Data Processing Agreement
Last updated: October 18, 2023
This Data Processing Agreement, including its schedules and appendices (collectively, the “DPA”), reflects the parties’ agreement with respect to the Processing of Personal Data by AudioEye on behalf of Company in connection with an Agreement. This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement. Capitalized terms not otherwise defined in the Agreement or in the text shall have the meanings ascribed to them in Section 16.
1. Use and Disclosure of Personal Data
1.1 AudioEye’s Processing of Personal Data shall be governed by the Agreement, which sets out the subject matter, duration, nature, and purpose of the Processing, type of Personal Data and categories of Data Subjects, instructions for Processing Personal Data, and obligations and rights of the Parties.
1.2 AudioEye shall only Process Personal Data in accordance with Company’s instructions (which if Company is acting as a Data Processor, could be based on the instructions of its Data Controllers) or as necessary to carry out an obligation under the Agreement in accordance with the requirements of any Data Protection Laws. AudioEye will only Process the minimum amount of Personal Data required to meet its obligations under the Agreement or Data Protection Laws. In addition, except as permitted under any Data Protection Laws, AudioEye will not:
- sell or share Personal Data it collects pursuant to the Agreement,
- retain, use, or disclose Personal Data it collects pursuant to the Agreement for any purpose other than the Business Purpose(s),
- retain, use, or disclose Personal Data it collects pursuant to the Agreement outside the direct business relationship between the Parties, or
- combine Personal Data it collects pursuant to the Agreement with Personal Data it receives from another source or collects from its own interaction with consumers.
The business purpose for processing Personal Data under the Agreement shall be to perform services on behalf of Company, including:
- maintaining or servicing accounts,
- providing customer service,
- processing or fulfilling orders and transactions,
- verifying customer information, processing payments,
- providing analytic services,
- providing governance and compliance services and software,
- providing storage, or
- providing similar services on behalf of Company (collectively, the “Business Purpose”).
1.3 AudioEye shall comply with Data Protection Laws with respect to Personal Data it collects pursuant to the Agreement, including providing the same level of privacy protection to such Personal Data as required of businesses by the Data Protection Laws. Company shall have the right to take reasonable and appropriate steps to ensure that AudioEye uses the Personal Data it collects pursuant to the Agreement in a manner consistent with Company’s obligations under the Data Protection Laws. Further, if AudioEye engages in any unauthorized use of Personal Data it collects pursuant to the Agreement, Company shall have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use. This Section 1.3 shall be applicable only to the extent that the Personal Data Processed by AudioEye under the Agreement falls within the scope of the CCPA.
1.4 AudioEye certifies that it understands the restrictions contained in this DPA and will comply with them. AudioEye agrees that it shall promptly inform Company if it makes a determination that it or its Subprocessors can no longer meet their obligations under this DPA or under Data Protection Laws.
2. Identification of Parties
2.1 This DPA applies when Personal Data is processed by AudioEye. When processing such Personal Data, AudioEye will act as Data Processor to Company, who can act either as Data Controller or Data Processor of Personal Data.
2.2 The Parties acknowledge that AudioEye may act as a Data Controller with respect to some Personal Data it collects for purposes of the Agreement (including Personal Data AudioEye collects in conjunction with providing customer service to Web Visitors) (the “AudioEye Personal Data”). AudioEye shall be independently responsible for ensuring that it processes the AudioEye Personal Data in compliance with Data Protection Laws. Other provisions of this DPA shall not apply to the AudioEye Personal Data.
3. Compliance with Data Protection Laws
3.1 Both Parties agree to comply with all Data Protection Laws throughout the term of the Agreement and mutually covenant not to place the other in violation of Data Protection Laws. AudioEye will immediately inform Company if it believes any of Company’s instructions are inconsistent with Data Protection Laws.
3.2 Where Data Protection Laws may require AudioEye to Process Personal Data for a purpose unrelated to the delivery of the services (including to respond to a government investigation, subpoena, request for information, or similar process), AudioEye shall, to the extent permitted by Data Protection Laws and other applicable law, notify Company of any required Processing, accommodate reasonable efforts and requests by Company to limit any such required Processing, and process only the Personal Data necessary to meet its legal obligations.
4. Data Protection Assistance & Security Measures
4.1 AudioEye shall reasonably cooperate with Company with respect to any data protection impact assessments and/or prior consultations that may be required in respect of Processing carried out under the Agreement.
4.2 AudioEye shall promptly make available to Company all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws. Further, during the term of the Agreement, AudioEye will implement and maintain reasonable security measures designed to ensure a level of security and confidentiality appropriate to the risk represented by the Processing and the nature of the data to be protected and designed to allow AudioEye to reasonably restore availability and access to data, where reasonably possible, in the event of a Data Security Breach.
5. Oversight of Personnel
5.1 AudioEye shall ensure that any persons authorized to Process Personal Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory or contractual obligation of confidentiality.
5.2 AudioEye shall ensure that access to Personal Data is limited to those employees, contractors, and Subprocessors performing services in accordance with the Agreement. AudioEye shall ensure that any processing by its employees and Subprocessors is done pursuant to the Agreement or as required by Data Protection Laws.
6. Data Security Breaches
6.1 AudioEye agrees to notify Company without undue delay following discovery of any actual or suspected Data Security Breach of which it becomes aware. AudioEye agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such Data Security Breach to the extent it is ongoing.
6.2 In the course of notification to Company, AudioEye will provide to Company, to the extent reasonably available, sufficient information for Company to assess the Data Security Breach and make any required notification to any Government Authority and/or Data Subjects. Such information shall include, to the extent reasonably available (i) the nature of the Data Security Breach; (ii) the categories and approximate number of Data Subjects and Personal Data records involved; and (iii) any measures taken or proposed to be taken to address or mitigate the incident. Company will decide on the basis of all available information and Data Protection Laws if notification to Data Subjects and/or Government Authorities is required by law and shall make any such notifications.
7. Rights of Data Subjects
In the event AudioEye receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, AudioEye shall advise Company of such request and follow reasonable instructions by Company relating to such request. Company shall inform AudioEye of Company’s receipt of any such request and shall provide information necessary for AudioEye to comply with the request. AudioEye shall assist Company as needed in responding to or fulfilling requests from Data Subjects to exercise their rights under Data Protection Laws.
8. Cross-Border Data Transfers
In the event that cross-border transfers of Personal Data are necessary or appropriate for performance of the Agreement, the Parties shall cooperate to implement appropriate contractual, technical, and/or organizational measures to facilitate such transfers, to the extent required by Data Protection Laws, the terms of which may be outlined in a separate agreement.
AudioEye agrees to retain Personal Data received from Company for only so long as necessary to conduct the services under the Agreement or as may otherwise be required under Data Protection Laws.
Upon termination or expiration of the Agreement (or the conclusion of any post-expiration transition period), or earlier upon written request by Company, AudioEye agrees to return or destroy, at Company’s choice, all Personal Data received pursuant to the Agreement, to the extent permitted by Data Protection Laws.
AudioEye shall promptly notify Company of any inability to return or destroy Personal Data and agrees that any Personal Data retained as required by law shall remain subject to the requirements of this DPA, which shall survive termination of the Agreement with respect to such Personal Data.
Company grants AudioEye general written authorization to engage Subprocessors to Process Personal Data for performance of the Agreement as set forth below and as may be subsequently listed at www.audioeye.com/dpa/. AudioEye will update Company with any changes to the Subprocessors via email and by updating the list of Subprocessors that can be viewed at www.audioeye.com/dpa/. If Company does not object to AudioEye’s engagement of any particular Subprocessor within five (5) business days of receiving such notice, Company shall be deemed to have accepted AudioEye’s engagement of such Subprocessor to Process Personal Data for performance of the Agreement. If Company objects to AudioEye’s engagement of a particular Subprocessor, the Parties will negotiate in good faith to resolve such objection. If the Parties are unable to agree within a thirty (30) day period following Company’s objection, AudioEye shall have the right to terminate the Agreement.
- Subprocessor: Amazon Web Services
- Subprocessor Location: US-West
- Nature and Subject Matter of Processing: Hosting
AudioEye shall ensure that all Subprocessors are engaged pursuant to a written contract that complies with the Data Protection Laws and contains terms that are substantially similar to this DPA. Subject to any terms in the Agreement, AudioEye shall be responsible for any noncompliance with the Data Protection Laws by any Subprocessor.
12. Right to Audit
Company shall have the right to audit AudioEye during AudioEye’s normal business hours and on sixty (60) days’ notice in order to monitor compliance with the terms of this DPA to the extent required by the Data Protection Laws. AudioEye agrees to make available to Company all information reasonably necessary to demonstrate AudioEye’s compliance with this DPA and with Data Protection Laws. Company shall compensate AudioEye at AudioEye’s then-standard rates for all time and expenses incurred in facilitating such audits and in providing information to Company to demonstrate compliance with this DPA and Data Protection Laws.
13. Effect of Violation
If AudioEye breaches the terms of this DPA, AudioEye will have thirty (30) days to cure the breach. If the breach is not cured within such thirty (30) day period, Company shall have the right to terminate the Agreement.
14. Limitation of Liability
14.1 AudioEye’s and Company’s, and each of their Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any section of the Agreement disclaiming liability, limiting liability for damages or types of damages, and excluding certain types of damages. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, AudioEye’s and its Affiliates' total liability for all claims from Company and all of its Affiliates arising out of or related to the Agreement shall apply in the aggregate for all claims under both the Agreement and this DPA.
14.2 IN ADDITION TO THE TERMS OF SECTION 14.1, EACH PARTY’S LIABILITY UNDER THE DPA ARISING UNDER ANY THEORY OF LIABILITY, WHETHER IN AN EQUITABLE, LEGAL, OR COMMON LAW ACTION ARISING HEREUNDER FOR CONTRACT, STRICT LIABILITY, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE SHALL BE LIMITED TO THE AMOUNTS PAID OR PAYABLE TO AUDIOEYE COMPANY DURING THE SIX-MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM FOR DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
15.1 The obligations of confidentiality, data privacy, and data security under this DPA will survive the termination and/or expiration of the Agreement, including any Statements of Work thereunder.
15.2 The headings contained in this DPA are intended solely for ease of reference and shall be given no effect in the construction or interpretation of this DPA.
15.3 AudioEye has the authority to unilaterally amend this DPA solely for the purpose of complying with existing or new Data Privacy Laws. When AudioEye changes this DPA, AudioEye will update the ‘Last Updated’ date at the top of this page at www.audioeye.com/dpa/ and notify Company via email that material changes have been made to this DPA. Any such changes will become effective no earlier than thirty (30) days after they are posted except to the extent required by Data Privacy Laws. Company’s continued use of any Services after the date any such change becomes effective constitutes acceptance of the DPA, as amended. This DPA shall constitute the entire agreement between the Parties regarding the subject matter hereof and supersede all proposals and prior discussions and writings between the Parties with respect thereto. No failure or delay in enforcing any right or exercising any remedy will be deemed a waiver of any right or remedy.
“Agreement” means the agreement between AudioEye and Company pursuant to which AudioEye will provide any services such as (i) AudioEye’s terms of service and any amendment, addendum or Order referencing those terms of service or (ii) a Master Services Agreement, Master Services and Reseller Agreement, Reseller Agreement or similar agreement governing the provision of any services and any addendum referencing those agreements.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with AudioEye or Company, respectively, through ownership or control of more than 50% of the voting interests of AudioEye or Company, as applicable.
“AudioEye” means AudioEye, Inc. and for purposes of this DPA shall include AudioEye’s Affiliates.
“Company” means the counterparty to the Agreement and for purposes of this DPA shall include Company’s Affiliates.
“Data Protection Laws” mean any applicable laws, regulations and other legal or self-regulatory requirements, as may be amended from time to time, relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including but not limited to:
- the California Consumer Protection Act, as amended, including by the California Privacy Rights Act (collectively, the “CCPA”)
- the Colorado Privacy Act
- the Connecticut Data Privacy Act
- the Utah Consumer Privacy Act
- the Virginia Consumer Data Protection Act
- the Iowa Consumer Data Protection Act
- the Indiana Consumer Data Protection Act
- the Montana Consumer Data Privacy Act
- the Tennessee Information Protection Act
- the Texas Data Privacy and Security Act
- the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and
- the UK General Data Protection Regulation.
“Data Controller” means an entity which alone or jointly with others determines the purposes and means of the Processing of Personal Data as further defined by the GDPR. Data Controller also refers to a “Business” as defined in Data Protection Laws.
“Data Processor” means an entity which Processes Personal Data on behalf of the Data Controller. Data Processor also refers to a “Service Provider” as defined in Data Protection Laws.
“Data Security Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure and acquisition of, or access to, Personal Data.
“Data Subject” means any person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term includes persons who have already been identified as well as those who might be identified by reference to the identifiers set forth above.
“Government Authority” means a legislative, executive, administrative, or regulatory entity, judicial body, or other public agency or authority of any jurisdiction that is authorized by law to enforce individual rights with respect to Personal Data, or to oversee or monitor compliance with privacy, data protection, or data security laws, rules, regulations, or other Data Protection Laws.
“Order” shall mean a statement of work, SoW or purchase order relating to an Offering or an addendum that contains additional terms.
“Personal Data” means all information received pursuant to the services performed under the Agreement that Data Protection Laws treat as “personal information” (or equivalent terms, including without limitation, “personal data,” “personally identifiable information,” “nonpublic personal information”, “sensitive personal information” or “sensitive data”).
“Process” (and its conjugates, including without limitation, “processes,” “processed” and “processing,” regardless of whether such terms are capitalized or not) means any operation or set of operations which is performed upon Personal Data, including (without limitation) collection, creation, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Sell” (and its conjugates, including without limitation, “selling,” “sale,” and “sold,” regardless of whether such terms are capitalized or not) shall have the meaning afforded to it under Data Protection Laws.
“Share” (and its conjugates, including without limitation, “sharing” and “shared”, regardless of whether such terms are capitalized or not) shall have the meaning afforded to it under Data Protection Laws. The term also means disclosing Personal Data to a third party for purposes of “targeted advertising,” as such term is defined by Data Protection Laws.
“Subprocessor” means any third party engaged by AudioEye to Process Personal Data for performance of the Agreement excluding any Affiliate of AudioEye.
CROSS-BORDER TRANSFER APPENDIX
1. Annex I to EU SCCs (including details for UK Addendum)
A. LIST OF PARTIES
- Name: The Customer (as defined in the DPA) and its Affiliates.
- Trading Name (if different from name): The data exporter’s trading name shall be the trading name of the data exporter as listed on the Agreement or shall read “N/A” if not listed in the Agreement.
- Official Registration Number: The data exporter’s official registration number shall be as listed in the Agreement, if any, and shall read “N/A” if not listed in the Agreement.
- Address: The data exporter’s address shall be as listed in the Agreement.
- Contact person’s name, position and contact details: The data exporter’s contact person’s name, position, and contact details shall be as listed in the Agreement or in Company’s Account.
- Activities relevant to the data transferred under these Clauses: For performance of the Agreement.
- Role (controller/processor): For Modules One and Two, Controller; for Module Four, Processor
- Name: AudioEye, Inc. and its Affiliates.
- Trading Name (if different from name): The data importer’s trading name shall be the trading name of the data importer as listed on the Agreement or shall read “N/A” if not listed in the Agreement.
- Official Registration Number: The data importer’s official registration number shall be as listed in the Agreement, if any, and shall read “N/A” if not listed in the Agreement.
- Address: The data importer’s address shall be as listed in the Agreement.
- Contact person’s name, position and contact details: Joel Tavarez, Data Protection Officer, AudioEye, Inc. 5210 East Williams Cir., STE 750, Tucson, AZ 85711.
- Activities relevant to the data transferred under these Clauses: For performance of the Agreement.
- Role (controller/processor): For Modules One and Four, Controller; for Module Two, Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Information is transferred
As applicable, the following categories of Data Subjects:
Company may submit Personal Data in the course of using the AudioEye services, the extent of which is determined and controlled by Company in Company’s sole discretion. Such Personal Data may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
- Employees, Applicants, and/or Independent Contractors
- Customers, prospects, suppliers, and subcontractors
- Business Contacts
Categories of Personal Information transferred:
Company may submit Personal Data to the AudioEye services, the extent of which is determined and controlled by Company in Company’s sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
- Contact information
- Other personal data submitted by Company or Company’s end users via AudioEye’s services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The parties do not anticipate the transfer of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
- For the performance of the Agreement.
Purpose(s) of the data transfer and further processing
- For the purposes of performing the Agreement.
The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period.
- For the duration of the Agreement and as otherwise permitted by Data Protection Laws.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
- For Modules One and Four, N/A; For Module Two, as provided in the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
As provided by Clause 13 depending on the options listed in Clause 13.
2. UK Addendum to the EU SCCs. The UK Addendum shall include the following details:
2.1 In Table 1: (1) the Start date shall be the Effective Date of the DPA; (2) the Parties’ details and Key contact information shall be the information provided in Section 1 of this Exhibit A; and (3) the Signatures shall be the Parties’ signatures on the DPA or the Agreement, as applicable.
2.2 In Table 2: (1) the first checkbox (“The version of the Approved SCCs which this Addendum is appended to, detailed below, including the DPA Information:”) and subsequent Date, Reference, and Other Identifier fields shall be left blank; (2) the second checkbox (“the Approved EU SCCs, including the DPA Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:”) shall be checked; and (3) the chart below the second checkbox shall be completed as provided in Section 9.1, depending on the applicable module.
2.3 In Table 3: (1) the List of Parties shall read “See Section 1 of DPA Exhibit A”; (2) the Description of Transfer shall read “See Section 1 of DPA Exhibit A”; (3) the Technical and Organisational Measures shall read “See Section 4 of DPA Exhibit A”; and (4) the List of Sub processors shall read “See Section 5 of DPA Exhibit A.”
2.4 In Table 4: The “Importer” and “Exporter” checkboxes shall be checked.
3. Swiss Standard Contractual Clauses. Pursuant to the Swiss Federal Data Protection and Information Commissioner’s (“FDPIC”) guidance of 27 August 2021, “The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts,” the Parties agree to adopt the GDPR standard for data transfers subject to the Swiss Federal Act on Data Protection and for data transfers subject to the GDPR (Case Two, Option Two), subject to the following details:
3.1 The competent supervisory authority in Annex I.C under Clause 13 shall be the FDPIC, insofar as the data transfer is governed by the Swiss Federal Act on Data Protection, and shall be the appropriate EU authority as specified in Exhibit A, Section 1(C) insofar as the data transfer is governed by the GDPR.
3.2 Applicable law for purposes of Clause 17 and place of jurisdiction for purposes of Clause 18(b) shall be as provided in Section 9.1 of the DPA.
3.3 To the extent applicable, the term “member state” in the EU SCCs must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
3.4 The EU SCCs shall be interpreted to protect the data of legal entities until the entry into force of the revised version of 25 September 2020 of the Swiss Federal Act on Data Protection.
4. Technical & Organizational Measures. (Applicable to Modules One and Two)
- See AudioEye Information Security Overview document
5. Subprocessors. (Applicable to Module Two)
- The controller has authorised the use of the sub-processors listed in Section 11 of the DPA.