Data Processing Addendum

Last updated: January 07, 2021.

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service available at: https://startpack.io/terms and Privacy Policy available at: https://www.startpack.io/privacy-policy (collectively, the “Agreement”) between Distributed, Inc. (“StartPack”) and you (as defined in the Agreement). StartPack and you are collectively deemed the “Parties”.    

1.     Subject Matter and Duration.  

a)     Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Your Personal Data in connection with StartPack’s execution of the Agreement. All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.

b)     Duration and Survival. This Addendum will become legally binding upon the date that you accept and agree to the Agreement. StartPack will Process Your Personal Data until the relationship terminates as specified in the Agreement. StartPack’s obligations and your rights under this Addendum will continue in effect so long as StartPack Processes Your Personal Data.

2.     Definitions.  For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

a)     “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which Your Personal Data are subject. “Applicable Data Protection Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) principles and requirements.

b)     “Your Personal Data” means Personal Data pertaining to you or your employees Processed by StartPack. Your Personal Data and the specific uses of Your Personal Data are detailed in Exhibit 1 attached hereto, as required by the GDPR.

c)     “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

d)     “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).

e)     “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

f)      “Processor” means a natural or legal person, public authority, agency or other body which Processes Your Personal Data on behalf of you subject to this Addendum.

g)     “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Personal Data Processed by StartPack.  

h)     “Third Party(ies)” means StartPack’s authorized contractors, agents, vendors and third party service providers that Process Your Personal Data.

3.     Data Use and Processing.

a)     Compliance with Laws.  Your Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).  

b)     Documented Instructions. StartPack and its Third Parties shall Process Your Personal Data only in accordance with your documented instructions or as specifically authorized by this Addendum, or the Agreement. StartPack will, unless legally prohibited from doing so, inform you in writing if it reasonably believes that there is a conflict between your instructions and applicable law or otherwise seeks to Process Your Personal Data in a manner that is inconsistent with your instructions.

c)     Authorization to Use Third Parties. To the extent necessary to fulfill StartPack’s contractual obligations under the Agreement, you hereby authorize (i) StartPack to engage Third Parties and (ii) Third Parties to engage subprocessors. Any Third Party Processing of Your Personal Data shall be consistent with your reasonable documented instructions and comply with all Applicable Data Protection Law(s).

d)     StartPack and Third Party Compliance. StartPack agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Your Personal Data that imposes on such Third Parties (and their subprocessors) data protection and security requirements for Your Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to you for StartPack’s Third Parties’ (and their subprocessors if applicable) failure to perform their obligations with respect to the Processing of Your Personal Data.

e)     Right to Object to Third Parties. StartPack shall make available to you a list of Third Parties that Process Your Personal Data upon reasonable request. You may reasonably object to StartPack’s use of a new Third Party(ies) by notifying StartPack promptly in writing within ten business days after receipt of StartPack’s notice by updating this Addendum. If you have legitimate objections to the appointment of any new Third Party, the Parties will work together in good faith to resolve the grounds for the objection for no less than 30 days, and failing any such resolution, you may terminate the part of the service performed under the Agreement that cannot be performed by StartPack without use of the objectionable Third Party.

f)      Confidentiality. Any person or Third Party authorized to Process Your Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.

g)     Personal Data Inquiries and Requests. StartPack agrees to comply with all reasonable instructions from you related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At your request and without undue delay, StartPack agrees to assist you in answering or complying with any Privacy Request in so far as it is possible.

h)     Data Protection Impact Assessment and Prior Consultation. StartPack agrees to provide reasonable assistance at your expense to you where, in your judgement, the type of Processing performed by StartPack is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

i)      Demonstrable Compliance. StartPack agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to you to demonstrate compliance upon reasonable request.

4.     Cross-Border Transfers of Personal Data.

a)     Cross-Border Transfers of Personal Data. You authorize StartPack and its Third Parties to transfer Your Personal Data across international borders, including from the European Economic Area to the United States. Any cross-border transfer of Your Personal Data must be supported by an approved adequacy mechanism.

b)     Standard Contractual Clauses. StartPack and you will use the European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors (“Model Clauses”) as the adequacy mechanism supporting the transfer and Processing of Your Personal Data, the terms of which are herein incorporated by reference and made part hereto. Under Appendix 1 of the Model Clauses, the “data exporter” is you and the “data importer” is StartPack and the information required by Appendix 1 can be found in Exhibit 1. For the purposes of Appendix 2 of the Model Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 5 of this Addendum. Pursuant to clause 5(h) of the Model Clauses, you agree that StartPack may engage new Third Parties in accordance with Section(s) 3(c) – 3(e) of this Addendum. The Parties agree that the Illustrative Clause (Optional) is expressly not included in the Model Clauses. Each party’s agreement to this Addendum shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents.

5.     Information Security Program.

a)     StartPack agrees to implement appropriate technical and organizational measures designed to protect Your Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Program”). Such measures shall be designed to include:

i)      Pseudonymisation of Your Personal Data where appropriate, and encryption of Your Personal Data in transit and at rest;

ii)     The ability to ensure the ongoing confidentiality, integrity, availability of StartPack’s Processing and Your Personal Data;

iii)    The ability to restore the availability and access to Your Personal Data in the event of a physical or technical incident;

iv)    A process for regularly testing, assessing and evaluating the effectiveness of StartPack’s Information Security Program to ensure the security of Your Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

6.     Security Incidents.  

a)     Security Incident Procedure. StartPack will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Your Personal Data in a timely manner.

b)     Notice. StartPack agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than 48 hours) to your Designated POC upon becoming aware that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for you to comply with your own notification obligations to regulatory authorities or individuals affected by the Security Incident.

7.     Data Storage and Deletion.

a) Data Storage. StartPack will abide by the following with respect to storage of Your Personal Data:

i)      StartPack will not store or retain any of Your Personal Data except as necessary to perform the Services under the Agreement.

ii)     StartPack will (i) inform you in writing of all countries where Your Personal Data is Processed or stored and (ii) obtain consent from you for Processing or storage in the identified countries. As of the Effective Date, StartPack stores Your Personal Data in the following countries to which you hereby consent: United States.

b) Data Deletion. StartPack will abide by the following with respect to deletion of Your Personal Data:

i)      Within ninety (90) calendar days of the Agreement’s expiration or termination, StartPack will securely destroy (per subsection (iii) below) all copies of Your Personal Data (including automatically created archival copies).

ii)     Upon your request, StartPack will promptly return to you a copy of all Your Personal Data within 30 calendar days and, if you also request deletion of Your Personal Data, will carry that out as set forth above.

iii)   All deletion of Your Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.

iv)   Tapes, printed output, optical disks, and other physical media will be physically destroyed by a secure method, such as shredding performed by a bonded provider. Upon your request, StartPack will provide evidence that StartPack has deleted all Your Personal Data. StartPack will provide the “Certificate of Deletion” within 30 calendar days of your request.