data processing addendum
This Data Processing Addendum ("DPA") was published on 22 March, 2021
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the Agreement shall include this DPA (including the SCCs (where applicable), as defined herein.
- "Child Data"
- means any personal data that eyeZy processes on behalf of You via the eyeZy Services, as more particularly described in this DPA.
- "Data Protection Laws"
- means all data protection laws and regulations applicable to a party’s processing of personal data under the Agreement, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
- "EU Data Protection Law"
- means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iii) in respect of the United Kingdom ("UK") any applicable national legislation that replaces or converts in domestic law the GDPR, or any other law relating to data and privacy as a consequence of the UK leaving the European Union).
- means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
- "Non-EU Data Protection Laws"
- means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law ("LGPD"), Federal Law no. 13,709/2018; and the Privacy Act 1988 (Cth) of Australia, as amended ("Australian Privacy Law"), and any other national laws relating to data and privacy that may be applicable to You as a User.
- means the standard contractual clauses as approved by the European Commission (as applicable).
- means a person under the age of 16 or a lower age provided that such lower age is not below 13 years according to EU Data Protection Laws, or any other age specified under Non-EU Data Protection Laws.
- "Security Incident"
- means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Child Data on systems managed or otherwise controlled by eyeZy.
- "Sensitive Data"
- means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.
- means any processor engaged by eyeZy or its Affiliates to assist in fulfilling its obligations with respect to providing the eyeZy Services pursuant to the Agreement or this DPA.
The terms "personal data", "controller", "data subject", "processor" and "processing" shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and "process", "processes" and "processed", with respect to any personal data, shall be interpreted accordingly.
roles and responsibilities
- Parties’ roles. If EU Data Protection Law or any other data privacy law applies to either party’s processing of Child Data, the parties acknowledge and agree that with regard to the processing of Child Data, User is the controller and eyeZy is the processor acting on behalf of the User, as further described in Annex A (Details of Data Processing) of this DPA. For the avoidance of doubt, this DPA shall not apply to instances where eyeZy is the controller (as defined by EU Data Protection Law) unless otherwise described in Annex D hereto.
- Purpose limitation. eyeZy shall process Child Data only in accordance with User’s instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing ("Permitted Purposes"). The parties agree that the Agreement sets out User’s complete and final instructions to eyeZy in relation to the processing of Child Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
- Prohibited data. User will not provide (or cause to be provided) any third-party data, except for his child, over the data of which the User is parentally responsible (Child Data), to eyeZy for processing under the Agreement, and eyeZy will have no liability whatsoever for third-party data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to third-party data.
- User compliance. User represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Child Data and any processing instructions it issues to eyeZy; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for eyeZy to process Child Data for the purposes described in the Agreement. User shall have sole responsibility for the accuracy, quality, and legality of Child Data and the means by which User obtained Child Data. Without prejudice to the generality of the foregoing, User agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any Target devices (as defined in the Agreement) that User connects to eyeZy Services and any personal data obtained, controlled or accessed through the eyeZy Services, including those relating to obtaining consents (where required).
- Lawfulness of User’s instructions. User will ensure that eyeZy’s processing of the Child Data in accordance with User’s instructions will not cause eyeZy to violate any applicable law, regulation, or rule, including, without limitation, EU Data Protection Laws. eyeZy shall promptly notify User in writing, unless prohibited from doing so under EU Data Protection Laws, if it becomes aware or believes that any data processing instruction from User violates the GDPR or any other data protection laws.
- Authorized Sub-processors. User agrees that eyeZy may engage Sub-processors to process Child Data on User’s behalf. The Sub-processors currently engaged by eyeZy and authorized by User are listed in Annex E.
- Sub-processor obligations. eyeZy shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Child Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause eyeZy to breach any of its obligations under this DPA.
- Security Measures. eyeZy shall implement and maintain appropriate technical and organizational security measures that are designed to protect Child Data from Security Incidents and designed to preserve the security and confidentiality of Child Data in accordance with eyeZy’s security standards described in Annex B ("Security Measures").
- Confidentiality of processing. eyeZy shall ensure that any person who is authorized by eyeZy to process Child Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- Updates to Security Measures. User is responsible for reviewing the information made available by eyeZy relating to data security and making an independent determination as to whether the Service meets User’s requirements and legal obligations under Data Protection Laws. User acknowledges that the Security Measures are subject to technical progress and development and that eyeZy may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to User.
- Security Incident response. Upon becoming aware of a Security Incident, eyeZy shall: (i) notify User without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by User; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. eyeZy’s notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by eyeZy of any fault or liability with respect to the Security Incident.
- User responsibilities. Notwithstanding the above, User agrees that except as provided by this DPA, User is responsible for its secure use of the eyeZy Services, including securing its account authentication credentials, including password and private encryption key, protecting the security of Child Data when in transit to and from the eyeZy Service.
security due diligence
- Security due diligence. eyeZy shall respond to all reasonable requests for information made by User to confirm eyeZy’s compliance with this DPA, including responses to information security, due diligence, by making additional information available regarding its information security program upon User’s written request to [email protected] , provided that User shall not exercise this right more than once per calendar year.
- Data center locations. Subject to Section 6.2, User acknowledges that eyeZy may transfer and process Child Data to and in the European Union and anywhere else in the world where eyeZy, its Affiliates or its Sub-processors maintain data processing operations. eyeZy shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
- European data. To the extent that eyeZy is a recipient of Child Data protected by the European Data Protection Law, the parties acknowledge and agree that eyeZy may transfer such Child Data outside of EU to its Sub-processors as permitted by the terms agreed upon by the parties and subject to eyeZy complying with this DPA, SCC and the EU Data Protection Law.
- International Data transfers. To the extent that User may be a recipient of Child Data protected by EU Data Protection Laws ("EU Data") in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), the parties agree to the following:
- eyeZy agrees to abide by and process EU Data in compliance with the SCCs in the form set out in Annex C. For the purposes of the descriptions in the SCCs, eyeZy agrees that it is the "data exporter" and User is the "data importer".
- Alternative transfer mechanism. To the extent eyeZy adopts an alternative data export mechanism (including any new version of or successor to the SCCs or Privacy Shield) for the transfer of EU Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable EU Data Protection Law and extends to the countries to which EU Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer EU Data (within the meaning of applicable EU Data Protection Law), eyeZy may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of EU Data.
return or deletion of data
Deletion or return on termination. Upon termination or expiration of the Agreement, eyeZy shall (at User’s election) delete or return to User all Child Data (including copies) in its possession or control, except that this requirement shall not apply to the extent eyeZy is required by applicable law to retain some or all of the Child Data, or to Child Data it has archived on back-up systems, which Child Data eyeZy shall securely isolate, protect from any further processing and eventually delete in accordance with eyeZy’s deletion policies, except to the extent required by applicable law.
data subject rights and cooperation
- Data subject requests. As part of the Service, eyeZy provides User with a number of service features, that User may use to retrieve, correct, delete or restrict the use of Child Data, which User may use to assist it in connection with its obligations under the Data Protection Laws with respect to responding to requests from data subjects via User’s account at no additional cost. In addition, eyeZy shall, taking into account the nature of the processing, provide reasonable additional assistance to User to the extent possible to enable User to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. In the event that any such request is made to eyeZy directly, eyeZy shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact User) or legally required, without User’s prior authorization. If eyeZy is required to respond to such a request, eyeZy shall promptly notify User and provide User with a copy of the request unless eyeZy is legally prohibited from doing so. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent eyeZy from responding to any data subject or data protection authority requests in relation to personal data for which eyeZy is a controller.
- Data protection impact assessment. To the extent required under applicable Data Protection Laws, eyeZy shall (taking into account the nature of the processing and the information available to eyeZy) provide all reasonably requested information regarding the Service to enable User to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. eyeZy shall comply with the foregoing by: (i) providing the information contained in the Agreement, including this DPA; and (ii) if the foregoing sub-section is insufficient for User to comply with such obligations, upon request, providing additional reasonable assistance (at User’s expense).
To the extent eyeZy processes Child Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex D, then the terms specified in Annex D with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to eyeZy.
limitation of liability
- Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
- Any claims made against eyeZy or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the User entity that is a party to the Agreement.
- In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
relationship with the agreement
- This DPA shall remain in effect for as long as eyeZy carries out Child Data processing operations on behalf of User or until termination of the Agreement (and all Child Data has been returned or deleted in accordance with Section 7.1 above).
- The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service.
- Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
- No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
- This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
annex a – details of data processing
- Processor (data exporter): eyeZy, a Cyprus limited company, whose legal name is Fortunex Limited d/b/a eyeZy.
- Subject matter: The subject matter of the data processing under this DPA is the Child Data.
- Duration of processing: eyeZy will process Child Data as outlined in Section 7 (Return or Deletion of Data) of this DPA.
- Purpose of processing: eyeZy shall only process Child Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the eyeZy Service in accordance with the Agreement; (ii) processing initiated by User in its use of the eyeZy Service; and (iii) processing to comply with any other reasonable instructions provided by User (e.g., via Control Panel, email or support tickets) that are consistent with the terms of the Agreement.
- Nature of the processing: eyeZy provides parental control SaaS, application and cloud control, eyeAssistance and other related services, as more particularly described in the Agreement.
- Types of User Data: User may upload, submit or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by User in its sole discretion, and may include the following types of personal data:
- Child: identification and contact data (address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information);) sensitive data (photos, videos, notes, calendar events); IT data (target device model, IMEI, BSSID, Wi-Fi point name, IP addresses, applications installed, online navigation data, location data, browser data, browser history, URLs); communication data (SMS, MMS, calls, emails, text messengers);
- Child’s Contacts: identification and contact data (name, contact details, including phone number, email, etc.); communication data (SMS, MMS, iMessage, calls, emails, text messengers);
- Processing Operations: User Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
- Encryption and other security measures necessary to provide, maintain and improve the Service provided to User pursuant to the Agreement;
- Storage and other processing necessary to provide, maintain and improve the Service provided to User pursuant to the Agreement; and\or
- Disclosures in accordance with the Agreement and/or as compelled by applicable law.
annex b – security measures
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 4.3 of this DPA).
annex c - standard contractual clauses
Standard Contractual Clauses
annex d - jurisdiction-specific terms
- Government data access requests. As a matter of general practice, eyeZy does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about eyeZy accounts (including Child Data). If eyeZy receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about an eyeZy account (including Child Data) belonging to User whose primary contact information indicates the User is located in Europe, eyeZy shall: (i) inform the government agency that eyeZy is a processor of the data; (ii) attempt to redirect the agency to request the data directly from User; and (iii) notify User via email sent to User’s primary contact email address of the request to allow User to seek a protective order or other appropriate remedy. As part of this effort, eyeZy may provide User’s primary and billing contact information to the agency. eyeZy shall not be required to comply with this paragraph 2 if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or eyeZy’s property, Sites, or eyeZy Services.
- For the avoidance of doubt, when European Union law ceases to apply to the UK upon the UK’s withdrawal from the European Union and until such time as the UK is deemed to provide adequate protection for personal data (within the meaning of applicable EU Data Protection Law) then to the extend eyeZy processes (or causes to be processed) any Child Data protected by EU Data Protection Law applicable to EEA and Switzerland in the United Kingdom, eyeZy shall process such Child Data in compliance with the SCCs or any applicable Alternative Transfer Mechanism implemented in accordance with Section 6.3 and 6.4 of this DPA.
- Except as described otherwise, the definitions of: “controller” includes “Business”; "processor" includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under CCPA.
- EyeZy’s obligations regarding data subject requests, as described in Section 8 (Data Subject Rights and Cooperation) of this DPA, apply to Consumer’s rights under the CCPA.
- Where Sub-processors process the Child Data, eyeZy takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom eyeZy has entered into a written contract that includes terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale”. eyeZy conducts appropriate due diligence on its Sub-processors.
- eyeZy shall process Child Data in compliance with the SCCs or any applicable Alternative Transfer Mechanism implemented in accordance with Section 6.3 and 6.4 of this DPA.
- eyeZy takes steps to ensure that eyeZy’s Sub-processors, as described in Section 3 (Sub-processing) of the DPA, are third parties under PIPEDA, with whom eyeZy has entered into a written contract that includes terms substantially similar to this DPA. eyeZy conducts appropriate due diligence on its Sub-processors.
- eyeZy will implement technical and organizational measures as set forth in Section 4 (Security) of the DPA.