- 1.1 Tartabit’s provision of the Services to Customer involves processing ‘personal data’ or ‘personal information’, as defined under applicable data protection and privacy laws. This Data Protection Addendum (the “Addendum”) seeks to regulate Tartabit’s processing of such data.
- 1.2 The Addendum consists of three parts:
- (a) EU Data Security and Privacy Provisions, which apply to the extent specified in Section 2 below.
- (b) California Privacy Provisions, which apply to the extent specified in Section 3 below.
- (c) General Data Security and Privacy Provisions, which apply to the extent specified in Section 4 below.
- 1.3 In addition, for purposes of Annex A, the following words shall have the following meanings:
- (a) “Data Protection Laws” shall mean the GDPR, its implementing legislation and all applicable laws and regulations relating to Personal Data and privacy that are enacted from time to time in any relevant jurisdiction, including (where applicable) relevant guidance and codes of practice issued by any competent authority.
- (b) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as applied, modified, added to, limited, widened, substituted, replaced or repealed by law or regulation (and references to any Article or provision of the Regulation shall be interpreted accordingly).
- (c) “Personal Data” shall mean any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (including Special Categories of Personal Data defined below and as listed in Article 9(1) of GDPR).
- (d) “Personal Data Breach” shall mean accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.
- (e) "Privacy Notice" shall mean Tartabit's Privacy Policy as such appears on its website at: https://docs.tartabit.com/legal/privacy-policy/.
- (f) “Special Categories of Personal Data” shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and data consisting of information as to the commission or alleged commission of any offense or any proceedings for any offense or alleged offense or the disposal of such proceedings or the sentence of any court in such proceedings.
- (g) "Products" shall mean software delivered to the Customer, hosted and operated by the Customer without the involvement of Tartabit.
- (h) “Application Services” shall mean those software platforms used by the Customer or its End Users to receive the Services hosted and operated by Tartabit.
To the extent applicable, the terms capitalized herein that are not otherwise defined shall have such meaning attributed to them by the GDPR.
2. EU DATA SECURITY AND PRIVACY
- 2.1 Subject to Section 2.3 below, where the Tartabit entity or Customer entity that enters into this agreement is a Controller or a Processor established in the EU, Annex A shall apply to the Processing of Personal Data, regardless of whether the Processing takes place in the Union or not.
- 2.2 Subject to Section 2.3 below, Annex A also applies to the Processing of personal data of Data Subjects who are in the EU by a Controller or Processor not established in the Union, where the Processing activities are related to either the offering of goods or services to those Data Subjects or to the monitoring of their behavior as far as their behavior takes place within the EU.
- 2.3 To the extent that the conditions set out in Section 2.1 and 2.2 above are met, then depending on the Services ordered by the Customer the Annexes shall apply as follows:
- (a) where the Customer orders Application Services and/or Units – Annex A shall apply.
- 3.1 To the extent that the Services involve processing personal information governed by the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §1798.100 et seq.).
- 3.2 Definitions. In Annex B, the following terms shall have the meaning attributed to them under the CCPA (Cal. Civ. Code §1798.140): ‘consumer’, ‘personal information’, ‘processing’, ‘selling’, ‘service provider’. Additionally, the term “Unit” shall have such meaning as specified in Section 1.4(g) above.
4. GENERAL DATA SECURITY AND PRIVACY
To the extent that the Services involve processing personal information that is not covered by Annexes A or B, then the provisions of Annex C shall apply.
ANNEX A: Application Services and Products
1. DATA SECURITY AND PRIVACY
- 1.1 Tartabit may Process Personal Data related to the use and provision of the Services (the "Processed Data").
- 1.2 The Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the Units, logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Platform Services and Products, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units.
- 1.3 Processed Data is subject to the GDPR. Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers").
- 1.4 Customer grants Tartabit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Tartabit to provide the Services.
- 1.5 If the Order Form of the Agreement specifies a geographical region in which the servers hosting and operating the Platform Services and Products shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Platform Services and Products offerings ordered by Tartabit, Tartabit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Tartabit may transfer, store and Process the Processed Data outside of the European Economic Area or outside the country in which the End-users of the Units are located and/or outside the country in which the Processed Data is collected (including in the USA), and in jurisdictions which do not provide the same level of data protection as does the jurisdiction in which the Customer is incorporated or conducts business.
- 1.6 Tartabit Processes the Processed Data for the following purposes:
- 1.6.1 to provide the Services;
- 1.6.2 conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;
- 1.6.3 to bill and collect fees;
- 1.6.4 enforce the Agreement;
- 1.6.5 take any action in any case of dispute, or legal proceeding of any kind involving Customer, End Users, or other third parties, with respect to the Services;
- 1.6.6 to prevent:
- (a) fraud;
- (b) misappropriation;
- (c) infringements; and
- (d) identity theft and other illegal activities and misuse of the Services.
- 1.7 If Tartabit is required, or reasonably believes it is required, by law, to share or disclose Processed Data, or if such sharing or disclosure is required pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority, provided that, to the extent legally permitted, Tartabit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the Processed Data.
- 1.8 It is Customer’s responsibility as the Controller of the Personal Data it Processes through Tartabit to comply with the GDPR requirements including (without limitation) by:
- 1.8.1 transferring the Personal Data to Tartabit only as necessary for Tartabit to provide the Services as a Processor;
- 1.8.2 having a lawful basis for Processing the Personal Data through Tartabit;
- 1.8.3 providing all the information required to be provided by the GDPR, in the applicable circumstances (the "Required Information"), to the relevant individuals concerning the Processing of their Personal Data; and
- 1.8.4 exercising responsibility for responding to Data Subject access requests in relation to Personal Data that Customer has Processed through Tartabit.
- 1.9 Neither Tartabit nor its licensors claim ownership of the Processed Data submitted for use with the Services. The Customer shall be the Data Controller and Tartabit the Data Processor, save in respect of Service security, performance and operability data, for which Tartabit is the Data Controller. Tartabit’s EU Privacy Notice describes Tartabit’s Processing activities as Controller, in accordance with GDPR requirements.
- 2.1 Tartabit will act only on documented instructions from the Customer in relation to the Processing of Personal Data (including those set out in the Agreement) unless Processing is required by Data Protection Laws to which Tartabit is subject, in which case Tartabit shall to the extent permitted by such Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that data.
- 2.2 Tartabit shall ensure that all persons authorized to Process Personal Data in relation to the Services have committed themselves to confidentiality in respect of the data.
- 2.3 Tartabit shall assist the Customer, as far as is possible, in fulfilling the Customer’s obligation to respond to the requests of Data Subjects seeking to exercise their rights under the GDPR, in so far as they relate to the provision of the Services.
- 2.4 To ensure the security of the Personal Data that Tartabit Processes on the Customer’s behalf, and to safeguard the rights of Data Subjects, Tartabit has put in place and will maintain technical and organizational measures appropriate to the risks associated with the Services.
- 2.5 On receiving a written request, Tartabit shall assist the Customer in meeting the Customer’s GDPR obligations in relation to the following:
- (a) the security of the Processing of Personal Data in relation to the Services;
- (b) the notification of Personal Data breaches where required; and
- (c) the conduct of data protection impact assessments, where necessary.
- 2.6 Upon termination of the Services and the Customer’s written request, Tartabit shall either delete or return all Personal Data to the Customer, unless Tartabit is legally obliged to keep such data.
- 2.7 Upon Customer’s written request, Tartabit shall provide the Customer with information necessary to demonstrate Tartabit’s compliance with the obligations set out in this Section 2, and shall allow for and contribute to audits, including inspections, conducted by the Customer in relation to the Processing activities connected to the provision of the Services. The Customer’s right to audit will be limited to once in any twelve-month period, and limited in time to a maximum of two (2) business days and in the scope reasonably agreed in advance between the parties. Reasonable advance notice of at least sixty (60) days is required, unless a Data Protection Law requires earlier audit. Tartabit will use current certifications or other audit reports to minimise unnecessary and repetitive audits. The parties will each bear their own expenses of audit. If an audit determines that Tartabit has breached its obligations under the Agreement, Tartabit will promptly remedy the breach at its own cost.
- 2.8 Tartabit will promptly inform the Customer if Tartabit becomes aware of any Personal Data Breach that is confirmed or suspected with reasonable certainty involving Personal Data of the Customer.
- 2.9 Tartabit shall immediately inform the Customer if an instruction relating to this Section 2 would, in Tartabit’s opinion, infringe the GDPR or other Data Protection Laws of the EU or an EU Member State having jurisdiction over the Agreement.
- 2.10 Tartabit shall not engage any sub-Processors to assist in providing the Services, unless Tartabit has:
- (a) entered into a written contract with the sub-Processor that obligates the sub-Processor to comply with all relevant obligations applicable to Tartabit under this Addendum.
- 2.11 A list of Tartabit’s existing sub-Processors, their roles, and the location of the Processing carried out by them is available in Annex D. Customer can sign-register online to receive advance notifications of changes to the list of sub-Processors. By entering into the Agreement, the Customer agrees that Tartabit may use these sub-Processors (as shall be updated from time to time) for the purposes of providing the Services.
- 2.12 Where Tartabit's use of a sub-Processor involves the transfer of Personal Data to countries outside of the EEA for which the EU Commission has not made an 'adequacy' decision for the purposes of cross-border data transfers pursuant to Article 45 of the GDPR, then Tartabit, acting on behalf of the Customer as the "data exporter", shall enter with the sub-Processor into appropriate standard data protection clauses pursuant to Articles 46(2)(c) and 46(5) of the GDPR. To this end, Customer authorizes Tartabit to enter into such standard data protection clauses on behalf of the Customer.
- 3.1 Tartabit shall only be liable for processing Customer’s personal information where Tartabit has not complied with its obligations under this Annex A.
- 1.1 Tartabit will, and Customer grants Tartabit a right to, collect, process, manipulate and retain information and data related to the use and provision of the Services (the "Processed Data"). Customer acknowledges and agrees that Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the Units, logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Platform Services and Products, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units. The parties acknowledge and agree that Processed Data may include personal information.
- 1.2 Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers"). Customer grants Tartabit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Tartabit to provide the Services.
- 1.3 If the Order Form specifies a geographical region in which the servers hosting and operating the Platform Services and Products shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Platform Services and Products offerings ordered by Tartabit, Tartabit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Tartabit may store and process the Processed Data elsewhere.
- 2.1 The Customer represents and warrants that it has obtained and will maintain valid, and further undertakes to provide Tartabit upon its request, copies of documents substantiating, any and all authorizations, permissions and informed consents, including those of individuals about whom the Processed Data may include personal information, as may be necessary under applicable laws and regulations, in order to allow Tartabit to lawfully collect, transfer, store, handle, retain, process and use the Processed Data in the manners and for the purposes set forth in this Annex C.
- 3.1 The parties acknowledge and agree that Tartabit is a service provider. To that end, and unless otherwise required by law:
- 3.1.1 Tartabit is prohibited from retaining, using or disclosing Customer’s personal information for: (i) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide, the Services; (ii) ‘selling’ Customer’s personal information; and (iii) retaining, using or disclosing the Customer’s personal information outside of the direct business relationship between the parties. Tartabit certifies that it understands the restriction specified in this subsection and will comply with it.
- 3.1.2 If Tartabit receives a request from a consumer about his or her personal information, Tartabit shall not comply with the request itself, and shall promptly inform the consumer that Tartabit’s basis for denying the request is that Tartabit is merely a service provider that follows Customer’s instructions, and promptly inform the consumer that they should submit the request directly to the Customer and provide the consumer with the Customer’s contact information.
- 4.1 Customer authorizes Tartabit to subcontract any of its Service-related activities which include the processing of personal information or requiring personal information to be processed by any Third Party Providers. Tartabit shall ensure that Third Party Providers are bound by obligations consistent with this Annex C. However, Tartabit has no responsibility for any actions taken by such Third Party Providers with respect to the Processed Data. Customer specifically waives any and all claims against Tartabit with respect to any actions (or failure to take action) of any Third Party Provider.
- 5.1 At the end of the term of the Agreement, if no subsequent further processing is required by Tartabit, Tartabit shall, at the choice of the Customer, either delete, destroy or return to Customer, the personal information that Tartabit and its third party suppliers process for Customer. The Customer agrees that Tartabit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data, after the end of the term of the Agreement.
- 6.1 Tartabit shall assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the consumer rights under the CCPA.
- 7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Tartabit’s processing of personal information for Customer, as well as the nature of personal information processed for Customer, Tartabit shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
- 8.1 Tartabit shall only be liable for processing Customer’s personal information where Tartabit has not complied with its obligations under this Annex B.
- 9.1 For the avoidance of doubt, this Annex B does not apply to Tartabit’s processing Customer’s personal information for any of the following:
- 9.1.1 Administration of the contractual relationship with the Customer (including liaising with Customer’s staff, billing and collecting fees, enforcing the Agreement);
- 9.1.2 Tartabit’s marketing activities to the Customer;
- 9.1.3 Taking any action in any case of dispute, or legal proceeding of any kind involving Relevant Third Parties or relevant vendors, with respect to the Services;
- 9.1.4 Compiling statistical and other information related to the performance, operation and use of the Services, and using data from the Services in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively, "Service Analyses"). Tartabit may make Service Analyses publicly available, however, Service Analyses will not incorporate Processed Data in a form that could serve to identify Customer or any individual. Tartabit retains all intellectual property rights in Service Analyses;
- 9.1.5 Where Tartabit is required, or reasonably believes it is required, by law, to share or disclose Customer’s personal information, such as, by way of example only, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority. To the extent legally permitted, Tartabit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the personal information.
ANNEX C: General Data Security and Privacy
- 1.1 Tartabit will, and Customer grants Tartabit a right to, collect, process, manipulate and retain information and data related to the use and provision of the Services (the "Processed Data"). Customer acknowledges and agrees that Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the devices used in the Application Services and Products ("Units"), logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Platform Services and Products, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units. The parties acknowledge and agree that Processed Data may include information that relates to individuals (“Personal Information”).
- 1.2 Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers"). Customer grants Tartabit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Tartabit to provide the Services.
- 1.3 If the Order Form specifies a geographical region in which the servers hosting and operating the Platform Services and Products shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Platform Services and Products offerings ordered by Tartabit, Tartabit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Tartabit may store and process the Processed Data elsewhere.
- 2.1 The Customer represents and warrants that it has obtained and will maintain valid, and further undertakes to provide Tartabit upon its request, copies of documents substantiating, any and all authorizations, permissions and informed consents, including those of individuals about whom the Processed Data may include Personal Information, as may be necessary under applicable laws and regulations, in order to allow Tartabit to lawfully collect, transfer, store, handle, retain, process and use the Processed Data in the manners and for the purposes set forth in this Annex D.
- 3.1 Tartabit will only use the Processed Data as follows:
- 3.1.1 To provide the Services, conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;
- 3.1.2 For administration of the contractual relationship with the Customer (including liaising with Customer’s staff, billing and collecting fees, enforcing the Agreement);
- 3.1.3 For Tartabit’s marketing activities to the Customer;
- 3.1.4 To take any action in any case of dispute, or legal proceeding of any kind involving Relevant Third Parties or relevant vendors, with respect to the Services;
- 3.1.5 To compile statistical and other information related to the performance, operation and use of the Services, and using data from the Services in aggregated form for security and operations management, to create statistical analysis, and for research and development purposes (collectively, "Service Analyses"). Tartabit may make Service Analyses publicly available, however, Service Analyses will not incorporate Processed Data in a form that could serve to identify Customer or any individual. Tartabit retains all intellectual property rights in Service Analyses;
- 3.1.6 Where Tartabit is required, or reasonably believes it is required, by law, to share or disclose Customer’s Processed Data, such as, by way of example only, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority. To the extent legally permitted, Tartabit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the Processed Data.
- 4.1 Customer authorizes Tartabit to subcontract any of its Service-related activities consisting (partly) of the processing of the Processed Data or requiring Processed Data to be processed by any Third Party Providers. However, Tartabit has no responsibility for any actions taken by such Third Party Providers with respect to the Processed Data. Customer specifically waives any and all claims against Tartabit with respect to any actions (or failure to take action) of any Third Party Provider.
- 5.1 At the end of the term of the Agreement, if no subsequent further processing is required by Tartabit, Tartabit shall, at the choice of the Customer, either delete, destroy or return to Customer, the Processed Data that Tartabit and its third party suppliers process for Customer. The Customer agrees that Tartabit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data, after the end of the term of the Agreement.
- 6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Tartabit’s processing of Processed Data for Customer, as well as the nature of Processed Data processed for Customer, Tartabit shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the Processed Data from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
- 7.1 Tartabit shall only be liable for processing Customer’s Processed Data where Tartabit has not complied with its obligations under this Annex C.
- Microsoft Azure (Hosting services) (Nov, 2020)