Data Processing Addendum
This Data Processing Addendum (“DPA”) amends and forms part of XGENESIS, INC. STANDARD TERMS AND CONDITIONS, (https://xgen.ai/legal/terms-and-conditions) (the “Agreement”) between XGenesis, Inc.“Company” (“Company”)and the entity that entered into the Agreement(“Customer”). This DPA prevails over any conflicting term of the Agreement.
In this DPA:
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR;
“Customer Personal Data” means any Customer Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Company to provide the Services;
“Data Protection Law” means General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), the Swiss Federal Data Protection Act, the UK General Data Protection Regulation, the UK Data Protection Act 2018, each as applicable, and as may be amended or replaced from time to time;
“Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
“Europe” means the EEA and Switzerland;
“International Data Transfer” means any transfer of Customer Personal Data from Europe or the United Kingdom to an international organization or to a country outside of Europe and the United Kingdom;
“Services” means the services provided by Company to Customer under the Agreement;
“Sub-Processor” means a Processor engaged by Company to Process Customer Personal Data; and
“Standard Contractual Clauses” means the clauses annexed to the EU Commission Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61) as applicable and may be amended or replaced from time to time.
Scope and applicability
This DPA applies to Processing of Customer Personal Data by Company to provide the Services. The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I.
Customer acknowledges that Company may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, big data analytics, machine learning analytics, benchmarking, technical support, product development and improvement, and compliance with law. Company may also de-identify or aggregate Personal Data and reuse it for its own business purposes.
Company will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions. The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.
Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.
Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
Security and Personal Data Breaches
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.
Customer hereby authorizes Company to engage Sub-Processors. A list of Company’s current Sub-Processors is available at the following URL: https://xgen.ai/legal/infrastructure-and-sub-processors.
Company will enter into a written agreement with Sub-Processors which imposes the same obligations as required by Data Protection Law. Company will notify Customer prior to any intended change to Sub-Processors. Customer may object to the addition of a Sub-Processor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection.
Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Customer and performed by an independent auditor as agreed upon by Customer and Company.
Company will inform Customer if Company believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection, or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
International Data Transfers
Customer hereby authorizes Company to perform International Data Transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 9.2 or Section 9.3.
To the extent Company transfers Customer Personal Data from Europe to provide the Services to Customer, by signing this DPA, Customer and Company conclude the Standard Contractual Clauses, which shall be governed by the terms of MODULE TWO of the Standard Contractual Clauses, which are hereby incorporated into this DPA by reference. The Parties hereby agree that where the Standard Contractual Clauses apply, they shall be completed as follows: (i) the optional Clause 7 is kept; (ii) in Clause 9, Option 1 is struck and Option 2 is kept; (iii) in Clause 11, the optional language is struck; (iv) in Clause 17 and 18, the Governing law and the competent courts are those mentioned in the Agreement; and (v) Annex I and II to the Standard Contractual Clauses are Annex I and II to this DPA, respectively.
To the extent that Company transfers Customer Personal Data from the United Kingdom to provide the Services to Customer, by signing this DPA, Customer and Company conclude the UK Standard Contractual Clauses (the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18)) which are hereby incorporated by reference and completed as follows: (i) the “data exporter” is Customer; the “data importer” is Company; (ii) the governing law in Clause 9 and Clause 11.3 is the law of the country in which Customer is established; (iii) Appendix 1 and Appendix 2 are Annex I and Annex II to this DPA respectively; and (iv) the optional indemnification clause is struck. In addition, the following changes apply: (i) references to Data Protection Law are replaced with references to applicable UK data protection law, (ii) references to the EU or Member States are replaced with references to the United Kingdom, (iii) references to EU authorities are replaced with references to the competent UK authority, and (iv) references to the Member State governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses are replaced with references to the law of England and Wales.
If Company’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of its control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance.
To the extent permitted by applicable law, where Company has paid damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines.
Invalidity and severability
This DPA is terminated upon the termination of the Agreement. Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
Termination and return or deletion
If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
List of Parties
MODULE TWO: Transfer controller to processor
Data exporter(s): The Customer, as detailed in the Agreement and Customer Order Form
Name: A detailed in the Agreement Address: As detailed in the Agreement Contact person’s name, position and contact details: As detailed in the Agreement Activities relevant to the data transferred under these Clauses: As detailed in the Agreement Signature and date: As detailed in the Agreement Role (controller/processor): Controller
Data importer(s): XGenesis, Inc. a Delaware Corporation
Name: XGenesis, Inc. Address:136 Madison Avenue, Manhattan, NY, 10016 Contact person’s name, position and contact details: As detailed in the Agreement Activities relevant to the data transferred under these Clauses: XGen provides various products and services to help customers sell goods and services to buyers, as defined in XGen’s Terms of Service (https://xgen.ai/legal/terms-of-service). Signature and date: As detailed in the Agreement Role (controller/processor): Processor
DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred
Customer’s administrative personnel responsible for maintenance of Customer’s account with Company
Categories of personal data transferred
Customer’s end-user’s IP addresses, URL, user signature, user agent, device information, referrer, timestamp, time zone, domain secret, session ID and relevant event data as needed to provide the Service.
Customer’s end-user’s event information, including, (but not limited to):
Page Views: page view home page view, PDP view, PLP view, check out view, thank you page view, media page view, FAQ page view, about page view, contact page view, blog view, arrived from Ad
PDP: selected product attribute/variant, product image select
Review: viewed review, commented on review, added review
Wishlist: wishlist view, add to wishlist, remove from wishlist, wishlist item added to cart
Cart: add to cart, remove from cart, cart abandonment, checkout started, checkout step, upsell
Purchase: purchase (product ids, price, coupon used, product attributes), purchase button hover (product ids, cart price).
Page action: scroll (page offset percentage start, page offset percentage finish), download (source), upload, email sent, clicked on chat box, engaged with chat box, no activity (no scroll or mouse events for certain period of time), heat map (general click), like (item liked), comment (item commented), button hover (button name), link hover (href), accepted GDPR cookie notification, impaired action (action type), window resize (dimensions start, dimensions finished), full screen.
Search: search (search text), search results clicked (item type, item id (as applicable))
Clicks: href (if link), current page type, x normalized, y normalized, link click, CTA click (name), Ad impression (ad id), external link click (target blank), recommendation click (product id), promotion click (promotion id, promotion title)
Social: social link click (social platform), content shared (social platform, content), social liked (social platform, content)
Media: video hover (source), video started (source), video stopped (source, scrubber time), video completed (source), image hover (source), image clicked (source), image opened in new tab (source), image downloaded (source)
Form: account sign up viewed, account created, email sign up viewed, email captured, input focused (input name), input typed (input name)
Exit: exit intent, exit intent interruption, new tab open, switched tabs, site exit
Pop up: viewed pop up, clicked pop up, closed pop up, site exit after pop up
Save: text highlighted (text), text copied (text), URL highlighted, URL copied, URL bookmarked
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous basis.
Nature of the processing
The personal data transferred will be subject to the following processing operations.
XGen will Process the Personal Data for product cataloging purposes, for content cataloging purposes, and for content delivery.
XGen Processes Personal data for analytics purposes, consumer predictions, behavioral trends and patterns, and image recognition purposes.
XGen Processes Personal data to resolve technical or administrative issues, billing and invoicing, and otherwise comply with its own legal obligations.
XGen Processes Personal Data to optimize the performance of its services, improve its products, and for its own business purposes as described in the DPA.
Purpose(s) of the data transfer and further processing
The purpose of the data transfer is to provide XGen’s services as requested by Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Different data retention periods apply depending on the applicable service. When determining the specific retention period, XGen considers various factors, such as the type of service provided to the Customer, the nature and length of our relationship with the Customer, and mandatory retention periods provided by law and the statute of limitations.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as per above for the Company.
COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority as defined by Customer.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organizational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Company will implement the following types of security measures:
Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:
Establishing security areas, restriction of access paths;
Establishing access authorizations for employees and third parties;
Access control system (ID reader, magnetic card, chip card, access code);
Key management, card-keys procedures;
Door locking (automatic door locks etc.);
Security staff, janitors;
Surveillance facilities, video/CCTV monitor, alarm system; and
Securing decentralized data processing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
User identification and authentication procedures;
ID/password security procedures (special characters, minimum length, change of password);
Automatic blocking (e.g. password or timeout);
Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
Creation of one master record per user, user-master data procedures per data processing environment;
Encryption of archived data media.
3. Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:
Internal policies and procedures;
Control authorization schemes;
Differentiated access rights (profiles, roles, transactions and objects);
Monitoring and logging of accesses;
Disciplinary action against employees who access Customer Personal Data without authorization;
Reports of access;
Deletion procedure; and
4. Disclosure control
Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
5. Entry control
Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
Logging and reporting systems; and
Audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:
Unambiguous wording of the contract;
Formal commissioning (request form); and
Criteria for selecting the Processor.
7. Availability control
Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:
Mirroring of hard disks (e.g. RAID technology);
Uninterruptible power supply (UPS);
Anti-virus/firewall systems; and
Disaster recovery plan.
8. Separation control
Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:
Separation of databases;
“Internal client” concept / limitation of use;
Segregation of functions (production/testing); and
Procedures for storage, amendment, deletion, transmission of data for different purposes.