This Data Processing Addendum (“DPA”) is incorporated by reference into the Carousel Cloud Terms of Use or Carousel Cloud Master Services Agreement (the “Terms”), as applicable. All terms not defined in this DPA retain the meanings ascribed to them in the Terms. Tightrope reserves the right to update the terms and conditions of this Data Processing Addendum; provided however, that any such updates shall not materially degrade the level of Services provided to Customer.
1.0 Background
Tightrope and provides the Software to Customer and Users pursuant to the Terms.
The parties have now agreed to enter into this DPA for purposes of ensuring compliance with the EU Data Protection Law (as defined herein).
In consideration of the mutual obligations set out herein, the parties agree that this DPA shall be added to and form part of the Terms, and that except where context requires otherwise, references in this DPA to the Terms are to the Terms as amended by and including this DPA.
2.0 Definitions
Customer and Tightrope agree as follows:
2.1 The following definitions and rules of interpretation apply in this DPA.
“Business Purpose” means the Customer’s use of the Software to display information and content or its use for any other purpose specifically identified in a separate written agreement between Tightrope and Customer.
“Data Subject” means an individual who is the subject of Personal Information.
“Personal Information” means any information Tightrope processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Tightrope's possession or control or that Tightrope is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information. For purposes of this DPA and the Terms, Personal Information shall have the same meaning as “personal data” as defined by GDPR (as defined below).
“Processing, processes, or process” means any activity that involves the use of Personal Information, or that the relevant Privacy and Data Protection Requirements may otherwise include in, the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
Data processor or processor, data controller or controller, data subject, personal data and processing shall have the meanings given to such terms in EU Data Protection Law.
Subprocessor means other processors engaged by Tightrope to process Personal Information.
“Privacy and Data Protection Requirements” means all applicable United States (“US”) federal and state, European Union (“EU”) including the General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), and other countries’ laws and regulations relating to the processing, protection, or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect such information. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.
Standard Contractual Clauses (“SCC”) means the European Commission's Standard Contractual Clauses for the transfer of Personal Information from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU. Tightrope provides access to a copy of the SCC on the Tightrope website and during registration for its Services. The SCC are incorporated into and made a part of the Terms and this DPA by reference
3.0 Scope and Operation
3.1 This DPA is subject to and incorporated into the Terms. Interpretations and defined terms set forth in the Terms apply to the interpretation of this DPA. This DPA applies to Tightrope’s processing of Personal Information within the context of providing Software and Services to the Customer that is subject to EU Data Protection Law and forms part of the Terms.
3.2 Nothing in this DPA reduces Tightrope’s obligations or expands Tightrope’s potential liabilities under any existing agreements between the parties in relation to the processing of Personal Information. Subject to the foregoing, in the event of any inconsistency between this DPA, the Terms and any separate agreements between the parties with respect to the processing of Personal Information, the order of priority shall be as follows: (a) this DPA; (b) any other data processing agreements executed by the parties; (c) the other parts of the Terms.
3.3 The parties agree that for purposes of this DPA, Customer and their users are the data controller of the Personal Information and Tightrope is the data processor. Tightrope shall post contact information for its privacy representative on the Tightrope website at all times. Customer shall provide Tightrope with the contact details for its data protection officer, if appointed.
3.4 A reference to writing or written includes faxes and email.
3.5 In the case of conflict or ambiguity between:
3.5.1 the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in this DPA, the provision contained in this DPA will prevail;
3.5.2 any of the provisions of this DPA and the provisions of the Terms, the provisions of this DPA will prevail; and
3.5.3 any of the provisions of this DPA and any the SCC, the provisions of the SCC will prevail.
4.0 Processing of Personal Information
4.1 The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Tightrope.
4.2 The subject matter of the processing is Tightrope’s provision of the Services involving processing Personal Information within the scope of EU Data Protection Law. The duration of the processing is the period provided by the Terms and until all Personal Information has been returned to Customer or User or deleted in accordance with the terms of this Data Processing Addendum. The nature and purpose of the processing is to provide services to Customer and its Users. The types of Personal Information include those specified in Article 4 GDPR and any other Personal Information provided to Tightrope. The categories of data subjects include Customer’s authorized Users and customers and suppliers, including their respective employees, contractors, customers and users.
4.3 When Tightrope is processing Personal Information on behalf of Customer, Tightrope shall comply with the EU Data Protection Law and implement appropriate technical and organizational measures to meet the GDPR requirements and ensure the rights of data subjects are protected.
4.4 Tightrope shall take all measures required pursuant to Article 32 of the GDPR, taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
4.5 Tightrope will ensure that persons authorized to process Personal Information have committed themselves to confidentiality even after their engagement ends. All parties shall treat this Data Processing Addendum as Confidential Information.
4.6 Tightrope, and any person acting under its authority, shall only process Personal Information upon Customer’s documented instructions, including regarding transfers of Personal Information to a non-EU country, unless required to do so by EU or EU member state law (including UK law) to which Tightrope is subject; in such case Tightrope shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
5.0 Sub-processors
5.1 Tightrope may:
5.1.1 Engage Sub-processors provided that subprocessing is undertaken in compliance with its obligations under the Terms, this DPA, and EU Data Protection Law.
5.1.2 Continue to use Sub-processors engaged by it prior to the effective date of this DPA subject to compliance with its obligations under the Terms, this DPA and EU Data Protection Law. Tightrope shall provide a list of its Sub-processors to User upon written request to Tightrope’s privacy representative.
6.0 Personal Information Types and Processing Purposes
6.1 The general Personal Information categories and Data Subject types Tightrope may process to fulfill the Business Purposes are as follows:
6.1.1 Personal Information: The Personal Information transferred by the Customer and Users of the software and services may include Personal Information collected by the Customers or Users of the software and services.
6.1.2 Data Subjects: The Personal Information transferred may concern the Customers and users of the data importer’s online software products and services.
7.0 Tightrope’s Obligations
7.1 Tightrope will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's instructions. Tightrope will not process, retain, use, or disclose the Personal Information for any other purpose or in a way that does not comply with this DPA, the Standards Contractual Clauses contained in the Appendix hereto and/or the Privacy and Data Protection Requirements. Tightrope must promptly notify the Customer if, in its opinion, the Customer's instruction would not comply with the complete terms of this agreement or the Privacy and Data Protection Requirements.
7.2 Tightrope must promptly comply with any Customer request or instruction requiring Tightrope to correct, amend, transfer, or delete Personal Information held by Tightrope and which is not accessible to the Customer or user, or to stop, mitigate, or remedy any unauthorized processing.
7.3 Tightrope will maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Tightrope to process or disclose Personal Information, Tightrope must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
7.4 Tightrope will reasonably assist the Customer with meeting the Customer's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of Tightrope's processing and the information available to Tightrope. If the Customer or user requests the assistance of Customer to remove, transfer, modify or identify Personal Information of third-party data subjects, the Customer and/or user will compensate Tightrope for this service.
7.5 Tightrope must promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect Tightrope's performance of the Terms of Service.
8.0 Customer Obligations
8.1 The Customer acknowledges that Tightrope is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Information other than as required under the Privacy and Data Protection Requirements.
8.2 Tightrope will only process third party data subject personal information found within data supplied by the Customer or User that has been obtained from the data subject with the clear consent of the data subject to its reuse. The consent must be obtained in accordance with the requirements of the GDPR including the use of an approved data privacy notice informing the Data Subject of the Customer's identity and its appointed data protection representative, the purpose or purposes for which their Personal Information will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements.
9.0 Tightrope’s Employees
9.1 Tightrope will limit Personal Information access to:
9.1.1 those employees who require Personal Information access to meet Tightrope's obligations under this DPA and the Terms; and
9.1.2 the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
9.2 Tightrope will ensure that all employees:
9.2.1 are informed of the Personal Information's confidential nature and use restrictions;
9.2.2 have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
9.2.3 are aware both of Tightrope's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.
9.3 Tightrope will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of Tightrope's employees with access to the Personal Information.
10.0 Tightrope Security
10.1 Tightrope will at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage.
10.2 Tightrope will promptly notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.
10.3 Tightrope must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
11.0 Security Breaches and Personal Information Loss
11.1 Tightrope will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable.
11.2 Tightrope will, without unreasonable delay and in all cases within any legally required notice period, notify the other party if it becomes aware of:
11.2.1 any unauthorized or unlawful processing of the Personal Information; or
11.2.2 any Security Breach.
11.3 Promptly following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. Tightrope will reasonably co-operate with the Customer in the Customer's handling of the matter, including:
11.3.1 assisting with any investigation;
11.3.2 providing the Customer with physical access to any facilities and operations affected;
11.3.3 facilitating interviews with Tightrope's employees, former employees and others involved in the matter; and
11.3.4 making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.
11.4 Tightrope will not inform any third party of any Security Breach without first obtaining the Customer's prior written consent, except when law or regulation requires such notification.
11.5 Tightrope agrees that the Customer has the sole right to determine:
11.5.1 whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
11.5.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy
11.6 Tightrope will cover all reasonable expenses associated with the performance of the obligations under Section 11.2 and Section 11.3, unless the matter arose from the Customer's specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.
11.7 Tightrope will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that Tightrope caused a Security Breach, including all costs of notice and any remedy as set out in Section 11.5
11.8 The notice requirements in Section 17 will not apply if the Customer reasonably believes that a Security Breach occurred or is occurring, or Tightrope is in breach of any of its obligations under this DPA or any Privacy and Data Protection Requirements.
11.9 If a Security Breach occurs or is occurring, or Tightrope becomes aware of a breach of any of its obligations under this DPA or any Privacy and Data Protection Requirements, Tightrope will:
11.9.1 promptly conduct its own audit to determine the cause;
11.9.2 produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
11.9.3 provide the Customer with a copy of the written audit report; and
11.9.4 remedy any deficiencies identified by the audit within thirty (30) days.
12.0 Cross-Border Transfers of Personal Information
12.1 If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers, the Customer will only transfer that Personal Information to Tightrope under the following conditions:
12.1.1 Tightrope, either through its location or participation in a valid cross-border transfer mechanism authorized by the Privacy and Data Protection Requirements, may legally receive that Personal Information, however Tightrope must immediately inform the Customer of any change to that status;
12.1.2 the Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements; or
12.1.3 the transfer otherwise complies with the Privacy and Data Protection Requirements.
12.2 The parties hereby agree to be bound by and subject to all terms and conditions of the SCC (as defined above) to the same extent as if they had executed a physical copy of such clauses, and agree to take all other actions required to legitimize the transfer, including, if necessary:
12.2.1 co-operating to register the SCC with any supervisory authority in any European Economic Area country;
12.2.2 procuring approval from any such supervisory authority; or
12.2.3 providing additional information about the transfer to such supervisory authority.
12.3 Tightrope will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements. Tightrope shall maintain a current privacy policy stating the legal basis supporting any transfers it makes and must promptly inform the Customer of any change to that status.
12.4 Customers and their Users acknowledge and agree that if they use (or instruct, permit, or enable any employees, contractors, partners, or customers of the entity that they represent to use), the Services to collect, retrieve, send, store, host, transfer, or otherwise process or use any information relating to any natural persons located in the European Union, then such activities shall be subject to this DPA.
13.0 Complaints, Data Subject Requests, and Third-Party Rights
13.1 Tightrope will notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party's compliance with the Privacy and Data Protection Requirements.
13.1.1 Tightrope must notify the Customer within two (2) business days if it receives a request from a Data Subject for access to or deletion of their Personal Information.
13.1.2 Tightrope will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.
13.1.3 Tightrope must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer's request or instruction, permitted by this DPA, or is otherwise required by law.
14.0 Term and Termination
14.1 This DPA will remain in full force and effect so long as:
14.1.1 the Customer’s subscription remains in effect; or
14.1.2 Tightrope retains any Personal Information related to Customer’s subscription in its possession or control (the “Term”).
14.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Customer’s subscription in order to protect Personal Information will remain in full force and effect.
14.3 Tightrope or Customer's failure to comply with the terms of this DPA will be deemed a material breach of the Terms. In such event, the non-breaching party may terminate this agreement effective immediately upon written notice to the other party without further liability or obligation.
14.4 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of it’s the agreement’s obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within thirty (30) days, the aggrieved party may terminate the agreement upon written notice to the other party.
15.0 Data Return and Destruction
15.1 At the Customer's request, Tightrope will give the Customer a copy of or access to all or part of the Customer's Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.
15.2 On termination of the Customer’s subscription for any reason or expiration of its term, Tightrope will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control with the exception being that Tightrope may retain such records as are necessary to fulfill all of its legal and regulatory obligations.
15.3 If any law, regulation, or government or regulatory body requires Tightrope to retain any documents or materials that Tightrope would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. Tightrope may only use this retained Personal Information for the required retention reason or audit purposes.
15.4 Tightrope will certify in writing that it has destroyed the Personal Information within thirty (30) days after it completes the destruction upon the request of the Customer.
16.0 Records
16.1 Tightrope will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
16.2 Tightrope will ensure that the Records are sufficient to enable the Customer to verify Tightrope's compliance with its obligations under this DPA.
16.3 The Customer and Tightrope must review the information listed in the Appendices to this DPA annually to confirm its current accuracy and update it when required to reflect current practices.
17.0 Audit
17.1 Tightrope will permit the Customer and its third-party representatives to audit Tightrope's compliance with its DPA obligations, upon at least thirty (30) days' notice, during the Term and for two (2) years after this DPA terminates. Tightrope will give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:
17.1.1 physical access to, remote electronic access to, and copies of the Records and any other information held at Tightrope's premises or on systems storing Personal Information;
17.1.2 access to and meetings with any of Tightrope's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
17.1.3 inspection of all Records and the infrastructure, electronic data, or systems, facilities, equipment, or application software used to store, process, or transport Personal Information.
17.2 At least once per year, Tightrope will conduct site audits of its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.
17.3 Upon the Customer's written request, Tightrope will make all relevant audit reports available to the Customer for review. The Customer will treat such audit reports as Tightrope's confidential information under this DPA.
17.4 Tightrope will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by Tightrope's management.
18.0 Warranties
18.1 Tightrope warrants and represents that:
18.1.1 to its knowledge, its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and
18.1.2 it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
18.1.3 to its knowledge, the Privacy and Data Protection Requirements do not prevent it from providing any of the Services; and
18.1.4 considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
18.1.4.1 the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
18.1.4.2 the nature of the Personal Information protected; and
18.1.4.3 comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required Section 10, above.
18.2 The Customer warrants and represents that Tightrope's expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.
19.0 Indemnification
19.1 Tightrope agrees to indemnify, keep indemnified, and defend at its own expense the Customer against all costs, damages, or expenses incurred by the Customer resulting from a third-party claim based on an alleged failure of Tightrope or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
19.2 Customer agrees to indemnify, keep indemnified, and defend at its own expense Tightrope against all costs, damages, or expenses incurred by Tightrope resulting from a third-party claim based on an alleged failure of Customer or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
19.3 During the Term, Tightrope must, at its own cost and expense, obtain and maintain insurance, in full force and effect, covering Tightrope's indemnity and reimbursement obligations under this Section 19. Tightrope will produce the policy and premium payment receipt to the Customer on request. Tightrope will give the Customer thirty (30) days advance written notice if the policy materially changes or is cancelled.
20.0 Notice
20.1 Any notice or other communication given to a party under, or in connection with, this DPA must be provided as required by the Terms.
20.2 Section 20.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
21.0 Enforceability
21.1 If any provision of this DPA is deemed to be invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be amended as needed to ensure its validity or enforceability, preserving the intentions of the parties as far as possible, or if not possible, construed in a manner as if the invalid or unenforceable provision had never formed part of the Data Processing Addendum.
Except for any changes made by this DPA, the Terms remain unchanged and in full force and effect.
