StoryTap Data Processing Addendum
LAST UPDATED: MAY 2023
This Data Processing Addendum (the “Addendum”) forms part of the Terms of Service, available at https://storytap.com/terms/, as updated from time to time between you and StoryTap (as defined below) or other agreements between you and StoryTap governing your use of the StoryTap Application and any other services (“Services”) purchased by you from StoryTap (“Agreement”) when the GDPR applies to your use of the Services to process Client Personal Data.
The terms used in this Addendum shall have the meanings set forth in this Addendum and capitalized terms not defined herein shall have the meaning set forth in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum. Each reference to the Addendum in this Addendum means this Addendum including its Schedules and Appendices.
If you have any questions or concerns with respect to this Agreement or the Services, you may contact the Company at email@example.com.
In the course of providing the Services to Client pursuant to the Agreement, Provider may Process Personal Data on behalf of Client and the parties agree to comply with the following provisions with respect to any Personal Data.
Client Personal Data means any Personal Data Processed by StoryTap (or a Subprocessor) on behalf of Client pursuant to or in connection with the Agreement;
Data Protection Laws means all laws and regulations, including laws and regulations of the UK, the European Union, the European Economic Area and their member states, and the GDPR, applicable to the Processing of Client Personal Data under the Agreement and applicable to Client, including:
i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “EU GDPR”); and ii) the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018 (the “UK GDPR”).
StoryTap means StoryTap Technologies Inc. and any affiliate entity (“Affiliate Entity” being any corporation, partnership, limited liability company or other form of legal entity, which directly or indirectly controls, is controlled by or is under joint control, from time to time);
Sub-processor means any person (including any third party, but excluding an employee of Provider or any of its sub-contractors) appointed by or on behalf of Processor to Process Personal Data on behalf of Client under the Agreement;
Subsidiary means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;
Security Documentation means the security documents located at https://storytap.com/terms/ as amended from time to time, or as otherwise made available by the Processor to the Controller.
Standard Contractual Clauses means:
i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and ii) where the UK GDPR applies, the template Addendum B.1.0 issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 (“UK Approved Addendum”) and the accompanying Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any further version published by the Information Commissioner’s Office (“UK Mandatory Clauses”).
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Processing”, “Processor”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and shall be construed accordingly.
2.1 Legal Authority. Client signatory represents to StoryTap that he or she has the legal authority to bind Client and is lawfully able to enter into contracts.
2.2 Termination. This Addendum will terminate upon the earliest of: (i) termination of StoryTap’s Terms and Conditions (and without prejudice to the survival of accrued rights and liabilities of the parties and any obligations of the parties which either expressly or by implication survive termination); (ii) earlier termination pursuant to the terms of this Addendum; or (iii) as agreed by the parties in writing.
3. Processing of Personal Data
3.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Data Controller, StoryTap is a Data Processor and that StoryTap will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
3.2 Client Authority. Client represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the instruction set forth in Section 3.4 below on behalf of itself.
3.3 Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. In addition, Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Personal Data provided by the Client shall not contain information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning an individual’s sex life or sexual orientation (“Special Categories of Data”).
3.4 StoryTap Processing of Personal Data.
a) StoryTap shall only Process Client Personal Data for the purpose of the provision of the Services under the Agreement and in accordance with Client’s documented instructions which are consistent with the terms of the Agreement, unless Processing is required by Data Protection Laws to which StoryTap (or the applicable sub-processor) is subject, in which case StoryTap shall to the extent permitted by the Data Protection Laws inform Client of that legal requirement before the relevant Processing of that Client Personal Data.
b) This Addendum, the Agreement, and any Order Forms thereunder, are Client’s complete and final instructions to StoryTap for the Processing of Client Personal Data. Any additional or alternate instructions must be agreed upon separately.
c) The following are deemed instructions of the Client to StoryTap: The processing of Client Personal Data (i) in accordance with the Agreement, this Addendum and any Order Forms under the Agreement, including without limitation with the transfer of Client Personal Data to any country or territory; and (ii) to comply with other documented instructions provided by Client where such instructions are consistent with the terms of the Agreement.
d) StoryTap is permitted to share information relating to this Data Processing Agreement or obtained pursuant to this agreement with StoryTap’s Subsidiaries to the extent necessary for the provision of the Services in accordance with clause 5. StoryTap may aggregate and anonymise Client Personal Data (such that it ceases to become Client Personal Data) in order to create reports, provide and improve the StoryTap Services and the services of its Subsidiaries, and to provide better functionality to StoryTap’s and StoryTap’s Subsidiaries’ clients.
3.5 Details of the Processing. The subject-matter of Processing of Client Personal Data by StoryTap is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects Processed under this Addendum, as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws), are further specified in Exhibit A to this Addendum, as may be amended by the parties from time to time.
3.6 If the Processor provides Services to multiple Customer Group Members, each such individual Customer Group Member shall be considered to be a Controller for Customer Personal Data related to that particular Customer Group Member and, in addition to Customer, shall be entitled to enforce the terms and conditions of this DPA on Processor. In such a case the reference to Customer in this DPA shall be read as a reference to the relevant Customer Group Member.
4. StoryTap Personnel
Throughout the term of this Addendum, StoryTap shall restrict its personnel from Processing Client Personal Data without authorization by StoryTap and shall limit the Processing to that which is needed for the specific individual’s job duties in connection with StoryTap’s provision of the Services under the Agreement. StoryTap will impose appropriate contractual obligations on its personnel, including relevant obligations regarding confidentiality, data protection and data security.
5. Sub-processors
5.1 Appointment of Sub-Processors. The Client acknowledges and agrees that: (i) Subsidiaries of StoryTap may be used as Sub-processors; and (ii) StoryTap and its Subsidiaries respectively may engage Sub-processors in connection with the provision of the Services.
5.2 List of Current Sub-processors and Notification of New Sub-processors. When requested by the Client, StoryTap shall make available to Client an up-to-date list of all Sub-processors used for the processing of Client Personal Data.
5.3 Sub-processing Agreement; Liability. StoryTap has or shall enter into a written agreement with each Sub-processor (the “Sub-processing Agreement”) containing data protection obligations not less protective than those in the Agreement and/or this Addendum with respect to the protection of Client Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. StoryTap shall be liable for the acts and omissions of its Sub-processors to the same extent StoryTap would be liable if performing the services of each Sub-processor directly under the terms of this Addendum to the maximum value of the contracted services.
6.1 Adequate Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, StoryTap shall in relation to the Client Personal Data implement and maintain throughout the term of this Addendum the technical and organizational measures set forth in Exhibit B (the “Security Measures”). Client acknowledges and agrees that it has reviewed and assessed the Security Measures and deems them appropriate for the protection of Client Personal Data.
6.2 Personal Data Breach Risk. In assessing the appropriate level of security, StoryTap shall take account of the risks that are presented by Processing, in particular from an incident of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Client Personal Data (“Personal Data Breach”).
7. Data Subject Rights
7.1 Correction, Blocking and Deletion. StoryTap shall comply with any commercially reasonable request by Client to correct, amend, block, or delete Client Personal Data, as required by Data Protection Laws, to the extent StoryTap is legally permitted to do so.
7.2 Measures to assist with Data Subject Rights. Taking into account the nature of the Processing, StoryTap shall assist Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client’s obligations, as reasonably understood by Client, to respond to requests to exercise Data Subject rights under the Data Protection Laws. To the extent legally permitted, Client shall be responsible for any costs arising from StoryTap’s provision of such assistance.
7.3 Response to Requests. StoryTap shall promptly notify Client if it or any Sub-processor receives a request from a Data Subject under any Data Protection Laws & Regulation in respect of Client Personal Data.
8. Personal Data Breach
8.1 Notification of Data Breach. StoryTap shall, to the extent permitted by law, notify Client without undue delay upon StoryTap or any Sub-processor becoming aware of a Personal Data Breach, providing Client with sufficient information to allow Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2 Assistance. StoryTap shall cooperate with Client and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
9.1 StoryTap shall provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Client reasonably considers to be required of it by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law & Regulation, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, StoryTap or the Sub-processors.
10. Return or Destruction of Personal Data
10.1 Return or Deletion. Subject to the provisions of Section 10.2 below, at Client’s election, made by written notice to StoryTap following 90 days of the date of cessation of any Services involving the Processing of Client Personal Data (the “Cessation Date”), StoryTap shall, and shall procure that all Sub-processors delete and procure the deletion of all other copies of Client Personal Data Processed by StoryTap or any Sub-processor. StoryTap shall comply with any such written request within 90 days of the Cessation Date.
10.2 Retention of Copies. StoryTap and each Sub-processor may retain Client Personal Data to the extent required by applicable European Union law or the law of an EU Member State and only to the extent and for such period as required by such laws and always provided that StoryTap shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in such law requiring its storage and for no other purpose.
11. Transfer of Data
11.1 Standard Contractual Clauses. Where Personal Data relating to an EU or UK Data Subject is transferred outside of the EEA it shall be processed only by entities which: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place, such as a certification under the EU-US Privacy Shield (to the extent in force and applicable) or Binding Corporate Rules.
11.2 Applicability. Section 11.1 shall not apply to a cross border transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant cross border transfer to take place without breach of applicable Data Protection Law and Regulation (a “Restricted Transfer”).
11.3 Transfers between Client and StoryTap. The Standard Contractual Clauses apply to (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all affiliates of Client, if any, established within the UK, the European Economic Area (EEA) and Switzerland that have purchased Services on the basis of an Order Form. For the purpose of the Standard Contractual Clauses and this Section 12, the Client and its affiliates shall be deemed to be “Data Exporters” and the following terms shall apply:
a) in relation to Client Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
i) Module Two will apply;
ii) in Clause 7, the optional docking clause will apply;
iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.3 of this Agreement;
iv) in Clause 11, the optional redress mechanism will not apply;
v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit A to this Agreement (Details of the Processing);
viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Exhibit B to this Agreement (Security Measures).
b) In relation to Client Personal Data that is protected by the UK GDPR, the parties agree that the EU SCCs subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this Agreement. The parties hereby agree that in relation to the UK Addendum:
i) the information required for Table 1 is contained in Exhibit A of this Agreement and the start date shall be deemed dated the same date as the EU SCCs;
ii) in relation to Table 2, the version of the EU SCCs to which the UK Approved Addendum applies shall be Module Two;
iii) in relation to Table 3, the description of the transfer is as set out in Exhibit A, StoryTap’s technical and organisational measures are as set out in Exhibit B, and the list of StoryTap sub-processors is as provided by StoryTap from time to time and under Clause 5 of this Agreement; and
iv) in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.
11.4 Sub-processors. StoryTap warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor, it shall ensure that one of the following is in place: (i) the Standard Contractual Clauses are at all relevant times incorporated into the agreement between StoryTap, or a relevant intermediate Sub-processor, on the one hand and Sub-processor on the other hand; (ii) that Sub-processor enters into an agreement incorporating the Standard Contractual Clauses with Client or that (iii) StoryTap’s entry into the Standard Contractual Clauses under Section 12.1 above as agent for and on behalf of that Sub-processor, will have been duly and effectively authorized (or subsequently ratified) by that Sub-processor.
11.5 Conflict. In the event of any conflict or inconsistency between the body of this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
12. Jurisdiction and Governing Law
12.1 Law. Save for as specified in relation to the Standard Contractual Clauses, this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws in which the data exporter is established.
12.2 Jurisdiction. With respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity the parties submit to the jurisdiction of the competent courts in which the data exporter is established.
13. Indemnification; Limitation of Liability
If one party is held liable for a violation of this Addendum or, if applicable, any provision of the Standard Contractual Clauses, committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred in accordance with the provisions of the “Indemnification” Section of the Agreement. Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement. For the avoidance of doubt, StoryTap’s total liability for all claims from the Client or any third party arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.
Exhibit A: Details of the Processing
Processor / Data Importer:
Name: StoryTap Technologies Inc.
Address: 1200-555 West Hasting Street, Vancouver, BC, Canada, V6B 4N6
Contact person’s name, position and contact details: Sean Braacx, CTO, firstname.lastname@example.org
Activities relevant to the data transferred under these Clauses: Client receives the Services described in the Terms.
Role (controller/processor): Processor
Description of Transfer
Duration of the Processing: The duration of data processing shall be for the term agreed between data exporter and Provider in the Agreement or an applicable Order Form.
Nature and Purpose of the Processing: The scope and purpose of processing of the data subjects’ personal data is to facilitate the provision of Provider’s and its Subsidiaries’ Services.
Types of Client Personal Data: The personal data transferred includes e-mail, name, IP address, video content, purchase information such as SKU and other data in an electronic form provided in the context of Provider’s Services, which shall not include any Special Categories of Data.
Categories of Data Subjects: Data subjects include the Client’s representatives and end users including employees, contractors, collaborators, and Client’s customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of Provider’s Services. The data subjects exclusively determine the content of data submitted to Provider.
Frequency of Transfer: Continuous
Competent Supervisory Authority: Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office.
Exhibit B: Security Measures
Data Importer’s personnel will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.
2. Data Privacy Contact
StoryTap Technologies Inc.
Attn: Sean Braacx – StoryTap CTO
1200-555 West Hasting Street, Vancouver, BC, Canada, V6B 4N6
3. Technical and Organizational Measures
The Data Importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
3.1 Organization of Information Security.
a) Security Roles and Responsibilities. The Data Importer has appointed Sean Braacx as the security officer responsible for coordinating and monitoring the security rules and procedures.
b) Duty of Confidentiality. The Data Importer’s personnel with access to customer data are subject to confidentiality obligations.
3.2 Risk Management. The Data Importer conducts regular testing and monitoring of the effectiveness of its safeguards, controls and systems, including conducting penetration testing. The Data Importer implements measures, as needed, to address discovered vulnerabilities in a timely manner.
3.3 Storage. The Data Importer’s database servers are hosted in a data center operated by a third party vendor that has been qualified per the Data Importer’s vendor management procedure. The Data Importer maintains complete administrative control over the virtual servers, and no third-party vendors have logical access to customer data.
3.4 Asset Management.
a) Asset Inventory. The Data Importer maintains an inventory of all media on which customer data is stored. Access to the inventories of such media is restricted to authorized personnel.
i) The Data Importer employees are required to utilize encryption to store data in a secure manner.
ii) The Data Importer imposes restrictions on printing customer data.
iii) The Data Importer’s personnel must obtain authorization prior to storing customer data on portable devices, remotely accessing customer data, or processing customer data outside the Data Importer’s facilities.
3.5 Software Development and Acquisition. For the software developed by Data Importer, Data Importer follows secure coding standards and procedures set out in its standard operating procedures.
3.6 Change Management. Data Importer implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for the Data Importer’s software, information systems or network architecture. These change management procedures include appropriate segregation of duties.
3.7 Third Party Provider Management. In selecting third party providers who may gain access to, store, transmit or use customer data, Data Importer conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
3.8 Human Resources Security. The Data Importer informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.
3.9 Physical and Environmental Security.
a) Physical Access to Facilities. The Data Importer limits access to facilities where information systems that process customer data are located to identified authorized individuals who require such access for the performance of their job function. Data Importer terminates the physical access of individuals promptly following the date of the termination of their employment or services or their transfer to a role no longer requiring access to customer data.
b) Physical Access to Components. The Data Importer maintains records of the incoming and outgoing media containing customer data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of customer data they contain.
c) Protection from Disruptions. The Data Importer uses commercially reasonable systems and measures to protect against loss of data due to power supply failure or line interference.
d) Component Disposal. The Data Importer uses commercially reasonable processes to delete customer data when it is no longer needed.
3.10 Communications and Operations Management.
a) Security Documents. The Data Importer maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel.
b) Data Recovery Procedures.
i) On an ongoing basis, the Data Importer maintains multiple copies of customer data from which it can be recovered.
ii) The Data Importer has procedures in place governing access to copies of customer data.
iii) The Data Importer has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data.
c) Encryption; Mobile Media. The Data Importer uses HTTPS encryption on all data connections.
d) Event Logging. The Data Importer logs the use of its data-processing systems and maintains those logs for at least 3 months.
3.11 Access Control.
a) Records of Access Rights. The Data Importer maintains a record of security privileges of individuals having access to customer data.
b) Access Authorization.
i) The Data Importer maintains and updates a record of personnel authorized to access systems that contain customer data.
ii) The Data Importer deactivates authentication credentials of employees or contract workers immediately upon the termination of their employment or services.
iii) The Data Importer identifies those personnel who may grant, alter, or cancel authorized access to data and resources.
c) Least Privilege.
i) Technical support personnel are only permitted to have access to customer data when needed for the performance of their job function.
ii) The Data Importer restricts access to customer data to only those individuals who require such access to perform their job function.
d) Integrity and Confidentiality.
i) The Data Importer instructs its personnel to disable administrative sessions when leaving the Data Importer’s premises or when computers are unattended.
ii) The Data Importer stores passwords in a way that makes them unintelligible while they are in force.
e) Authentication.
i) The Data Importer uses commercially reasonable practices to identify and authenticate users who attempt to access information systems.
ii) Where authentication mechanisms are based on passwords, the Data Importer requires the password to be at least twelve characters long.
iii) The Data Importer ensures that de-activated or expired identifiers are not granted to other individuals.
iv) The Data Importer maintains commercially reasonable procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
v) The Data Importer uses commercially reasonable password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
f) Network Design. The Data Importer has controls to avoid individuals assuming access rights they have not been assigned to gain access to customer data they are not authorized to access.
3.12 Network Security.
a) Network Security Controls. Data Importer’s information systems have security controls designed to detect and mitigate attacks by using logs and alerting.
b) Antivirus. Data Importer implements endpoint protection on its hosting environments including security releases in accordance with Data Importer’s server change control procedures.
3.13 Information Security Incident Management.
a) Record of Breaches. The Data Importer maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
b) Record of Disclosure. The Data Importer tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time.
3.14 Business Continuity Management. The Data Importer employs redundant storage and its procedures for recovering data are designed to attempt to reconstruct customer data in its original state from before the time it was lost or destroyed.