This Data Processing Addendum (“DPA”) is incorporated by reference into the Carousel Cloud Terms of Use or Carousel Cloud Master Services Agreement (the “Terms”), as applicable. Capitalized terms used in this DPA that are not defined have the meanings given them in the Terms. Tightrope and provides the Software to its Customers and Users pursuant to the Terms. This DPA governs the use of the Software by Customer to Process of Personal Information of Users and any other persons. Tightrope reserves the right to update the terms and conditions of this DPA upon notice to its Customers.
The following definitions and rules of interpretation apply in this DPA.
“Business Purpose” means the Customer’s use of the Software to display information and content or its use for any other purpose specifically identified in a separate written agreement between Tightrope and Customer.
“Controller” means the entity that determines the purposes and means of processing Personal Information, in this case, Customer. “Data Subject” means an individual who is the subject of Personal Information.
“Personal Information” means any information Tightrope processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Tightrope's possession or control or that Tightrope is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information. For purposes of this DPA and
the Terms, Personal Information shall have the same meaning as “personal data” as defined by GDPR (as defined below).
“Processing, processes, or process” means any activity that involves the use of Personal Information, or that the relevant Privacy and Data Protection Requirements may otherwise include in, the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it.
Processing also includes transferring Personal Information to third parties. “Processor” means an entity that processes Personal Information on behalf of the Controller, in this case, Tightrope.
“Privacy and Data Protection Requirements” means all applicable United States (“US”) federal and state, European Union (“EU”) including the General Data Protection Regulation (“GDPR”), California Consumer Privacy Act, Colorado Privacy Act, Virginia Consumer Data Privacy Act, and the Utah Consumer Privacy Act, and other U.S. states or countries’ laws and regulations relating to the processing, protection, or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. “Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect such information. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the
incident rises to the level of a security breach under the Privacy and Data Protection Requirements.
“Standard Contractual Clauses (“SCC”)” means the Standard Contractual Clauses for Personal Data Transfers from an EU Controller to a Processor Established in a Third Country (Controller- to-Processor Transfers), as set out in the Annex to Commission Decision 2021/914 on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. Tightrope provides access to a form of the SCC on the Tightrope website. The SCC are incorporated into and made a part of the Terms and this DPA by reference to the extent applicable.
“Sub-Processor” means processors engaged by Tightrope to process Personal Information. A list of all current Sub-Processors is available here.
2.1 This DPA is subject to and incorporated into the Terms. Interpretations and defined terms set forth in the Terms apply to the interpretation of this DPA. This DPA applies to Tightrope’s processing of Personal Information within the context of providing Software and Services to the Customer.
2.2 Nothing in this DPA reduces Tightrope’s obligations or expands Tightrope’s potential liabilities under any existing agreements between the parties in relation to the processing of Personal Information. Subject to the foregoing, in the event of any conflict or ambiguity between or among this DPA, the Terms, and the SCC, the order of priority shall be as follows: (a) the SCC, (b) this DPA; and (c) the Terms.
2.3 The parties agree that for purposes of this DPA, Customer is the Controller of the Personal Information and Tightrope is the Processor. Tightrope shall post contact information for its privacy representative on the Tightrope website at all times. Customer shall provide Tightrope with the contact details for its data protection officer, if appointed.
2.4 A reference to writing or written includes faxes and email.
3.1 The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Tightrope.
3.2 The subject matter of the processing is Tightrope’s provision of the Software and Services. The duration of the processing is the period provided by the Terms and until all Personal Information has been returned to Customer or User or deleted in accordance with the terms of this DPA. The nature and purpose of the processing is to provide the
Software and Services to Customers for use for all legal business purposes subject to the Terms to Customer. The types of Personal Information include all Personal Information provided to Tightrope by Customer for processing. The categories of data subjects include Customer’s authorized Users and customers and suppliers, including their respective employees, contractors, customers and users.
3.3 When Tightrope is processing Personal Information on behalf of Customer, Tightrope shall implement appropriate technical and organizational measures and ensure the rights of data subjects are protected in compliance with the Privacy and Data Protection Requirements.
3.4 Tightrope shall take the security measures reasonably required by the Privacy and Data Protection Requirements, taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.5 Tightrope will ensure that any Sub-Processors have committed themselves to confidentiality even after their engagement ends. Tightrope and Customer shall treat this DPA as Confidential Information.
3.6 Tightrope, and any person acting under its authority, shall only process Personal Information upon Customer’s documented instructions, including any transfers of Personal Information from the EU to a non-EU country, unless required to do so by EU or EU member state law (including UK law) to which Tightrope is subject; in such case Tightrope shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.1 Customer expressly authorizes Tightrope to engage Sub-Processors to provide the Software and process the Personal Information pursuant to the Terms, subject to the following conditions:
4.1.1 Customer must have an opportunity to object to Sub-Processors within 15 days from the effective date of Customer’s subscription, or 15 days after Tightrope informs Customer of any changes to its Sub-Processors;
4.1.2 Tightrope enters into a written contract with the Sub-Processor that contains terms substantially the same as those set out in this DPA and, upon Customer's written request, provides Customer with copies of such contracts;
4.1.3 Tightrope maintains control over all Personal Information it entrusts to the Sub-Processor; and
4.1.4 Any processing by the Sub-Processor of the Personal Information of Customer terminates upon the termination of this DPA for any reason, subject to any continued processing required or allowed by the Terms.
4.2 Where the Sub-Processor fails to fulfill its obligations under its written agreement with Tightrope, Tightrope remains fully liable to Customer for the Sub-Processor’s performance of its agreement obligations.
4.3 The Parties consider Tightrope to control any Personal Information controlled by or in the possession of its Sub-Processor.
5.1 The Personal Information and Data Subjects categories that Tightrope may process to fulfill the Business Purposes are as follows:
5.1.1 Personal Information: The Personal Information transferred by the Customer and Users of the Software and Services may include Personal Information collected by the Customers or Users.
5.1.2 Data Subjects: The Personal Information transferred may concern the Customers and Users of the Software and Services.
6.1 Tightrope will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's instructions. Tightrope will not process, retain, use, or disclose the Personal Information for any other purpose or in a way that does not comply with this DPA and the Privacy and Data Protection Requirements. Tightrope must promptly notify the Customer if, in its opinion, the Customer's instruction would not comply with the complete terms of this DPA or the Privacy and Data Protection Requirements.
6.2 Tightrope must promptly comply with any Customer request or instruction requiring Tightrope to correct, amend, transfer, or delete Personal Information held by Tightrope and which is not accessible to the Customer or user, or to stop, mitigate, or remedy any unauthorized processing.
6.3 Tightrope will maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Tightrope to process or disclose Personal Information, Tightrope must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
6.4 Tightrope will reasonably assist the Customer with meeting the Customer's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of Tightrope's processing and the information available to Tightrope. If the Customer or user requests the assistance of Customer to remove, transfer, modify or identify Personal Information of data subjects, the Customer and/or User will compensate Tightrope for this service.
6.5 Tightrope must promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect Tightrope's performance of the Terms or this DPA.
7.1 The Customer acknowledges that Tightrope is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Information other than as required under the Privacy and Data Protection Requirements.
7.2 Customer represents and warrants it has obtained the express consent of all Data Subjects whose Personal Information it processes using the Tightrope Software or Services. Tightrope will not knowingly process such information unless Customer has obtained such consent from the Data Subjects. The consent must be obtained in accordance with the Privacy and Data Protection Requirements, including the use of a data privacy notice informing the Data Subject of the Customer's identity and its appointed data protection representative, and the purpose or purposes for which their Personal Information will be processed.
8.1 Tightrope will limit Personal Information access to:
8.1.1 those employees who require Personal Information access to meet Tightrope's obligations under this DPA and the Terms; and
8.1.2 the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
8.2 Tightrope will ensure that all employees:
8.2.1 are informed of the Personal Information's confidential nature and use restrictions;
8.2.2 have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
8.2.3 are aware both of Tightrope's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.
8.3 Tightrope will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of Tightrope's employees with access to the Personal Information.
9.1 Tightrope will use appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage.
9.2 Tightrope will promptly notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.
9.3 Tightrope must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
10.1 Tightrope will promptly notify the Customer if any Personal Information is lost, destroyed, or becomes damaged, corrupted, or unusable.
10.2 Tightrope will, without unreasonable delay and in all cases within any legally required notice period, notify the other party if it becomes aware of:
10.2.1 any unauthorized or unlawful processing of the Personal Information; or
10.2.2 any Security Breach.
10.3 Promptly following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. Tightrope will reasonably co-operate with the Customer in such matter, including:
10.3.1 assisting with any investigation;
10.3.2 providing the Customer with physical access to any facilities and operations under Tightrope’s control that are affected;
10.3.3 facilitating interviews with Tightrope's employees, former employees and others involved in the matter; and
10.3.4 making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements.
10.4 Tightrope will not inform any third party of any Security Breach without first obtaining the Customer's prior written consent, except when law or regulation requires such notification.
10.5 Tightrope agrees that the Customer has the sole right to determine:
10.5.1 whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
10.5.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
10.6 Tightrope will cover the reasonable and necessary expenses of the performance of the obligations under Section 10.2 and Section 10.3, unless the matter arose from the Customer's specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable and necessary expenses.
10.7 Tightrope will also reimburse the Customer for actual reasonable and necessary expenses the Customer incurs when responding to and mitigating damages, to the extent that Tightrope caused a Security Breach, including all costs of notice and any remedy as set out in Section 10.5.
10.8 The notice requirements in Section 17 will not apply if the Customer reasonably believes that a Security Breach occurred or is occurring, or Tightrope is in breach of any of its obligations under this DPA or any Privacy and Data Protection Requirements.
10.9 If a Security Breach occurs or is occurring, or Tightrope becomes aware of a breach of any of its obligations under this DPA or any Privacy and Data Protection Requirements, Tightrope will:
10.9.1 promptly conduct its own audit to determine the cause;
10.9.2 produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
10.9.3 provide the Customer with a copy of the written audit report; and
10.9.4 remedy any deficiencies identified by the audit within thirty (30) days.
11.1 If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers, the Customer will only transfer that Personal Information to Tightrope under the following conditions:
11.1.1 Tightrope, either through its location or participation in a valid cross-border transfer mechanism authorized by the Privacy and Data Protection Requirements, may legally receive that Personal Information, however Tightrope must immediately inform the Customer of any change to that status;
11.1.2 the Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements; or
11.1.3 the transfer otherwise complies with the Privacy and Data Protection Requirements.
11.2 If Customer is subject to GDPR and transfers of Personal Information of Data Subjects located in the EU will be made to the United States, Tightrope and Customer agree to be bound by the SCC and to take all steps necessary to complete and make such SCC valid and enforceable, including, the implementation of any needed supplementary measures or supervisory authority consultations.
11.3 Tightrope shall maintain a current privacy policy stating the legal basis supporting any transfers it makes and must promptly inform the Customer of any change to that status.
12.1 Tightrope will notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party's compliance with the Privacy and Data Protection Requirements.
12.1.1 Tightrope must notify the Customer within two (2) business days if it receives a request from a Data Subject for access to or deletion of their Personal Information.
12.1.2 Tightrope will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.
12.1.3 Tightrope must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer's request or instruction, permitted by this DPA, or is otherwise required by law.
13.1 This DPA will remain in full force and effect so long as:
13.1.1 the Customer’s subscription for the Software remains in effect; or
13.1.2 Tightrope retains any Personal Information related to Customer’s subscription in its possession or control (the “Term”).
13.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Customer’s subscription in order to protect Personal Information will remain in full force and effect.
13.3 Tightrope or Customer's material breach of this DPA will be deemed a material breach of the Terms. In such event, the non-breaching party may terminate this DPA effective immediately upon written notice to the other party without further liability or obligation.
13.4 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its obligations under this DPA, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within thirty (30) days, the aggrieved party may terminate the agreement upon written notice to the other party.
14.1 At the Customer's request, Tightrope will give the Customer a copy of or access to all or part of the Personal Information processed for Customer in its possession or control in the format and on the media reasonably specified by the Customer.
14.2 On termination of the Customer’s subscription to the Software for any reason or expiration of its term, Tightrope will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control with the exception being that Tightrope may retain such records as are necessary to fulfill all of its legal and regulatory obligations.
14.3 If any law, regulation, or government or regulatory body requires Tightrope to retain any documents or materials that Tightrope would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. Tightrope may only use this retained Personal Information for the required retention reason or audit purposes.
14.4 Tightrope will certify in writing that it has destroyed the Personal Information within thirty (30) days after it completes the destruction upon the request of the Customer.
15.1 Tightrope will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved Sub-Processors, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
15.2 Tightrope will ensure that the Records are sufficient to enable the Customer to verify Tightrope's compliance with its obligations under this DPA.
16.1 Tightrope will permit the Customer and its third-party representatives to audit Tightrope's compliance with its DPA obligations, upon at least thirty (30) days notice, during the Term and for two (2) years after this DPA terminates. Tightrope will give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:
16.1.1 physical access to, remote electronic access to, and copies of the Records and any other information held at Tightrope's premises or on systems storing Personal Information;
16.1.2 access to and meetings with any of Tightrope's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
16.1.3 inspection of all Records and the infrastructure, electronic data, or systems, facilities, equipment, or application software used to store, process, or transport Personal Information.
16.2 At least once per year, Tightrope will conduct audits of its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.
16.3 Upon the Customer's written request, Tightrope will make all relevant audit reports available to the Customer for review. The Customer will treat such audit reports as Tightrope's confidential information under this DPA.
16.4 Tightrope will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by Tightrope's management.
17.1 Tightrope warrants and represents that:
17.1.1 to its knowledge, its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received any required training on the Privacy and Data Protection Requirements relating to the Personal Information; and
17.1.2 it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data
Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
17.1.3 to its knowledge, the Privacy and Data Protection Requirements do not prevent it from providing any of the Software or Services; and
17.1.4 considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
17.1.4.1 the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
17.1.4.2 the nature of the Personal Information protected; and
17.1.4.3 comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required Section 9, above.
17.2 The Customer warrants and represents that Tightrope's expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.
18.1 Tightrope agrees to indemnify, keep indemnified, and defend at its own expense the Customer against all costs, damages, or expenses incurred by the Customer resulting from a third-party claim based on an alleged failure of Tightrope or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
18.2 Customer agrees to indemnify, keep indemnified, and defend at its own expense Tightrope against all costs, damages, or expenses incurred by Tightrope resulting from a third-party claim based on an alleged failure of Customer or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
18.3 During the Term, Tightrope must, at its own cost and expense, obtain and maintain insurance, in full force and effect, covering Tightrope's indemnity and reimbursement obligations under this Section 18. Tightrope will produce the policy and premium payment receipt to the Customer on request. Tightrope will give the Customer thirty (30) days advance written notice if the policy materially changes or is cancelled.
19.1 Any notice or other communication given to a party under, or in connection with, this DPA must be provided as required by the Terms.
19.2 Section 20.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Tightrope may update or amend the terms of this DPA from time to time as data processing requirements change or products evolve. If this happens, Tightrope will promptly notify Customer.
If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
Except as required otherwise by the Privacy and Data Protection Requirements, each party’s liability arising out of or related to this DPA in contract, tort, or under any other theory of liability, is subject to the Limitations of Liability section of the Terms.
This DPA will be governed by and construed in accordance with the designated law in the Terms, except as required otherwise by the Privacy and Data Protection Requirements.
Questions, comments or concerns about this DPA and related matters may be sent to Tightrope using the following contact information:
Tightrope Media Systems, Inc.
400 South 4th Street Suite 410
PMB 92452
Minneapolis, MN 55415
legal@carouselsignage.com
Copyright © 2018-2022. Tightrope Media Systems, Inc. All rights reserved.
Last revised: September 30, 2022.
