Penny Brand Data Processing Agreement
PENNY DATA PROCESSING ADDENDUM
This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the SaaS Agreement (“Agreement”) between Penny AI Technologies, Inc. (“Penny”) and the entity identified as [Brand] in the Agreement (“Brand”). This DPA applies to the extent Penny’s Processing of Brand Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
- 1. Definitions
- 1.1. For this DPA:
- 1.1.1. “Brand Personal Data” means the Personal Data described under Schedule 1 to this DPA;
- 1.1.2. “CCPA” means the California Consumer Privacy Act, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect, together with any implementing regulations;
- 1.1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;
- 1.1.4. “Data Protection Laws” means all laws relating to data protection and privacy applicable to Penny’s Processing of Brand Personal Data, including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018, and applicable privacy and data protection laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;
- 1.1.5. “Data Subjects” means the individuals identified in Schedule 1;
- 1.1.6. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;
- 1.1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);
- 1.1.8. “Personal Data” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws.
- 1.1.9. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Brand Personal Data where Data Protection Laws require notification of governmental authorities or affected Data Subjects;
- 1.1.10. “Processor” means the entity which Processes Personal Data on behalf of the Controller;
- 1.1.11. “Sell” has the meaning given in the Data Protection Laws;
- 1.1.12. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner for parties making restricted transfers, which entered into force on 21 March 2022 (collectively, with the EU SCCs, “the SCCs”).
- 1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
- 2. Processing of Brand Personal Data
- 2.1. Brand is a Controller of Brand Personal Data and Penny is a Processor of Brand Personal Data. The Parties acknowledge that Brand’s sales associates, brand affiliates, or other authorized users (“Users”) may also be joint controllers and/or independent controllers of Brand Personal Data, as provided in the agreements between or as otherwise determined by Brand and Users.
- 2.2. Penny will only Process Brand Personal Data as a Processor on behalf of and in accordance with Brand’s prior written instructions, including any instructions provided through Brand’s use of the Service. Brand hereby instructs Penny to Process Brand Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. Penny shall not (1) retain, use, or disclose Brand Personal Data other than: as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) retain, use, or disclose Brand Personal Data outside of the direct business relationship between Brand and Penny, including by combining Brand Personal Data with Personal Data Penny receives from third parties (which, for the avoidance of doubt, does not include Users), except as permitted by the CCPA; or (3) Sell or Share (as the term “Share” is defined in the CCPA) Brand Personal Data. Penny shall notify Brand if it determines that it cannot meet its obligations under the Data Protection Laws. Upon receiving written notice from Brand that Penny has Processed Brand Personal Data without authorization, Penny will stop or remediate such Processing; or allow Brand to take reasonable and appropriate steps to remediate such Processing.
- 2.3. Penny will immediately inform Brand if, in its opinion, an instruction from Brand infringes the Data Protection Laws.
- 2.4. The details of Penny’s Processing of Brand Personal Data are described in Schedule 1.
- 2.5. If applicable laws preclude Penny from complying with Brand’s instructions, Penny will inform Brand of its inability to comply with the instructions, to the extent permitted by law.
- 2.6. Each of Brand and Penny will comply with their respective obligations under the Data Protection Laws.
- 3. Cross-Border Transfers of Personal Data
- 3.1. With respect to Brand Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (the “UK”) or Switzerland that is transferred from Brand to Penny, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Brand as the “data exporter” and Penny as the “data importer.”
- 3.2. For purposes of the EU SCCs the parties agree that:
- 3.2.1. In Clause 7, the optional docking clause will not apply;
- 3.2.2. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA;
- 3.2.3. In Clause 11, the optional language will not apply;
- 3.2.4. For the purposes of Clause 15(1)(a), Penny shall notify Brand and/or Brand (only) and not the Data Subject(s) in case of government access requests and Brand and/or Brand shall be solely responsible for promptly notifying the affected Data Subjects as necessary;
- 3.2.5. In Clause 17, Option 1 applies and the EU SCCs shall be governed by the laws of Ireland;
- 3.2.6. In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
- 3.2.7. In Annex I, Section A (List of Parties), (i) the Brand is the data exporter and Penny is the data importer and their identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Brand is a Controller, and Penny is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
- 3.2.8. In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Penny’s Processing of Brand Personal Data; (ii) the frequency of the transfer is continuous (for as long as Brand uses the Services); (iii) Brand Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Penny uses the Sub-Processors identified at https://getpenny.com/sub-processors/ (the “Sub-Processor List”) to support the provision of the Services.
- 3.2.9. In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Brand to Penny.
- 3.2.10. In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Brand Personal Data as described at https://getpenny.com/security/ (the “Security Page”).
- 3.3. If the transfer of Brand Personal Data is subject to the Swiss Federal Act on Data Protection (“FADP”), the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Brand Personal Data that is governed by the FADP; (iii) the term “Member State” in the EU SCCs will not prevent Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the FADP.
- 3.4. With respect to transfers from Brand to Penny of Brand Personal Data originating from the UK, the parties agree that the UK Addendum will complement the EU SCCs to the extent required under Data Protection Law. The UK Addendum is incorporated herein by reference. The parties agree that the UK Addendum is completed as follows:
- 3.4.1. For the purpose of Part 1 of the UK Addendum:
- 3.4.1.1. Table 1: the start date is the effective date of the Agreement, the exporter is the Brand and the importer is Penny, the table is deemed to be completed with the information set out in Section 3.2 of this DPA, and by signing this DPA, parties are deemed to have signed the UK Addendum.
- 3.4.1.2. Table 2: the “Approved EU SCCs” which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 3.2 of this DPA.
- 3.4.1.3. Table 3: the information requested in Annex 1 is provided in Sections 3.2.8 and 3.2.9 of this DPA; the security measures requested in Annex 2 are provided at https://getpenny.com/security/; the list of Sub-Processors is available at https://getpenny.com/sub-processors/.
- 3.4.1.4. Table 4: the importer may end the UK Addendum as set out in section 19 of the UK Addendum.
- 4. Confidentiality and Security
- 4.1. Penny will require Penny’s personnel who access Brand Personal Data to commit to protect the confidentiality of Brand Personal Data.
- 4.2. Penny will implement commercially reasonable technical and organisational measures, as further described at the Security Page, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Brand Personal Data.
- 4.3. To the extent required by Data Protection Laws, Penny will provide Brand with reasonable assistance as necessary for the fulfilment of Brand’s obligations under Data Protection Laws to maintain the security of Brand Personal Data.
- 5. Sub-Processing
- 5.1. Brand agrees that Penny may engage Sub-Processors to Process Brand Personal Data on Brand’s behalf. Penny’s current list of Sub-Processors is available at the Sub-Processor List. Brand may sign up to receive notice of any intended changes concerning the addition or replacement of Sub-Processors on the Sub-Processor List by completing the form at https://getpenny.com/subprocessor-update/ (the “Notice Form”). Brand acknowledges that Penny satisfies its obligation to inform Brand of changes to the Sub-Processor List by updating the Sub-Processor List and sending a notice to all email addresses added to the Notice Form (the “Notice”). Penny will send the Notice at least 15 days prior to permitting the Sub-Processor to access Brand Personal Data. Brand may object to changes to the Sub-Processor List within seven days of receiving the Notice. If Penny and Brand are unable to resolve such objection, Penny or Brand may terminate the Agreement by providing written notice to the other party. Any termination pursuant to this Section 5.1 will not affect Brand’s obligation to pay fees incurred prior to the termination.
- 5.2. Penny will impose on its Sub-Processors substantially the same data protection obligations that apply to Penny under this DPA. Penny will be liable to Brand for its Sub-Processors’ acts or omissions as it would be for its own.
- 5.3. The parties agree that the copies of the Sub-Processor agreements that must be provided by Penny to Brand pursuant to the SCCs, if applicable, may have commercial information or clauses unrelated to the SCCs removed by Penny beforehand; and, that such copies will be provided by Penny, in a manner to be determined in its discretion, only upon Brand’s written request.
- 6. Data Subject Rights
Brand is responsible for responding to any Data Subject requests relating to Brand Personal Data (“Requests”). If Penny receives any Requests during the term, Penny will advise the Data Subject to submit the request directly to Brand or the appropriate User. Penny will provide Brand with self-service functionality or other reasonable assistance to permit Brand to respond to Requests.
- 7. Personal Data Breaches
Upon becoming aware of a Personal Data Breach affecting Brand Personal Data, Penny will (i) promptly take measures designed to remediate the Personal Data Breach and (ii) notify Brand without undue delay. Brand is solely responsible for complying with Personal Data Breach notification requirements applicable to Brand. Brand may request that Penny reasonably assist Brand’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Brand is required to do so under the Data Protection Laws. Penny’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Penny of any fault or liability with respect to the Personal Data Breach.
- 8. Data Protection Impact Assessment; Prior Consultation
Brand may request reasonable assistance from Penny in connection with conducting data protection impact assessments and consultation with data protection authorities if Brand is required to engage in such activities under applicable Data Protection Laws and the data protection impact assessment or consultation relates to the Processing by Penny of Brand Personal Data.
- 9. Deletion of Brand Personal Data
Brand instructs Penny to delete Brand Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in the SCCs, if applicable, shall be provided only upon Brand’s written request. Notwithstanding the foregoing, Penny may retain Brand Personal Data to the extent and for the period required by applicable laws provided that Penny maintains the confidentiality of all such Brand Personal Data and Processes such Brand Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
- 10. Audits
- 10.1. Brand may audit Penny’s compliance with its obligations under this DPA up to once per year. In addition, Brand may perform more frequent audits (including inspections) in the event: (1) Penny suffers a Personal Data Breach affecting Brand Personal Data; (2) Brand has genuine, documented concerns regarding Penny’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Brand Personal Data. Penny will contribute to such audits by providing Brand or Brand’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.
- 10.2. To request an audit, Brand must submit a detailed proposed audit plan to privacy@pennyapp.com at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Brand intends to appoint to perform the audit. Penny will review the proposed audit plan and provide Brand with any concerns or questions (for example, Penny may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Penny confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 10 shall require Penny to breach any duties of confidentiality.
- 10.3. Penny may object to third party auditors that are, in Penny’s reasonable opinion, not suitably qualified or independent, a competitor of Penny, or otherwise manifestly unsuitable. Brand will appoint another auditor or conduct the audit itself if the parties cannot resolve Penny’s auditor objection after negotiating in good faith.
- 10.4. If the requested audit scope is addressed in an SSAE 18/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Penny’s systems that Process Brand Personal Data (“Audit Reports”) within twelve (12) months of Brand’s audit request and Penny confirms there are no known material changes in the controls audited, Brand agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
- 10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Penny’s health and safety or other relevant policies. The audit may not unreasonably interfere with Penny business activities.
- 10.6. Any audits are at Brand’s expense and Brand will promptly disclose to Penny any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
- 10.7. The parties agree that the audits described in the SCCs, if applicable, shall be performed in accordance with this Section 10.
- 11. Analytics Data
Brand acknowledges and agrees that Penny may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Brand or any Data Subject (“Analytics Data”), and use such Analytics Data to improve the Service.
- 12. Liability
- 12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
- 12.2. Brand acknowledges that Penny is reliant on Brand for direction as to the extent to which Penny is entitled to Process Brand Personal Data on behalf of Brand in performance of the Service. Consequently, Penny will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Penny in compliance with Brand’s instructions or (b) from Brand’s failure to comply with its obligations under the Data Protection Laws.
- 13. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the SCCs, the SCCs will prevail.
SCHEDULE 1
Details of Processing
- Categories of Data Subjects. This DPA applies to Penny’s Processing of Brand Personal Data relating to Brand’s customers, prospective customers, and other marketing contacts (“Data Subjects”).
- Types of Personal Data. The extent of Brand Personal Data Processed by Penny is determined and controlled by Brand in its sole discretion and includes names, email addresses, phone numbers, mailing addresses, billing information, order history, and any other Personal Data that may be transmitted through the Service by Data Subjects.
- Subject-Matter and Nature of the Processing. Brand Personal Data will be subject to the Processing activities that Penny needs to perform in order to provide the Service pursuant to the Agreement.
- Purpose of the Processing. Penny will Process Brand Personal Data for purposes of providing the Service as set out in the Agreement.
- Duration of the Processing. Brand Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.