Data Processing Addendum

Last updated: January 29, 2024 

This Data Processing Addendum, which incorporates the Standard Contractual Clauses as necessary (“DPA”), is a formal agreement between Simbase Global Group B.V. ("Simbase") and the entity outlined in the Agreement (“Customer”). Both parties are herein individually referred to as a “Party” and together as the “Parties”. 

This DPA is seamlessly integrated into and forms an essential part of the subscription agreement that governs the usage of the Service (the “Agreement”) between the Parties. Any capitalized terms within this DPA, unless otherwise defined, shall carry the same meaning as specified in the Agreement. In instances of discrepancies or inconsistencies between this DPA, any previously executed data processing agreement, and other parts of the Agreement, the stipulations of this DPA shall prevail.

The essence of this DPA revolves around the conditions that apply when Simbase processes personal data under the Agreement. It's crafted to ensure that such processing aligns with Applicable Law and upholds the rights of individuals whose personal data are being processed. This agreement is not just a formality; it's our commitment to handle personal data with the utmost care and in accordance with legal standards.

1. Definitions

The terms used in this DPA shall have the meanings as defined in the Terms and conditions, as stated on https://www.simbase.com/terms. Additional terms to that list are provided below:

  1. Applicable Law(s)” means the entire spectrum of laws, regulations, and other legal or regulatory requirements relevant in any jurisdiction that pertain to privacy, data protection, security, or the management of personal data.

  2. The terms "controller," "business operator," "personal data," "process," "processing," "processor," and "data subject" will carry the meanings assigned to them by Applicable Law. Additionally, other pertinent terminology like "business," "business purpose," "consumer," "personal information," "sale" (along with its variations such as "sell," "selling," "sold," etc.), "service provider," "share" or "sharing" in the context of "cross-context behavioral advertising," and "third party" will also adhere to the definitions provided under Applicable Law.

  3. "Customer Personal Data" means any personal data, personal information, or personally identifiable information that the Customer uploads or inputs into the Service, which Simbase processes as part of providing the Service under the Agreement. This encompasses all relevant data provided by the Customer for the purpose of utilizing our services effectively. However, it's important to note that unless specifically agreed upon in writing, Customer Personal Data processed under the Agreement does not include Restricted Data. This distinction ensures clarity in the scope of data we handle and maintain under the terms of our service provision.

  4. "EEA" means the European Economic Area, encompassing the member states of the European Union along with Norway, Iceland, and Liechtenstein. 

  5. "Restricted Data" means a subset of personal data that is classified as "special categories of data" under Applicable Laws. This typically includes, but is not limited to, highly sensitive information such as social security numbers, financial account numbers, credit card details, or health information.

  6. "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data that Simbase and/or its subprocessors process while providing the Service.

2. Data processing

The Party processing the Personal Data shall:

  1. at all times comply with the provisions of the Data Protection Laws in its processing of Personal Data in connection with this Agreement.

  2. process that personal data only for the purposes of this Agreement or on the written instructions of the other Party, taking account the reasonable written instructions of the other party;

  3. keep the personal data confidential and not disclose that Personal Data to any person except as required or permitted by this Agreement or with the other Party's prior written consent;

  4. ensure that all employees and personnel authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  5. at the written request of other party, delete or return Personal Data (and any copies of the same) to the other party on termination of this Agreement unless required by Applicable Law or for billing purposes to store the personal data;

  6. make available to the other Party all information necessary to demonstrate compliance with the obligations in this section and allow for and meaningfully contribute to audits, including inspections, conducted by the other Party or its auditor (at the other Party’s cost and expense unless otherwise agreed);

  7. notify the other Party without undue delay after becoming aware of a Personal Data breach or of an incident occurring in relation to or otherwise in connection with the Personal Data which is, or may reasonably be considered to be, adverse to the protection and safeguarding of that Personal Data;

  8. maintain complete and accurate records and information to demonstrate compliance with this Clause 2.

  9. ensure that it has in place appropriate technical or organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

3. Subprocessing

Customer acknowledges and agrees that Simbase’s Affiliates and certain third parties may be engaged as subprocessors (“Subprocessors”) to process Customer Personal Data on behalf of Simbase in order to provide the Service. Simbase’s Subprocessors are listed on Simbase’s Subprocessors page. Simbase will impose contractual obligations on any Subprocessor it appoints, requiring them to protect Customer Personal Data to standards that are no less protective than those set forth under this DPA. Simbase remains liable for its Subprocessors’ performance under this DPA to the same extent Simbase is liable for its own performance.

4. Data Security

At Simbase, we implement a multi-layered security strategy. A more detailed explanation of our security measures can be found on our dedicated webpage: www.simbase.com/terms/data-security-standards.