Ir al contenido principal

Flycrew Data Protection Addendum

Joe Peña avatar
Escrito por Joe Peña
Actualizado hace más de 9 meses

1. Introduction

This Data Protection Addendum (“Addendum”) is supplemental to, and made pursuant to, the Platform Terms of Service by and between Flycrew Interactive, Inc., a Delaware C-Corp (“Flycrew”), and Customer (“Customer”). This Addendum applies to Flycrew’s Processing of Personal Data under the Platform Terms of Service between Flycrew and Customer for Flycrew’s provision of Services (the “Agreement”).

Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Affiliates.

This Addendum shall become legally binding upon Customer entering into the Agreement.

2. Definitions

Capitalized terms that are used but not defined in this Addendum have the meanings given in the Agreement.

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity.

  • “Applicable Data Protection Laws” means, with respect to a party, all privacy, data protection, and information security-related laws and regulations applicable to such party’s Processing of Personal Data.

  • “Contact Data” means the Personal Data that Flycrew Processes as a controller, such as account information, payment information, on-site visitor information, and event attendee information.

  • “Customer Data” means all information or data, electronic or otherwise, that is provided to Flycrew by, or on behalf of, Customer through the use of the Platform. Customer Data includes Content as defined in the Agreement.

  • “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

  • “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction.

  • “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws.

  • “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Flycrew. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

  • “Service-Generated Data” means usage data and metadata that is generated through the use of the Services, including data generated through the use of customer support and other services unrelated to the Product. This Addendum applies to Service-Generated Data to the extent Service-Generated Data constitutes Personal Data.

  • “Services” means the collective products and services that may be provided by Flycrew as defined in the Agreement, including, without limitation, the “Platform.”

  • “Subprocessor” means any third party authorized by Flycrew to Process any Personal Data.

3. General; Termination

a. This Addendum forms part of the Agreement and except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will govern.

b. Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.

c. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless required otherwise by Applicable Data Protection Laws.

d. This Addendum will remain in effect until, and automatically terminate upon, deletion of Personal Data or expiration or termination of the Agreement.

4. Relationship of the Parties

a. Flycrew as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Data, Customer may act as a controller or processor and Flycrew is a processor. Flycrew will process Customer Data in accordance with Customer’s instructions as outlined in Section 6 (Role and Scope of Processing).

b. Flycrew as Controller. To the extent that any Service-Generated Data is considered Personal Data and as to any Contact Data, Flycrew is the controller with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at https://flycrew.com/policies/privacy.

5. Compliance with Law

Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Personal Data.

6. Role and Scope of the Processing

a. Customer Responsibilities. Customer is solely responsible for obtaining and maintaining all necessary consents prior to accessing, storing, uploading, processing, or storing Customer Data in the Service. Customer has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions, and rights necessary under applicable laws, including Applicable Data Protection Laws, for Flycrew to lawfully process Customer Data for the purposes contemplated by the Agreement. Customer has complied with all applicable laws, rules, and regulations, including Applicable Data Protection Laws, in the collection and provision to Flycrew and its Subprocessors of such Customer Data.

b. Customer Instructions. Flycrew will Process Personal Data only in accordance with Customer’s documented lawful instructions on behalf of the controller, except to the extent required by Applicable Data Protection Laws to which Flycrew is subject or where Flycrew becomes aware or believes that Customer’s instructions violate Applicable Data Protection Laws, in which case Flycrew will notify Customer. By entering into the Agreement, Customer instructs Flycrew to Process Customer Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing by Flycrew as constituting instructions for purposes of this Addendum. Customer acknowledges and agrees that such instruction authorizes Flycrew to Process Customer Data (a) to perform its obligations and exercise its rights under the Agreement; (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; and (c) does not conflict with the instructions given to the Customer by the controller to Process Personal Data.

7. Subprocessing

a. Customer specifically authorizes Flycrew to use its Affiliates as Subprocessors and generally authorizes Flycrew to engage Subprocessors to Process Customer Data. In such instances, Flycrew: (i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum; and (ii) remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Flycrew to breach any of its obligations under this Addendum.

b. A list of Flycrew’s current Subprocessors, including their functions and locations, is available at this page or such other website as Flycrew may designate (“Subprocessor Page”), and may be updated by Flycrew from time to time in accordance with this Addendum.

c. If Flycrew appoints new Subprocessors or intends to make changes concerning the addition or replacement of Subprocessors, such changes will be made to our Subprocessor Page. You will have seven (7) calendar days from the date of our Subprocessor Page to object to the change. If You object to the appointment of a Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds, and Customer will remain liable to pay any committed fees in the Agreement.

8. Security

a. Security Measures. Flycrew will implement and maintain technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with Flycrew’s security standards referenced in the Agreement (“Security Measures”).

b. Customer Responsibility.

(i) Customer is responsible for reviewing the information made available by Flycrew relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease Flycrew’s obligations as compared to those reflected in such terms as of the Effective Date).

(ii) Customer agrees that, without limitation of Flycrew’s obligations under this Section 8, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk with respect to the Customer Data; (b) securing the account authentication credentials, systems, and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that it uses with the Services; and (d) maintaining its own backups of Customer Data.

c. Security Incident. Upon becoming aware of a confirmed Security Incident, Flycrew will notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Flycrew’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, (a) the details of the Security Incident as known or as reasonably requested by Customer, and (b) the steps taken, deemed necessary and reasonable by Flycrew, to mitigate the potential risks, to the extent that the remediation is within Flycrew’s reasonable control. Without prejudice to Flycrew’s obligations under this Section 8.c., Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents. Flycrew’s notification of or response to a Security Incident under this Section 8.c. will not be construed as an acknowledgement by Flycrew of any fault or liability with respect to the Security Incident. These obligations will not apply to Security Incidents to the extent they are caused by Customer.

9. Audits and Reviews of Compliance

‍The parties acknowledge that Customer must be able to assess Flycrew’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Flycrew is acting as a processor on behalf of Customer. Flycrew uses internal auditors to verify the adequacy of its security measures with respect to its processing of Customer Data. In the event Applicable Data Protection Laws require audit of Flycrew’s data security practices, Flycrew will work with Customer in good faith, and subject to reasonable confidentiality controls, to comply with audit requirements legally compelled or required under such laws. If Flycrew is not able to comply with the above-referenced audit, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds, and Customer will remain liable to pay any committed fees in an order form, order, statement of work, or other similar ordering document.

10. Impact Assessments and Consultations

Flycrew will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Flycrew to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Laws.

11. Data Subject Requests

Flycrew will, upon Customer’s request (and at Customer’s expense), provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability, and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Flycrew receives a request from a Data Subject in relation to their Personal Data, Flycrew will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

12. Return or Deletion of Personal Data

a. Upon termination of the Agreement, Flycrew will initiate its purge process to delete or anonymize the Personal Data within a commercially reasonable timeframe. You may also request, within 60 days of termination, that Flycrew return such Personal Data. Termination or expiration of the Agreement serves as instruction for Flycrew to delete all Personal Data within a commercially reasonable timeframe.

b. Notwithstanding the foregoing, Customer understands that Flycrew may retain Customer Data if required by law, and such data will remain subject to the requirements of this Addendum.

13. International Provisions

a. Processing in the United States. Customer acknowledges that, as of the Effective Date, Flycrew’s primary processing facilities are in the United States. Notwithstanding the foregoing, Customer acknowledges that Flycrew may, in connection with the provision of Services, need to transfer and process Customer data to and in the United States and anywhere else in the world where Flycrew and its Subprocessors maintain data processing operations. Flycrew will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this Addendum.

b. Jurisdiction Specific Terms. To the extent that Flycrew Processes Personal Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this Addendum.

c. Cross Border Data Transfer Mechanism. To the extent that Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the United Kingdom (“UK”), Switzerland, or any other jurisdiction listed in Schedule 3) to Flycrew located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

SCHEDULE 1 SUBJECT MATTER & DETAILS OF PROCESSING

  1. Nature and Purpose of the Processing. Flycrew will process Personal Data as necessary to provide the Services under the Agreement. Flycrew does not sell Personal Data (or end user information within such Personal Data) and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests. a. Customer Data. Flycrew will process Customer Data as a processor in accordance with Customer’s instructions as outlined in Section 6.a (Customer Instructions) of this Addendum. b. Service-Generated Data and Contact Data. Flycrew will process Service-Generated Data and Contact Data as a controller for the purposes outlined in Section 4.b (Flycrew as Controller) of this Addendum.

  2. Processing Activities. a. Customer Data. Customer Data will be subject to the following basic processing activities: the provision of Services and disclosures in accordance with the Agreement and/or as compelled by applicable laws. b. Service-Generated Data and Contact Data. Personal Data contained in Service-Generated Data and Contact Data will be subject to the following processing activities by Flycrew: Flycrew may use Service-Generated Data and/or Contact Data to operate, improve, and support the Services, to provide marketing and service-related messages, and for other lawful business practices, such as analytics, benchmarking, and reporting.

  3. Duration of the Processing. The period for which Personal Data will be retained and the criteria used to determine that period is as follows: a. Customer Data. Prior to the termination of the Agreement, Flycrew will process stored Customer Data for the purpose of providing the Services until Customer elects to delete such Customer Data via the Platform or in accordance with the Agreement. b. Service-Generated Data and/or Contact Data. Upon termination of the Agreement, Flycrew may retain, use, and disclose Service-Generated Data and/or Contact Data for the purposes set forth above in Section 2.b (Services-Generated and Contact Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Flycrew will anonymize or delete Personal Data contained within Service-Generated Data and/or Contact Data when Flycrew no longer requires it for the purpose set forth in Section 2.b (Service-Generated Data and/or Contact Data) of this Schedule 1.

  4. Categories of Data Subjects. a. Customer Data. Individuals whose Personal Data is included in Customer Data. b. Service-Generated Data and Contact Data: Customer’s Permitted Users with access to a Flycrew account, Customers, suppliers, and end users.

  5. Categories of Personal Data. a. Personal Data. The categories of Personal Data are: any Personal Data that Customer, or third parties acting on their behalf, may submit to Flycrew in connection with the performance of the Service, to the extent of which is exclusively determined and controlled by the Customer. b. Service-Generated Data and Contact Data. Flycrew processes Personal Data within Service-Generated Data and/or Contact Data, such as name, email address, phone number, account preferences, and content of communications with any support services.

  6. Sensitive Data or Special Categories of Data. a. Customer Data. Customers are prohibited from including sensitive data or special categories of data in Customer Data. b. Service-Generated Data and Contact Data. Sensitive Data is not contained in Service-Generated Data and/or Contact Data.

SCHEDULE 2 TECHNICAL & ORGANIZATIONAL SECURITY MEASURES Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding Flycrew’s technical and organizational security measures set forth below.

Technical and Organizational Security Measures:

  1. Measures of pseudonymization and encryption of personal data. Personal Data is encrypted in transit, at rest, and protected by role-based access controls.

  2. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services. Flycrew's Customer agreements contain strict confidentiality obligations. Additionally, Flycrew requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in Flycrew's Customer agreements. Flycrew ensures that Customer Data is restricted to business responsibilities or subject matter experts.

  3. Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident. Flycrew ensures that all backups are analyzed to ensure successful recovery and maintain required availability. Backups are stored within the encrypted production environment to preserve their confidentiality and integrity. Best practices are employed within our infrastructure to ensure resiliency and ease of recovery in the event of an incident. Tests are conducted at least annually.

  4. Processes for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of processing. Flycrew ensures effectiveness of technical and organizational measures via internal and external assessments.

  5. Measures for user identification and authorization. Flycrew personnel are required to use unique user access credentials and passwords for authorization. Flycrew follows the principles of least privilege through role-based models when provisioning system access. Flycrew personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval prior to access provisioning. Access is promptly removed upon role change or termination.

  6. Measures for the protection of data during transmission. Customer Data is encrypted in transit and protected by role-based access controls.

  7. Measures for the protection of data during storage. Customer data is encrypted at rest and protected by role-based access controls.

  8. Measures for ensuring physical security of locations at which personal data are processed. Flycrew is hosted in certified data centers that meet the requirements of ISO 27001, PCI DSS Service Provider Level 1, and SOC 2. Physical security controls at our data centers include but are not limited to 24x7 monitoring, surveillance cameras, visitor logs, and stringent entry requirements.

  9. Measures for ensuring events logging. Flycrew monitors access to applications, tools, and resources that process or store Customer Data, including user activity, administrator and privileged user activity, processing activity, network and firewall activity, audit activity, and scanning. Monitoring of security logs is centralized by the security team. Log activities are investigated when necessary and escalated appropriately.

Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized Flycrew personnel. Logs are preserved in accordance with regulatory requirements.

  1. Measures for ensuring systems configuration, including default configuration. Flycrew implements a baseline configuration for its computer and network devices that includes but is not limited to: (a) removing and disabling unnecessary user accounts; (b) changing default or guessable account passwords; (c) authenticating users before enabling internet-based access to sensitive data or critical data.

Our development team employs secure coding techniques and best practices, focused around mitigating risk to the OWASP Top Ten. Developers are trained in secure web application development practices regularly. Development, testing, and production environments are logically segmented. All changes are peer-reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.

  1. Measures for internal IT and IT security governance and management. Flycrew maintains a risk-based assessment security program. The framework for Flycrew’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Flycrew’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Flycrew’s business operations. Flycrew has dedicated Privacy & Security personnel who focus on application, network, and system security. These individuals are responsible for security compliance, education, and incident response. Further, these individuals are integrated throughout the organization and provide strategic guidance on best practices regularly.

  2. Measures for certifications/assurance of processes and products. Flycrew conducts various internal and third-party audits to attest to various frameworks.

  3. Measures for ensuring data minimization. Flycrew Customers unilaterally determine what Customer Data they route through the Flycrew Services and how the Services are configured. As such, Flycrew operates on a shared responsibility model. Flycrew provides tools within the Services that give Customers control over exactly what data enters the platform.

  4. Measures for ensuring data quality. Customer shall have sole responsibility for the accuracy, quality, and legality of the Customer Data and the means by which Customer acquired the Customer Data. Data that is processed is monitored by Flycrew to ensure it is accurate, complete, and reliable for purposes of providing the Services and Platform.

  5. Measures for ensuring limited data retention. Customers unilaterally determine what Customer Data they route through the Flycrew Services and how the Services are configured. As such, Flycrew operates on a shared responsibility model. If a Customer is unable to delete Customer Data via the self-services functionality of the Services, then Flycrew deletes Customer Data upon the Customer's written request, within the timeframe specified in the Data Protection Addendum and in accordance with Applicable Data Protection Law.

  6. Measures for ensuring accountability. Flycrew has adopted measures for ensuring accountability, such as implementing data protection policies across the business, maintaining documentation of processing activities, recording and reporting Security Incidents involving Personal Data, and appointing a Data Protection Officer. Additionally, Flycrew conducts third-party audits to ensure compliance with our privacy and security standards.

  7. Measures for allowing data portability and ensuring erasure. Flycrew's Customers have direct relationships with their end users and are solely responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws. Flycrew has built-in self-service functionality to the Services that allow Customers to delete and suppress Personal Data, with product documentation available at this page. If a Customer is unable to use such self-service functionality, Flycrew specifies in the Data Protection Addendum that it will provide assistance to such Customer as may reasonably be required to comply with Customer's obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability, and objection). If Flycrew receives a request from a Data Subject in relation to their Personal Data, Flycrew will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

  8. For transfers to [sub]-processors, also describe the specific technical and organizational measures to be taken by the [sub]-processor to be able to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the data exporter. When Flycrew engages a sub-processor under this Addendum, Flycrew and the sub-processor enter into an agreement with data protection terms substantially similar to those contained herein. Each sub-processor agreement must ensure that Flycrew is able to meet its obligations to Customer. In addition to implementing technical and organizational measures to protect personal data, sub-processors must (a) notify Flycrew in the event of a Security Incident so Flycrew may notify Customer; (b) delete data when instructed by Flycrew in accordance with Customer’s instructions to Flycrew; (c) not engage additional sub-processors without authorization; (d) not change the location where data is processed; or (e) process data in a manner that conflicts with Customer’s instructions to Flycrew.

SCHEDULE 3 CROSS BORDER DATA TRANSFER MECHANISM

  1. Definitions

    • “Standard Contractual Clauses” means the 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.

  2. The 2021 Standard Contractual Clauses. For data transfers from the European Economic Area, the UK, and Switzerland that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will apply in the following manner: a. Module One (Controller to Controller) will apply where Customer is a controller of Service-Generated Data and/or Contact Data and Flycrew is a controller of Service-Generated Data and/or Contact Data. b. Module Two (Controller to Processor) will apply where Customer is a controller of Customer Data and Flycrew is a processor of Customer Data. c. Module Three (Processor to Processor) will apply where Customer is a processor of Customer Data and Flycrew is a sub-processor of Customer Data. d. For each Module, where applicable: (i) in Clause 7, the option docking clause will not apply; (ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (Subprocessing) of this Addendum; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law; (v) in Clause 18(b), disputes will be resolved before the courts of Ireland; (vi) In Annex I, Part A:
    - Data Exporter: Customer and authorized Affiliates of Customer. - Contact Details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications. - Data Exporter Role: The Data Exporter’s role is outlined in Section 4 of this Addendum. - Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement. - Data Importer: Flycrew - Contact Details: Flycrew Privacy Team – privacy@flycrew.com. - Data Importer Role: The Data Importer’s role is outlined in Section 4 of this Addendum. - Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement. (vii) In Annex I, Part B: - The categories of data subjects are described in Schedule 1, Section 4. - The sensitive data transferred is described in Schedule 1, Section 6. - The frequency of the transfer is a continuous basis for the duration of the Agreement. - The nature of the processing is described in Schedule 1, Section 1. - The purpose of the processing is described in Schedule 1, Section 1. - The period of the processing is described in Schedule 1, Section 3. - For transfers to sub-processors, the subject matter, nature, and duration of the processing is outlined at our Subprocessor Page. (viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.

  3. As to the specific modules, the parties agree that the following checked modules apply, as the circumstances of the transfer may apply:

    • Controller-Controller - Module One

    • Controller-Processor - Module Two

    • Processor-Processor - Module Three

  4. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses will prevail.

SCHEDULE 4 JURISDICTION SPECIFIC TERMS

  1. California a. The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (“CCPA”). b. The terms “business,” “commercial purpose,” “service provider,” “sell,” and “personal information” have the meanings given in the CCPA. c. With respect to Personal Data, Flycrew is a service provider under the CCPA. d. Flycrew will not (a) sell Personal Data; (b) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services; or (c) retain, use, or disclose the Personal Data outside of the direct business relationship between Flycrew and Customer. e. The parties acknowledge and agree that the Processing of Customer Data authorized by Customer’s instructions described in Section 6 of this Addendum is integral to and encompassed by Flycrew’s provision of the Services and the direct business relationship between the parties. f. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Flycrew’s access to Customer Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. g. To the extent that any Service-Generated and/or Contact Data (as defined in the Agreement) is considered Personal Data, Flycrew is the business with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at https://flycrew.com/policies/privacy.

  2. EEA a. The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679)(“GDPR”). b. When Flycrew engages a Subprocessor under Section 7 (Subprocessing), it will: (i) require any appointed Subprocessor to protect Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and (ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses. c. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

  3. Switzerland a. The definition of “Applicable Data Protection Laws” includes the Swiss Federal Act on Data Protection. b. When Flycrew engages a Subprocessor under Section 7 (Subprocessing), it will: (i) require any appointed Subprocessor to protect Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and (ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

  4. United Kingdom a. References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018). b. When Flycrew engages a Subprocessor under Section 7 (Subprocessing), it will: (i) require any appointed Subprocessor to protect Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and (ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

¿Ha quedado contestada tu pregunta?