Data Processing Addendum
Last Updated January 2024
This Data Processing Addendum, including its Schedules (“DPA”) forms part of the Terms of Service (the “Agreement”) between Steady, Inc. (“Steady”, “us” or “we”) and you as a Steady Customer. Terms not defined herein shall have the meaning as set forth in the Agreement. This DPA takes effect on the date Customer agrees to our Terms of Service as a Steady Customer, and governs the collection, processing, or receipt of Personal Data by Steady on behalf of the Customer in the course of providing the Services.
If you have questions or would like to receive a signed copy of this DPA, please contact us at privacy@steady.space.
1. Definitions
- “Applicable Laws” means all laws, rules, regulations, and orders applicable to the subject matter herein, including without limitation Data Protection Laws.
- “California Personal Information” means Personal Data that is subject to the protection of the CCPA.
- "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
- “CPRA” means California Civil Code Sec. 1798.150 et seq. (also known as the California Privacy Rights Act of 2020).
- "Consumer", "Business", "Sell", and "Service Provider" shall have the meanings given to them in the CCPA.
- “Controller”, “Data Subject”, “Processing”, and “Processor” shall have the meanings given to them in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation) or “GDPR.”
- “Customer Data” means all Personal Data, including without limitation California Personal Information and European Personal Data, Processed by Steady on behalf of Customer pursuant to the Agreement.
- “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy that apply to the respective Party in its role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA; in each case as amended, superseded, or replaced from time to time.
- “Data Subject” means the Consumer or other individual to whom Personal Data relates.
- “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
- "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded, or replaced.
- “Instructions” means the written, documented instructions issued by Customer to Steady, and directing Steady to perform a specific or general action with regard to Personal Data for the purpose of providing the Services to Customer. The Parties agree that the Agreement (including this DPA), together with Customer's use of the Services in accordance with the Agreement, constitute Customer’s complete and final Instructions to Steady in relation to the Processing of Customer Data, and additional Instructions outside the scope of the Instructions shall require prior written agreement between Steady and Customer.
- “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Steady and/or its Sub-Processors in connection with the provision of the Services. Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Sub-Processor” means any entity which provides processing services to Steady in furtherance of Steady’s processing of Customer Data.
- “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. Nature, Purpose, and Subject Matter. The nature, purpose, and subject matter of Steady’s data processing activities performed as part of the Services are set out in the Agreement. The Customer Data that may be processed may relate to (a) Customer’s employees, contractors, and agents; (b) the personnel of Customer's customers, suppliers, and subcontractors; and (c) any other end user granted access to the Services by Customer. Categories of Personal Data Processed may include identifiers, internet and similar activity, and, if Customer or its end user chooses to submit it, employment information or commercial information, as well as any other Personal Data that may be processed pursuant to the Agreement.
3. Duration. The term of this DPA shall follow the term of the Agreement. Steady will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
4. Processing of Customer Data. Steady shall process Customer Data only for the purposes described in the Agreement (including this DPA) or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by Applicable Law. If Steady is collecting Personal Data from end users on behalf of Customer, Steady shall follow Customer’s Instructions regarding such Personal Data collection. Steady shall inform Customer without delay if, in Steady’s opinion, an Instruction violates applicable Data Protection Laws and, where necessary, cease all Processing until Customer issues new Instructions with which Steady is able to comply. If this provision is invoked, Steady will not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer issues new lawful Instructions.
5. Confidentiality. Steady shall ensure that any personnel whom Steady authorizes to Process Customer Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Customer Data. Additionally, Steady shall take reasonable steps to ensure that persons employed by Steady and other persons engaged to perform on Steady’s behalf comply with the terms of the Agreement.
6. Customer Responsibilities. Within the scope of the Agreement (including this DPA) and in Customer’s use of the Services, Customer shall comply with all Applicable Laws, including without limitation all requirements that apply to Customer under Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Steady. In particular, and without limiting the generality of the foregoing, Customer shall take sole responsibility for: (a) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Data; (b) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (c) ensuring Customer has the right to transfer, or provide access to, the Personal Data to Steady for Processing in accordance with the terms of the Agreement (including this DPA); (d) ensuring that Customer’s Instructions to Steady regarding the Processing of Customer Data comply with Applicable Laws; and (e) complying with all Applicable Laws (including Data Protection Laws) applicable to Customer’s use of the Services, including without limitation those relating to providing notice and obtaining consents. Customer shall inform Steady without undue delay if it is not able to comply with this section or applicable Data Protection Laws. For the avoidance of doubt, Steady is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to Steady.
7. Sub-Processors. Customer agrees that Steady may engage Sub-Processors to Process Customer Data. Where Steady engages Sub-Processors, Steady will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Steady will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Steady to breach any of its obligations under this DPA. Steady shall maintain on its website a list of current Sub-Processors engaged to Process Customer Data and shall notify Customer of any changes to the Sub-processors list through in-product notifications, email or other means.
8. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Steady shall, in relation to the Customer Data, maintain appropriate technical and organizational security measures designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data. In assessing the appropriate level of security, Steady shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach. Upon request, Steady shall provide Customer with a summary of Steady’s security policies applicable to the Services.
9. Data Transfers. Customer acknowledges and agrees that Steady may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Steady in the United States and to other jurisdictions where Steady’s Sub-Processors have operations.
10. Personal Data Breaches. Steady will notify Customer without undue delay after Steady becomes aware of any Personal Data Breach involving Customer Data and will provide timely information relating to such Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, Steady will promptly provide Customer with commercially reasonable assistance as necessary to enable Customer to notify authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.
11. Data Subject Requests. As part of the Services, Steady provides Customer and its end users with certain controls that Customer or end users may use to access, correct, delete, or restrict Personal Data, which Customer or its end users may use to assist in connection with Customer’s obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests"). To the extent that Customer is unable to independently address a Data Subject Request through the Services, then upon Customer’s written request Steady shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Data under the Agreement. Customer shall reimburse Steady for the commercially reasonable costs arising from this assistance. If a Data Subject Request or other communication regarding the Processing of Customer Data under the Agreement is made directly to Steady, Steady will promptly inform Customer. Customer shall be solely responsible for facilitating any such Data Subject Requests or communications involving Personal Data.
12. Data Protection Impact Assessment and Prior Consultation. To the extent Steady is required under Data Protection Law, Steady shall (at Customer's expense) provide reasonably requested information regarding Steady’s processing of Customer Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
13. Deletion or Return of Personal Data. At the expiry of termination of the Agreement, Steady will, at Customer's option, delete or return to Customer all Customer Data Processed pursuant to this DPA in accordance with Customer’s reasonable Instructions. The requirements of this section shall not apply to the extent that Steady is required by Applicable Law to retain some or all of the Customer Data, or to Customer Data Steady has archived on back-up systems, which data Status Hero shall securely isolate and protect from any further Processing and delete in accordance with Steady’s deletion practices.
14. Demonstration of Compliance. Upon Customer's written request and with at least 45 days’ notice(or a shorter period if permitted by Applicable Law), Steady shall make available to Customer (on a confidential basis) all information reasonably necessary and allow for and contribute to audits (collectively, “ Audits”), to demonstrate Steady’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year. Such Audits shall solely of the provision by Steady of written information that may include information relating to Third Parties and interviews with Steady information technology employees and subcontractors. No access to any part of Status Hero’s information system, data hosting sites or centers, or infrastructure will be permitted. Customer or its designated and professionally qualified agent may carry out such Audit. Customer must conduct all Audits (a) during normal business hours; (b) according to security and confidentiality terms and guidelines; and (c) taking reasonable measures necessary to prevent unnecessary disruption to Steady’s operations. Customer shall be responsible for all costs and expenses arising from such audit, including the reasonable costs and expenses of Steady in complying with an Audit request. Customer shall take all reasonable measures to limit any impact on Steady by combining several information and/or audit requests carried out on behalf of Customer in one single audit.
15. European Data. This Section 15 applies only with respect to Processing of European Data by Steady.
- Roles of the Parties. When Processing European Data under the Agreement, the Parties acknowledge and agree that Customer is the Controller and Steady is the Processor.
- Sub-Processors. In addition to the provisions of Section 7, within 30 days after posting an updated Sub-Processor List, Customer may object to Steady’s engagement of a new Sub-Processor if Customer can demonstrate that such Sub-Processor’s Processing of European Data does not comply with European Data Protection Laws. If Customer so objects, the Parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Steady will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
- Data Transfers. In addition to Section 9, for transfers of European Personal Data to Steady for processing by Steady in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing “adequate” data protection, Steady agrees it will: (i) use the form of the Controller-to-Processor SCCs; or (ii) use another transfer mechanism that is approved by the European Commission as valid at the time of the transfer, as applicable. If such data transfers rely on Controller-to-Processor SCCs to enable the lawful transfer of European Personal Data, as set forth in the preceding sentence, the Parties agree that Data Subjects for whom Steady Processes European Personal Data are third-party beneficiaries under the Controller-to-Processor SCCs. If Steady is unable or becomes unable to comply with these requirements, then: (a) Steady shall notify Customer of such inability; and (b) any movement of European Personal Data to a non-EU country requires the prior written consent of Customer.
- Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to Steady, and Customer does not otherwise have access to the required information, Steady will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.
- Roles of the Parties. When Processing California Personal Information in accordance with Customer's Instructions, the Parties acknowledge and agree that Customer is a Business and Steady is the Service Provider for the purposes of the CCPA. Additionally, for the purposes of interpreting this DPA with respect to Processing of California Personal Information, the term “Controller” is replaced with “Business” and “Processor” is replaced with “Service Provider” wherever those terms appear in Sections 2 through 14 and Section 17 of this DPA.
- Responsibilities. The Parties agree that Steady will process California Personal Information as a Service Provider strictly for the business purpose of performing the Services under the Agreement and as set forth in Steady’s Privacy Policy. The Parties agree that Steady shall not: (i) Sell California Personal Information; (ii) retain, use, or disclose California Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by the CCPA; or (iii) retain, use, or disclose California Personal Information outside of the direct business relationship between Customer and Status Hero.
- Certification. Steady hereby certifies that it understands and will comply with the restrictions of Section 16(b).
- No CCPA Sale. The Parties agree that Customer does not sell California Personal Information to Steady because, as a Service Provider, Steady may only use California Personal Information for the purposes of providing the Services to Customer.
- Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and have appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
- Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The Data Protection Commission of Ireland, 21 Fitzwilliam Square South, Dublin, 2 D02 RD28, Ireland shall act as competent supervisory authority.
- Where Customer is established in the United Kingdom or fall within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as competent supervisory authority.
- Where You are established in Switzerland or fall within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
- The contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses
- The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses
- The contents of section 10 of Schedule 2 shall form Annex I.C to the Standard Contractual Clauses
- The contents of section 11 of Schedule 2 to this Exhibit shall form Annex II to the Standard Contractual Clauses.
- Customer's employees, contractors, and agents
- Personnel of Customer's customers, suppliers, and subcontractors
- Other end users granted access to the Services by Customer
- Identifiers (e.g., IP address, email address, full name, username)
- Internet and similar activity (e.g., browser agents, browser and operating system identifiers)
- Employment information (to the extent the Customer or end user chooses to submit it)
- Commercial history (to the extent the Customer or end user chooses to submit it)
- Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as the competent supervisory authority.
- Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority.
- Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Company’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Company organization, monitoring and maintaining compliance with Company policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
- Maintain Information security policies and make sure that policies and measures are regularly reviewed and where necessary, improve them.
- Communication with Company applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
- Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, and usage including prohibiting users from sharing passwords.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Physical and environmental security of data center, server room facilities and other areas containing client confidential information (if any) designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Company facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Company possession.
- Change management procedures and tracking mechanisms to designed to test, approve and monitor all changes to Company technology and information assets.
- Incident / problem management procedures to enable Company to investigate, respond to, mitigate and notify of events related to Company technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
- Customer-specific security measures shall be subject to a separate agreement between the parties.
16. California Personal Information. This Section 16 applies only with respect to Processing of California Personal Information by Steady in Status Hero’s capacity as a Service Provider.
17. General. Customer represents that it is authorized to, and hereby agrees to, enter into and be bound by this DPA for and on behalf of itself and each of its affiliates and subsidiaries, thereby establishing a separate DPA between Steady and Customer and each of Customer’s affiliates and subsidiaries subject to the Agreement, as applicable. The limitations of liability set forth in the Agreement shall apply to Steady’s liability arising out of or relating to this DPA and the Standard Contractual Clauses (where applicable), taken in the aggregate along with the Agreement and any other agreement between the Parties. In case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected. We periodically update this Agreement. If you are a current Customer, you will be informed of any modification by email, alert on the Services or by other means.
Steady Space Corp
Henry Poydar
Founder and CEO
SCHEDULE 1
TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS
STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS
For the purposes of the Standard Contractual Clauses, Customer is the data exporter and Steady is the data importer and the Parties agree to the following:
1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the SCCs are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the SCCs are set out in Schedule 2.
2. Docking clause. The option under clause 7 shall not apply.
3. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Steady to Customer only upon Customer’s written request.
4. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Steady for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in Section 4 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the provision of the Services.
5. Security of Processing. For the purposes of clause 8.6(a), You are solely responsible for making an independent determination as to whether the technical and organisational measures provided by Steady meet Your security requirements and You agree that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Steady provide a level of security appropriate to the risk with respect to the Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with Section 10 of this DPA.
6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 14 of this DPA.
7. General authorisation for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Steady has Customer’s general authorisation to engage Sub-processors in accordance with Section 7 of this DPA. Steady shall make available to Customer the current list of Sub-processors in accordance with Section 7 of this DPA. Where Steady enters into Standard Contractual Clauses with a Sub-processor in connection with the provision of the Services, Customer grants Steady authority to provide a general authorisation on Customer’s behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.
8. Notification of New Sub-processors and Objection Right for new Sub-processors . Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Steady may engage new Sub-processors as described in Section 7 of this DPA. Steady shall inform Customer of any changes to Sub-processors following the procedure provided for in Section 7 of this DPA.
9. Complaints - Redress. For the purposes of clause 11, Steady shall inform data subjects on its website of a contact point authorised to handle complaints. Steady shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. Steady shall not otherwise have any obligation to handle the request (unless otherwise agreed with You). The option under clause 11 shall not apply.
10. Liability. Steady’s liability under clause 12(b) shall be limited to actual and proven damage caused by Steady’s Processing of Personal Data on Customer’s behalf as a Processor where Steady has not complied with its obligations under the GDPR specifically directed to Processors, or where Steady has acted outside of or contrary to Customer’s lawful Instructions, as specified in Article 82 GDPR.
11. Supervision. Clause 13 shall apply as follows:
12. Notification of Government Access Requests . For the purposes of clause 15.1(a), Steady shall notify Customer only, and not the Data Subject(s), in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
13. Governing Law . The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (a) the laws of Ireland; or (b) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
14. Choice of forum and jurisdiction . The courts under clause 18 shall be those designated in the Venue section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (a) Ireland; or (b) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
15. Appendix. The Appendix shall be completed as follows:
16. Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses . In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws and Regulations of Switzerland (“ Swiss Data Protection Laws”), (a) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Data Protection Laws and Regulations of the United Kingdom (“ UK Data Protection Laws”) or Swiss Data Protection Laws, as applicable; and (b) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
17. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
SCHEDULE 2
DESCRIPTION OF PROCESSING/TRANSFER
1. LIST OF PARTIES
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
Name: Customer as identified in registration
Address: Customer’s address listed in registration
Role: For the purposes of the Standard Contractual Clauses, Customer is a Controller.
Activities relevant to the data transferred under these clauses: Provision of the Services pursuant to the Agreement (including the DPA).
Contact person's name, position, and contact details: Customer’s designated point of contact listed at registration
Signature: By agreeing to the Agreement and the DPA, Customer agrees to this Schedule 2, effective as of the date of the Agreement.
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
Name: Steady Space Corp
Address: 228 Park Ave S, Ste 24881, NY, NY 10003
Role: For the purposes of the Standard Contractual Clauses, Steady is a Processor.
Contact person's name, position, and contact details:
Henry Poydar, Founder and CEO
henry@steady.space
Signature:
2. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
3. CATEGORIES OF PERSONAL DATA TRANSFERRED
You may submit Personal Data to the Services, the extent of which is determined and controlled by You in Your sole discretion, and which may include, but is not limited to the following categories of Personal Data:
2. SENSITIVE DATA TRANSFERRED
The parties do not anticipate the transfer of sensitive Personal Data.
3. FREQUENCY OF THE TRANSFER
Data is transferred on a continuous basis depending on Customer’s use of the Services.
4. NATURE OF THE PROCESSING
The nature of the Processing is the provision of the Services pursuant to the Agreement
5. PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING
Steady will Process Personal Data as necessary to provide the Services pursuant to the Agreement and as further instructed by Customer in Customer’s use of the Services.
6. DURATION OF PROCESSING
Subject to Section 3 of the DPA, Steady will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
7. SUB-PROCESSOR TRANSFERS
Sub-processor(s) will Process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to section 5 of this DPA, the Sub-processor(s) will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Identities of the Sub-processors used for the provision of the Services and their country of location are available to Customer upon request.
8. COMPETENT SUPERVISORY AUTHORITY
9. TECHNICAL AND ORGANISATIONAL MEASURES
In addition to the administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data described in the DPA and Steady’s Privacy Notice, Steady also had implemented the following technical and organizational measures: