Digital Processing Agreement (DPA)
Data Processing Addendum
Last Updated: November 25, 2024
This Data Processing Addendum (“DPA”) forms a part of the Customer Terms of Service found at https://theysaid.io/terms between TheySaid, Inc. (“TheySaid”) and you, the customer (“Customer”), unless Customer has entered into a superseding written master subscription agreement with TheySaid, in which case, it forms a part of such written agreement (in either case, the “Agreement”). Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below). For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Controller Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. In the course of providing access to the Platform and related Services under the Agreement, TheySaid may Process certain Personal Data (such terms defined below) on behalf of Customer and where TheySaid Processes such Personal Data on behalf of Customer the parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
1. Definitions(a)
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Controller Affiliate” means any of Customer's Affiliate(s) (a) (i) that are subject to applicable Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (ii) permitted to use the Services pursuant to the Agreement between Customer and TheySaid, but have not signed their own Order Form and are not a “Customer” as defined under the Agreement, (b) if and to the extent TheySaid processes Personal Data for which such Affiliate(s) qualify as the Controller.
“Customer Data” means any content or information submitted by Customer to the Services, such as messages or files.
“Data Protection Laws” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including withoutlimitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP”); and the California Consumer Privacy Act, Cal.
Civ. Code § 1798.100 et seq., as amended and including its regulations (“CCPA”), and other applicable U.S. state and federal laws.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Europe” means the European Union, the EEA, Switzerland and the United Kingdom.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any Customer Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Public Authority” means a government agency or law enforcement authority, including judicial authorities.
“Privacy Policy” means TheySaid’s Privacy Policy, as updated from time to time, and currently accessible at https://theysaid.io/privacy “TheySaid” means TheySaid, Inc., a company incorporated in Delaware.
“TheySaid Group” means TheySaid and its Affiliates engaged in the Processing of Personal Data.
“Security Incident” means any confirmed breach of security that results in the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently set out at http://data.europa.eu/eli/dec_impl/2021/914/oj
“Sub-processor” means any entity engaged by TheySaid or a member of the TheySaid Group to Process Personal Data in connection with the Services.
The terms “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”
2. Processing of Personal Data
Roles of the Parties.
To the extent that Customer is the Controller of Personal Data, TheySaid is its Processor. To the extent that Customer is a Processor of Personal Data, TheySaid is its Subprocessor.
Customer’s Processing of Personal Data Customer shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Law (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
3. Personal Data Processing Requirements
(a) Restrictions on Processing. TheySaid will:
- not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and TheySaid, or for any purpose (including any commercial purpose) not set forth in this DPA or the Agreement;
- not “sell” or “share” any Personal Data, or use Personal Data for purposes of “targeted advertising,” as such terms are defined in Data Protection Laws; and
- comply with any applicable restrictions under the CCPA on combining Personal Data with personal data that TheySaid receives from, or on behalf of, another person or persons, or that TheySaid collects from any interaction between it and any individual.
(b) Confidentiality. TheySaid will ensure that the persons Processing the Personal Data have are bound by obligations of confidentiality no less protective than those set forth in the Agreement or are under an appropriate statutory obligation of confidentiality.
(c) Assistance. TheySaid will provide Customer with reasonable assistance:
- by implementing appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subjects’ rights as set forth in Data Protection Laws, taking into account the nature of the Processing; and
- in performing any required data protection impact assessment of Processing or proposed Processing of Personal Data, and in consulting with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including any applicable obligation upon TheySaid to consult with a regulatory authority in relation to TheySaid’s Processing or proposed Processing of Personal Data.
(d) Notice Regarding Compliance and Instructions. TheySaid will promptly notify Customer if TheySaid determines that it can no longer meet its obligations under Data Protection Laws or if it believes that Customer’s instructions violate Data Protection Laws, and TheySaid is not deemed to be in breach of this DPA if it declines to Process Personal Data in a way that TheySaid reasonably and in good faith believes would cause TheySaid to violate Data Protection Laws.
4. Sub-processors
(a) Appointment of Sub-processors. Customer acknowledges and agrees that (a) TheySaid’s Affiliates may be retained as Sub-processors through written agreement with TheySaid and (b) TheySaid and TheySaid’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. As a condition to permitting a third-party Sub-processor to Process Personal Data, TheySaid or a TheySaid Affiliate will enter into a written agreement with each Sub-processor containing in substance data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. In the event Customer enters into the Standard Contractual Clauses, then Customer hereby grants TheySaid a general written authorization to appoint Sub-processors in accordance with clause 9 of the Standard Contractual Clauses and this section.
(b) List of Current Sub-processors and Notification of New Sub-processors. The current list of Sub-processors engaged in Processing Personal Data for the performance of the Services, including a description of their processing activities and countries of location has been provided in Exhibit A attached hereto. Customer hereby consents to TheySaid’s use of Sub-processors, their locations and processing activities as it pertains to their Personal Data. Customer may receive notifications of new Sub processors by e-mailing privacy@theysaid.io with the subject “Subprocessor List”, and TheySaid shall provide the subscriber with a list of current Subprocessors, along with future notification of new Sub-processor(s) before authorizing such new Sub processor(s) to Process Personal Data in connection with the provision of the applicable Services.
(c) Objection Right for New Sub-processors. Customer may reasonably object to TheySaid’s use of a new Sub-processor by notifying TheySaid promptly in writing within ten (10) business days after receipt of TheySaid’s notice. Such notice shall explain the reasonable grounds for the objection. If Customer objects to a new Sub-processor, as permitted in the preceding sentence,TheySaid will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer.
(d) Liability. TheySaid shall be liable for the acts and omissions of its Sub-processors to the same extent TheySaid would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.
5. Security Incident
(a) Notice. TheySaid will notify Customer of any Security Incident without undue delay or within the time period required under Data Protections Law. To the extent available, this notification will include TheySaid’s then-current assessment of the following:
- the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the Security Incident; and
- measures taken or proposed to be taken by TheySaid to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects. TheySaid will provide timely and periodic updates to Customer as additional information regarding the Security Incident becomes available. Customer acknowledges that any updates may be based on incomplete information.
(b) Responsibilities of the Parties. TheySaid will comply with the Security Incident-related obligations applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Incident-related obligations. TheySaid will not assess the contents of Customer Data for the purpose of determining if such data is subject to any requirements under Data Protection Laws. Nothing in this DPA or in the EU SCCs will be construed to require TheySaid to violate, or delay compliance with, any legal obligation it may have with respect to a Security Incident or other security incidents generally.
6. Data Transfers
(a) Authorization to Transfer Personal Data. Customer authorizes TheySaid and its Subprocessors to make international transfers of Personal Data in accordance with this DPA and Data Protection Laws.
(b) Order of Precedence. The Parties acknowledge that Data Protection Laws may require the Parties to implement certain safeguards (a “Transfer Mechanism”) for Customer to transfer Personal Data to TheySaid. In the event a transfer of Personal Data is covered by more than one Transfer Mechanism, the transfer will be subject to a single Transfer Mechanism, in accordance with the following order of precedence:
- the Data Privacy Frameworks;
- to the extent that the Data Privacy Frameworks do not apply to a given transfer or are invalidated, the EU SCCs and/or UK Addendum as set forth in Sections 7(d)-(f), as applicable; and
- if neither of the preceding is applicable, the Parties will cooperate in good faith to enter into an alternative Transfer Mechanism to the extent required by Data Protection Laws.
(c) Data Privacy Frameworks. To the extent TheySaid processes Personal Data originating from the EEA, United Kingdom, or Switzerland and TheySaid is self-certified under the Data Privacy Frameworks, TheySaid will adhere to the Data Privacy Principles with respect to Personal Data transferred to TheySaid, as applicable.
(d) EU SCCs. To the extent legally required, by entering into this DPA, Customer and TheySaid are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(e) and (f) below) are deemed completed as follows:
- Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to TheySaid (as a Processor), and Module 3 of the EU SCCs applies to transfers of Personal Data from Customer (as a Processor) to TheySaid (as a Subprocessor);
- Clause 7 (the optional docking clause) is not included;
- Clause 9 (Use of sub-processors): Option 2 (General written authorization) will apply and the time period for prior notice of Subprocessor changes is set forth in Section 6 of this DPA.;
- Clause 11 (Redress): The optional language will not apply;
- Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of Ireland; and
- Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland;
(e) UK Addendum. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK Addendum, which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The Tables within the UK Addendum are deemed completed as follows:
- Table 1: The Parties’ details shall be the Parties to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement.
- Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(d) of this DPA.
- Table 3: Annexes I and II are set forth below in Exhibit B, respectively. Annex III is inapplicable.
- Table 4: Either Party may end this DPA as set out in Section 19 of the UK Addendum.
(f) Transfers of Swiss Personal Data. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(d) of this DPA, but with the following differences to the extent required by the FADP:
- references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR;
- the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and
- the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
7. Audits
(a) Standard Audit Process. TheySaid will make available to Customer documentation, data, certifications, reports, and records (“Records”) relating to TheySaid’s Processing of Personal Data to demonstrate compliance with this DPA (an “Audit”) provided the Agreement remains in effect and such audit is at Customer’s sole expense. Customer may request an Audit upon fourteen (14) days’ prior written notice to TheySaid, no more than once annually, except, in the event of a Security Incident occurring on TheySaid’s systems, in which case Customer may request an Audit within a reasonable period of time following such Security Incident.
(b) Written Requests and Inspections. If Customer has a reasonable objection that the Records provided are not sufficient to demonstrate TheySaid’s compliance with this DPA, Customer may, as necessary:
- request additional information from TheySaid in writing, and TheySaid will respond to such written requests in within a reasonable period of time (“Written Requests”); and
- only where TheySaid’s responses to such Written Requests do not provide the necessary level of information required by Customer, request access to TheySaid’s premises, systems and staff, upon twenty one (21) days prior written notice to TheySaid (an “Inspection”) subject to the parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an auditor to conduct the Inspection, (c) the Inspection being carried out only during TheySaid’s regular business hours, with minimal disruption to TheySaid’s business operations, and (d) all costs associated with the Inspection being borne by Customer (including TheySaid’s time in connection with facilitating the Inspection, charged at TheySaid’s then-current rates). Inspections will be permitted no more than once annually, except in the event of a Security Incident.
8. Return and deletion of Personal Data
Upon termination of the Services for which TheySaid is Processing Personal Data, TheySaid shall, upon Customer’s request, and subject to the limitations described in the Agreement and the Privacy Policy, return all Personal Data in TheySaid’s possession to Customer or securely destroy such Personal Data and demonstrate to the satisfaction of Customer that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Personal Data. For clarification, depending on the Service plan purchased by Customer, access to export functionality may incur additional charge(s) and/or require purchase of a Service upgrade. Until Personal Data is deleted or returned, TheySaid shall continue to comply with this DPA and its Schedules.
9. Controller Affiliates
(a) Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates, thereby establishing a separate DPA between TheySaid and each such Controller Affiliate and subject to the provisions of the Agreement. Each Controller Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, a Controller Affiliate is not and does not become a party to the Agreement, and is a party only to the DPA. All access to and use of the Services by Controller Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by a Controller Affiliate shall be deemed a violation by Customer.
(b) Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with TheySaid under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.
(c) Rights of Controller Affiliates. If a Controller Affiliate becomes a party to the DPA with TheySaid, it shall, to the extent required under applicable Data Protection Laws, also be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
Except where applicable Data Protection Laws require the Controller Affiliate to exercise a right or seek any remedy under this DPA against TheySaid directly by itself, the parties agree that
- solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Controller Affiliate, and
- the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Controller Affiliate individually but in a combined manner for all of its Controller Affiliates together.
10. Survival; Amendments
The provisions of this DPA survive the termination or expiration of the Agreement for so long as TheySaid or its Subprocessors Process Personal Data. TheySaid may amend this DPA in order to comply with Data Protection Laws and will notify Customer of such changes. By continuing to use the Services after the DPA has been updated, Customer is deemed to have agreed to the updated DPA.
11. List of Schedules
- (a) Exhibit A: List of Subprocessors
- (b) Exhibit B: Annex I and II to EU SCCS
Exhibit B
Annex I to the EU SCCS
A. List of Parties
Data exporter(s):
- Name: Customer, as identified in the Agreement.
- Address: As provided in the Agreement.
- Contact person’s name, position, and contact details: As provided in the Agreement.
- Activities relevant to the data transferred under these Clauses: The data exporter receives access to the data importer’s services pursuant to their underlying Agreement.
- Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
- Role: Controller or Processor, as relevant.
Data importer(s):
- Name: TheySaid, as identified in the Agreement.
- Address: As provided in the Agreement.
- Contact person’s name, position, and contact details: As provided in the Agreement.
- Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter pursuant to their underlying Agreement.
- Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
- Role: Processor or Subprocessor, as applicable.
B. Description of Transfer
Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer’s provision of the Services, the categories of data subjects might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates and other end users.
Categories of personal data transferred: The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer’s provision of the Services, the categories of personal data transferred might include (but are not limited to) any Personal Data submitted by Customer’s data subjects in connection with their use of the Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: At its sole discretion, the data exporter determines all categories and types of personal data it may submit and transfer to the data importer as part of its provision of the Services. If the data exporter chooses to transmit sensitive data through the Services or permits its end users to, the data exporter is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting the data exporter’s end users to transmit or process, any sensitive data through the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.
Nature of the processing: The data importer’s Processing activities shall be limited to those discussed in the Agreement and the DPA.
Purpose(s) of the data transfer and further processing: The purpose of the transfer to and further Processing of Personal Data by the data importer is for the data importer to provide the Services to the data exporter as set forth in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the period of time necessary for the data importer to provide the Services to the data exporter under the Agreement and/or in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the Services.
C. Competent Supervisory Authority
To the extent legally permitted, the competent supervisory authority is the Irish Data
Annex II to the EU SCCS
Data Security Measures
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Privacy Policy applicable to the specific Services purchased by data exporter, and currently accessible at https://theysaid.io/privacy or otherwise made reasonably available by data importer. Data importer will not materially decrease the overall security of the Services during a subscription term. Data Subject Requests shall be handled in accordance with the DPA.