Data Privacy Addendum
PageBrain Data Protection DPA for Customers
This Data Privacy Addendum ("DPA") forms part of the underlying agreement (either a Master Services Agreement or Terms of Service), along with any associated contractual document between the Parties, such as an order form or statement of work ("Agreement") by and between PageBrain Inc. ("PageBrain") and the customer named in the Agreement ("Customer"), each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence over the Agreement.
Customer and PageBrain agree as follows:
1. Definitions
For purposes of this DPA:
a. “Data Protection Law(s)” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), the United Kingdom Data Protection Act of 2018 ("UK Privacy Act"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and associated amendments and regulations thereto ("CCPA"), and the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA").
b. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
c. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located http://data.europa.eu/eli/dec_impl/2021/914/oj., and completed as set forth in Section 7 below.
d. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws, that is Processed in relation to the Agreement.
e. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purposes of Processing
a. The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedules. The details provided in Schedule A are deemed to satisfy any requirement to provide some or all of such details under any Data Privacy Law.
b. PageBrain will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; and (3) in compliance with applicable Data Protection Laws. PageBrain will not “sell” Personal Data (as such term is defined in applicable Data Protection Laws), “share” Personal Data for purposes of “cross-context behavioral advertising” (as such terms are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer.
c. PageBrain will comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that PageBrain receives from, or on behalf of, another person or persons, or that PageBrain collects from any interaction between it and a Data Subject.
3. Personal Data Processing Requirements
PageBrain will:
a. Provide the same level of protection for Personal Data as is required under the Data Protection Laws applicable to Customer.
b. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws (such as rights to access or delete Personal Data).
d. Promptly, and in any event within seven business (7) days, notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about PageBrain’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws. Following such notification, PageBrain will await written instructions from Customer on how, if at all, to assist in responding to the request. PageBrain will provide Customer with reasonable cooperation and assistance in relation to any such request. If PageBrain is prohibited from providing notice regarding a government request, and determines that the request would interfere with PageBrain’s ability to meet its obligations under this DPA, PageBrain will notify Customer that PageBrain can no longer comply with this DPA, without being required to identify the specific provision with which it can no longer comply.
e. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws.
f. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Customer under Data Protection Laws to consult with a regulatory authority in relation to PageBrain’s Processing or proposed Processing of Personal Data.
g. PageBrain certifies that it understands its obligations under this DPA (including without limitation the restrictions under Sections 2 and 3) and that it will comply with them.
4. Data Security
PageBrain will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Schedule B.
5. Security Breach
PageBrain will notify Customer promptly, and in any event within forty-eight (48) hours, of any Security Breach resulting from PageBrain’s Processing of Personal Data on behalf of Customer. PageBrain will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:
a. At PageBrain’s own expense, taking reasonable and appropriate steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
b. Providing Customer with the following information, to the extent known:
i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
ii. The likely consequences of the Security Breach; and
iii. Measures taken or proposed to be taken by PageBrain to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Subprocessors
a. Customer acknowledges and agrees that PageBrain may use PageBrain affiliates and other subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where PageBrain sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, PageBrain will: (1) take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws; and (2) require that each subprocessor complies with obligations that are no less restrictive than those imposed on PageBrain under this DPA.
b. To the extent required by applicable Data Protection Laws, PageBrain has provided a current list of PageBrain’s subprocessors listed herein as Schedule C, and Customer hereby consents to PageBrain’s use of such subprocessors. PageBrain will maintain an up-to-date list of its subprocessors, and it will provide Customer with reasonable notice of any new subprocessor added to the list. In the event Customer objects to a new subprocessor, PageBrain will not transfer Personal Data to the new subprocessor and will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to subprocessor without unreasonably burdening the Customer. Customer may, in its sole discretion, terminate the Agreement at any time and by providing written notice to PageBrain in the event that it objects to a subprocessor and PageBrain is unable to offer reasonable changes the services to satisfy Customer.
7. Data Transfers
a. PageBrain will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where PageBrain engages in an onward transfer of Personal Data, PageBrain shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
b. To the extent legally required, by signing this DPA, Customer and PageBrain are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
i. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to PageBrain (as a processor);
ii. Clause 7 (the optional docking clause) is included;
iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Schedule C of this DPA and PageBrain shall propose an update to that list at least fifteen (15) business days in advance of any intended additions or replacements of sub-processors in accordance with Section 6(b) of this DPA;
iv. Under Clause 11 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the law of Ireland;
vi. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
vii. Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
viii. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ix. Annex II (Technical and organizational measures) is completed with Schedule B of this DPA; and
x. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9. PageBrain's current subprocessors are listed in Schedule C.
c. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the International Data Transfer DPA to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
i. Table 1 of the UK SCCs:
1. The Parties' details shall be the Parties and their affiliates to the extent any of them is involved in such transfer.
2. The Key Contact shall be the contacts set forth in the Agreement.
ii. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
iii. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedules A, B, and C below.
iv. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
v. By entering into this DPA, the Parties are deemed to be signing the UK SCCs.
d. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
8. Audits
PageBrain will make available to Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, provided that such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, at Customer’s sole expense, and to the extent PageBrain’s personnel are required to cooperate therewith, only during PageBrain’s normal business hours. Notwithstanding the foregoing, in the event of a Security Breach resulting from PageBrain’s Processing of Personal Data on behalf of Customer, Customer shall have the right to request an audit with no frequency cap, and any audits performed as the result of a Security Breach shall be performed at PageBrain’s sole expense.
9. Return or Destruction of Personal Data
Except to the extent required otherwise by Data Protection Laws, PageBrain will, at the choice of Customer and upon Customer’s written request, either at the termination of the Agreement or at any time during the term of the Agreement, return to Customer and/or securely destroy all Personal Data. Except to the extent prohibited by Data Protection Laws, PageBrain will inform Customer if it is not able to return or delete the Personal Data.
10. Survival
The provisions of this DPA survive the termination or expiration of the Agreement for so long as PageBrain or its subprocessors Process the Personal Data.
Schedule A
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: The data exporter is Customer.
Activities relevant to the data transferred under these SCCs: The data exporter is a user of PageBrain’s VPN Services pursuant to their underlying Agreement. The data exporter acts as a controller with respect to its own personal data.
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both Parties.
Data importer(s):
Name: The data importer is PageBrain.
Activities relevant to the data transferred under these SCCs: The data importer is the provider of Services to the data exporter and its customers pursuant to their underlying Agreement. The data importer acts as the data exporter’s processor.
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these SCCs by both Parties.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer’s employees and authorized users.
Categories of personal data transferred: The Personal Data transferred concern: the names and email addresses or usernames of Customer’s employees and authorized users; authorized user log-in authentication information; and metadata regarding devices used to connect to the Services, including device names, operating system type, host name, IP address and IP routing information, cryptographic public key, user agent (where applicable), language settings, date and time of access to the PageBrain VPN, logs describing connections and containing statistics about data sent to and from other devices (“Inter-Node Traffic Logs”), and version of PageBrain VPN installed. PageBrain does not Process in any way, or have the ability to access, the content of Customer’s traffic data transmitted through the Services, which is fully end-to-end encrypted.
Customers have the option, in their discretion, to use certain features and functionalities through the PageBrain Solution that may generate additional logs and other data that PageBrain processes and stores on behalf of our Customers (“Customer Log Data”). The Customer, and not PageBrain, has control over the contents of Customer Log Data processed through the PageBrain Solution using such additional features and functionalities.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A – as explained above, any traffic data transmitted through use of the Services is fully end-to-end encrypted and not accessible or viewable by PageBrain.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.
Nature of the processing: PageBrain Processes Personal Data solely in connection with providing its VPN services to Customer.
Purpose(s) of the data transfer and further processing: The objective of the transfer and further Processing of Personal Data by PageBrain is to provide PageBrain’s VPN services to Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the period of time necessary to provide the Services to Customer under the Agreement and the DPA, and otherwise in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent such information is provided to subprocessors for purposes of providing the Services.
C. COMPETENT SUPERVISORY AUTHORITY
See Section 7(b)(viii) of the DPA.
Schedule B
PAGEBRAIN DATA SECURITY MEASURES
PageBrain’s data security measures (“PageBrain Security Measures”) are outlined in depth at the following link: https://pagebrain.ai/security. At all times during the term of the Agreement and for as long as PageBrain is Processing Personal Data, PageBrain will maintain security measures that are at least as robust as those included in the PageBrain Security Measures on the data of execution of this DPA.