Last updated: November 1, 2024
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is hereby incorporated by reference and forms an integral part of the Master Service Agreement or any service agreement governing the use of the Walnut Platform and Services (“Agreement”) and entered into by and between Walnut Ltd. and its affiliates (“Walnut”) and Customer. Capitalized terms not defined herein shall have the meaning set forth in the Agreement. Each of Customer and Walnut may be referred to herein as a “party” and collectively as the “parties”.
WHEREAS, Walnut is the developer and operator of a cloud-based platform allowing customers to create interactive tailored demos and collect interaction insights (“Platform” and “Services” respectively);
WHEREAS, the Services may require Walnut to Process Personal Data (as such terms are defined below) on Customer’s behalf, which Customer discloses to Walnut only for the limited and specified purposes set forth herein, and subject to the terms and conditions of this DPA; and
WHEREAS, the parties wish to supplement this DPA to ensure the Processing of Personal Data is conducted in accordance with Data Protection Laws (as defined below);
NOW, THEREFORE THE PARTIES AGREE AS FOLLOWS:
1. DEFINITIONS
1.1 “Adequate Country” is a country that received an adequacy decision from the European Commission or other applicable data protection authority.
1.2 The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data” or “Personal Information”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”), “Share”, “Special Categories of Personal Data” and “Supervisory Authority” shall have their respective meanings under the applicable Data Protection Laws. “Data Subject” shall also mean and refer, under this DPA, to a “Consumer”; “Personal Data” shall mean and refer, under this DPA, to “Personal Information”; and “Special Categories of Data” shall also mean and refer, under this DPA, to “Sensitive Data”. Capitalized terms not specifically defined under this Agreement shall have their respective meanings under the applicable Data Protection Laws.
1.3 “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations promulgated thereunder from time to time.
1.4 “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto.
1.5 “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
1.6 “Customer Data” means any and all Personal Data uploaded to the Platform during the engagement between the parties, as detailed in ANNEX I.
1.7 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
1.8 “Data Protection Laws” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the US Data Protection Laws) as may be amended or superseded from time to time.
1.9 “EEA” means the European Economic Area.
1.10 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
1.11 “EU Standard Contractual Clauses” or the “EU SCCs” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN
1.12 “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, instructions under this DPA as well as those which are related to depersonalizing, blocking, deletion, making available).
1.13 “Israeli Law” means the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
1.14 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will be considered a Security Incident.
1.15 “Standard Contractual Clauses” shall mean either the EU SCC, the UK SCC or the Swiss SCC.
1.16 “Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (“FDPA”); (ii) The Ordinance on the Federal Act on Data Protection (“FODP”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
1.17 “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
1.18 “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
1.19 “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and the GDPR, as incorporated into UK law as the UK GDPR, as amended (“UK GDPR”), and any other applicable UK data protection laws or regulatory Codes of Conduct or other guidance that may be issued from time to time.
1.20 “UK SCC” shall mean the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
1.21 “US Data Protection Laws” means any U.S. federal and state privacy laws in effect which apply to the Processing of Personal Data under this DPA, and any implementing regulations and amendments thereto, including without limitation, the CCPA, the CPA, the CTDPA, the UCPA and the VCDPA.
1.22 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.
2. RELATIONSHIP OF THE PARTIES
2.1 The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and Walnut is acting as a Processor on behalf of the Customer in the course of providing the Services.
2.2 The purpose, subject matter and duration of the Processing carried out by Walnut on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.
2.3 Additional US Data Protection Laws specifications are further detailed in ANNEX V.
3. REPRESENTATIONS AND WARRANTIES
3.1 The Customer represents and warrants that it: (i) will fully comply with applicable Data Protection Law with respect to its Processing of Customer Data including the issuance of any Instruction to Walnut; (ii) shall inform Walnut without undue delay if it is not able to comply with its responsibilities under this Section or applicable Data Protection Laws; (iii) shall be responsible to secure its use of the Service, including protecting the security of Customer Data in transit to and from the Services (including to securely backup or encrypt any such Customer Data); and (iv) is responsible for independently determining whether the data security provided for in the performance of the Services adequately meets its obligations under applicable Data Protection Laws.
3.2 If Walnut reasonably believes that an Instruction infringes applicable Data Protection Law, Walnut shall inform Customer without undue delay, and shall have the right to immediately cease any such Processing activity related to the infringing Instruction. To the extent the infringement was not cured by Customer within 10 days from receiving written notice of the same from Walnut, Walnut shall have the right to terminate its Processing activities under this DPA or terminate the Agreement immediately without providing further notice to Customer.
3.3 Walnut represents and warrants that it: (i) shall process Customer Data, on behalf of the Customer, solely for the purpose of providing the Services, all in accordance with Customer’s Instructions; (ii) in the event Walnut is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, it shall inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Customer in ensuring compliance with its obligation to carry out data protection impact assessments.
3.4 In addition, Walnut shall take reasonable steps to ensure: (i) the reliability of its personnel and any other person acting under its supervision who may come into contact with, or otherwise have access to Customer Data; (ii) that the personnel authorized to process the Customer Data (solely on a need to know basis) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.5 The parties agree that the Agreement and this DPA, together with Customer’s use of the Service in accordance with the Agreement, constitute the complete Instructions to Walnut in relation to the Processing of Customer Data, so long as Customer may provide additional Instructions during the term of the Agreement that are consistent with the Agreement, the nature and lawful use of the Services.
4. RIGHTS OF DATA SUBJECTS AND THE PARTIES’ COOPERATION OBLIGATIONS
4.1 It is agreed that where Walnut receives a request from a Data Subject or an applicable authority in respect of Customer Data Processed by Walnut, where relevant, it will notify the Customer of such request and direct the Data Subject or the applicable authority to the Customer in order to allow the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
4.2 Where applicable, Walnut shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Customer Data it is Processing is inaccurate or has become outdated.
5. SUB-PROCESSORS
5.1 Customer acknowledges and agrees that Walnut may engage with third party data Processors (“Sub-Processors”) for the purpose of Processing the Customer Data. Walnut may continue to use those Sub-Processors which Walnut has already appointed as listed under ANNEX III, or replace, add, or cease any use of a Sub-Processor, upon providing Customer with 30 days’ prior notice of the same; provided Customer shall have the right to object to the addition or replacement of a certain Sub-Processor on reasonable grounds relating to the security of Customer Data. If Customer notifies Walnut of such an objection, the parties will discuss those concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Walnut will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination effective date).
5.2 Where Walnut engages Sub-Processors, it will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Walnut will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Walnut to breach any of its obligations under this DPA.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context of the Customer Data available to Walnut and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Walnut shall implement appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws, without prejudice to Walnut’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Data, as detailed under ANNEX II.
7. SECURITY INCIDENT
7.1 Walnut will notify Customer without undue delay after it becomes aware of any Security Incident involving Customer Data and will provide timely information relating to the Security Incident as it becomes known or reasonably requested by Customer. At Customer’s request, Walnut will promptly provide Customer with such reasonable assistance as necessary to enable Customer to comply with its obligations mandated by the applicable Data Protection Laws to notify such Security Incident to competent authorities or affected Data Subjects.
7.2 Walnut’s notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by Walnut of any fault or liability with respect to the Security Incident.
8. AUDIT RIGHTS
8.1 Walnut shall maintain accurate written records of all Processing activities of any Customer Data carried out under this DPA and shall make such records available to the Customer and applicable Supervisory Authorities upon written request. Such records provided shall be considered Walnut’s Confidential Information and shall be subject to confidentiality obligations under the Agreement.
8.2 Customer may audit Walnut’s compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third-party auditor (e.g., ISO27001/ISO27701 certification, SOC2 certificate) or a comparable certification or other security certification of an audit conducted by a third-party auditor, within twelve (12) months as of the date of Customer’s request.
8.3 Alternatively, in the event the records and documentation provided subject to Section 8.2 and 8.3 above are not sufficient for the purpose of demonstrating compliance, Walnut shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Walnut may object to an auditor appointed by the Customer in the event Walnut reasonably believes the auditor is not suitably qualified or is a competitor of Walnut. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Walnut’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
8.4 Nothing in this DPA will require Walnut to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other customer of Walnut; (ii) Walnut’s internal accounting or financial information; (iii) any trade secret of Walnut or its affiliates; (iv) any information that, in Walnut’s reasonable opinion, could compromise the security of any of Walnut’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
9. DATA TRANSFER
9.1 Subject to Section 9.2 herein below, Customer acknowledges and agrees that Walnut may access and Process Customer Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Customer Data may be transferred to and Processed in the United States and other jurisdictions where Walnut affiliates and Sub-Processors have operations. Whenever Customer Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
9.2 Walnut will only transfer Customer Data to those Adequate Countries, unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable Data Protection Laws.
9.3 In relation to Customer Data that is subject to the EU Data Protection Laws, transfers will be conducted in accordance with the terms under ANNEX IV to this DPA.
9.4 In relation to Customer Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with the terms under ANNEX IV, and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK SCC, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK SCC will be deemed completed with the information set out in the annexes herein below, and Table 4 to the UK SCC will be deemed completed by selecting “neither Party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
9.5 In relation to Customer Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with the terms under ANNEX IV, and the following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
10. CONFLICT
10.1 In the event of a conflict between the terms and conditions of this DPA and the Agreement, the terms of this DPA shall prevail as to the subject matter thereof. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as explicitly set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
11. TERM AND TERMINATION
11.1 This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force and effect for as long as Walnut Processes the Customer Data.
11.2 Following the termination of this DPA, Walnut shall, at the choice of the Customer, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that Walnut continues to store Customer Data. Until the Customer Data is deleted or returned, the Parties shall continue to ensure compliance with this DPA.
ANNEX I
DETAILS OF PROCESSING
This Annex I includes certain details of the Processing of the Customer Data as required under the Data Protection Laws.
1. Categories of Data Subjects:
- Customers’ prospects interacting with our Services, including the demos which are being shared with such prospects through the Platform.
- Customer Authorized Users.
2. Categories of Personal Data:
Any information provided or uploaded by the Customer or its Authorized User, depending on the Services purchased and the features used by Customer, however including, but not limited to:
- Contact information.
- Telemetry and usage data regarding such prospects’ interaction with our Services including demos (i.e. IP address, user ID, demo viewed and any interaction with the platform).
3. Special Categories of Personal Data:
N/A
4. Process Frequency:
On a continuous basis during the term defined under the Agreement.
5. Nature of the Processing:
Storage, recording, hosting, transferring and optimization, etc.
6. Purpose of Processing:
Providing the Services.
7. Retention Period:
The duration of processing shall be for the term of the Agreement with an additional period of 30 days from the expiration of the Agreement until deletion of Personal Data by Walnut or as otherwise required by Customer.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
Below is a summary of the security measures Walnut adheres to:
Implement and maintain current and appropriate technical and organizational measures to protect Customer Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access;
Provide third-party attestation of static or dynamic application security testing or penetration testing on all software Processing Customer Data, remediate any identified high vulnerabilities prior to delivery to Customer, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Customer’s request;
Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Customer Data;
Oblige its employees, agents or other persons to whom it provides access to Customer Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Customer Data; provide annual training to staff and subcontractors on the security requirements contained herein;
Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Walnut’s systems and services;
Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;
Log all individuals’ access to and activities on systems and at facilities containing Customer Data. Upon Customer’s request, and subject to applicable laws and the Walnut retention policy, Walnut will provide a report detailing a list of authorized users, their associated privileges, status of accounts, and history of activities;
For passwords applicable to Walnut’s access, adhere to password policies for standard and privileged accounts consistent with industry best practices; protect both Walnut’s and Customer’s user accounts with access to Customer Data using multi-factor authentication (e.g., using at least two different factors to authenticate such as a password and a security token or certificate);
Store and transmit Customer Data using strong cryptography, consistent with industry best practices, and pseudonymize Personal Data where appropriate;
Ensure that only those Walnut’s personnel who need to have access to Customer Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. Walnut shall conduct access reviews upon each individual’s scope of responsibility change, Walnut staffing change or other change impacting Walnut’s personnel access to Customer Data;
Maintain a physical security program that is consistent with industry best practices;
Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Customer Data is securely erased or destroyed before repurposing or disposal;
Measures and assurances regarding US government surveillance (“Additional Safeguards”):
Walnut agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex:
- Walnut maintains industry standard measures to protect the Personal Data from interception (including in transit from Customer to Walnut and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.
- In the event that section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”) applies to Walnut, Walnut will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under Section 702 of the FISA.
- If Walnut becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Walnut shall: inform the relevant Authority that Walnut is a Processor of the Personal Data and that Customer, as the Controller has not authorized Walnut to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Walnut’s control.
- Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Walnut has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Walnut shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
Walnut will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data Walnut has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
ANNEX III
LIST OF SUB-PROCESSORS
Name | Location of Processing | Description of the Processing | Transfer Mechanism |
---|---|---|---|
AWS | US | Hosting | Data Privacy Framework |
Salesforce, Inc. | US | CRM | Data Privacy Framework |
Intercom | US | Support chatbot | Data Privacy Framework |
Mixpanel Inc. | US | Analytics | Data Privacy Framework |
Fullstory, Inc. | US | Analytics | Data Privacy Framework |
Twilio Inc. [Segment] | US | Data Transfer Tool | Data Privacy Framework |
Catalyst Software Corporation | US | Customer success software for retention and growth | SCC |
DataDog, Inc. | US | IT Monitoring Service | Data Privacy Framework |
Catamorphic, Co. dba LaunchDarkly | US | Feature Management | Data Privacy Framework |
Gong.io Inc. | US | Calls and meeting intelligence platform | Data Privacy Framework |
Slack Technologies, Inc. | EU | Instant messaging services | Data Privacy Framework |
OpenAI, LLC | US | Content creation features | DPA |
EverAfter Ltd. | Israel | Client’s onboarding | DPA |
ANNEX IV
EU INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
- Module II of the Standard Contractual Clauses shall apply where the transfer is effectuated between the Customer as data Controller of the Customer Data and Walnut as the data Processor of the Customer Data.
- The parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Walnut (as Data Importer), the following shall apply:
  - a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
  - b) In Clause 9 (applicable to Module II only), option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processing Section of the DPA.
  - c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
  - d) In Clause 13, the Supervisory Authority shall be the Supervisory Authority in Ireland.
  - e) In Clause 17, option 1 shall apply. The parties agree that the EU Standard Contractual Clauses shall be governed by the laws of Ireland.
  - f) In Clause 18(b) the parties choose the courts of Ireland, as their choice of forum and jurisdiction.
- ANNEX I of this DPA serves as ANNEX II of the EU Standard Contractual Clauses.
- ANNEX II of this DPA (Technical and Organizational Measures) serves as ANNEX II of the EU Standard Contractual Clauses.
- ANNEX III of this DPA (List of Sub-Processors) serves as ANNEX III of the EU Standard Contractual Clauses.
- Transfers to the US: Measures and assurances regarding US government surveillance as detailed in ANNEX II to this DPA.
ANNEX V
US ADDENDUM
This US Addendum (“US Addendum”) provides additional specifications applicable to US Data Protection Laws. All terms used but not defined in this US Addendum shall have the meaning set forth in the DPA or the applicable US Data Protection Law.
- Walnut shall not (i) sell or share the Personal Data; (ii) retain, use or disclose the Personal Data for any purpose other than for the limited purpose of providing the Services; or (iii) combine the Personal Data that it Processes on behalf of the Customer with other Personal Data it receives or collects from, or on behalf of, another entity or customer, except as otherwise permitted by the applicable US Data Protection Law.
- Walnut agrees to notify the Customer if it determines that it can no longer meet its obligations under this US Addendum or US Data Protection Law.
- Walnut shall assist the Customer in respect of Consumer requests to limit the use of Sensitive Personal Information and provide necessary assistance and procures that its subcontractors will provide assistance as Customer may reasonably request, where applicable, in connection with any obligation to respond to requests for exercising the rights of a Consumer under the applicable US Data Protection Law.
- Each party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The parties are hereby establishing a clear allocation of the responsibilities between them to implement these measures. Walnut technical measures are detailed under Annex II above.
- In addition to the Audit rights provided in the DPA, under US Data Protection Laws and subject to Customer’s consent, Walnut may, as an alternative to an on-premise audit, initiate a third-party audit to verify Walnut’s compliance with its obligations under US Data Protection Laws. Walnut will make available to the third-party auditor all necessary information to demonstrate such compliance.
- Each Party will comply with the requirements set forth under US Data Protection Laws with regard to the processing of de-identified data, as defined under the applicable US Data Protection Law.
- Walnut acknowledges and confirms that it does not receive or Process any Personal Information as consideration for any Services it provides to the Customer.
- Walnut certifies that it understands the rules, requirements and definitions of the applicable US Data Protection Law and agrees to refrain from Selling any Personal Data.