Personal Information Processing Addendum

Introduction

This Personal Information Processing Addendum (the “PIPA”) is attached to and incorporated by reference into the Browsertrix Hosted Service Terms & Conditions (the “Agreement”) between Webrecorder (hereinafter “Provider”) and Customer. This PIPA sets out the additional terms, requirements, and conditions on which the Provider will obtain, handle, process, disclose, transfer, or store Personal Information when providing services under the Master Agreement.

1. Definitions and Interpretation

1.1 The following definitions and rules of interpretation apply in this PIPA:

2. Personal Information Types and Processing Purposes

2.1 The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.2 Appendix A describes the general Personal Information categories and related types of Data Subjects the Provider may process to fulfill the Business Purposes of the Master Agreement. The Customer discloses Personal Information to the Provider only for the limited and specified Business Purposes.

3. Provider’s Obligations

3.1 The Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Provider will not process, retain, use, or disclose the Personal Information for any other purpose, outside of the parties’ business relationship, or in a way that does not comply with this PIPA or the Privacy and Data Protection Requirements. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.

3.2 The Provider must promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

3.3 The Provider will maintain the confidentiality of all Personal Information and will not sell it to anyone, share it for cross-contextual (targeted) advertising with anyone, or disclose it to third parties without specific authorization from the Customer or this PIPA, unless required by law. If a law requires the Provider to process or disclose Personal Information, the Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.

3.5 The Provider must promptly notify the Customer of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect the Provider’s performance of the Master Agreement or this PIPA.

3.6 The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Information other than as required under the Privacy and Data Protection Requirements.

4. Provider’s Employees

4.1 The Provider will limit Personal Information access to:

5. Security

5.1 The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage.

5.2 The Provider will immediately notify the Customer if it becomes aware of any advances in technology and methods of working that indicate that the parties should adjust their security measures.

5.3 The Provider must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.

6. Security Breaches and Personal Information Loss

6.1 The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.

6.2 The Provider will promptly notify the Customer if it becomes aware of:

7. Cross-Border Transfers of Personal Information

7.1 Appendix A lists all of the countries where the Provider may receive, access, transfer, or store Personal Information. The Provider must not receive, access, transfer, or store Personal Information outside the countries listed in Appendix A without the Customer’s prior written consent.

7.2 The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.

8. Subcontractors

8.1 The Provider may only authorize a third party (subcontractor) to process the Personal Information if:

9. Data Subject Requests, Complaints, and Third Party Rights

9.1 The Provider must promptly notify the Customer if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions.

9.2 The Provider must notify the Customer promptly if it receives any other complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.

9.3 The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.

9.4 The Provider must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this PIPA, or is otherwise required by law.

10. Term and Termination

10.1 This PIPA will remain in full force and effect so long as:

11. Data Return and Destruction

11.1 At the Customer’s request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer. By default, the Customer will have 30 days to export all data before the Provider permanently deletes it. Upon written request, the Provider can expedite data deletion before the 30 days have elapsed.

11.2 On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control.

11.3 If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.

12. Records

12.1 The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this PIPA.

13. Audit

13.1 The Provider will permit the Customer and its third-party representatives to audit the Provider’s compliance with its PIPA obligations, upon at least 30 days’ notice, during the Term and for 1 year after this PIPA terminates. The Provider will give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:

14. Notice

14.1 Any notice or other communication given to a party under or in connection with this PIPA must be in writing, by email. Customer shall be notified by email sent to the address set forth in the Master Agreement. Provider shall be notified by email sent to: support@webrecorder.org.


Appendix A

Personal Information Processing Purposes and Details

Business Purposes

The Personal Information will be processed as necessary to provide the Services pursuant to the Master Agreement as instructed by the Customer, including:

Personal Information Categories

The Personal Information archived in the course of using the Service is determined and controlled by the Customer, and may include any Personal Information of Data Subjects contained on websites archived by the Customer using the Services.

Data Subject Types

Individuals whose Personal Information is publicly displayed on websites archived by the Customer using the Services.

Processing Duration

Archived data is retained for the period specified by the Customer, or until termination of the Agreement.

Approved Subcontractors

Locations

Countries where the Provider may receive, access, transfer or store Personal Information: