AppHub
Data Privacy Addendum

APPHUB DATA PRIVACY ADDENDUM

This Data Privacy Addendum (“DPA” or “Addendum”) is incorporated by reference into the Terms of Service or other agreement (“Agreement”) between the parties regarding the use of applications (“Apps”) and other services (collectively “Services”) between AppHub LLC, a Delaware corporation and provider of the Services (“AppHub”), and the customer who is party to the Agreement (“Customer”). AppHub and Customer are each referred to here as a “Party” and collectively the “Parties.” In the event of a conflict between this DPA and any other agreement between the parties, this DPA takes precedence but only with respect to the subject matter of this Addendum. 

Customer and AppHub agree as follows:

  1. Definitions. For purposes of this Addendum:
  1. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act (2018) (“UK 2018 Privacy Act”), and the Swiss Federal Act on Data Protection (“Swiss FADP”). For the avoidance of doubt, if AppHub’s Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
  2. “Consumer” means an identified or identifiable natural person about whom Personal Information relates.
  3. “Personal Information” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.
  4. “Process” and “Processing” mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  5. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
  6. “Standard Contractual Clauses” means one or both of the following, as the context requires:
  1. For Personal Information subject to the UK Data Protection Law, the “2010 Standard Contractual Clauses,” defined as the clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec/2010/87/2016-12-17 and completed as described in the “Data Transfers” section below, until such time as the United Kingdom recognizes the 2021 Standard Contractual Clauses, in which case such clauses shall apply to Personal Information Transferred from the UK; and
  2. For Personal Information subject to the GDPR or the Swiss FADP, the “2021 Standard Contractual Clauses,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
  1. Scope and Purposes of Processing.

AppHub will Process Personal Information solely: (1) to fulfill its obligations to Customer under the Agreement, including this Addendum; (2) pursuant to Customer’s instructions; and (3) in compliance with Data Privacy Laws.

  1. CCPA Acknowledgment.

The parties acknowledge and agree that AppHub is a service provider for the purposes of the California Consumer Privacy Act (the “CCPA”). AppHub certifies that it understands the rules, restrictions, requirements and definitions of the CCPA. AppHub agrees to refrain from taking any action that would cause any transfers of Personal Information to or from AppHub to qualify as a sale of Personal Information under the CCPA.

  1. Personal Information Processing Requirements. AppHub will:
  1. Ensure that the persons it authorizes to Process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  2. Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Consumers (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Information).
  3. Promptly notify Customer of (i) any third-party or Consumer complaints regarding the Processing of Personal Information; or (ii) any government or Consumer requests for access to or information about AppHub’s Processing of Personal Information on Customer’s behalf, unless prohibited by Data Privacy Laws. AppHub will provide Customer with reasonable cooperation and assistance in relation to any such request.
  1. Data Security. AppHub will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Information, as set forth in Exhibit A.
  2. Security Breach. AppHub will notify Customer without undue delay, and in no event later than seventy-two (72) hours after discovery, of any Security Breach and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
  1. Taking steps to mitigate the effects of the Security Breach and reduce the risk to Consumers whose Personal Information was involved; and
  2. Providing Customer with the following information, to the extent known:
  1. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Consumers concerned, and the categories and approximate number of Personal Information records concerned;
  2. The likely consequences of the Security Breach; and
  3. Measures taken or proposed to be taken by AppHub to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  1. Subcontractors.
  1. Customer acknowledges and agrees that AppHub may use AppHub affiliates and other subcontractors to Process Personal Information in accordance with the provisions within this Addendum and Data Privacy Laws. Where AppHub sub-contracts any of its rights or obligations concerning Personal Information, including to any affiliate, AppHub will take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Information consistent with applicable Data Privacy Laws.
  2. AppHub has provided a current list of AppHub’s subprocessors listed herein as Exhibit B, and Customer hereby consents to AppHub’s use of such subprocessors. AppHub will maintain an up-to-date list of its subprocessors, and it will provide Customer with at least thirty (30) days’ notice of any new subprocessor added to the list prior to transferring Customer Personal Information to such a new subprocessor. In the event Customer objects to a new subprocessor, AppHub will not transfer Customer Personal Information to the new subprocessor and will use reasonable efforts in the circumstances to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Information by the objected-to subprocessor. Customer may, in its sole discretion, terminate the Agreement for convenience by providing written notice at the end of the thirty (30) day period to AppHub, in the event that Customer objects to a subprocessor and AppHub is unable to change the Services to Customer’s satisfaction.
  1. Data Transfers.
  1. Customer authorizes AppHub to make international transfers of the Personal Information only if (i) applicable Data Privacy Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.
  2. With respect to Personal Information transferred from the United Kingdom for which UK Data Protection Law (and not the law in any European Economic Area (“EEA”) jurisdiction or Switzerland) governs the international nature of the transfer, and such law permits use of the 2010 Standard Contractual Clauses but does not permit use of the 2021 Standard Contractual Clauses, the 2010 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows:
  • The “exporter” is Customer, and the exporter’s contact information is set forth below,
  • The “importer” is AppHub, and AppHub’s contact information is set forth below.
  • Where Clause 9 of the 2010 Standard Contractual Clauses requires specification of the law that governs the Clauses, the parties select the law of the United Kingdom.
  • The “illustrative indemnification clause” labelled “optional” is deemed stricken.
  • Appendices 1 and 2 of the 2010 Standard Contractual Clauses are set forth in Schedule A below.
  • By entering into this DPA, the Parties are deemed to be signing the 2010 Standard Contractual Clauses and their applicable Appendices.
  1. With respect to Personal Information transferred from the EEA and Switzerland, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and they will be deemed completed as follows:
  • Customer acts as a controller and AppHub acts as Customer’s processor with respect to the Personal Information subject to the 2021 Standard Contractual Clauses, and its Module 2 applies.
  • Clause 7 (the optional docking clause) is included.
  • Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth as indicated in Section 11(b) of this DPA and AppHub shall update that list and provide notice to Customer at least twenty (20) days in advance of any intended additions or replacements of sub-processors.
  • Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
  • Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland.
  • Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
  • Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule B of the DPA.
  • Annex III of the 2021 Standard Contractual Clauses (List of subprocessors) is inapplicable.
  1. Additional Safeguards for the Transfer and Processing of Personal Information from the EEA, Switzerland, and the United Kingdom. To the extent that AppHub Processes Personal Information of Data Subjects located in or subject to the applicable Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, AppHub agrees to the following safeguards to protect such data to an equivalent level as applicable Data Privacy Laws:
  • AppHub and Customer shall encrypt all transfers of the Personal Information between them, and AppHub shall encrypt any onward transfers it makes of such personal data, to prevent the acquisition of such data by third parties.
  • AppHub will use all reasonably available legal mechanisms to challenge any demands for data access through national security process it receives as well as any non-disclosure provisions attached thereto.
  • At 12-month intervals or more often if required by applicable Data Privacy Law, AppHub shall create a transparency report that it will make available to Customer upon request, indicating the types of binding legal demands for the Personal Information it has received, including national security orders and directives, which shall encompass any process issued under FISA Section 702.
  • AppHub will promptly notify Customer if AppHub can no longer comply with the applicable Standard Contractual Clauses or the clauses in this Section. AppHub shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Customer’s other rights and remedies with respect to a breach of the Agreement.
  1. Audits. AppHub will make available to Customer all information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, provided that such audit shall occur no more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent AppHub’s personnel are required to cooperate thereupon, during AppHub’s normal business hours.
  2. Return or Destruction of Personal Information. Except to the extent required otherwise by Data Privacy Laws, AppHub will, at the choice of Customer, return to Customer and/or securely destroy all Personal Information upon (a) written request of Customer or (b) termination of the Addendum. Except to the extent prohibited by Data Privacy Laws, AppHub will inform Customer if it is not able to return or delete the Personal Information.
  3. Term; Survival. The term of this Addendum shall commence as of the Effective Date and will continue until terminated by the parties upon a 30-day prior written notice or until the underlying Addendum between the parties has been terminated. The provisions of this Addendum shall survive the termination or expiration of this Addendum for so long as AppHub or its subcontractors Process the Personal Information.

Schedule A

Appendix 1 to the 2010 Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

Data exporter

The data exporter is: Customer, who is engaging AppHub for the purposes described in the Agreement and any relevant order or statement of work.

Data importer

The data importer is: AppHub, who will process the Personal Information for the purposes described in the Agreement and any relevant order or statement of work.

Data subjects

The personal data transferred concern the following categories of data subjects:

Data subjects located in the EEA, UK, or Switzerland whose information is provided from Customer to AppHub for processing pursuant to the Agreement and this DPA.

Categories of data

The personal data transferred concern the following categories of data:

Any categories of personal data provided by Customer to AppHub regarding data subjects in the EEA, UK, or Switzerland whose information is provided from Customer to AppHub for processing pursuant to the Agreement and this DPA.

Special categories of data (if applicable)

The personal data transferred concern the following special categories of data (please specify):

Customer does not require data subjects to provide special category information, but data subjects may optionally provide information falling within that category and Customer is responsible for ensuring that the Processing of Personal Information under this DPA is lawful so long as AppHub and its subprocessors are in compliance with the requirements of the Agreement.

Processing operations (including subject matter, nature, purpose and duration of Processing)

The personal data transferred will be subject to the following basic processing activities (please specify): All Processing activities set forth in the Agreement and any relevant order or statement of work.

Appendix 2 to the 2010 Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Exhibit A.

Schedule B

Annexes I and II of the 2021 Standard Contractual Clauses

ANNEX I

  1. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s): Customer

Contact person’s name, position and contact details: As provided in the Notices provision of the Agreement.

Activities relevant to the data transferred under these Clauses: The processing activities as described in the Agreement and any relevant order or statements of work.

Signature and date: …

Role (controller/processor): Controller

The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the Agreement and the DPA.

Data importer(s): AppHub LLC, 116 Huntington Ave, 15th Floor, Boston, Massachusetts 02116 USA

Activities relevant to the data transferred under these Clauses: The processing activities as described in the Agreement and any relevant order or statements of work.

Role (controller/processor): Processor

The importer (Processor) is AppHub and AppHub’s contact details and signature are as provided in the Agreement and the DPA.

  1. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Data subjects located in the EEA, UK, or Switzerland whose information is provided from Customer to AppHub for processing pursuant to the Agreement and this DPA.

Categories of personal data transferred:

Any categories of personal data provided by Customer to AppHub regarding data subjects in the EEA, UK, or Switzerland whose information is provided from Customer to AppHub for processing pursuant to the Agreement and this DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:

Customer does not require data subjects to provide special category information, but data subjects may optionally provide such information, and the restrictions and safeguards applicable are as shown in Exhibit A. Customer is responsible for ensuring that the Processing of Personal Information under this DPA is lawful so long as AppHub and its subprocessors are in compliance with the requirements of the Agreement.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis for as long as Customer is engaging AppHub to provide the Services.

Nature of the processing:

The nature of the Processing is as set forth in the Agreement and any relevant orders or statements of work.

Purpose(s) of the data transfer and further processing:

The purposes for the data transfer are to facilitate AppHub’s provision of Services pursuant to the Agreement and any relevant Statements of Work.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law and record-keeping requirements.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Transfers to subprocessors are for the same purposes as transfers to the processor.

  1. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland Data Protection Commissioner

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

See Exhibit A.

Exhibit A

APPHUB DATA SECURITY MEASURES

AppHub implements and maintains the following administrative, technical, physical, and organizational security measures for the Processing of Personal Information:

AppHub’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Information (“Data Personnel”). AppHub’s security requirements cover the following areas:

  1. Information Security Policies and Standards. AppHub will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Information.
  2. Physical Security. AppHub will maintain commercially reasonable security systems at all AppHub sites at which an information system that uses or stores Personal Information is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
  3. Organizational Security. AppHub will maintain information security policies and procedures addressing data disposal, data minimization, data classification, and incident response protocols.
  4. Network Security. AppHub maintains commercially reasonable information security policies and procedures addressing network security.
  5. Access Control. AppHub agrees that: (1) only authorized AppHub staff can grant, modify or revoke access to an information system that Processes Personal Information; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
  6. Virus and Malware Controls. AppHub protects Personal Information from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Information.
  7. Personnel. AppHub has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
  8. Subcontractor security. AppHub shall only select and contract with subcontractors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in the Addendum and this Exhibit.

Business Continuity. AppHub implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. AppHub also adjusts its Information Security Program in light of new laws and circumstances, including as AppHub’s business and Processing change.

Exhibit B

Current Subprocessors

Entities