Data Protection Addendum
This Data Protection Addendum (“DPA”) supplements and forms part of the current version of the Master Service Agreement, defined as either the Terms of Service (available at https://www.cartesia.ai/legal/terms.html) agreed to and accepted by customer and any of its affiliates (together, “Customer”) or the separate written service agreement executed by Service Provider and Customer, and Cartesia AI, Inc. (“Service Provider”), each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence over the Master Service Agreement and any associated contractual document between the Parties, such as an order form or statement of work thereunder (collectively, the “Agreement”). To the extent of any conflict between the Master Service Agreement and the terms of this DPA, this DPA shall govern.
Service Provider hereby certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them. Service Provider agrees as follows:
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Applicable Data Protection Laws” means any applicable privacy or data protection legislation or regulations, including but not limited to European Data Protection Laws, and the California Consumer Privacy Act, as amended by the California Privacy Rights Act and its implementing regulations as amended or superseded from time to time (“CCPA”) as well as similar laws adopted in other states. In the event of a conflict in the meanings of defined terms in the Applicable Data Protection Laws, the meaning from the law applicable to the region of residence of the relevant Data Subject applies;
“Controller” shall be interpreted consistent with Applicable Data Protection Laws and includes, at a minimum and where applicable, “controller” as that term is defined under European Data Protection Laws and Applicable Data Protection Laws in the U.S. and “business” as the term is defined under the CCPA;
“Customer Personal Data” means any Personal Data Processed by Service Provider as a Processor on behalf of Customer or Third-Party Controller pursuant to the Agreement;
“Data Subject” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable “data subject” as that term is defined under European Data Protection Laws and “consumer” as the term is defined under the CCPA and Applicable Data Protection Laws in the U.S.;
“Data Subject Rights” means all rights granted to Data Subjects under Applicable Data Protection Laws, which may include, as applicable, rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Laws;
“Data Transfer” means a disclosure of Customer Personal Data by an organization subject to European Data Protection Laws to another organization located outside the EEA, the UK, or Switzerland;
“DPA” means this Data Processing Agreement;
“EEA” means the European Economic Area;
“European Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the EEA, including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;
“EU-US Data Privacy Framework” means the adequacy decision laid down in the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final;
“Personal Data” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable “personal data” as that term is defined under European Data Protection Laws and “personal information” as the term is defined under the CCPA;
“Process” and “Processing” shall be interpreted consistent with Applicable Data Protection Laws;
“Processor” shall be interpreted consistent with Applicable Data Protection Laws, and includes at a minimum and where applicable a “processor” as the term is defined under European Data Protection Laws and “service provider” or “contractor” as those terms are defined under the CCPA;
“SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
“Services” means the services provided by Service Provider to the Customer under the Agreement;
“Subprocessor” means any person appointed by Service Provider to Process Personal Data on behalf of the Customer in connection with the Agreement;
“Third-Party Controller” means a Controller for which the Customer is a Processor; and
“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
The terms “Commission”, “Member State”, “Personal Data Breach” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The terms “Business Purpose”, “Share”, and “Shared” shall have the same meaning given to them under the CCPA. The terms “Sell” and “Selling” shall have the meaning defined in Applicable Data Protection Laws in the U.S.
2. Scope
2.1. This DPA applies to the Processing of Customer Personal Data by Service Provider. The subject matter, nature and purposes of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.2. If Customer is a Controller of Customer Personal Data, Customer hereby appoints Service Provider as a Processor of such data. Customer is responsible for compliance with the requirements of Applicable Data Protection Laws applicable to Controllers. In particular, and where applicable, Customer acknowledges and agrees that it will provide notice to Data Subjects about the Processing of Personal Data by Service Provider as described in this DPA, and obtain Data Subjects’ consent to such Processing by Service Provider as necessary to comply with Applicable Data Protection Law. Service Provider shall comply with the obligations of Applicable Data Protection Laws and, as applicable, shall provide the level of privacy protection to Customer Personal Data required by such Applicable Data Protection Laws.
2.3. If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Service Provider; must obtain all necessary authorizations from such Third-Party Controller; will ensure that the Third-Party Controller provided notice and obtained any consents necessary for Processing by Service Provider as set forth in Section 2.2; and undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller.
3. Processing of Customer Personal Data
3.1. Service Provider shall not Process Customer Personal Data other than on the relevant Customer’s documented instructions.
3.2. The Customer’s instructions are documented in this DPA, the Agreement, and any applicable statement of work, and Service Provider shall process Customer Personal Data for the limited and specific purposes of carrying out these documented instructions or as otherwise expressly permitted by Applicable Data Protection Laws. Where permitted by Applicable Data Protection Laws, Customer has the right to take reasonable and appropriate steps to ensure that Service Provider uses Customer Personal Data consistent with Customer’s obligations under Applicable Data Protection Laws.
3.3. Solely for the purposes of the CCPA, and except as expressly permitted by the CCPA, Service Provider will not: (i) Sell or Share Customer Personal Data, (ii) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services, (iii) retain, use, or disclose Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under the CCPA. The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.
3.4. Unless prohibited by applicable law, Service Provider will inform Customer if Service Provider is subject to a legal obligation that requires Service Provider to Process Customer Personal Data in contravention of Customer’s documented instructions.
4. Personnel
Service Provider shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and ensuring that all such individuals are subject to contractual confidentiality obligations or professional or statutory obligations of confidentiality.
5. Security
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Service Provider shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures listed in Annex II.
5.2. In assessing the appropriate level of security, Service Provider shall take into account the risks that are presented by Processing the Customer Personal Data, in particular from a Personal Data Breach.
6. Subprocessing
6.1. Customer hereby authorizes Service Provider to engage Subprocessors. A list of Service Provider’s current Subprocessors can be found in our Trust Center under the “Subprocessors” tab.
6.2. Service Provider will enter into a written agreement with its Subprocessors which imposes the same obligations as required by this DPA and Applicable Data Protection Laws.
6.3. Customer may provide an email address to receive security and privacy notifications, including updates to the Approved Subprocessor List by subscribing to notifications from our Trust Center. If Customer provides an email address for security and privacy notifications, Service Provider will notify Customer at least thirty (30) days prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor by providing written notice detailing the grounds of such objection within thirty (30) days following Service Provider’s notification of the intended change. Customer and Service Provider will work together in good faith to address Customer’s objection. If Service Provider chooses to retain the Subprocessor, Service Provider will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.
7. Data Subject Rights
7.1. Taking into account the nature of the Processing and the information available to Service Provider, Service Provider shall assist Customer by implementing appropriate technical and organizational measures, as appropriate, for the fulfillment of the Customer’s obligations to respond to requests to exercise Data Subject Rights.
7.2. Service Provider shall:
7.2.1. promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data; and
7.2.2. ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws.
8. Personal Data Breach
8.1. Service Provider shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.
8.2. Service Provider shall co-operate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
Service Provider shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by Service Provider and taking into account the nature of the Processing and information available to Service Provider.
10. Deletion or Return of Customer Personal Data
10.1. This DPA is terminated upon the termination of the Agreement.
10.2. The Customer may request return of Customer Personal Data in Service Provider’s or Service Provider’s Subprocessors’ possession up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Service Provider will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer. Service Provider may retain Customer Personal Data to the extent required by applicable law but only to the extent and for such period as required by such law and always provided that Service Provider shall ensure the confidentiality of all such Customer Personal Data.
11. Audit rights and Compliance
11.1. Subject to this Section 11, and upon reasonable request of Customer, Service Provider shall make available to the Customer on request all information and documentation necessary to demonstrate compliance with this Agreement. Where permitted by law, Service Provider may instead make available to Customer a summary of the results of a third-party audit or certification reports relevant to Service Provider’s compliance with this DPA.
11.2. Where permitted by Applicable Data Protection Laws, Customer has the right to monitor Service Provider’s compliance with this DPA through reasonable audits and inspections by Customer or the Customer’s designated auditor. Service Provider shall cooperate with any audit or inspection initiated by Customer, provided that such audit or inspection will not unreasonably interfere with the normal conduct of Service Provider’s business. Unless the audit or inspection reveals a breach by Service Provider of this DPA or Applicable Data Protection Law, Customer shall bear the costs of the audit or inspection.
11.3. Information rights of the Customer only arise under Section 11.1 to the extent that the Agreement does not otherwise give the Customer information rights meeting the relevant requirements of Applicable Data Protection Law.
11.4. Solely for the purpose of the CCPA, Service Provider shall promptly notify Customer if it determines that it can no longer meet its obligations under the CCPA. Upon receiving notice from Service Provider in accordance with this subsection, Customer may direct Service Provider to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
12. Data Transfer
12.1. Customer hereby authorizes Service Provider to perform Data Transfers to any country deemed to have an adequate level of data protection by the European Commission, including on the basis of the EU-US Data Privacy Framework, or by other competent authorities (including in the UK and Switzerland), as appropriate; on the basis of adequate safeguards in accordance with European Data Protection Laws; or pursuant to the SCCs and the UK Addendum referred to in Sections 12.2 and 12.3 below.
12.2. By entering into this DPA, Customer and Service Provider conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Service Provider; the optional docking clause in Clause 7 is not implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
12.3. By entering into this DPA, Customer and Service Provider conclude the UK Addendum, which is hereby incorporated and applies to Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Service Provider, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 12.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
Customer (as defined above)
Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
Name: Service Provider (as defined above)
Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. DESCRIPTION OF PROCESSING OR INTERNATIONAL DATA TRANSFER
Categories of Data Subjects whose Personal Data is processed or transferred:
Data subjects whose characteristics are present in content uploaded by the Customer.
Categories of Personal Data processed or transferred:
Audio or voice recordings, text input, or other content uploaded by the Customer.
Sensitive Data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Personal Data may include biometric data. Such Sensitive Data will only be collected and processed according to Customer’s instructions for providing the Services, and access to Sensitive Data will be restricted to staff requiring access to perform the Services.
The frequency of the processing or International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis):
On a continuous basis.
Nature of the processing:
The Personal Data will be processed and transferred as described in the Agreement.
Purpose(s) of the International Data Transfer and further Processing:
The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of the EU Member State in which the data exporter is established.
The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Service Provider will, at a minimum, implement the following types of security measures when Processing Customer Personal Data:
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:
Establishing security areas, restriction of access paths;
Establishing access authorizations for employees and third parties;
Securing decentralized data processing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
User identification and authentication procedures;
ID/password security procedures (special characters, minimum length, change of password);
Automatic blocking (e.g. password or timeout);
Monitoring of break-in attempts and automatic lock-out of the user ID after several erroneous password attempts;
Creation of one master record per user, user-master data procedures per data processing environment; and
Encryption of archived data media.
3. Data access control
Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:
Internal policies and procedures;
Control authorization schemes;
Default configuration;
Differentiated access rights (profiles, roles, transactions and objects);
Disciplinary action against employees who access Personal Data without authorization;
Reports of access;
Access procedure;
Change procedure;
Deletion procedure; and
Encryption.
4. Disclosure control
Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
Encryption/Pseudonymization/tunneling;
Logging; and
Transport security.
5. Entry control
Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
Logging and reporting systems; and
Audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:
Unambiguous wording of the contract;
Formal commissioning (request form); and
Criteria for selecting the Processor.
7. Availability control
Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:
Backup procedures;
Mirroring of hard disks;
Uninterruptible power supply (UPS);
Remote storage;
Anti-virus/firewall systems; and
Disaster recovery plan, in the event of a physical or technical incident.
8. Separation control
Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:
Separation of databases;
“Internal client” concept / limitation of use;
Segregation of functions (production/testing); and
Procedures for storage, amendment, deletion, transmission of data for different purposes.
9. Testing controls
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
Periodical review and test of disaster recovery plan;
Testing and evaluation of software updates before they are installed;
Authenticated (with elevated rights) vulnerability scanning; and
Test bed for specific penetration tests.
10. IT governance
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:
Certification/assurance of processes and products;
Processes for data minimization;
Processes for data quality;
Processes for limited data retention;
Processes for ensuring accountability; and
Data subject rights handling policies.
The measures in this Annex apply to all transfers described in this DPA.