Data Processing Agreement

Click here to view our Data Processing Agreement.

DATA PROCESSING AGREEMENT

[Last Updated November 2023]

This Data Processing Agreement (“DPA”) forms an integral part of the Master Service Agreement or End User License Agreement (collectively “Agreement”), executed by and between Radix Technologies Ltd including any of its subsidiary companies which provides services under the Agreement (“Radix”) and the customer which is a party to the Agreement (“Customer”), implementing, downloading and using Radix services and products (including its technology and solutions designed to enable device management solutions (MDM/EMM), focusing on  interactive touch screens, Android TV, enterprise single-purpose, VR/AR and further includes cloud-based solutions, browser extensions, OEM solutions and applications and cloud-based classroom management solution) (“Product” and collectively “Services”).

This DPA applies to the extent that Radix Processes Personal Data (as these terms are defined below) in the course of its performance of the Services.

This DPA forms an integral part of the Agreement, and is incorporated therein by reference.

1.       DEFINITIONS

1.1.    “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.

1.2.    “Adequate Country” is a country that was determined by the EU Commission to offer an adequate level of data protection.

1.3.    The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Covered Information”, “De-identified Data”, “Data Subject“, “Personal Data Breach”, “Processing” or “Processor”, “Service Provider”, “Sale”, “Sell” and “Share”, “Special Categories of Personal Data” and “Sensitive Data”, shall all have the same meanings as ascribed to them under the European Data Protection Legislation and the U.S. Data Protection Laws, as applicable. Under this DPA, the term “Controller” shall include a “Business”; the term “Processor” shall include a “Service Provider”; and the term “Data Subject” shall include “Consumer” (as defined under the U.S. Data Protection Law), as well as any equivalent terms under Data Protection Laws;

1.4.    “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, without limitations, European Data Protection Legislation and the U.S. Data Protection Law;

1.5.    “European Data Protection Legislation” means: (i) the EU General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data) (“EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) the Swiss Federal Act on Data Protection of June 19, 1992, SR 235.1 (“Swiss Data Protection Laws” or “FADP”); (iv) the UK Data Protection Act 2018 (DPA 2018), as amended, and GDPR, as incorporated into UK law as the UK GDPR, as amended (“UK GDPR” and “UK Data Protection Laws”); and (v) any national laws implementing or supplementing the same. Any references to the GDPR in this DPA shall mean the GDPR and UK GDPR.

1.6.    “Personal Data” or “Personal Information” means any information which can be related, describes, or is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, including as defined under Data Protection Law, and under this DPA shall refer to Personal Data Processed as part of, or in connection with, the Services agreed to in the Agreement, as detailed under ANNEX I.

1.7.    “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.8.    “Standard Contractual Clauses” or “SCC” mean collectively: (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (“EU SCC”); (ii) the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf ,as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State (“UK SCC”); and (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).

1.9.    “U.S. Data Protection Laws” means any U.S. federal and state privacy laws effective as of the effective date of this DPA, and any implementing regulations and amendment thereto, including without limitation, the: (i) California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, as may be amended as well as all regulations promulgated thereunder from time to time (“CCPA”); (ii) Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments (“CPA”); (iii) Connecticut Data Privacy and Online Monitoring Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto (“CTDPA”); (iv) Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto (“VCDPA”); and (v) Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (effective as of January 2024) (“UCPA”).

2.       PARTIES’ ROLES & COMPLIANCE WITH DATA PROTECTION LAW

2.1.    The parties agree and acknowledge that, with regards to Personal Data Processed as part of the Services, Radix is acting as a Processor on behalf of the Customer, which is acting as the Controller. The purpose, subject matter and duration of the Processing carried out by Radix on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.

2.2.    For the purpose of the applicable U.S. Data Protection Laws (including the CCPA), with regards to Personal Data Processed as part of the Services, the Customer is the Business and Radix is a Service Provider, as defined therein. It is hereby agreed that the Processing of Personal Data is made solely for fulfilling a Business Purpose and Radix shall Process the Personal Data only on behalf of and under the instructions of the Customer and in accordance with U.S. Data Protection Laws and shall not: (i) Sell or Share Personal Data or otherwise make Personal Data available to any third party for monetary or other valuable consideration; (ii) retain, use or disclose the Personal Data for any purpose other than for a Business Purpose or as specified in the Agreement; (iii) combine the Personal Data with other data that it receives from, or on behalf of, another third party, or collects independently, other than as required for the purpose of the Services.

2.3.    Where the GDPR applies, Radix further represents and warrants that it shall Process Personal Data as set forth under Article 28(3) of the GDPR, on behalf of the Customer, and in accordance with the written instructions of the Customer and this DPA.  Radix shall inform the Customer if, in Radix’s opinion, an instruction for the Processing of Personal Data given by the Customer infringes applicable Data Protection Laws. In the event required by Radix under applicable laws, to Process Personal Data other than as instructed by the Customer, Radix shall promptly inform the Customer of such legal requirement before Processing and shall reasonably cooperate with the Customer, at its request, as required to protect the Personal Data.

2.4.  Without derogating from the above: (i) it is hereby agreed that Radix is also a Controller of certain Personal Data related to the Customer, such as (without limitation) Customer’s account registration data, the contact details of Customer’s personnel, which shall be shall be used and processed in accordance with Radix Privacy Policy and is not governed by this DPA; (ii) the Customer represents and warrants its Processing instructions shall comply with applicable Data Protection Laws, and specifically, the Customer is fully responsible to provide Data Subjects with needed notices and disclosures, as well as to obtain consent where required under applicable Data Protection Laws, in order to enable the lawful Processing of Personal Data.

3.       RADIX PERSONNEL

Radix shall ensure the reliability of its staff and any other person acting under its supervision who have access to the Personal Data. Radix shall ensure that the individuals who are authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and ensure that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Law.

4.       RIGHTS OF DATA SUBJECTS AND COOPERATION OBLIGATIONS

4.1.    It is agreed that where Radix receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Radix, Radix will notify the Customer and shall provide the Customer with reasonable cooperation and assistance in relation to handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.

4.2.    Radix will provide reasonable cooperation and assistance to the Customer, at the Customer’s expense, in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of Personal Data and with its obligation to consult with the supervisory authority (as applicable).

5.       SUB-PROCESSOR

5.1.    The Customer acknowledges that Radix may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby authorizes Radix to engage and appoint such Sub-Processors as listed in ANNEX III, to process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Radix may continue to use those Sub-Processors already engaged by Radix, as listed in ANNEX III, or to engage an additional or replace an existing Sub-Processors to process Personal Data, subject to the provision of prior notice of its intention to do so to the Customer. In case the Customer has not objected to the adding or replacing of a Sub-Processor within five (5) days of Radix’s notice, such Sub-Processor shall be considered approved by the Customer. In the event the Customer objects to the adding or replacing of a Sub-Processor, Radix may, under Radix’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement. 

5.2.    Radix shall, where it engages any Sub-Processor, impose, through a legally binding contract between Radix and the Sub-Processor, data protection obligations similar to those set out in this DPA. Radix shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law. 

5.3.    Radix shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA.

6.       TECHNICAL AND ORGANIZATIONAL MEASURES

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the parties, Radix shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the Processing and which will be in accordance with best industry practices for the protection data from a Security Incident. The security measures are further detailed in Annex II.

7.       SECURITY INCIDENT

Radix will notify the Customer without undue delay upon becoming aware of a confirmed Security Incident and will take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause, as well as reasonably co-operate with the Customer and provide the Customer with such assistance and information as it may require in connection with the containment, investigation, remediation or mitigation of the Security Incident and keep the Customer informed of all material developments in connection with the Security Incident.

8.       AUDIT RIGHTS

8.1.    Radix shall maintain accurate written records of any and all the processing activities of any Personal Data carried out under this DPA and shall make such records available to the Customer and applicable supervisory authorities upon written request. Such records provided shall be considered Radix’s confidential information and shall be subject to confidentiality obligations. 

8.2.    In the event the records and documentation provided subject to Section 8.1 above are not sufficient, Radix shall make available, solely upon prior reasonable written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties).  Radix may object to an auditor appointed by the Customer in the event Radix reasonably believes the auditor is not suitably qualified or independent, is a competitor of Radix or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Radix. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Radix’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Radix immediately.

9.       DATA TRANSFER

9.1.    Transfer of Personal Data by Radix shall be made in accordance with Data Protection Laws.

9.2.    Without derogating from the above, where the GDPR applies, if the Processing of Personal Data by Radix includes transfer of Personal Data (either directly or through an onward transfer) to a third country, outside the EEA, UK or Switzerland, that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law for the lawful transfer of Personal Data under is in place.

9.3.    When Customer and Radix relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then: (i) the EU SCC – Module Two – Controller to Processor, shall apply to the transfer of Personal Data from the EEA, as further detailed under Annex IV; (ii) the UK SCC – Module Two – Controller to Processor, shall apply to the transfer of Personal Data from the UK, as further detailed under Annex V; (iii) the Swiss SCC, as further detailed under Annex VI;

10.   TERMINATION, RETURN & DELETION OF PERSONAL DATA

10.1.  This DPA shall be effective as of the effective date of the Agreement and shall remain in force until the Agreement terminates. 

10.2.  Radix shall be entitled to terminate this DPA or terminate the processing of Personal Data in the event that processing of Customer Data under the Customer’s instructions or this DPA infringe applicable legal requirements. 

10.3.  Following the termination of this DPA, Radix shall, at the request of the Customer, delete all Customer Data processed on behalf of the Customer, unless applicable law or regulatory requirements requires that Radix continue to store Personal Data. Until the Personal Data is deleted or returned, the parties shall continue to ensure compliance with this DPA.

ANNEX I

DETAILS OF PROCESSING

This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

Categories of Data Subjects:

Customer may submit Personal Data to the Service or enable the collection of Personal Data by implementing the Product or using the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

Customer’s authorized users; Customer’s end users.

Categories of Personal Data Processed:

Customer’s authorized users or end users account information – name, email, Google account and profile picture; Device Geolocation (approximate location extracted from the IP, time zone, or GPS location, where made available through your device); Online Identifiers (IP address, MAC address); Device Information (operating system type and version, device model, manufacturer, serial number, memory, storage, CPU model, screen size and resolution, device settings such as language, etc.); Network Information (connected WiFi); Usage Data and Installed Apps (access time and date, apps installed on the device, apps’ usage statistics); Filesystems Information;

Special Categories of Personal Data:

NA

Nature of Processing:

Collection, storage, organization, communication, transfer, host and other uses in performance of the Services as set out in the Agreement.

Purpose(s) of Processing:

To provide the Services.

Retention Period:

For as long as is necessary to provide the Services by Radix to the Customer; provided there is no legal obligation to retain the Personal Data past termination or unless otherwise requested by the Customer.

Process Frequency:

Continuous basis.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES

Radix Security Overview available HERE

ANNEX III

LIST OF SUB-PROCESSORS

ANNEX IV

EU INTERNATIONAL TRANSFERS AND SCC

1.       The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.

2.       Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the data controller of the Personal Data and Radix is the data processor of the Personal Data.

3.       The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Radix (as Data Importer), the following shall apply:

a)         Clause 7 of the Standard Contractual Clauses shall not be applicable.

b)         In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.

c)         In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.

d)         In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).

e)         In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.

4.       Annex I.A of the Standard Contractual Clauses shall be completed as follows:

4.a.1.”Data Exporter“: Customer

4.a.2.”Data Importer“: Radix

4.a.3.Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.

4.a.4.Data Exporter and Data Importer Contact details: As detailed in the Agreement.

4.a.5.Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

5.       Annex I.B of the Standard Contractual Clauses shall be completed as follows:

a)         The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.

b)         The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.

c)         The sub-processor which Personal Data is transferred are listed in Annex III.

6.       Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.

7.       Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.

8.       Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.

ANNEX V

UK INTERNATIONAL TRANSFERS AND SCC

1.       The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.

2.       This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.

3.       Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.

4.       This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

5.       Amendments to the UK Standard Contractual Clauses:

5.1.    Part 1: Tables

5.1.1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.

5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.

5.1.3.Table 3 Appendix Information:

Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.

Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.

Annex III: List of Sub processors: shall be completed as set forth in Annex III above.

5.1.4.Table 4 ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.

ANNEX VI

SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:

·         The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.

·         The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.

·         All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.  

·         References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).

·         In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.

·         The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.