This Addendum discloses the privacy practices of Outrun Global Limited and its subsidiaries (collectively, "Outrun" or "we", "us" and "our"). This Data Processing Addendum forms part of, and is subject to the provisions of, the Outrun Global Terms of Service.
1. Additional Definitions
The following definitions apply solely to this Data Processing Addendum:
- the terms "controller", "data subject", "personal data", "process," "processing" and "processor" have the meanings given to these terms in EU Data Protection Law.
- "Breach" means a breach of the Security Measures resulting in access to equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Your Controlled Data transmitted, stored or processed by us on your behalf.
- "User Content" means content that users of the services (whether you or others) may provide to us, including without limitation text, photos, images, audio, video, code and any other materials.
- "End Users" means the visitors, customers and users of your Sites.
- "Content" means your User Content and any content provided to us by your End Users, including without limitation text, photos, images, audio, video, code, and any other materials.
- "EU Data Protection Law" means any data protection or data privacy law or regulation of Switzerland or any European Economic Area ("EEA") country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.
- "GDPR" means the EU General Data Protection Regulation 2016/679.
- "Security Measures" means technical and organisational measures employed by us to protect Your Controlled Data from unauthorised access, loss, or damage. These measures are designed to provide a level of security appropriate to the risk and include controls such as data encryption, access restrictions, and regular security monitoring.
- "Sub-Processor" means an entity engaged by us to process Your Controlled Data.
- "Your Controlled Data" means the personal data in the content we process on your behalf and on your instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to your site) with respect to your End Users' interactions with your site through their browser and technologies like cookies.
2. Applicability
This Data Processing Addendum only applies to you if you or your End Users are data subjects located within the EEA or Switzerland and only applies in respect of Your Controlled Data. You agree that we are not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.
3. Details of Data Processing
- Subject Matter. The subject matter of the data processing under this Data Processing Addendum is Your Controlled Data.
- Duration. As between you and us, the duration of the data processing under this Data Processing Addendum is determined by you.
- Purpose. The purpose of the data processing under this Data Processing Addendum is the provision of the Services initiated by you from time to time.
- Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.
- Type of Personal Data. Your Controlled Data relating to you, your End Users or other individuals whose personal data is included in Content which is processed as part of the Services in accordance with instructions given through your Account.
- Categories of Data Subjects. You, Your End Users and any other individuals whose personal data is included in Content.
4. Processing Roles and Activities
- We as the Processor and You as the Controller. You are the controller and we are the processor of Your Controlled Data.
- We as the Controller. We may also be an independent controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users' interactions with Your Site, you receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.
- Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified from within your Account (the "Purpose"). For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to integrate content or features from a social media platform on your site; or (b) email your End Users on your behalf.
- Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Addendum. We will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
5. Our Processing Responsibilities
- How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through your Account. You agree that the Agreement and the instructions given through your Account are your complete and final documented instructions to us in relation to Your Controlled Data. Additional instructions outside the scope of this Data Processing Addendum require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under the law to preserve the confidentiality of a law enforcement investigation or request.
- Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under applicable EU Data Protection Laws. We will assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR and provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgement by us of any fault or liability of ours with respect to the Breach. Despite the foregoing, our obligations under this Section do not apply to incidents that are caused by you, any activity on your Account and/or Third-Party Services.
- Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf and on your instructions.
- Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services, your Account or otherwise, provide reasonable assistance to you in respect of the fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
- Security Measures. We will maintain the Security Measures. We may change these Security Measures but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorised by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this Data Processing Addendum, to the extent applicable to the nature of the Services provided by such Sub-Processor.
- Customer Audits and Information Requests. You agree to exercise any right you may have to conduct an audit or inspection by instructing us to carry out the audit to verify the adequacy of our Security Measures. You will pay our costs in considering and addressing any Request. Any information and documentation provided by us or our auditors will be provided at your cost. If we decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected services.
- Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this Data Processing Addendum, we shall, where such information is not otherwise available to you, provide you with written responses. The information to be made available by us under this Section 5.9 is limited solely to that information necessary, taking into account the nature of the Services and the information available to us, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with us before we share any such information with you.
- Requests. You can delete or access a copy of some of Your Controlled Data through your site admin. For any of Your Controlled Data which may not be deleted or accessed through your site admin, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor's possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body, return such data and copies of such data to you.
6. Data Transfers
You authorise us to transfer Your Controlled Data away from the country in which such data was originally collected.
7. Liability
The liability of each party under this document is subject to the exclusions and limitations of liability set out in this document, our Terms of Service and Privacy Policy ("Agreement"). You agree that any penalties or claims by data subjects, customers or others incurred by us in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Addendum or EU Data Protection Law shall reduce our maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.
8. Conflict
In the event of a conflict between this Data Processing Addendum and the Terms of Service, this Data Processing Addendum shall apply and shall be paramount and will supersede the conflicting provisions.
9. Miscellaneous
You are responsible for any costs and expenses arising from our compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Addendum) which fall outside the standard functionality made available by us.