Data Processing Addendum
This Data Processing Addendum (“DPA”) is effective as of the date the following parties have executed it:
(a) Objective AI, Inc. (“Objective”, “we”, “us”, or “our”); and
(b) the customer identified in the signature block below (“Customer”).
Objective and Customer are hereinafter collectively referred to in this DPA as the “Parties” or each individually as “Party”.
WHEREAS:
- Objective and Customer entered into a Terms of Use and related order forms, if applicable (the “Principal Agreement”) which may involve automated and manual Processing of Personal Data of Data Subjects subject to Data Protection Laws in the context of the Services.
- This DPA is hereby incorporated into the Principal Agreement between Objective and Customer.
- In accordance with Data Protection Laws, the Parties enter into this DPA which shall govern the Processing of Personal Data of Data Subjects subject to Data Protection Laws in the context of the Services.
NOW, THEREFORE, the Parties agree as follows:
1. Definitions
Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Principal Agreement. In this DPA, save where the context requires otherwise, the following terms have the following meaning:
“Applicable Law” means all regional, national, and international applicable laws, orders, statutes, codes, regulations, ordinances, decrees, rules, subordinate legislation, treaties, directives, bylaws, standards or other requirements with similar effect of any governmental or regulatory authority, each as updated from time to time which apply to Customer or Objective in the circumstances governed by this DPA, including Data Protection Laws.
“CCPA” means the California Consumer Privacy Act and the California Privacy Rights Act, and their applicable regulations.
“Customer Data” shall have the meaning given to the term under the Principal Agreement. Customer Data may include Personal Data.
“Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer’s Personal Data transmitted, stored, or otherwise Processed by Objective or its Sub-processors on behalf of Customer under the Principal Agreement, or any other incident involving such Customer Personal Data that Data Protection Laws would require notification to a governmental entity or to a Data Subject.
“Data Protection Laws” means all laws and regulations (including, without limitation, EU Data Protection Laws and the CCPA), applicable to Objective’s or a Sub-processor’s Processing of Personal Data under the Principal Agreement.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Europe” or “EU” means the European Union, the European Economic Area, and/or their member states, Switzerland and the United Kingdom.
“EU Data” means Personal Data that is subject to the protection of EU Data Protection Laws.
“EU Data Protection Laws” means data protection laws applicable in Europe, including: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); (b) applicable national implementations of the GDPR; (c) the United Kingdom Data Protection Act 2018 and the GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (d) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded, or replaced.
“Personal Data” means any information relating to an identified or identifiable natural person included in Customer Data, which is protected under Data Protection Laws and Processed by Objective or a Sub-processor under the Principal Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” (or “Processed” or “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, and governed by Data Protection Laws, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Standard Contractual Clauses” or “SCCs” means Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Services” means the services described in the Principal Agreement, including search functions using the Objective APIs and Platform.
“Sub-processor” means any third-party engaged by Objective to Process Personal Data in order to provide the Services under the Principal Agreement.
“Supervisory Authority” means (a) an independent public authority which is established by an EU member state pursuant to the GDPR, (b) for the United Kingdom, the Information Commissioner’s Office (“ICO”), or (c) other independent competent public authority established or recognized under Data Protection Laws.
“Worker” means any employee, staff member, agency worker or other full time or temporary, paid or unpaid person working for Objective.
2. Introduction
2.1. This DPA governs the manner in which Personal Data shall be Processed under the Principal Agreement in connection with the Services. Objective is the processor of Personal Data and Customer is the controller of Personal Data under this DPA and the Principal Agreement.
2.2. The details of the Processing operations provided by Objective – in particular, the subject matter of the Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects Processed under this DPA – are further specified in Schedule 2 below.
3. General Personal Data Obligations
3.1. The Parties shall comply with the terms of this DPA, and each Party is responsible for compliance with its respective obligations under applicable Data Protection Laws.
3.2. Objective shall Process Personal Data on behalf of Customer to maintain, improve, train and provide the Services in accordance with this DPA and documented instructions received from Customer. Customer hereby instructs Objective to Process Personal Data: (a) in accordance with the Principal Agreement and applicable Order Form(s), including to maintain, provide, train, and improve the Services; (b) to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Principal Agreement; and (c) where required by Applicable Law. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Objective shall notify Customer about any instruction from Customer which, in Objective’s opinion, infringes Data Protection Laws.
3.3. With respect to “personal information” of a “consumer” under the CCPA, Objective shall only process such personal information in accordance with this subsection 3.3. This subsection 3.3 shall not be an admission that sharing of personal information between Customer and Objective constitutes a sale. The terms “business,” “business purpose,” “commercial purposes,” “consumer,” “personal information,” “sell,” “sale”, “share,” and “service provider” as used in this subsection 3.3 have the meanings defined in the CCPA.
3.3.1 Objective is prohibited from selling or sharing personal information it collects pursuant to the Principal Agreement. It shall only process such personal information as a service provider on Customer’s behalf for the specific business purpose of providing the Services and as otherwise permitted in the Principal Agreement. Customer is disclosing the personal information to Objective only for the business purposes set forth within the Principal Agreement and for such other purposes as may be permitted by the CCPA. Objective shall be prohibited from retaining, using, or disclosing such personal information that it collected pursuant to the Principal Agreement for any purpose or commercial purpose other than the specific business purposes specified in the Principal Agreement or as otherwise permitted by the CCPA. Objective is further prohibited from retaining, using, or disclosing the personal information that it collected, pursuant to the Principal Agreement, outside the direct business relationship between Objective and Customer, unless expressly permitted by the CCPA or the Principal Agreement. Objective shall comply with all applicable sections of the CCPA, including – with respect to the personal information that it collected pursuant to the Principal Agreement – providing the same level of privacy protection as required of businesses by the CCPA, assisting Customer in responding to and complying with consumers’ requests made pursuant to the CCPA, and implementing reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Civil Code section 1798.81.5. Objective certifies that it understands and will comply with the restrictions set forth in this Section 3.3.1.
3.3.2 Objective shall grant Customer the right to take reasonable and appropriate steps to ensure that Objective uses the personal information that it collected pursuant to the Principal Agreement in a manner consistent with Customer’s obligations under the CCPA, as mutually agreed upon. Objective shall notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA. Objective shall further grant Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Objective’s unauthorized use of personal information. For example, Customer may require Objective to provide documentation that verifies that it no longer retains or uses the personal information of consumers that have made a valid request to delete with Customer. Objective shall use reasonable efforts at Customer’s cost to enable Customer to comply with consumer requests made pursuant to the CCPA. Customer shall promptly inform Objective of any consumer request made pursuant to the CCPA that they must comply with and provide the information necessary for Objective to comply with the request.
3.4. If Objective is legally required to Process Personal Data otherwise than as instructed by Customer, it shall inform Customer before such Processing occurs, unless the law requiring such Processing prohibits Objective from informing Customer on an important ground of public interest, in which case it shall notify Customer as soon as that law permits it to do so.
3.5. Additional instructions outside the scope of this DPA (if any) shall require prior written agreement between Objective and Customer, including agreement on any additional fees payable by Customer to Objective for carrying out such instructions.
3.6. Objective Workers: (a) who have access to Personal Data shall have committed themselves to confidentiality or be under an appropriate statutory obligation of confidentiality; (b) shall Process Personal Data only as instructed to by Customer, unless otherwise required to do so by Data Protection Laws; and (c) shall be provided training as necessary from time to time with respect to Objective’s obligations under this DPA and under Data Protection Laws. Objective shall take commercially reasonable steps to ensure the reliability of its Workers in the Processing of Personal Data and shall ensure that access thereto is limited to Workers performing Services in connection with the Agreement.
3.7. Objective will not publish, disclose, divulge or otherwise permit third parties to access any Personal Data, except, in each case, in accordance with the Principal Agreement and this DPA (including as necessary to maintain, provide, and improve the Services and to Sub-processors in accordance with this DPA), with Customer’s consent or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order).
3.8. Objective will cooperate and assist Customer with any data protection impact assessments required under Data Protection Laws or with any regulatory consultations that Customer is legally required to make in respect of Personal Data, taking into account the nature of the Processing and the information made available to Objective.
3.9. Upon Customer's written request, Objective will provide reasonable assistance to Customer in the event of an investigation by or request from any regulator, including a Supervisory Authority, or similar authority, if and to the extent that such investigation or request relates to Personal Data. Objective will take steps reasonably requested by Customer to assist Customer in complying with any obligations in connection with such an investigation or request.
4. Customer Obligations
4.1. Customer agrees and represents that:
4.1.1. It shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data;
4.1.2. It will obtain all necessary consents from and provide all required disclosures and notices to Data Subjects required under applicable Data Protection Laws for the Processing of Personal Data and recording of communications with its customers by Objective and use of such Personal Data and communications to train Objective’s artificial intelligence models;
4.1.3. It will provide notice of sharing of Personal Data with Objective consistent with the requirements of Data Protection Laws, including without limitation, the CCPA, and will be solely responsible for compliance with the CCPA;
4.1.4. It will only provide Personal Data from Data Subjects in the United States or the EU and has a lawful basis for Processing of Personal Data under all Data Protection Laws;
4.1.5. All instructions from Customer to Objective with respect to Processing of Personal Data shall comply with Data Protection Laws;
4.1.6. It shall promptly inform Objective of (a) any non-compliance by Customer, its employees, or contractors with the Principal Agreement or the provisions of the Data Protection Laws relating to the protection of Personal Data processed under the Principal Agreement; (b) any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities; and (c) any relevant notice, inquiry, or investigation by a Supervisory Authority or claim by a Data Subject relating to Personal Data.
5. Sub-processors
5.1. Customer agrees that Objective may use Sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services.
5.2. Where Objective engages a Sub-processor to carry out specific Processing activities (on behalf of Customer), it shall do so by way of a written contract that provides for substantially similar data protection obligations as those binding Objective under this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Objective conducts appropriate due diligence on its Sub-processors.
5.3. Objective shall remain fully responsible to Customer for the performance of the Sub-processor’s obligations under its contract with Objective and for any acts or omissions of the Sub-processors that cause Objective to breach any of Objective’s obligations under this DPA.
6. Data Transfers
6.1. Where Personal Data is transferred from Europe to a country outside of Europe, the Parties acknowledge that steps must be taken to ensure that such data transfers comply with EU Data Protection Laws. The Parties acknowledge that similar obligations can apply for international transfers of Personal Data from a non-EU country and shall in good faith take the steps required where necessary under Data Protection Laws to ensure the transfer complies with Data Protection Laws.
6.2. If EU Data is transferred by Customer to Objective in a country that has not been found to provide an adequate level of protection under EU Data Protection Laws, Customer and Objective agree that the transfer shall be governed by the SCCs, subject to the additional terms in Schedule 3, to the extent such transfers are subject to such EU Data Protection Laws. The SCCs will apply as long as no alternative recognized compliance standard for the lawful transfer of EU Data outside of Europe has been adopted, such as Binding Corporate Rules for Processors.
6.3. In case of any transfers of Personal Data under the DPA under the SCCs from the United Kingdom, to the extent such transfers are subject to the UK GDPR, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply. The information required for Tables 1 to 3 of Part One of the Approved Addendum is set out in Annex 1 of Schedule 4 (as applicable). For the purposes of Table 4 of Part One of the Approved Addendum, neither Party may end the Approved Addendum when it changes.
6.4. For data transfers governed by Swiss Data Protection Laws, the SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
7. Notification of Access Requests and Complaints
7.1. Objective shall, to the extent legally permitted, promptly notify Customer of any Data Protection Communication it receives. “Data Protection Communication” means (a) any request received directly by a Party from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws (e.g., right of access or have copies of Personal Data, right to rectification, restriction of Processing, erasure, data portability, object to the Processing or its right not to be subject to automated individual decision making pertaining to his or her Personal Data); or (b) any complaint or allegation made to a Party relating to Personal Data, either from a Data Subject, a Supervisory Authority, or other third party.
7.2. Objective shall not respond to a Data Protection Communication it receives, unless Objective is authorized to do so by Customer or Objective is legally compelled to respond.
7.3. Where Objective is compelled to respond to a Data Protection Communication, unless prohibited by law, it shall permit Customer to make representations and/or participate in the response process to ensure compliance with Data Protection Laws.
7.4. Customer is responsible for responding to a Data Protection Communication received directly by Customer by using its own access to the relevant Personal Data. If Customer is unable to access the relevant Personal Data after reasonable efforts, Objective will, at Customer’s request, provide reasonable assistance to Customer in responding to any such Data Protection Communication directly received by Customer to the extent the response to such Data Protection Communication is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Objective’s provision of such assistance.
8. Data Security Requirements
8.1. Objective shall, with regard to the state of the art and costs of implementation, as well as taking into account the nature, scope, context, and purposes of the Processing and the risk of varying likelihood and severity for the rights and freedoms of individuals, implement, maintain, and comply with comprehensive information and network security programs, practices, and procedures that govern the Services to ensure a level of security appropriate to the risk.
8.2. In assessing the appropriate level of security, Objective shall take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored, or otherwise Processed.
8.3. Objective implements appropriate technical and organizational measures designed to protect Personal Data as detailed in Schedule 1.
9. Data Breach
9.1. Objective shall notify Customer without undue delay after becoming aware of a Data Breach but within 72 hours. In the event of a Data Breach, Objective shall provide Customer with all reasonable assistance in investigating and mitigating the adverse effects of any such Data Breach. Objective will also provide all reasonable assistance to Customer to enable Customer to comply with its obligations under Data Protection Laws to notify the competent Supervisory Authority and the affected Data Subjects, taking into account the nature of Processing and the information available to Objective.
9.2. Unless legally required by Data Protection Laws, or other applicable laws, Objective will not disclose the Data Breach to any third party without obtaining Customer's prior written consent, not to be unreasonably withheld.
9.3. Objective’s obligation in this section shall not apply to Data breaches that are caused by Customer or its representatives or users or Personal Data that is not Processed on behalf of Customer. Except to the extent required by law, Objective shall have no responsibility to provide notifications to governmental entities or to Data Subjects relating to a Data Breach, and Customer shall be solely responsible for any such notifications.
10. Audits
10.1. Customer may audit Objective’s compliance with its obligations under this DPA up to once per year; additionally, to the extent required by Data Protection Laws, including where mandated by Customer’s Supervisory Authority, Customer or Customer’s Supervisory Authority may perform more frequent audits of the procedures relevant to the protection of Customer’s Personal Data (collectively, “Customer Audit”). Objective will contribute to such Customer Audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the Customer Audit, including any relevant records of Processing activities applicable to the Services ordered by Customer.
10.2. If a third party is to conduct the Customer Audit, the third party must be mutually agreed to by Customer and Objective (except if such third party is a competent Supervisory Authority). Objective will not unreasonably withhold its consent to a third-party auditor requested by Customer. The third party must execute a written confidentiality agreement acceptable to Objective or otherwise be bound by a statutory confidentiality obligation before conducting the Customer Audit.
10.3. To request a Customer Audit, Customer must submit a detailed proposed audit plan to Objective at least four (4) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Objective will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Objective security, privacy, employment or other relevant policies). Objective will work cooperatively with Customer to agree on a final audit plan. Before the commencement of any Customer Audit, Customer and Objective shall mutually agree upon the scope, timing, and duration of the Customer Audit.
10.4. If the requested audit scope is addressed in a SSAE 18/ISAE 3402, ISO, or similar audit report or certification issued by a qualified third party auditor within the prior twelve (12) months and Objective provides such report or certification to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third party audit report or certification in lieu of requesting an audit of the same controls covered by the report or certification.
10.5. The Customer Audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Objective’s health, safety, security or other relevant policies, and may not unreasonably interfere with Objective’s business activities or operations (provided access to Objective’s third party data centers shall be subject to their separate approval). Nothing in this Section 10 shall require Objective to breach its obligations under Applicable Law or breach its confidentiality, security, or privacy obligations to any customers, employees, or third parties.
10.6. Customer will provide Objective any audit reports generated in connection with any Customer Audit, unless prohibited by Applicable Law or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the Parties under the terms of the Principal Agreement.
10.7. Any Customer Audits are at Customer’s expense. The Parties will negotiate in good faith with respect to any charges or fees that may be incurred by Objective to provide assistance with a Customer Audit that requires the use of resources different from or in addition to those required for the provision of the Services. Before the commencement of a Customer Audit, Customer and Objective shall mutually agree upon the reimbursement rate for which Customer shall be responsible for any time expended for any such Customer Audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Objective.
11. Return and Deletion of Personal Data
11.1. Unless prohibited by law, Objective will delete or return all Customer Data, including Personal Data, on termination or expiration of the Principal Agreement in accordance with the Principal Agreement. Until all Personal Data is deleted or returned, Objective shall continue to ensure compliance with this DPA. If Applicable Law prohibits the return or deletion of Personal Data, Objective will continue to ensure compliance with this DPA and will only Process Personal Data to the extent and for as long as required under Applicable Law. The foregoing shall not apply to Resultant Data, usage data, or any Personal Data that has been de-identified in accordance with Data Protection Laws or to the extent that deletion or return of such Personal Data would require re-training of Processor’s artificial intelligence models.
12. Requests for Personal Data from Governmental Bodies
12.1. To the extent permitted by Applicable Law, if Objective receives a valid and binding order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Personal Data, Objective will use every reasonable effort to redirect the Requesting Party to request Personal Data directly from Customer. As part of this effort, Objective may provide Customer’s basic contact information to the Requesting Party.
12.2. If compelled to disclose Personal Data to a Requesting Party, Objective will: (a) give Customer reasonable notice of the Request to allow Customer to seek a protective order or other appropriate remedy, if Objective is legally permitted to do so, provided, that, if Objective is prohibited from notifying Customer about the Request, Objective will use all reasonable and lawful efforts to obtain a waiver of prohibition, to allow Objective to communicate as much information to Customer as soon as possible; and (b) to the extent permitted by Applicable Law, challenge any overbroad or inappropriate Request (including where such Request conflicts with the law of Europe).
12.3. If, after exhausting the steps described above in this Section, Objective remains compelled to disclose Personal Data to a Requesting Party, Objective will disclose only the minimum amount of Personal Data necessary to satisfy the Request.
12.4. Nothing in this Section restricts Customer’s Data Subjects from exercising their rights under the GDPR, including their rights to compensation from Objective for material or non-material damage under, and in accordance with, Article 82 of the GDPR.
13. Liability
13.1. The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Principal Agreement. Any reference to “limitation of liability” of a Party in the Principal Agreement shall be read to mean the aggregate liability of a Party and all of its Affiliates under the Principal Agreement and this DPA.
14. Miscellaneous
14.1. The Processing of Personal Data under this DPA is governed by the law of the Principal Agreement, except as set forth in Schedule 3. Any disputes between the Parties relating to the Processing of Personal Data under this DPA will be subject to the exclusive jurisdiction of the courts set forth in the Principal Agreement.
14.2. Unless stated otherwise, each party shall perform its obligations under this DPA at its own cost.
14.3. In the event of inconsistencies between the provisions of this DPA and other agreements between the Parties, including but not limited to the Principal Agreement, the provisions of this DPA shall prevail.
14.4. This DPA may only be modified by a written amendment signed by authorized representatives of each of the Parties.
14.5. This DPA will become effective as of the date the Parties have executed it and, notwithstanding expiry of the Services Term of the Principal Agreement, will remain in effect until, and will automatically expire upon, deletion of all Personal Data by Objective and/or any applicable Sub-processors.
14.6. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
14.7. This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.