Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and FaceFirst and applies if FaceFirst processes Personal Data on behalf of Customer while providing Services. This DPA does not apply where FaceFirst is the Controller. All capitalized terms used but not defined in this DPA will have the meanings set forth in the Agreement.
1.1 Role of the Parties. FaceFirst will process Personal Data under the Agreement only as a Processor acting on behalf of Customer. Customer may act either as a Controller or as a Processor of Personal Data.
1.2 Customer Processing of Personal Data. Customer's use of the Software and processing instructions must comply with Data Protection Law and Customer must obtain all rights and authorizations necessary for FaceFirst to process Personal Data under the Agreement.
1.3 FaceFirst Processing of Personal Data. FaceFirst must comply with Data Protection Laws applicable to its provision of the Services and will process Personal Data in accordance with Customer’s documented instructions. Customer agrees that the Agreement is its complete and final instructions to FaceFirst regarding the processing of Personal Data. Processing any Personal Data outside the scope of the Agreement requires prior written agreement between FaceFirst and Customer and may incur additional fees. Customer may terminate the Agreement upon written notice if FaceFirst declines or is unable to accept any reasonable modification to processing instructions that (a) are necessary to enable Customer to comply with Data Protection Laws, and (b) the parties were unable to agree upon after good faith discussions.
1.4 Processing of Personal Data Details.
1.4.1 Subject matter. The subject matter of the processing under the Agreement is Personal Data, in particular images containing customers but also any other Personal Data provided to FaceFirst by Customer.
1.4.2 Duration. The duration of the processing under the Agreement is determined by Customer and as set forth in the Agreement.
1.4.3 Purpose. The purpose of the processing under the Agreement is the provision of the Services by FaceFirst to Customer as specified in the Agreement.
1.4.4 Nature of the processing. FaceFirst and its Sub-processors are providing Services and fulfilling contractual obligations to Customer as described in the Agreement. These Services may include the processing of Personal Data by FaceFirst and its Sub-processors.
1.4.5 Categories of data subjects. Customer determines the data subjects, which may include Customer’s consumers, employees, contractors, suppliers, and other third parties.
1.4.6 Categories of data. Customer controls the categories of Personal Data that it submits to the Services.
2.1 Use of Sub-Processors. Customer authorizes FaceFirst to engage Sub-processors to process Personal Data to provide the Services. FaceFirst is responsible for any acts, errors, or omissions of its Sub-processors to the same extent FaceFirst would be liable if performing the Services directly under the terms of the Agreement.
2.2 Obligations. FaceFirst will enter into an agreement requiring each Sub-processor to process Personal Data in a manner substantially similar to the standards in the DPA, and at a minimum, at the level required by Data Protection Law.
2.3 Notice. FaceFirst’s list of Sub-processors is available upon written request.
2.4 Changes to Sub-processors. FaceFirst will provide prior notice to Customer of any new Sub-processor. If Customer objects to a new Sub-processor on reasonable data protection grounds within 10 days of receiving notice, FaceFirst will discuss those concerns with Customer in good faith with a view to achieving resolution.
3 SECURITY MEASURES.
3.1 Security Measures by FaceFirst. FaceFirst will implement and maintain appropriate technical and organizational security measures designed to protect against Personal Data Breaches in accordance with the Agreement.
3.2 Security Measures by Customer. Customer must implement appropriate technical and organizational measures in its use and configuration of the Software.
3.3 Personnel. FaceFirst restricts its personnel from processing Personal Data without authorization (except as required by applicable law). Any person authorized by FaceFirst to process Personal Data is subject to confidentiality obligations.
4 PERSONAL DATA BREACH RESPONSE.
Upon becoming aware of a Personal Data Breach, FaceFirst will notify Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Customer. FaceFirst will use reasonable endeavors to assist Customer to mitigate, where possible, the adverse effects of any Personal Data Breach.
5 DELETION OF PERSONAL DATA.
Following expiration or termination of the Agreement, FaceFirst will delete or return to Customer all Personal Data to the extent feasible as set forth in the Agreement. If FaceFirst is required by applicable law to retain Personal Data, FaceFirst will implement reasonable measures to prevent any further processing. The terms of this DPA will continue to apply to that retained Personal Data.
6.1 Data Subject Requests. If FaceFirst receives any requests from individuals wishing to exercise their rights in relation to Personal Data processed under the Agreement (a “Request”), FaceFirst will promptly redirect the Request to Customer to the extent the individual is known to be a data subject of Customer. FaceFirst will not respond to the Request directly unless authorized by Customer or required by law. Customer may address Requests using the Services. If Customer needs assistance, Customer will request FaceFirst’s reasonable cooperation, which FaceFirst will provide, at Customer’s expense.
6.2 DPIAs and Prior Consultations. If required by Data Protection Law, FaceFirst will, with reasonable notice and at Customer's expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments (“DPIAs”) and prior consultations with data protection authorities.
6.3 Legal Disclosure Requests. If FaceFirst receives a valid request for the disclosure of Personal Data that is subject to this DPA, that request will be addressed in accordance with the Agreement.
7.1 Relationship with Agreement. Any claims brought under this DPA will be subject to the terms of the Agreement (including its exclusions and limitations).
7.2 Conflicts. In the event of any conflict between this DPA and any provisions in the Agreement, the terms of this DPA will prevail.
7.3 DPA Updates. FaceFirst may update this DPA: (a) if required to do so by a data protection authority or other government or regulatory entity; or (b) to comply with Data Protection Law. FaceFirst may further exchange, adopt, or update its data transfer or compliance mechanisms provided they are recognized by Data Protection Law. The modified DPA will become effective when published on FaceFirst’s website or as otherwise provided in the Agreement.
Agreement means the written or electronic agreement between Customer and FaceFirst for the provision of Services to Customer.
Controller means an entity that determines the purposes and means of the processing of Personal Data.
Data Protection Law means all data protection and privacy laws applicable to the processing of Personal Data in relation to the Services.
Personal Data means any information relating to an identified or identifiable natural person contained within Customer Data.
Personal Data Breach means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Processor means an entity that processes Personal Data on behalf of a Controller.
Services means, for the purposes of this DPA, any Cloud Service or Services provided by FaceFirst to Customer pursuant to the Agreement.
Services means the Support Services provided by under the Agreement.
Sub-processor means any Processor engaged by FaceFirst or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors may include third parties or any member of FaceFirst’s group of companies.
CCPA Supplemental Terms
To the extent that the California Consumer Privacy Act of 2018, as amended, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) applies to Personal Data that Customer discloses to FaceFirst for a ‘business purpose’ and where FaceFirst is acting as Customer’s ‘service provider’ pursuant to the Agreement, as such terms are defined under CCPA, the following supplemental terms apply:
1. FaceFirst is processing the Personal Data for the limited and specific ‘business purpose’ of providing the FaceFirst Services purchased pursuant to the Agreement, which may be further detailed in the Support and Maintenance Program set forth at www.FaceFirst.com/support-terms, as applicable.
2. FaceFirst will comply with the requirements of CCPA that are applicable to FaceFirst as a service provider and will provide the level of privacy protection as further described in the Agreement, including facilitating Customer’s responses to, and compliance with, its consumers’ requests as detailed in Section 6 (Cooperation), and implementing security measures as described in Section 3 (Security Measures).
3. To ensure that FaceFirst uses Personal Data in a manner consistent with Customer’s obligations under the CCPA, Customer may take the reasonable and appropriate steps set forth in Section 5 (Audit Reports).
4. FaceFirst will notify Customer if FaceFirst determines that it can no longer meet its obligations under CCPA.
5. If Customer reasonably believes that FaceFirst is using Personal Data in a manner not authorized by the Agreement or by the CCPA, Customer may take the following reasonable and appropriate steps: (i) notify FaceFirst so that the parties may work together in good faith to resolve the matter, or (ii) exercise any other rights provided in the Agreement.
6. FaceFirst will not ‘sell’ or ‘share’ Personal Data (as those terms are defined under CCPA).
7. FaceFirst will not retain, use, or disclose Personal Data outside of the direct business relationship between FaceFirst and Customer or for commercial or any other purposes other than for the business purpose identified above, except as otherwise permitted by CCPA.
8. FaceFirst will not combine Personal Data with data received from another source or with data collected by FaceFirst from its own interactions with Customer’s consumers, except as permitted by CCPA.