Personal Information Processing Addendum

Introduction

This Personal Information Processing Addendum (the “PIPA”) is attached to and incorporated by reference into the Browsertrix Hosted Service Terms & Conditions (the “Agreement”) between Webrecorder (hereinafter “Provider”) and Customer. This PIPA sets out the additional terms, requirements, and conditions on which the Provider will obtain, handle, process, disclose, transfer, or store Personal Information when providing services under the Master Agreement.

1. Definitions and Interpretation

1.1 The following definitions and rules of interpretation apply in this PIPA:

• “Business Purpose” means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.

• “Data Subject” means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

• “Personal Information” means any information the Provider processes for the Customer that:

  • (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or
  • (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

• “Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

• “Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

• “Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

  1.2 This PIPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this PIPA.

  1.3 The Appendices form part of this PIPA and will have effect as if set out in full in the body of this PIPA. Any reference to this PIPA includes the Appendices.

  1.4 A reference to writing or written includes email.

  1.5 In the case of conflict or ambiguity between:

• Any provision contained in the body of this PIPA and any provision contained in the Appendices, the provision in the body of this PIPA will prevail;

• The terms of any accompanying invoice or other documents annexed to this PIPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail; and

• Any of the provisions of this PIPA and the provisions of the Master Agreement, the provisions of this PIPA will prevail.

2. Personal Information Types and Processing Purposes

2.1 The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.2 Appendix A describes the general Personal Information categories and related types of Data Subjects the Provider may process to fulfill the Business Purposes of the Master Agreement. The Customer discloses Personal Information to the Provider only for the limited and specified Business Purposes.

3. Provider’s Obligations

3.1 The Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Provider will not process, retain, use, or disclose the Personal Information for any other purpose, outside of the parties’ business relationship, or in a way that does not comply with this PIPA or the Privacy and Data Protection Requirements. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.

3.2 The Provider must promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

3.3 The Provider will maintain the confidentiality of all Personal Information and will not sell it to anyone, share it for cross-contextual (targeted) advertising with anyone, or disclose it to third parties without specific authorization from the Customer or this PIPA, unless required by law. If a law requires the Provider to process or disclose Personal Information, the Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.

3.5 The Provider must promptly notify the Customer of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect the Provider’s performance of the Master Agreement or this PIPA.

3.6 The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Information other than as required under the Privacy and Data Protection Requirements.

4. Provider’s Employees

4.1 The Provider will limit Personal Information access to:

• (a) those employees who require Personal Information access to meet the Provider’s obligations under this PIPA and the Master Agreement; and

• (b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

  4.2 The Provider will ensure that all employees:

• (a) are informed of the Personal Information’s confidential nature and use restrictions and are obliged to keep the Personal Information confidential;

• (b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and

• (c) are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this PIPA.

  4.3 The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Information.

5. Security

5.1 The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage.

5.2 The Provider will immediately notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.

5.3 The Provider must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.

6. Security Breaches and Personal Information Loss

6.1 The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.

6.2 The Provider will promptly notify Customer if it becomes aware of:

• (a) any unauthorized or unlawful processing of the Personal Information; or

• (b) any Security Breach.

  6.3 Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:

• (a) providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Security Breach under the Data Protection requirements; and

• (b) taking reasonable steps as are directed by Customer to assist in the investigation, mitigation, and remediation of the Security Breach.

  6.4 The Provider will not inform any third party of a Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.

  6.5 The Provider agrees that the Customer has the sole right to determine:

• (a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and

• (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

7. Cross-Border Transfers of Personal Information

7.1 Appendix A lists all of the countries where the Provider may receive, access, transfer, or store Personal Information. The Provider must not receive, access, transfer, or store Personal Information outside the countries listed on Appendix A without the Customer’s prior written consent.

7.2 The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.

8. Subcontractors

8.1 The Provider may only authorize a third party (subcontractor) to process the Personal Information if:

• (a) the Customer is given an opportunity to object within 14 days after the Provider supplies the Customer with full details regarding such subcontractor;
• (b) the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this PIPA and, upon the Customer’s written request, provides the Customer with copies of such contracts;
• (c) the Provider maintains control over all Personal Information it entrusts to the subcontractor; and
• (d) the subcontractor’s contract terminates automatically on termination of this PIPA for any reason.

9. Data Subject Requests, Complaints, and Third Party Rights

9.1 The Provider must promptly notify the Customer if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions.

9.2 The Provider must notify the Customer promptly if it receives any other complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.

9.3 The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.

9.4 The Provider must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this PIPA, or is otherwise required by law.

10. Term and Termination

10.1 This PIPA will remain in full force and effect so long as:

• (a) the Master Agreement remains in effect; or

• (b) the Provider retains any Personal Information related to the Master Agreement in its possession or control (the “Term”).

  10.2 Any provision of this PIPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.

11. Data Return and Destruction

11.1 At the Customer’s request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer. Customers by default will have 30 days to export all data before the Provider permanently deletes data. Upon a written request, the Provider can expedite data deletion before 30 days.

11.2 On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control.

11.3 If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.

12. Records

12.1 The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this PIPA.

13. Audit

13.1 The Provider will permit the Customer and its third-party representatives to audit the Provider’s compliance with its PIPA obligations, upon at least 30 days’ notice, during the Term and for 1 year after this PIPA terminates. The Provider will give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:

• (a) physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider’s premises or on systems storing Personal Information;
• (b) access to and meetings with any of the Provider’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
• (c) inspection of all Records and the infrastructure, electronic data, or systems, facilities, equipment, or application software used to store, process, or transport Personal Information.

14. Notice

14.1 Any notice or other communication given to a party under or in connection with this PIPA must be in writing, by email. Customer shall be notified by email sent to the address set forth in the Master Agreement. Provider shall be notified by email sent to: support@webrecorder.org.

Appendix A

Personal Information Processing Purposes and Details

Business Purposes

The Personal Information will be processed as necessary to provide the Services pursuant to the Master Agreement as instructed by the Customer, including:

• hosting website archives at the direction of the Customer; and
• displaying archived websites to Customer’s authorized users, upon request.

Personal Information Categories

The Personal Information archived in the course of using the Service is determined and controlled by the Customer, and may include any Personal Information of Data Subjects contained on websites archived by the Customer using the Services.

Data Subject Types

Individuals whose Personal Information is publicly displayed on websites archived by the Customer using the Services.

Processing Duration

Archived data is retained for the period specified by the Customer, or until termination of the Agreement.

Approved Subcontractors

• Digital Ocean
  • Data processing agreement: digitalocean.com/legal/data-processing-agreement
• Wasabi
  • Data processing agreement: wasabi.com/legal/data-processing-agreement

Locations

Countries where the Provider may receive, access, transfer or store Personal Information:

• USA
• Canada
• Germany (EU)
• Netherlands (EU)