Data Processing Agreement

Any capitalized terms used but not defined in this DPA have the meaning provided in the Agreement.

‍

(a) "Affiliate" refers to any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for the purposes of this definition, means direct or indirect ownership or control of over 50% of the voting interests of the subject entity.

‍

(b) "Applicable Data Protection Law" encompasses (a) all data protection laws and regulations applicable to the European Economic Area and Switzerland, including the General Data Protection Regulation 2016/679 ("GDPR"), and EU Member State laws supplementing the GDPR; (b) any other laws and regulations applicable to Processor's Processing of Controller Data under the Agreement.

‍

(c) "Authorized Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

‍

(d) "California Privacy Law" refers to the California Consumer Privacy Act until January 1, 2023, and subsequently the California Privacy Rights Act.

‍

(e) "Controller" as used in this DPA, refers to the Customer.

‍

(f) "Controller Data" refers to any Personal Data Processed by Processor on behalf of Customer in connection with the Agreement.

‍

(g) "Customer" refers to the entity determining the purposes and means of the Processing of Personal Data, and includes any Authorized Affiliates of the Customer, to the extent applicable, as well as a "Business" as defined under the California Privacy Law.

‍

(h) "Data Breach" refers to a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Data transmitted, stored, or otherwise processed by Processor.

‍

1. “Instructions” refers to the documented commands and directions provided by the Controller to the Processor regarding the processing of Personal Data. Since Processor is a SaaS service, these instructions are primarily given by the Controller (i) using the functionalities of the Services: any action the Controller takes within the Services that involves processing Personal Data, such as inputting, uploading, modifying, or deleting data, constitutes an instruction; (ii) specific written agreements-this includes the  Agreement and the DPA itself, which contain general instructions for processing; (iii) explicit written requests-where the UI doesn't allow for a specific instruction, the Controller might provide additional written instructions.

‍

(j) "Permitted Purpose" means the use of Controller Data to the extent necessary for the provision of Services by Processor to the Controller.

‍

k) "Personal Data" refers to information relating to an identified or identifiable natural person that relates to or describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular natural person.

‍

(l) "Processing" refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, sharing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‍

(m) "Processor" refers to Writesonic, Inc. and any Writesonic entities, including its Affiliates, which Processes Personal Data on behalf of the Customer, and to the extent applicable, includes a "Service Provider" as defined under the California Privacy Law.

‍

(n) "Regulator" means any supervisory authority with authority under Applicable Data Protection Law concerning all or any part of the provision or receipt of the Services or the Processing of Personal Data.

‍

(o) "Restricted Transfer" refers to: (i) transfers of Personal Data from the EEA to a country outside the EEA not subject to an adequacy determination by the European Commission, for cases where the EU GDPR applies; (ii) transfers of Personal Data from the United Kingdom to another country not subject to adequacy regulations under Section 17A of the United Kingdom Data Protection Act 2018, for cases where the UK GDPR applies; and (iii) transfers of Personal Data to a country outside Switzerland not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner, for cases where the Swiss Federal Act on Data Protection of June 19, 1992 ("Swiss DPA") applies.

‍

(p) "Services" refers to products and services purchased by the Controller under the Agreement and made available online by Processor.

‍

(q) "Sub-processor" means any third-party data processor engaged by Processor who receives Personal Data from Processor for processing on behalf of the Controller and according to the Controller's Instructions (as communicated by Processor) and the terms of its written subcontract.

‍

(r) The terms "Commission", "Data Subject", "Member State", and "Supervisory Authority" maintain the same meanings as in the Applicable Data Protection Laws, and their cognate terms should be construed accordingly.

2.1

Controller and Processor have entered into the Agreement, which grants the Controller the right to access and use the Services. Processor will engage in the processing of Personal Data that Controller submits and stores within the Services on Controller's behalf in providing the Services.

2.2

The Parties enter this DPA to ensure that such Processing by Processor of Controller Data, within the Services provided by Controller and/or on its behalf, complies with Applicable Data Protection Law and the requirements regarding collection, use, and retention of Personal Data for Data Subjects. The details of such Processing, including categories of data subjects, types of data, purpose, and duration, are set forth in Schedule 1 (Details of Processing).

3.1 Roles of the Parties

(a) When the GDPR or UK Data Protection Laws apply to Controller Data, the Parties acknowledge and agree that Customer is a Controller and Writesonic is a Processor acting on behalf of Customer. When Customer is acting as a Processor of Controller Data, Writesonic is a Sub-processor of the Customer.

(b) For purposes of the California Privacy Law, Writesonic will act as a Service Provider in performing its obligations under the Agreement. Writesonic (i) will use Controller Data solely to provide the Services under the Agreement; (ii) will not collect, retain, use, sell, disclose or otherwise process Controller Data for any purpose other than providing the Services under the Agreement or as otherwise permitted. Despite any provisions in the Agreement (including this DPA), Controller acknowledges that Processor has the right to process Personal Data for legitimate business purposes, such as billing, account management, technical support, product development, sales, and marketing. Writesonic understands the restrictions in Section 3.1(b) and certifies its compliance with the California Privacy Law.

3.2 Controller’s Instructions.

Customer warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, concerning its Processing of Controller Data and any processing Instructions issued to Processor; and (ii) it has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Law for Processor to process Controller Data for the purposes described in the Agreement. Customer is solely responsible for the accuracy, quality, and legality of Controller Data and the means by which Customer acquired it. Controller specifically recognizes that its use of the Services will not violate the rights of any Data Subject who has opted out of sales or other disclosures of Personal Data, to the extent applicable under the California Privacy Law.

3.3 Purpose Limitation.

Processor will process Controller Data only according to Customer's Instructions, as outlined in this DPA, for Permitted Purposes, as required to comply with applicable law or as otherwise agreed upon in writing. The Parties agree that the Agreement and this DPA set forth Customer's complete and final instructions to Processor concerning the processing of Controller Data, with processing outside the scope of these instructions requiring prior written agreement between the Parties.

3.4 Data Subject and Regulator Requests.

Customer will be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Applicable Data Protection Law and all communications from Regulators relating to Controller Data.

4.1 Confidentiality.

Processor shall limit access to Controller Data to its personnel who need access to fulfill Processor's obligations under the Agreement. Processor will take commercially reasonable steps to ensure the reliability of any Processor personnel engaged in the Processing of Controller Data.

4.2 Disclosure to Third Parties.

Processor will not disclose Controller Data to third parties except as permitted by this DPA or the Agreement. If required or requested by a competent governmental authority to disclose Controller Data, Processor, to the extent legally permissible and practicable, shall provide Customer with sufficient prior written notice to allow Customer the opportunity to oppose such disclosure.

4.3 Retention.

Processor will retain Controller Data as long as Customer deems it necessary for the Permitted Purpose or as required by Applicable Data Protection Law. Upon the termination of this DPA, or at Customer's written request, Processor will either destroy or return the Controller Data to Customer, unless legal obligations necessitate the storage of Controller Data. Such deletion or return shall occur within thirty (30) days of termination or request, and Processor shall certify completion in writing upon request from the Controller.

4.4 Data Subject and Regulator Requests.

Processor shall, to the extent legally permitted, promptly notify Controller in writing of any complaints, questions, or requests received from Data Subjects or Regulators regarding Controller Data. Taking into account the nature of the Processing and the extent possible, Processor will provide Customer with commercially reasonable assistance in handling a Data Subject's request. If Controller, in its use of the Services, does not have the ability to correct, block, or delete Controller Data, Processor shall comply with any commercially reasonable request by Controller to facilitate such actions, to the extent Processor is legally permitted to do so.

4.5 Data Protection Impact Assessment.

If required under Applicable Data Protection Law, Processor will, upon Customer's request, provide reasonable assistance necessary for Customer to fulfill its obligation to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information and that such information is available to Processor.

4.6 Security.

Processor will implement and maintain appropriate technical, physical, and administrative measures to protect Controller Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, as further described in Schedule 2 (Technical and Organizational Security Measures). These measures will consider the state of the art, costs of implementation, nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ensuring a level of security suitable to the risks associated with the processing and nature of Controller Data.

(a) Customer acknowledges that security measures are subject to technical progress and development, allowing Processor to update or modify the security measures if such updates or modifications do not result in the degradation of the overall security level of Services purchased by Customer. Customer is responsible for reviewing the information provided by Processor concerning data security and making an independent determination as to whether the Services meet Controller's requirements and legal obligations under Applicable Data Protection Law.

(b) Notwithstanding the above, Customer agrees that, except as provided by this DPA, Customer is responsible for the secure use of the Services, which includes securing its account authentication credentials, ensuring the security of Controller Data in transit to and from the Services, and taking appropriate steps to securely encrypt or back up any Controller Data uploaded to the Services.

5.1 Data Breach.

If Processor becomes aware of a Data Breach, Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware; investigate the Data Breach and provide Customer with information about the Data Breach; and take reasonable steps to mitigate the effects and minimize any damage resulting from the Data Breach. Processor's obligation to report or respond to a Data Breach under this Section does not imply an acknowledgment by Processor of any fault or liability concerning the Data Breach.

5.2 Coordination.

Processor will provide reasonable assistance to Customer in fulfilling its obligations to notify Data Subjects and relevant authorities concerning a Data Breach, provided that nothing in this section will prevent either party from complying with its obligations under Applicable Data Protection Laws. The Parties agree to cooperate in good faith on developing the content of any related public statements.

5.3 Caused by Controller.

The obligations in this section do not apply to a Data Breach caused by the Customer.

Customer may audit Processor's compliance with this DPA up to once per year unless requested by a Supervisory Authority. An audit will be conducted by an independent third party ("Auditor") reasonably acceptable to Processor. Before commencing any on-site audit, Customer must submit a detailed proposed audit plan to Processor at least thirty (30) business days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and date of the audit, as well as the proposed Auditor. Processor will review the proposed audit plan and provide Customer with any concerns or questions, working cooperatively with Customer to agree on a final audit plan. Prior to the start of an audit, the Parties will agree upon reasonable time, duration, place, and manner conditions for the audit, as well as a reasonable reimbursement rate payable by Customer to Processor for Processor's audit expenses. The audit results and all information reviewed during the inspection will be deemed Processor's confidential information and subject to the Confidentiality provisions in the Agreement. The Auditor may only disclose to the Customer specific violations of the DPA, if any, and the basis for such findings but cannot disclose to the Customer any records or information reviewed during the inspection. The Customer will bear all costs associated with the aforementioned. If any deficiencies are identified in the audit, Processor undertakes to rectify them within the timeframe reasonably agreed between the parties. Customer may also request copies of industry-standard certifications (e.g., ISO 27001, SOC 2) as alternative evidence.

7.1 General Consent.

Customer acknowledges and agrees that Processor may appoint Sub-processors to assist in providing the Service and Processing Controller Data, provided that such Sub-processors agree to (a) act only on Processor’s instructions when Processing the Controller Data (which instructions will be consistent with Controller's processing instructions to Processor), and (b) protect the Controller Data to a standard consistent with the requirements of this DPA.

7.2 Sub-processor List.

The list of all Sub-processors used as of the Effective Date for processing Controller Data under this DPA is available at https://writesonic.com/legal/sub-processors.

7.3 Objection to New Sub-Processor.

Processor will provide thirty (30) days' notice of a new sub-processor to Customer. Customer may object to Processor's appointment or replacement of a sub-processor before its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection, and made within ten (10) days after Processor provides notice of the new sub-processor. Any such written objection must include Customer's specific reasons for its objection and proposed options to mitigate any alleged risk. The Parties agree to discuss commercially reasonable alternative solutions in good faith. If a resolution cannot be reached within sixty (60) days from the date of Processor’s receipt of Customer's written objection, Customer may discontinue the use of the affected Services by providing written notice to Processor. In the absence of a timely and valid objection by Customer, the new Sub-processor may be commissioned to Process Controller Data.

7.4 Liability.

Processor shall be liable for the acts and omissions of its Sub-processors in providing the Services to the same extent that Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as set forth otherwise in the Agreement.

8.1 Restricted Transfers.

In cases where Customer’s use of the Services involves a Restricted Transfer of Controller Data, Processor shall ensure that such transfers comply with Applicable Data Protection Law. To facilitate such compliance, Processor will implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement, or other legally recognized transfer mechanisms, as required by the relevant jurisdiction’s data protection laws. If an adequacy decision or other legal basis for transfer is established for the destination country by the relevant Supervisory Authority (e.g., the European Commission, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner), Processor may rely on such decision or basis to effect the transfer.

9.1

Neither Party or their respective directors, officers, agents, or employees will be liable to the other party for any reason, whether in contract or tort, for any claims or liability arising out of or based upon this DPA. The maximum liability shall be the amount actually paid by the Customer to Processor in the twelve months preceding the first incident from which the liability arose, regardless of the form in which any legal or equitable action may be brought.

9.2

For the avoidance of doubt, Processor's and its Affiliates' total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Authorized Affiliates, and shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

10.1

If any provision of this DPA is prohibited or unenforceable in any jurisdiction, such provision shall be ineffective to the extent of such prohibition or unenforceability in that jurisdiction alone without invalidating the remaining provisions of this DPA. The parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and will incorporate such substitute provision into this DPA.

10.2

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless otherwise required by Applicable Data Protection Law.

10.3

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Law, in the name and on behalf of its Authorized Affiliates if and to the extent Processor processes Personal Data for which such Authorized Affiliates qualify as the Controller.

10.4

This DPA may not be amended or modified except through the mutual agreement of the Parties; however, Customer will be notified thirty (30) days in advance of any amendments or modifications to this DPA, which will take effect in the next billing cycle. Customer's continued use of the Services shall constitute acceptance of any such amendments and/or modifications. This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential, and each Party agrees and represents, on behalf of itself, its employees, and agents to whom it is permitted to disclose such information, that it will not disclose such information to any third party. Each Party has the right to disclose such information to its officers, directors, employees, auditors, attorneys, and third-party contractors under an obligation to maintain confidentiality and may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation. Controller may not directly or indirectly assign any part of its rights under this DPA or delegate performance of its duties under this DPA without Processor's prior consent, which consent will not be unreasonably withheld. Processor may, without Controller's consent, assign this DPA to any affiliate or in connection with any merger or change of control of Processor or the sale of all or substantially all of its assets, provided that any such successor agrees to fulfill its obligations pursuant to this DPA. Subject to the foregoing restrictions, this DPA will be fully binding, inure to the benefit of, and enforceable by the Parties and their respective successors and assigns.

1. Categories of Data Subjects

The  Personal Data transferred concern the following categories of Data Subjects: 

‍

The categories of Data Subjects are within the control of the Controller and may include individuals about whom data is provided to Processor by or at the direction of the Controller pursuant to the Agreement.

2. Types of Personal Data Transferred

The Personal Data transferred concern the following categories of data: 

‍

the categories of Personal Data are within the control of the Controller and may include data relating to individuals to the extent provided to Processor by or at the direction of the Controller pursuant to applicable terms of service between them.

3. Sensitive Data Transferred

The Personal Data transferred concern the following special categories of data:

‍

the categories of Personal Data are within the control of the Controller and may include data relating to individuals to the extent provided to Processor by or at the direction of the Controller pursuant to applicable terms of service between them.

4. Frequency of the Transfer

Continuous.

5. Nature of Processing

The Personal Data transferred will be subject to the following basic processing activities:

‍

Processor will Process Controller Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services. The processing operations are the Services that are used by the Controller.

6. Purpose of Processing

The purpose of the Processing of Controller Data by Processor is to provide Customer with the Services under the Agreement.

7. Duration of the Processing

The Term of the Agreement plus the period from the expiry of such Term until deletion of all Controller Data by the Processor in accordance with the DPA.

Description of the technical and organizational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks for the rights and freedoms of natural persons.

• Measures of pseudonymization and encryption of personal data
• Measures designed to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Measures designed to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing
• Measures for user identification and authorization
• Measures designed to protect data during transmission
• Measures designed to protect data during storage
• Measures for event logging
• Measures for system configuration, including default configuration
• Measures for internal IT and IT security governance and management
• Measures for certification/assurance of processes and products
• Measures for data minimization
• Measures designed to ensure data quality
• Measures for allowing data portability and ensuring erasure

‍