implement change management processes.

  • Follow the principle of least privilege.

  • Conduct configuration audits and monitoring.

  • Apply security hardening guidelines.

  • Perform security testing and assessments.

  • Provide training on secure configuration practices.

Measures for internal IT and IT security governance and management

  • Establish IT policies, procedures, and governance framework.

  • Implement risk management processes.

  • Provide security awareness training for employees.

  • Develop an incident response plan.

  • Manage vendors to meet security requirements.

  • Follow change management processes.

  • Maintain IT asset inventory and lifecycle management.

  • Monitor and respond to security incidents.

  • Ensure compliance with regulations and standards.

  • Conduct regular audits and assessments.

Measures for certification / assurance of processes and product

  • Align with industry standards and frameworks.

  • Conduct internal and external audits.

  • Maintain comprehensive documentation.

  • Implement quality assurance practices.

  • Manage risks throughout processes and products.

  • Perform independent testing and validation.

  • Continuously monitor and improve.

  • Ensure compliance of suppliers and vendors.

  • Communicate with stakeholders.

Measures for ensuring data minimization

  • Conduct data inventory and classification.

  • Define specific purposes for data collection.

  • Establish data retention policies.

  • Securely delete or anonymize unnecessary data.

  • Implement strict access controls.

  • Use data sharing agreements with restrictions.

  • Regularly review and remove outdated data.

  • Incorporate data minimization in system design.

  • Provide employee training on data minimization.

Measures for ensuring data quality

  • Establish a data governance framework.

  • Validate and verify data accuracy and completeness.

  • Standardize data formats and naming conventions.

  • Cleanse and enrich data regularly.

  • Profile and monitor data for anomalies.

  • Define and track data quality metrics.

  • Implement data quality rules and validation checks.

  • Assign data ownership and accountability.

  • Enable data integration and interoperability.

  • Provide data quality training and awareness.

Measures for ensuring limited data retention

  • Establish clear data retention policies.

  • Collect and retain only necessary data.

  • Regularly review and remove outdated data.

  • Securely delete data when no longer needed.

  • Consider archiving data with long-term value.

  • Ensure compliance with legal and regulatory requirements.

  • Minimize data collection and storage.

  • Provide employee training on data handling.

  • Secure data storage during retention.

  • Maintain documentation and conduct audits.

Measures for ensuring accountability

  • Define clear roles and responsibilities.

  • Establish a code of conduct and ethics.

  • Set performance goals and metrics.

  • Encourage transparent communication.

  • Provide training and development.

  • Document policies and procedures.

  • Monitor compliance and conduct audits.

  • Protect whistleblowers.

  • Use incentives and rewards for accountability.

  • Lead by example.

Measures for allowing data portability and ensuring erasure

  • Adopt data interoperability standards.

  • Provide data export functionality.

  • Establish data portability policies.

  • Securely transfer data during portability.

  • Develop procedures for data erasure.

  • Verify and authenticate requests.

  • Maintain data backup and recovery.

  • Communicate transparent privacy policies.

  • Train employees on compliance.

  • Regularly audit and monitor compliance.

Technical and organizational measures of Sub-Processors

  • Sub-processors implement security measures such as encryption, access controls, and monitoring to protect personal data. They have incident response procedures, train employees, and ensure secure data transfer. Compliance, audits, and assessments are conducted to maintain data security and privacy.

Exhibit D

CCPA Addendum

This California Consumer Privacy Act Addendum ("CCPA Addendum") is incorporated as part of the DPA and sets out the terms that apply when Personal Data is processed by Subscribfy under the DPA. The purpose of the CCPA Addendum is to ensure such processing is conducted in accordance with the California Consumer Privacy Act and the California Privacy Rights Act (collectively, the “CCPA”).

  1. Definitions. Any capitalized term in this Addendum that is not otherwise defined in the DPA shall have the meaning given to that term in the CCPA. 

  2. Representations and Warranties

    1. Subscribfy represents and warrants that it is a Service Provider or Contractor for the purposes of the services it provides to Customer pursuant to the DPA and the Agreement.

  3. Subscribfy Processing of Customer Account Data (including Personal Data)

    1. Subscribfy shall process Personal Data it receives pursuant to the Agreement only for the limited and specified purposes of providing the agreed upon services to Customer (as outlined in Exhibit A) and is prohibited from using Personal Data for any other purpose. 

    2. Subscribfy shall comply with all applicable sections of the CCPA, including by providing the same level of protection to Personal Data as required by Customer under the law. 

    3. Subscribfy agrees that Customer has the right to take reasonable and appropriate steps to ensure that Subscribfy uses Personal Data that it receives from or processes on behalf of Customer in a manner consistent with Customer’s obligations under the CCPA. 

    4. Subscribfy agrees that Customer has the right to take reasonable and appropriate steps to stop and remediate Subscribfy’s unauthorized use of Personal Data. 

    5. Subscribfy shall notify Customer as soon as possible after Subscribfy determines that it can no longer meet its obligations under the CCPA. 

    6. If Subscribfy engages Sub-Processors in relation to providing services to Customer pursuant to the Agreement, Subscribfy shall have a contract with the Sub-Processor that complies with the CCPA and has the same restrictions on the processing of Personal Data as outlined in this Addendum. 

  4. Restrictions on Subscribfy’s Use of Personal Data

    1. Subscribfy shall not Sell or Share Personal Data it receives from or processes on behalf of Customer, for purposes outside of those outlined in the DPA and exhibits incorporated by reference in the DPA. 

    2. Subscribfy shall not retain, use, or disclose Personal Data it receives from or processes on behalf of Customer for any purpose (including any Commercial Purpose) other than for the purposes specified in the Agreement, DPA, and except as otherwise permitted by the CCPA. 

    3. Subscribfy shall not retain, use, or disclose Personal Data it receives from or processes on behalf of Customer outside of the direct business relationship between Subscribfy and Customer, except as otherwise permitted under the CCPA. 

    4. Subscribfy shall not combine the Personal Data it receives from or processes on behalf of Customer with Personal Data it receives from or on behalf of another person or which it collects from its own interaction with another individual, provided that Subscribfy may combine Personal Data to perform any Business Purpose, such as to analyze how users interact with Services, or as otherwise permitted under the CCPA. 

  5. Consumer Requests 

    1. Customer agrees to: (i) inform Subscribfy of any consumer request made pursuant to the CCPA that they must assist Customer to comply with and (ii) provide the information necessary for Subscribfy to comply with the request.