Data Processing Agreement
PENNY DATA PROCESSING ADDENDUM
This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Terms of Service (“Agreement”) between Penny AI Technologies, Inc. (“Penny”) and the sales associate, brand affiliate, or other user of the Services (“User”). This DPA applies to the extent Penny’s Processing of User Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
- 1. Definitions
- 1.1. For this DPA:
- 1.1.1. “CCPA” means the California Consumer Privacy Act, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect, together with any implementing regulations;
- 1.1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;
- 1.1.3. “Data Protection Laws” means all laws relating to data protection and privacy applicable to Penny’s Processing of User Personal Data, including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018, and applicable privacy and data protection laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;
- 1.1.4. “Data Subjects” means the individuals identified in Schedule 1;
- 1.1.5. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;
- 1.1.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);
- 1.1.7. “Personal Data” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws.
- 1.1.8. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to User Personal Data where Data Protection Laws require notification of governmental authorities or affected Data Subjects;
- 1.1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller;
- 1.1.10. “Sell” has the meaning given in the Data Protection Laws;
- 1.1.11. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner for parties making restricted transfers, which entered into force on 21 March 2022 (collectively, with the EU SCCs, “the SCCs”); and
- 1.1.12. “User Personal Data” means the Personal Data described under Schedule 1 to this DPA.
- 1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
- 2. Processing of User Personal Data
- 2.1. User is a Controller of User Personal Data and Penny is a Processor of User Personal Data. The Parties acknowledge that User accesses the Services in connection with selling goods for a multi-level marketing company (the “Brand”). The parties acknowledge that, depending on the circumstances, User and Brand may be joint controllers and/or independent controllers of User Personal Data, as provided in the agreements between or as otherwise determined by User and Brand.
- 2.2. Penny will only Process User Personal Data as a Processor on behalf of and in accordance with User’s prior written instructions, including any instructions provided through User’s use of the Service. User hereby instructs Penny to Process User Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. Penny shall not (1) retain, use, or disclose User Personal Data other than: as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) retain, use, or disclose User Personal Data outside of the direct business relationship between User and Penny, including by combining User Personal Data with Personal Data Penny receives from third parties (which, for the avoidance of doubt, does not include Brand) except as permitted by the CCPA; or (3) Sell or Share (as the term “Share” is defined in the CCPA) User Personal Data. Penny shall notify User if it determines that it cannot meet its obligations under the Data Protection Laws. Upon receiving written notice from User that Penny has Processed User Personal Data without authorization, Penny will stop or remediate such Processing; or allow User to take reasonable and appropriate steps to remediate such Processing.
- 2.3. Penny will immediately inform User if, in its opinion, an instruction from User infringes the Data Protection Laws.
- 2.4. The details of Penny’s Processing of User Personal Data are described in Schedule 1.
- 2.5. If applicable laws preclude Penny from complying with User’s instructions, Penny will inform User of its inability to comply with the instructions, to the extent permitted by law.
- 2.6. Each of User and Penny will comply with their respective obligations under the Data Protection Laws.
- 3. Cross-Border Transfers of Personal Data
- 3.1. With respect to User Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (the “UK”) or Switzerland that is transferred from User to Penny, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with User as the “data exporter” and Penny as the “data importer.”
- 3.2. For purposes of the EU SCCs the parties agree that:
- 3.2.1. In Clause 7, the optional docking clause will not apply;
- 3.2.2. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA;
- 3.2.3. In Clause 11, the optional language will not apply;
- 3.2.4. For the purposes of Clause 15(1)(a), Penny shall notify User and/or Brand and not the Data Subject(s) in case of government access requests and User and/or Brand shall be solely responsible for promptly notifying the affected Data Subjects as necessary;
- 3.2.5. In Clause 17, Option 1 applies and the EU SCCs shall be governed by the laws of Ireland;
- 3.2.6. In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
- 3.2.7. In Annex I, Section A (List of Parties), (i) the User is the data exporter and Penny is the data importer and their identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) User is a Controller, and Penny is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;
- 3.2.8. In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Penny’s Processing of User Personal Data; (ii) the frequency of the transfer is continuous (for as long as User uses the Services); (iii) User Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Penny uses the Sub-Processors identified at https://getpenny.com/sub-processors/ (the “Sub-Processor List”) to support the provision of the Services.
- 3.2.9. In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by User to Penny.
- 3.2.10. In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of User Personal Data as described at https://getpenny.com/security/ (the “Security Page”).
- 3.3. If the transfer of User Personal Data is subject to the Swiss Federal Act on Data Protection (“FADP”), the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of User Personal Data that is governed by the FADP; (iii) the term “Member State” in the EU SCCs will not prevent Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the FADP.
- 3.4. With respect to transfers from User to Penny of User Personal Data originating from the United Kingdom, the parties agree that the UK Addendum will complement the EU SCCs to the extent required under Data Protection Law. The UK Addendum is incorporated herein by reference. The parties agree that the UK Addendum is completed as follows:
- 3.4.1. For the purpose of Part 1 of the UK Addendum:
- 3.4.1.1. Table 1: the start date is the effective date of the Agreement, the exporter is the User and the importer is Penny, the table is deemed to be completed with the information set out in Section 3.2 of this DPA, and by signing this DPA, parties are deemed to have signed the UK Addendum.
- 3.4.1.2. Table 2: the “Approved EU SCCs” which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 3.2 of this DPA.
- 3.4.1.3. Table 3: the information requested in Annex 1 is provided in Sections 3.2.8 and 3.2.9 of this DPA; the security measures requested in Annex 2 are provided at https://getpenny.com/security/; the list of Subprocessors is available at https://getpenny.com/sub-processors/.
- 3.4.1.4. Table 4: the importer may end the UK Addendum as set out in section 19 of the UK Addendum.
- 4. Confidentiality and Security
- 4.1. Penny will require Penny’s personnel who access User Personal Data to commit to protect the confidentiality of User Personal Data.
- 4.2. Penny will implement commercially reasonable technical and organisational measures, as further described at the Security Page, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Personal Data.
- 4.3. To the extent required by Data Protection Laws, Penny will provide User with reasonable assistance as necessary for the fulfilment of User’s obligations under Data Protection Laws to maintain the security of User Personal Data.
- 5. Sub-Processing
- 5.1. User agrees that Penny may engage Sub-Processors to Process User Personal Data on User’s behalf. Penny’s current list of Sub-Processors is available at the Sub-Processor List. User may sign up to receive notice of any intended changes concerning the addition or replacement of Sub-Processors on the Sub-Processor List by completing the form at https://getpenny.com/subprocessor-update/ (the “Notice Form”). User acknowledges that Penny satisfies its obligation to inform User of changes to the Sub-Processor List by updating the Sub-Processor List and sending a notice to all email addresses added to the Notice Form (the “Notice”). Penny will send the Notice at least 10 days prior to permitting the Sub-Processor to access User Personal Data. Through Brand, User may submit objections to changes to the Sub-Processor List, provided such objections have reasonable grounds and are sent to Penny by Brand within five days of receiving the Notice. If Penny and Brand are unable to resolve such objection, Penny or User may terminate the Agreement by providing written notice to the other party. Any termination pursuant to this Section 5.1 will not affect User’s obligation to pay fees incurred prior to the termination.
- 5.2. Penny will impose on its Sub-Processors substantially the same data protection obligations that apply to Penny under this DPA. Penny will be liable to User for its Sub-Processors’ acts or omissions as it would be for its own.
- 5.3. The parties agree that the copies of the Sub-Processor agreements that must be provided by Penny to User pursuant to the SCCs, if applicable, may have commercial information or clauses unrelated to the SCCs removed by Penny beforehand; and, that such copies will be provided by Penny, in a manner to be determined in its discretion, only upon User’s written request.
- 6. Data Subject Rights
User is responsible for responding to any Data Subject requests relating to User Personal Data (“Requests”). If Penny receives any Requests during the term, Penny will advise the Data Subject to submit the request directly to User, Brand, or the appropriate Controller. Penny will provide User with self-service functionality or other reasonable assistance to permit User to respond to Requests.
- 7. Personal Data Breaches
Upon becoming aware of a Personal Data Breach affecting User Personal Data, Penny will (i) promptly take measures designed to remediate the Personal Data Breach and (ii) notify User and/or Brand without undue delay. User is solely responsible for complying with Personal Data Breach notification requirements applicable to User. Through Brand, User may request that Penny reasonably assist User’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if User is required to do so under the Data Protection Laws. Penny’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Penny of any fault or liability with respect to the Personal Data Breach.
- 8. Data Protection Impact Assessment; Prior Consultation
Through Brand, User may request reasonable assistance from Penny in connection with conducting data protection impact assessments and consultation with data protection authorities if User is required to engage in such activities under applicable Data Protection Laws, Penny’s assistance is necessary, and the data protection impact assessment or consultation relate to the Processing by Penny of User Personal Data.
- 9. Deletion of User Personal Data
User instructs Penny to delete User Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in the SCCs, if applicable, shall be provided only upon User’s written request. Notwithstanding the foregoing, Penny may retain User Personal Data to the extent and for the period required by applicable laws provided that Penny maintains the confidentiality of all such User Personal Data and Processes such User Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
- 10. Audits
Through Brand, User may audit Penny’s compliance with its obligations under this DPA up to once per year. Penny will contribute to such audits by providing Brand with the information and assistance reasonably necessary to conduct the audit as described in Penny’s agreements with Brand.
- 11. Analytics Data
User acknowledges and agrees that Penny may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to User or any Data Subject (“Analytics Data”), and use such Analytics Data to improve the Service.
- 12. Liability
- 12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
- 12.2. User acknowledges that Penny is reliant on User for direction as to the extent to which Penny is entitled to Process User Personal Data on behalf of User in performance of the Service. Consequently, Penny will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Penny in compliance with User’s instructions or (b) from User’s failure to comply with its obligations under the Data Protection Laws.
- 13. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the SCCs, the SCCs will prevail.
SCHEDULE 1
Details of Processing
- Categories of Data Subjects. This DPA applies to Penny’s Processing of User Personal Data relating to User’s customers, prospective customers, and other marketing contacts (“Data Subjects”).
- Types of Personal Data. The extent of User Personal Data Processed by Penny is determined and controlled by User in its sole discretion and includes names, email addresses, phone numbers, mailing addresses, billing information, order history, and any other Personal Data that may be transmitted through the Service by Data Subjects.
- Subject-Matter and Nature of the Processing. User Personal Data will be subject to the Processing activities that Penny needs to perform in order to provide the Service pursuant to the Agreement.
- Purpose of the Processing. Penny will Process User Personal Data for purposes of providing the Service as set out in the Agreement.
- Duration of the Processing. User Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.