Last updated: May 19th, 2025
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is hereby incorporated by reference into the agreement between Walnut Ltd. And its affiliates (“Walnut”) and Customer, that governs Customer’s use of the Walnut Platform and Services (“Agreement”). This DPA sets forth the parties’ responsibilities and obligations when Processing Personal Data during the Term and under the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, Walnut provides the Customer with access to Walnut’s sales experience platform (“Platform”) which enables Customer to create interactive product demos and collect insights about the usage of such demos by Customer’s prospects (“Services”); and
WHEREAS, the parties wish to ensure the Processing of Personal Data is conducted in accordance with Data Protection Laws (as defined below);
NOW, THEREFORE THE PARTIES AGREE AS FOLLOWS:
1. DEFINITIONS
1.1 “Adequate Country” is a country that received an adequacy decision from the European Commission.
1.2 The terms “Business”, “Business Purpose“, “Consumer”, “Controller”, “Data Subject”, “Holder”, “Personal Data”, “Personal Information”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Sale” (or “Sell”), “Service Provider”, “Sensitive Data”, “Share”, “Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them in the applicable Data Protection Law. Under this DPA: “Controller” shall also mean and refer a “Business”; “Processor” shall also mean and refer to a “Services Provider” and a “Holder”; “Data Subject” shall also mean and refer a “Consumer”; “Personal Data” shall also mean and refer to “Personal Information”, and; “Sensitive Data” shall also mean and refer to “Special Categories of Personal Data” or “Highly Sensitive Data” as applicable.
1.3 “Customer Data” means any and all Personal Data uploaded to Walnut’s Platform during the engagement between the parties, as detailed in ANNEX I.
1.4 “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, the Israeli Data Protection Law, the EU Data Protection Law, Swiss Data Protection Laws, the UK Data Protection Law and the US Data Protection Laws, as all may be amended or superseded from time to time.
1.5 “Israeli Data Protection Law” means, collectedly, the: (i) Israeli Protection of Privacy Law, 5741-1981 (as amended under Amendment 13), the regulations promulgated pursuant thereto, including the Israeli Protection of Privacy (Data Security) Regulations, 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing, and; (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority
1.6 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (iv) any legislation replacing or updating any of the foregoing. (v) the Data Protection Act 2018 (DPA 2018), as amended, and the EU GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (iv) the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) as well as the Ordinance on the Federal Act on Data Protection (“FODP“); and (vii) any legislation replacing or updating any of the foregoing; and binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority. The EU GDPR, together with the UK GDPR shall be collectively referred to under this DPA as “GDPR”.
1.7 “Instructions” means the written, documented instructions issued by the Customer to Walnut directing Walnut to perform a specific or general action with regard to Customer Personal Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA
1.8 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party.
1.9 “Standard Contractual Clauses” or “SCC” mean, collectively and as applicable, the: (i) standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, available HERE (“EU SCC”) (ii) the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available HERE (“UK SCC”); and (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).
1.10 “US Data Protection Laws” means any and all applicable federal and state privacy laws and regulations applicable to the Supplier’s Processing activities of Walnut Data under this DPA, and any implementing regulations and amendment thereto, including without limitation the: (i) California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time (‘CCPA’); (ii) the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190) (‘CPA’); (iii) the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022) (‘CTDPA’); (iv) the Florida Digital Bill of Rights S.B 262 (‘FDBR’); (v) the Montana Consumer Data Privacy Act 68th Legislature 2023, S.B. 0384 (‘MTCDPA’); (vi) the Oregon Consumer Data Privacy Act ORS 646A.570-646A.589 (‘OCDPA’); (vii) the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq (‘TDPSA’); (viii) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (‘UCPA’); and (ix) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392). All as amended or superseded from time to time and including any implementing regulations and amendments thereto.
1.11 “Usage Data” means information about Customer’s or its Authorized Users use of the Platform and Services, such information may include without limitation, access logs, sessions replays, clickstream, errors, and crashes, all as detailed in the Walnut Privacy Policy available at https://www.walnut.io/privacy.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws. A reference to any term or section of Data Protection Laws means the version as may be amended, modified, updated, or replaced from time to time. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
Scope and Applicability of this DPA. This DPA applies to Customer Data processed as part of the Services. This DPA does not apply to Usage Data.
2. RELATIONSHIP OF THE PARTIES
2.1 The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and Walnut is acting as a Processor on behalf of the Customer in the course of providing the Services.
2.2 For the purpose of the US Data Protection Laws, Walnut shall Process Customer Personal Data as the Service Provider on behalf of the Customer as the Business and shall not: (i) Sell or Share the Customer Personal Data; (ii) retain, use or disclose the Customer personal Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Personal Data with other Personal Data that it receives from, or on behalf of, another customer.
2.3 Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law. Without derogating from the generality of the above, the Customer shall be exclusively responsible to ensure compliance of its Instructions to enable lawful collection and Processing of Customer Personal Data, including obtaining any required consent and providing any required disclosures
2.4 The purpose, subject matter and duration of the Processing carried out by Walnut on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.
3. REPRESENTATIONS AND WARRANTIES
3.1 The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; (ii) it will comply with Data Protection Law, specifically with regards to the lawful basis principal for Processing Personal Data; and (iii) due to the nature of the Services, Walnut does not monitor or control the Customer Data obtained by Walnut’s system and thus, the type of Personal Data or Categories of the Data Subjects processed by it is subject to the Customer’s sole discretion.
3.2 Walnut represents and warrants that it: (i) shall process Customer Data, on behalf of the Customer, solely for the purpose of providing the Services, all in accordance with Customer’s written instructions including the Agreement and this DPA; (ii) in the event Walnut is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, it shall inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Customer in ensuring compliance with its obligation to carry out data protection impact assessments.
3.3 Walnut shall take reasonable steps to ensure: (i) the reliability of its personnel and any other person acting under its supervision who may come into contact with, or otherwise have access to Customer Data; (ii) that the personnel authorized to process the Customer Data (solely on a need to know basis) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. RIGHTS OF DATA SUBJECTS AND THE PARTIES’ COOPERATION OBLIGATIONS
4.1 It is agreed that where Walnut receives a request from a Data Subject or an applicable authority in respect of Customer Data Processed by Walnut, where relevant, it will notify the Customer of such request and direct the Data Subject or the applicable authority to the Customer in order to allow the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
4.2 Where applicable, Walnut shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Customer Data it is Processing is inaccurate or has become outdated.
5. SUB-PROCESSORS
5.1 The Customer acknowledges that Walnut may transfer Customer Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby, authorizes Walnut to engage and appoint such Sub-Processors to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub Processor on its behalf. Walnut may continue to use those Sub-Processors already engaged by it, as listed in ANNEX III. Walnut may replace its existing Sub-Processors or add additional Sub-Processors provided it notifies the Customer before authorizing such Sub-Processor(s) to Process Customer Data in connection with the provision of the Services (email will suffice). Customer may reasonably object to the use of a new Sub-Processor by notifying Walnut promptly in writing within 10 days after receipt of Walnut’s notice. Customer shall explain its reasonable grounds for objection. In the event Customer objects to a new Sub-processor, Walnut will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Walnut is unable to make available such change within a reasonable period of time, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Walnut without the use of the objected-to new Sub-processor by providing written notice to the other party.
5.2 Where Walnut engages a Sub-Processor, it shall impose on the Sub-Processor data protection obligations no less onerous than those set out in this DPA, through a legally binding contract between Walnut and the Sub-Processor (“Contract”). Walnut shall ensure that the Contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
5.3 Walnut shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with the Agreement. Walnut shall notify the Customer of any known failure by the Sub-Processor to fulfill its contractual obligations.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context of the Customer Data available to Walnut and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Walnut shall implement appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws, without prejudice to Walnut’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Data.
6.2 For more information on Walnut’s security measures please see ANNEX II attached hereto.
7. SECURITY INCIDENT
7.1 Walnut shall notify the Customer upon becoming aware of a Security Incident involving Customer’s Data in, as determined by Walnut in its sole discretion, and Where such confirmed Security Incident affects the Customer Data, Walnut shall: (i) take such steps as necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Customer and assist Customer with the Customer’s obligation to notify affected individuals in the case of a Security Incident.
7.2 Walnut’s notification of or response to a Security Incident under this Section 7 shall not be construed as an acknowledgment by Walnut of any fault or liability with respect to the Security Incident.
8. AUDIT RIGHTS
8.1 Walnut shall respond promptly and adequately with respect to Customer’s reasonable inquiries regarding the Processing of Customer Data in accordance with this DPA. Walnut shall make available to the Customer all information necessary to demonstrate Customer’s compliance with the obligations under the EU Data Protection Law.
8.2 Walnut shall make available, so long as the Agreement remains in effect, solely upon prior written notice and no more than once per calendar year during the Term (except for in the case of a Security Incident), information necessary to reasonably demonstrate compliance with this DPA to a reputable auditor nominated by the Customer, at Customer’s sole expense, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Walnut may object to an auditor appointed by the Customer in the event Walnut reasonably believes that the auditor is not suitably qualified or is a competitor of Walnut or otherwise unsuitable. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Walnut’s business operations. Any and all conclusions of such Audit shall be confidential and reported back to Walnut immediately.
8.3 Nothing in this DPA will require Walnut either to disclose to Customer or its third-party auditor or to allow Customer or its third-party auditor to access: any data of any other customer; Walnut internal accounting or financial information; any trade secret of a Walnut or its affiliates; any information that, in Walnuts’ reasonable opinion, could compromise the security of any Walnuts’ systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
9. DATA TRANSFER
9.1 Subject to Section 9.2 herein below, Customer acknowledges and agrees that for the provisions of the Services, Walnut may Process, including transfer, Customer Personal Data on various jurisdictions where Walnut’s affiliates and Sub-Processors operate. Walnut will ensure that transfers are made in compliance with Data Protection Laws that applies to such Walnut’s Processing.
9.2 Where the GDPR, UK GDPR or the Swiss FADP applies: Walnut will not transfer Customer Personal Data originating from the (“EEA”) European Economic Area , unless it takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation): (i) transferring such Customer Personal Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses. When Customer and Walnut rely on the SCC to facilitate a transfer to a third country the following shall apply:
9.2.1 For Transfer of Customer Personal Data from the EEA the EU SCC shall apply and completed as follows: (1) Module II (Controller to Processors) will apply; (2) In Clause 7 the optional docking clause will not apply; (3) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing Sub-Processor shall be as set forth in the Sub-Processing Section of the DPA; (4) In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) In Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of the Republic of Ireland; (6) In Clause 18(b) the parties choose the courts of Republic of Ireland, as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: Customer is the Data Exporter, Walnut is the Data Importer, the parties’ contact details Agreement Effective Date; Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority of Republic of Ireland; (8) Annex II of the EU SCC is deemed completed with the information set out in Annex III of this DPA; (9) Annex III of the EU SCC shall be completed with the list of sub-processors set out in Annex II of this DPA.
9.2.2 For transfer of Customer Personal Data from the UK, the UK SCC shall apply and completed as follows: (1) Table 1 shall be completed as set forth in section (i)(7) above; (2) Table 2 shall be completed as set forth in Section (i)(1) – (i)(4) above; (3) Tables 3 shall be completed as follows: Annex 1A shall be completed with relevant information as set out in Section (i)(7) above; Annex 1B shall be completed with relevant information as set out in Annex I of this DPA; , Annex II shall be completed with relevant information as set out in Annex III of this DPA; Annex III shall be completed with the list of sub-processors set out in Annex II of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) Any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
9.2.3 For transfer of Customer Personal Data from Switzerland, the Swiss SCC shall apply, and the following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “the Swiss Federal Data Protection and Information Commissioner ” and the “relevant courts in Switzerland”.
10. CONFLICT
10.1 In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as explicitly set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
11. TERM AND TERMINATION
11.1 This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates or as long as Walnut processes Customer Data. The Customer shall be entitled to suspend the Processing of its Customer’s Data in the event Walnut is in breach of Data Protection Laws, or the terms of this DPA, subject to a final decision of a competent court or the competent supervisory authority.
11.2 Walnut shall be entitled to terminate this DPA or cease the Processing of Customer Data if the Processing according to Customer’s instructions or this DPA infringes applicable laws and regulations. Such termination shall be subject to informing the Customer and the Customer insists on compliance with the instructions.
11.3 Following the termination of this DPA, Walnut shall, at the choice of the Customer, delete all Customer’s Data processed on behalf of the Customer and certify to the Customer that it has done so, or otherwise, return all Customer’s Data to the Customer and delete existing copies unless applicable law or regulatory requirements requires that Walnut continue to store the Customer’s Data. Until the Customer Data is deleted or returned, Walnut shall continue to ensure compliance with this DPA.
ANNEX I
DETAILS OF PROCESSING
This Annex I include certain details of the Processing of the Customer Data as under the Data Protection Laws.
1. Categories of Data Subjects:
Any Customer Data uploaded by Customer to Walnut’s Platform, including contact information of Customer’s employees (authorized users) and Customer’s prospects (which view the demo).
2. Categories of Personal Data:
Contact information,
Customer’s prospects usage data (i.e. IP address, used id, demo viewed and any interaction with the platform)
Any content related to the interaction and engagement of the Customer with the Customer’s prospects uploaded by the Customer.
3. Special Categories of Personal Data:
N/A
4. Process Frequency:
The Personal Data is transferred on a continous basis.
5. Nature of the Processing:
Storage, recording, hosting, transferring and optimization.
6. Purpose of Processing:
Providing the Services.
7. Retention Period:
The duration of processing shall be for the term of the Agreement with an additional period of 30 days from the expiration of the Agreement until deletion of Personal Data by Walnut.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
Below is a summary of the security measures Walnut adhering to: Implement and maintain current and appropriate technical and organizational measures to protect Customer Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access;
1. Provide third-party attestation of static or dynamic application security testing or penetration testing on all software Processing Customer Data, remediate any identified high vulnerabilities prior to delivery to Customer, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Customer’s request;
2. Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Customer Data;
3. Oblige its employees, agents or other persons to whom it provides access to Customer Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Customer Data; provide annual training to staff and subcontractors on the security requirements contained herein;
4. Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Walnut’s systems and services;
5. Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;
6. Maintain an automatic recording mechanism which shall enable monitoring the access to the systems and facilities containing the Customer Data, and to log all individuals’ or codes access to and activities on systems and at facilities containing the Customer Data. Such logs shall include, at the minimum the user identity, date and time of access attempt, system component to which access was attempted, access type, its scope, and whether access was granted or denied. Walnut shall ensure the automatic recording mechanism will not enable, to the extent possible, disabling or modifying its operation and will detect and alert such modifications or the disabling of its operation and will send alerts to those responsible. Logs shall be retained by Walnut for a period of 24 months, and in any event shall not be earlier deleted unless transferred to Customer. Upon Customer’s request, Walnut shall provide the applicable logs set forth above to Customer;
7. For passwords applicable to Walnut’s access, adhere to password policies for standard and privileged accounts consistent with industry best practices; protect both Walnut’s and Customer’s user accounts with access to Customer Data using multi-factor authentication (e.g., using at least two different factors to authenticate such as a password and a security token or certificate);
8. Store and transmit Customer Data using strong cryptography, consistent with industry best practices, and pseudonymize Personal Data where appropriate;
9. Ensure that only those Walnut’s personnel who need to have access to Customer Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. Walnut shall conduct access reviews upon each individual’s scope of responsibility change, Walnut staffing change or other change impacting Walnut’s personnel access to Customer Data;
10. Maintain a physical security program that is consistent with industry best practices;
11. Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Customer Data is securely erased or destroyed before repurposing or disposal;
12. Measures and assurances regarding US government surveillance (“Additional Safeguards”): Walnut agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex:
A. Measures and assurances regarding US government surveillance (“Additional Safeguards”): Walnut agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex:
B. In the event that section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”) applies to Walnut, Walnut will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under Section 702 of the FISA.
C. If Walnut becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Walnut shall: inform the relevant Authority that Walnut is a Processor of the Personal Data and that Customer, as the Controller has not authorized Walnut to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Walnut’s control.
D. Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Walnut has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Walnut shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
E. Walnut will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data Walnut has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
ANNEX III
LIST OF SUB-PROCESSORS
| Name | Location of Processing | Description of the Processing | Transfer Mechanism | US Data Privacy Framework |
|---|---|---|---|---|
| AWS | 410 Terry Avenue North Seattle, WA 98109, United States | Hosting | https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/ | https://compliance.salesforce.com/en/us-data-privacy-framework-dpf https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TOWQAA4&status=Active |
| Mixpanel Inc. | One Front Street, 28th Floor, San Francisco, CA 94111, US | Analytics | https://mixpanel.com/legal/dpa/ | https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TOacAAG&status=Active |
| Fullstory, Inc | 1745 Peachtree Rd NW Suite G, Atlanta, GA 30309, United States | Analytics | https://www.fullstory.com/legal/form-of-standard-dpa/ | https://www.privacyshield.gov/ps/participant?id=a2zt0000000TNHwAAO&status=Active |
| DataDog, Inc. | 225 Franklin Street 24th FloorBoston, MA 02110, United States | IT Monitoring Service | https://www.datadoghq.com/legal/data-processing-addendum/ | https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnxPAAS&status=Active |
| OpenAI, LLC | OpenAI, L.L.C180 18th St, San Francisco, California 94110, US | content creation features | Yes – Offline DPA. | |
| Microsoft | One Microsoft Way Redmond, Washington 98052 USA | Hosting | https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA | https://www.dataprivacyframework.gov/participant/6474 |
| Google LLC | Googleplex 1600 Amphitheatre Parkway Mountain View, CA 94043, USA | Hosting | https://cloud.google.com/terms/data-processing-terms | https://www.dataprivacyframework.gov/participant/5780 |