This Data Processing Addendum (“DPA”) governs Embeddable’s processing of Customer Data provided by Customer to Embeddable during the provision of Embeddable services under the terms of the Embeddable Business Terms (located at embeddable.com/policies/business-terms) or other agreement between Customer and Embeddable governing Customer’s use of the Services (the “Agreement”). If and to the extent language in this DPA conflicts with the Agreement, the conflicting terms in this DPA shall control. Capitalized terms not defined in this DPA have the meaning set forth in the Agreement.

Embeddable and Customer each agree to comply with their respective obligations under applicable data privacy and data protection laws (collectively, “Data Protection Laws”) in connection with the Services. Data Protection Laws may include, depending on the circumstances, U.S. Privacy Laws, the United Kingdom and/or European Union General Data Protection Regulation (Regulation (EU) 2016/679) (collectively the “GDPR”), and applicable subordinate legislation and regulations implementing those laws. In connection with the Agreement, Customer is the person that determines the purposes and means for which Customer Data (as defined below) is processed (a “Data Controller”), whereas Embeddable processes Customer Data in accordance with the Data Controller’s instructions and on behalf of the Data Controller (as a “Data Processor”). “Data Controller” and “Data Processor” also mean the equivalent concepts under Data Protection Laws. For purposes of the Agreement and this DPA, (i) “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws; and (ii) “Customer Data” means Personal Data that Customer provides to Embeddable that Embeddable processes on behalf of Customer to provide the Services.

Embeddable will process Customer Data as Customer’s Data Processor to provide or maintain the Services and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between Customer and Embeddable.

1. Processing Requirements

As a Data Processor, Embeddable agrees to:

a. process Customer Data only (i) on Customer’s behalf for the purpose of providing and supporting Embeddable’s Services (including to provide insights, reporting, analytics and platform abuse, trust and safety monitoring); (ii) in compliance with the instructions received from Customer; and (iii) in a manner that provides no less than the level of privacy protection required of it by Data Protection Laws;

b. promptly inform Customer in writing if Embeddable cannot comply with the requirements of this DPA;

c. not provide Customer with remuneration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to Embeddable;

d. not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) Personal Data;

e. inform Customer promptly if, in Embeddable’s opinion, an instruction from Customer violates applicable Data Protection Laws;

f. require (i) persons employed by it and (ii) other persons engaged to perform on Embeddable’s behalf to be subject to a duty of confidentiality with respect to the Customer Data and to comply with the data protection obligations applicable to Embeddable under the Agreement and this DPA;

g. engage the organizations or persons listed at embeddable.com/policies/subprocessors to process Customer Data (each a “Subprocessor,” and the list at the foregoing URL, the “Subprocessor List”) to help Embeddable satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors. Customer hereby consents to the use of such Subprocessors. In the event that Customer does not wish to consent to the use of such additional Subprocessor, Customer may notify Embeddable that Customer does not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by following the instructions set forth in the Subprocessor List or contacting privacy@embeddable.com. In such case, Embeddable shall have the right to cure the objection through one of the following options: (i) Embeddable will cancel its plans to use the Subprocessor with regards to processing Customer Data or will offer an alternative to provide its Services or services without such Subprocessor; (ii) Embeddable will take the corrective steps requested by Customer in Customer’s objection notice and proceed to use the Subprocessor; (iii) Embeddable may cease to provide, or Customer may agree not to use whether temporarily or permanently, the particular aspect or feature of the Embeddable Services or services that would involve the use of such Subprocessor; or (iv) Customer may cease providing Customer Data to Embeddable for processing involving such Subprocessor.
If none of the above options are commercially feasible, in Embeddable’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of Embeddable’s receipt of Customer’s objection notice, then either party may terminate any subscriptions, order forms or usage regarding the Services that cannot be provided without the use of the new Subprocessor for cause and in such case, Customer will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor. Embeddable shall enter into contractual arrangements with each Subprocessor binding them to provide a comparable level of data protection and information security to that provided for herein.

h. upon reasonable request no more than once per year, provide Customer with Embeddable’s privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws;

i. where required by law and upon reasonable notice and appropriate confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer at Customer’s sole expense and in a manner that is minimally disruptive to Embeddable’s business that are necessary to confirm that Embeddable is processing Customer Data in a manner consistent with this DPA. Where permitted by law, Embeddable may instead make available to Customer a summary of the results of a third-party audit or certification reports relevant to Embeddable’s compliance with this DPA. Such results, and/or the results of any such assessments, audits, or other steps shall be the Confidential Information of Embeddable;

j. to the extent that Customer permits or instructs Embeddable to process Customer Data subject to U.S. Privacy Laws in a deidentified, anonymized, and/or aggregated form as part of the Services, Embeddable shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) not attempt to reidentify the information, except that Embeddable may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes comply with Data Protection Laws or are functioning as intended; and (iii) before sharing deidentified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision;

k. where the Customer Data is subject to the CCPA, not (i) retain, use, disclose, or otherwise process Customer Data except as necessary for the business purposes specified in the Agreement or this DPA; (ii) retain, use, disclose, or otherwise process Customer Data in any manner outside of the direct business relationship between Embeddable and Customer; or (iii) combine any Customer Data with Personal Data that Embeddable receives from or on behalf of any other third party or collects from Embeddable’s own interactions with individuals, provided that Embeddable may so combine Customer Data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA;

l. where required by law, grant Customer the rights to (i) take reasonable and appropriate steps to ensure that Embeddable uses Customer Data in a manner consistent with Data Protection Laws by exercising the audit provisions set forth in this DPA above; and (ii) stop and remediate unauthorized use of Customer Data, for example by requesting that Embeddable provide written confirmation that applicable Customer Data has been deleted.

2. Notice to Customer

Embeddable will inform Customer if Embeddable becomes aware of:

a. any legally binding request for disclosure of Customer Data by a law enforcement authority, unless Embeddable is otherwise forbidden by law to inform Customer, for example to preserve the confidentiality of an investigation by law enforcement authorities;

b. any notice, inquiry or investigation by an independent public authority established by a member state pursuant to Article 51 of the GDPR (a “Supervisory Authority”) with respect to Customer Data; or

c. any complaint or request (in particular, requests for access to, rectification or blocking of Customer Data) received directly from Customer’s data subjects. Embeddable will not respond to any such request without Customer’s prior written authorization.

3. Assistance to Customer

Embeddable will provide reasonable assistance to Customer regarding:

a. information necessary, taking into account the nature of the processing, to respond to requests received pursuant to Data Protection Laws from Customer’s data subjects in respect of access to or the rectification, erasure, restriction, portability, objection, blocking or deletion of Customer Data that Embeddable processes for Customer. In the event that a data subject sends such a request directly to Embeddable, Embeddable will promptly send such request to Customer;

b. the investigation of any breach of Embeddable’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by Embeddable for Customer (a “Personal Data Breach”); and

c. where doing so is mandatory, the preparation of Data Protection Impact Assessments (DPIA) with respect to the processing of Customer Data by Embeddable and, where necessary, carrying out consultations with any supervisory authority with jurisdiction over such processing.

4. Required Processing

If Embeddable is required by Data Protection Laws to process any Customer Data for a reason other than in connection with the Agreement, Embeddable will inform Customer of this requirement in advance of any such processing, unless legally prohibited.

5. Security

Embeddable will:

a. maintain reasonable and appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data and to protect the rights of the subjects of that Customer Data;

b. take appropriate steps to confirm that Embeddable personnel are protecting the security, privacy and confidentiality of Customer Data consistent with the requirements of this DPA; and

c. notify Customer of any Personal Data Breach by Embeddable, its Subprocessors, or any other third parties acting on Embeddable’s behalf without undue delay after Embeddable becomes aware of such Personal Data Breach.

6. Obligations of Customer

a. Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to Embeddable and to authorize Embeddable to use, disclose, retain and otherwise process Customer Data as contemplated by this DPA, the Agreement and/or other processing instructions provided to Embeddable.

b. Customer shall comply with all applicable Data Protection Laws.

c. Customer shall reasonably cooperate with Embeddable to assist Embeddable in performing any of its obligations with regard to any requests from Customer’s data subjects.

d. Without prejudice to Embeddable’s security obligations in Section 5 of this DPA, Customer acknowledges and agrees that it, rather than Embeddable, is responsible for certain configurations and design decisions for the services and that Customer, and not Embeddable, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws.

e. Customer shall not provide Customer Data to Embeddable except through agreed mechanisms. Without limitation to the foregoing, Customer represents, warrants and covenants that it shall only transfer Customer Data to Embeddable using secure, reasonable and appropriate mechanisms, to the extent such mechanisms are within Customer’s control.

f. Customer shall not take any action that would (i) render the provision of Customer Data to Embeddable a “sale” under U.S. Privacy Laws or a “share” under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render Embeddable not a “service provider” under the CCPA or “processor” under U.S. Privacy Laws.

7. Standard Contractual Clauses

a. Embeddable will process Customer Data that originates in the European Economic Area in accordance with the standard contractual clauses adopted by the EU Commission on June 4, 2021 (“EU SCCs”) which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

i. Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and Embeddable is processing Customer Data as a processor.

ii. Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a processor and Embeddable is processing Customer Data as a sub-processor.

b. Customer Data originating from Switzerland shall be processed in accordance with the EU SCCs with the following amendments:

i. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

ii. “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023.

iii. The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).

iv. The EU SCCs also protect the data of legal entities until the entry into force of the Revised FADP.

v. The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

c. With respect to Customer Data originating from the United Kingdom, the parties will comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The parties also agree (i) that the information included in Part 1 of the UK Addendum is as set out in Annex I of Appendix A to this DPA and (ii) that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.

8. Term; Data Return and Deletion

This DPA shall remain in effect as long as Embeddable carries out Customer Data processing operations on Customer’s behalf or until the termination of the Agreement (and all Customer Data has been returned or deleted in accordance with this DPA).

Where Embeddable receives Customer Data (retrieved from Customer’s Data Source to populate Customer’s dashboards or other Content Customer has created using the Services) it will be retained for a duration set by the Customer in the cache controls section of the Services, after which it will be automatically deleted. Customer may turn off data caching, in which case Customer Data will not be retained.

On the termination of the DPA, Embeddable will direct each Subprocessor to delete the Customer Data within thirty (30) days of the DPA’s termination, unless prohibited by law.

Exhibit A

A. LIST OF PARTIES

Data exporter(s): the Services customer identified on the applicable Services registration documents.

Data importer(s):

Name: TMD Technology Limited (Embeddable)

Address: International House, 142 Cromwell Road, London, United Kingdom, SW7 4EF

Contact Person’s name, position and contact details:

Henry Marshall

COO

privacy@embeddable.com

Activities relevant to the data transferred under these Clauses: The performance of the services described in the agreement to which this is attached.

Signature and date:

B. DESCRIPTION OF TRANSFER

Data subjects and categories

Customer may submit personal data to the Services, the extent of which is determined and controlled by Customer and which may include, but is not limited to, personal data relating to the following categories of data subject:

  • Users and Collaborators;
  • employees of Customer;
  • consultants of Customer;
  • contractors of Customer;
  • agents of Customer; and/or
  • third parties with which Customer conducts business.

Processing operations.

The personal data transferred will be processed in accordance with the Customer Agreement and any Order Form and may be subject to the processing activities described in this DPA.

Exhibit B

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

INTRODUCTION

Embeddable’s mission is to enable companies to build remarkable analytics experiences for their own audiences, including their customers. In accordance with this mission, Embeddable maintains an information security program designed to safeguard its systems, data, and Customer Data. This Addendum describes the information security program and security standards that Embeddable maintains with respect to the Services and the handling of data submitted by or on behalf of Customer to the Services (the “Customer Data”). Capitalized terms not defined in this Annex II have the meanings given in the DPA or Agreement.

SECURITY MEASURES

Accessing your data

  • We do not store a copy of Customer’s database. Customer’s data stays safely and securely in their own database.
  • We send SQL over the wire and retrieve only the returned results.
  • We store these results for a duration set by Customer, after which they are permanently deleted.
  • Your SSH or database credentials are kept strictly private and are securely encrypted using industry standard 128-bit AES Encryption. All connections to your database use a read-only transaction. Embeddable will never write to your database or update / alter your data in any way.
  • Customer Data is encrypted at rest and when sent between services. Due to the nature of the Service we provide, Customer Data when presented to users is not encrypted beyond Customer’s own encryption settings.
  • All data transfers use SSL connections, which protect against eavesdropping and man-in-the-middle attacks.

Confidentiality

  • We place strict controls over our team’s access to your Customer Data.
  • The operation of the Services requires that some team members have access to the systems which store and process Customer Data. For example, in order to diagnose a problem we may need to run queries against the Customer’s database. We may also request to access Customer’s data in response to a support request. In such cases, we require written permission and will not access Customer’s Data before it is given.
  • The permissions required to access Customer Data are provided only to a limited number of senior members of the Embeddable team, who have received relevant training in regards to data security and privacy. These team members are prohibited from using these permissions to access Customer Data unless explicitly given permission by the customer to do so.
  • We have technical controls to ensure that all access to Customer Data is logged.

Access and Authentication

  • As a modern cloud platform, we use various third party systems. You can see a full list of subprocessors on embeddable.com/policies/subprocessors.
  • Access to specific systems is controlled, monitored, and reviewed by senior members of the Embeddable team. It is provided to team members on a need-to-use basis only, meaning that only members of our team who specifically require access to a given system to perform their jobs have access to it.
  • We use Google Sign-in, a secure authentication system, to sign in to the systems we use. All members of our team are required to use 2-Step Verification to keep their accounts secure. We do not allow account sharing under any circumstances.
  • When signing in from new browsers, devices, or locations, we receive security alerts via email. We track and review devices that are currently signed in or have been active in the last 28 days.
  • We can revoke a specific user’s access to our systems at any time (for example, if a team member leaves).

Hardware, Devices, and Storage

  • We place strict controls over the hardware we use, including laptops and other devices.
  • All company hardware, as well as personal hardware used for company purposes, and the content stored on it must be encrypted at rest and protected by up-to-date anti-virus software. Laptops must be secured by a confidential password and locked when unattended. Old devices must be securely formatted before disposal.
  • When signing up to Embeddable, you can choose which servers to use. Our servers are provided by:
    • Google Cloud Platform, in the US-East region. Google Cloud’s industry-leading certifications and documentation are available here.
    • Amazon Web Services, in the EU-Central-1 region (Frankfurt). You can access AWS's security and compliance page here.

Logging

  • We maintain an extensive, centralized logging environment in our production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Embeddable services.