Data Processing Addendum (DPA)

1) Scope & Roles

• Controller/Processor. For Customer Personal Data contained in Customer Content and processed on Customer’s behalf, Customer is the Controller and Swarmify is the Processor (or Service Provider under U.S. state privacy laws).
• Customer Personal Data. Personal data contained in Customer Content that Swarmify processes on Customer’s behalf via the Service.

2) Processing Instructions

Swarmify will process Customer Personal Data only (a) to provide, maintain, and improve the Service; (b) per the MSA and this DPA; and (c) per Customer’s written instructions, including through Service configurations and documented use. Swarmify will promptly inform Customer if, in its opinion, an instruction infringes applicable law.

3) Confidentiality

Swarmify will ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate privacy and security training.

4) Security

Taking into account the state of the art, costs, nature, scope, context, and purposes of processing, and risks to data subjects, Swarmify implements and maintains appropriate technical and organizational measures (“TOMs“) described in Annex 2.

5) Subprocessors

Customer authorizes Swarmify to engage affiliates and third-party subprocessors to provide the Service. A current list of subprocessors, including each subprocessor’s name and the services it performs, will be made available to Customer upon written request to Swarmify’s data protection contact at privacy [at] swarmify.com. Swarmify remains responsible for the acts and omissions of its authorized subprocessors to the same extent as if Swarmify had performed the services itself.

6) International Transfers

• EEA/CH/UK Data. Where Customer Personal Data is subject to the GDPR (EU/EEA), FADP (Switzerland), or UK GDPR and is transferred to a country lacking an adequacy decision, the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (“SCCs“) Controller-to-Processor, Module 2 are hereby incorporated by reference between Customer (data exporter) and Swarmify (data importer). For transfers subject to UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (the “UK Addendum“) applies. For transfers subject to Swiss law, the SCCs are adapted as required by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
• By entering into the MSA/DPA, the parties are deemed to have executed the SCCs (including the UK Addendum and Swiss adaptations where applicable), with the details set out in Annex 1 and security measures in Annex 2. In the event of conflict, the SCCs prevail for transfers they govern.
• Data Privacy Framework. Notwithstanding the foregoing, if Swarmify’s certification under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. DPF (collectively, “DPF“) is effective and applicable to the transfer, such transfer shall be made in accordance with the DPF principles, which shall prevail over the SCCs for such transfers.

7) Assistance

• Data Subject Rights. Taking into account the nature of processing, Swarmify will assist Customer by appropriate technical and organizational measures in responding to verified requests to exercise data subject rights (access, deletion, correction, portability, restriction, objection).
• Impact Assessments & Consultation. Swarmify will provide information reasonably necessary for Customer’s data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent related to the Service.

8) Security Incidents

Swarmify will notify Customer without undue delay and in any event within seventy-two (72) hours after confirming a Security Incident involving Customer Personal Data within Swarmify’s control, and will provide updates reasonably required for Customer’s incident response and regulatory obligations. Notification is not an admission of fault.

9) Audits & Reports

• Upon request up to once in any twelve (12) month period, Swarmify will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security summaries, third-party audit reports where available).
• Where additional review is required by law, Customer may conduct (or have a reputable independent auditor conduct) a reasonable audit of the TOMs, subject to confidentiality, scheduling, scope, and safety constraints. Audits occur during normal business hours, do not unreasonably interfere with operations, and are at Customer’s expense. If similar information has already been provided, Swarmify may satisfy the request with existing reports.

10) Return & Deletion

Following termination or expiration of the Service, Customer may export Customer Content as described in the MSA. After the post-termination export window, Swarmify will delete Customer Personal Data from active systems and, within a reasonable period, from backups per standard retention, unless retention is required by law or for a lawful legal hold. Any retained data remains subject to this DPA.

11) CCPA/CPRA and Other U.S. State Laws

• Swarmify acts as a “Service Provider” or “Processor” with respect to Customer Personal Data. Swarmify will not sell or share (for cross-context behavioral advertising) Customer Personal Information, will not combine it with other personal information except as permitted by law and this DPA, and will not use it for purposes other than providing the Service and as otherwise permitted by the MSA/DPA. Swarmify certifies that it understands the restrictions of this section and will comply with them.
• Swarmify will notify Customer if it can no longer meet its obligations under applicable state privacy laws.

12) Government Requests

Where legally permitted, Swarmify will notify Customer of legally binding requests from public authorities for disclosure of Customer Personal Data and will challenge unlawful or overbroad requests.

13) Liability; Order of Precedence

Liability is as set forth in the MSA. If there is a conflict between this DPA and the MSA, this DPA controls with respect to processing of Customer Personal Data; if there is a conflict between this DPA and the SCCs for transfers they govern, the SCCs control.

14) Term

This DPA remains in effect for as long as Swarmify processes Customer Personal Data on Customer’s behalf under the MSA.