Skip to main content

Outbound Processor Data Protection Addendum

X Data Processing Addendum

This X Data Processing Addendum (the “DPA”) shall amend and apply to all of your agreements (“Agreements”) with X, Inc., X International Company, and their affiliates and/or subsidiaries (“X”) to the extent that You process (i) as X’s processor any personal data originating from the European Economic Area, the United Kingdom and Switzerland; or (ii) as X’s service provider any personal information of California consumers (collectively, “X Data”).

1. Definitions

Words and expressions used in this DPA but not defined herein shall have the meanings given to such words and expressions in (i) the General Data Protection Regulation (2016/679) (the “GDPR”), including any subordinate or implementing legislation, (ii) the EU-US Privacy Shield and the Swiss-US Privacy Shield (the “Privacy Shield”), and (iii) the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. (the “CCPA”) (collectively, “Applicable Data Protection Law”).

You” refers to the processor or service provider who has agreed to this DPA with X.

2. Details of the Processing Operations

The subject matter of the processing, including the processing operations carried out by You on X’s behalf, the instructions from X to You, and the security measures deployed by You, are described in the relevant Agreements between You and X. You act as a service provider for, and on behalf of and on the instructions of X, in carrying out the processing operations.

3. X’s Obligations

3.1 X determines the purposes for and means by which X Data is being or will be processed, and the manner in which they are or will be processed.

3.2 X represents, warrants and agrees that with respect to X Data provided to You pursuant to this DPA X:

3.2.1 complies with personal data security and other obligations prescribed by Applicable Data Protection Law for controllers or businesses;

3.2.2 confirms that the provision of X Data to You complies with Applicable Data Protection Law;

3.2.3 has established a procedure for the exercise of the rights of the individuals/consumers whose personal data or personal information is collected;

3.2.4 only processes personal data or personal information that has been lawfully and validly collected and ensures that such data or information is relevant and proportionate to the respective uses;

3.2.5 discloses X Data to You for a business purpose consistent with the disclosures X makes to our users in our privacy policy, and X does not sell X Data to You;

3.2.6 ensures that after assessment of the requirements of Applicable Data Protection Law, the security and confidentiality measures implemented are suitable for protection of X Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and

3.2.7 takes reasonable steps to ensure compliance with the provisions of this DPA by X personnel and by any person accessing or using X Data on X’s behalf.

4. Your Obligations.

4.1 You carry out the processing of X Data on X’s behalf.

4.2 Pursuant to the provisions of Article 28 of the GDPR, You agree that You will:

4.2.1 process X Data only on X’s behalf and in compliance with X’s instructions (including relating to international data transfers), including instructions in this DPA and all Agreements between You and X, unless required to do so by EU or Member State law to which You are subject;

4.2.2 immediately inform X if in Your opinion an instruction from X infringes Applicable Data Protection Law;

4.2.3 implement appropriate technical and organizational security measures as provided for in Your Agreements with X prior to the commencement of the processing activities for X Data, maintain such security measures (or better security measures) for the duration of this DPA, and provide X with reasonable evidence of Your privacy and security policies;

4.2.4 take reasonable steps to ensure that (i) persons employed by You and (ii) other persons engaged at Your place of business who may process X Data are aware of and comply with this DPA;

4.2.5 comply with confidentiality obligations in respect of X Data as detailed in all Agreements and take appropriate steps to ensure that Your employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of X Data, including after the end of their employment, contract or at the end of their assignment;

4.2.6 inform X of:

4.2.6.1 any legally binding request for disclosure of X Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;

4.2.6.2 any personal data breach within the meaning of Applicable Data Protection Law relating to X Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Law (“Security Incident”);

4.2.6.3 any relevant notice, inquiry or investigation by a supervisory authority relating to X Data; and

4.2.6.4 any requests for access to, rectification or blocking of X Data received directly from a data subject without responding to that request, unless X has authorized a response or such a response is required by law;

4.2.7 provide reasonable co-operation and assistance to X in respect of X’s obligations regarding:

4.2.7.1 requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of X Data;

4.2.7.2 the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;

4.2.7.3 the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;

4.2.7.4 the security of X Data, including by implementing the technical and organizational security measures detailed in Your Agreements with X;

4.2.8 if You are required by law to process X Data, take reasonable steps to inform X of this requirement in advance of any processing, unless You are prohibited from informing X on grounds of important public interest; and

4.2.9 upon reasonable request, make available to X information necessary to demonstrate compliance with the obligations in this Clause 4.2.

4.3 Pursuant to the CCPA, You agree that:

4.3.1 You are acting solely as a service provider with respect to X Data;

4.3.2 You shall not retain, use or disclose X Data for any purpose other than for the specific purpose of performing the services specified in this DPA or any other Agreement between You and X;

4.3.3 You may deidentify or aggregate X Data as part of performing the services specified in this DPA and any other Agreement between You and X; and

4.3.4 You certify that You understand and will comply with the requirements and restrictions set forth in this Section 4.3 of this DPA.

4.4 X or an accredited third-party audit firm agreed to by both You and X may audit Your compliance with the terms of this DPA during regular business hours in a manner that is not disruptive to Your business, upon reasonable advance notice to You and subject to reasonable confidentiality procedures. X is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time You expend for any such audit, in addition to the rates for support services performed by You and any expenses incurred by You in complying with this Clause 4.4 and Clause 4.2.7. Before the commencement of any such audit, You and X will mutually agree upon the timing, duration and scope of the audit. X will promptly notify You of information regarding any non-compliance discovered during the course of an audit.

4.5 Further to the provisions of Privacy Shield, You agree that You will provide any EU Personal Data with at least the same level of protection as required under the Privacy Shield Principles, as described here: www.privacyshield.gov/EU-US-Framework.

5. Transfer, Disclosure and Third Parties

5.1 X acknowledges and agrees that (a) Your affiliates may be retained as sub-processors and (b) You and Your affiliates may engage third parties in connection with the provision of the data processing services. You or Your affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this Clause 5, X hereby authorizes You to engage sub-processors required to assist You for the purposes of providing the data processing services under the Agreements.

5.2 You will provide or make available to X a current list of sub-processors You use for the data processing services.   You will provide reasonable notice to X before You engage a new sub-processor of X Data, including the date on which the new sub-processor will begin processing X Data (the “Sub-Processor Effective Date”).  X may object to Your engagement of a new sub-processor by ceasing to provide or make available to you the X Data prior to the Sub-Processor Effective Date.  X’s continued use of the applicable product, program or feature on or after the Sub-Processor Effective Date constitutes X’s acceptance of the new sub-processor.

6. Post-termination obligations

You and X agree that on the termination of any of the data processing services, You and any sub-processors shall, subject to the limitations described in any relevant Agreements, return all X Data relating to such data processing services and copies of such data to X or securely destroy them and demonstrate to X’s satisfaction that You have taken such measures, unless applicable law prevents You from returning or destroying all or part of the X Data. In such case, You or the sub-processor agree to preserve the confidentiality of the X Data retained by You and that You will only actively process the X Data after such date in order to comply with the laws to which You are subject.

7. Governing law and jurisdiction

If You are in the EU or in the EEA, then this DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Ireland, and the parties to this DPA irrevocably agree that the courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

If You are outside of the EU or EEA, then this DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of the State of California, USA, and the parties to this DPA irrevocably agree that the federal or state courts located in San Francisco County, California, United States, shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims)

8. Conflicts

In the event of any conflict between the terms of this DPA and any other terms between You and X, including but not limited to the terms of any Agreements, the terms in this DPA will prevail.