Data Processing Addendum
This agreement is a legally binding document to be entered into between the controller and the processor.
This Data Processing Addendum (“Addendum”) is entered into as of the date of the last signature below, (the “Effective Date”), by and between CREATIVEFORCE.IO, INC, a Delaware corporation with its primary place of business at 237 A. St. PMB 48388, San Diego, CA 92101 (“Creative Force”), and the customer using Creative Force’s services (“Customer”) pursuant to the Creative Force Software as a Service Agreement available at SaaS Agreement, as updated from time to time, or other agreement between Customer and Creative Force governing Customer’s use of the Service, as applicable (“the Agreement”).
This Addendum is incorporated into and forms part of the Agreement. The terms used in this Addendum have the meaning set forth in this Addendum. Capitalized terms not otherwise defined herein have the meaning given to them in the Agreement. Except as modified below, the Agreement remains in full force and effect.
How to execute this addendum
- This Addendum consists of two parts: (i) the main body of the Addendum and (ii) Appendixes A, B, and C.
- This Addendum has been pre-signed on behalf of Creative Force.
- To complete this Addendum, Creative Force must:
- Complete the information in the signature box and sign on Page 9.
- Send the signed Addendum to Creative Force by email to email@example.com.
- Upon mutual execution of the Addendum by Creative Force and Customer, this Addendum will become legally binding.
For the avoidance of doubt, executing this Addendum shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Appendices.
How this addendum applies
Creative Force provides services to Customer under the Agreement. Pursuant to the Agreement, Creative Force may from time to time process Personal Data (as defined below) for which Customer may be a “Data Controller” as defined by applicable privacy laws, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, and because such processing may, from time to time, involve the transfer of Personal Data from the European Union to the United States, Customer and Creative Force have agreed to execute this Addendum in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.
- “Affiliate” means an entity that directly or indirectly Controls, or is Controlled by or is under common Control with an entity.
- “Agreement” means Creative Force’s Software as a Service Agreement or other written or electronic agreement, which governs the provision of the Service to Customer, as such agreement may be updated from time to time.
- “Applicable Data Protection Law” shall mean all laws and regulations applicable to the processing of personal data under the Agreement. For the sake of clarity, Applicable Data Protection Law includes, without limitation, (1) data protection laws and regulations of the European Union, the European Economic Area and their member states and Switzerland; (2) data protection laws and regulations of the United Kingdom; (3) the California Consumer Privacy Act (“CCPA”); (4) the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); and (5) the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018.
- “Control” means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
- “Controller” (controller includes “Business” as defined by the CCPA), “processor” (processor includes “Service Provider” as defined by the CCPA), “data subject” (data subject includes “Consumer” as defined by the CCPA), “personal data” (personal data includes “Personal Information” as defined by the CCPA) and “processing” (and “process”) shall have the meanings given in Applicable Data Protection Law.
- “Creative Force Services” shall mean the services Creative Force is providing pursuant to the Agreement.
- “Customer” shall mean the Customer entities or affiliates that are party to the Agreement.
- “Customer Information” means any personal data that Creative Force processes on behalf of Customer via the Creative Force Service, as more particularly described in this Addendum.
- “EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (“GDPR”)); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
- “Europe” means, for the purposes of this Addendum, the European Union, the European Economic Area, and/or their member states, Switzerland, and the United Kingdom.
- “Privacy Shield Framework” shall mean the EU-U.S. and/or Swiss-U.S. Privacy Shield self-certification program operated by the US Department of Commerce.
- “Privacy Shield Principles” shall mean the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles).
- “SCCs” mean the standard contractual clauses for processors as approved by the European Commission or Swiss Federal Data Protection Authority (as applicable).
- “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Information on systems managed or otherwise controlled by Creative Force.
- “Sensitive Data” means personal data revealing racial, ethnic, political, or religious affiliation, trade union membership, or information about sexual life or sexual orientation.
- “Service Data” means any data relating to the Customer’s use, support, and/or operation of the Service.
- “Sub-processor” means any processor engaged by Creative Force or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Addendum. Sub-processors may include third parties or Affiliates of Creative Force, but shall exclude Creative Force’s employees or consultants.
2. Processing of Personal Data
- Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Customer Information, Customer is the data controller and Creative Force is the data processor as further described in Appendix A (Details of Data Processing) of this Addendum. Each party shall comply with its obligations under Applicable Data Protection Law, and this Addendum, when processing Customer Information.
- Customer Instructions. Creative Force shall process Customer Information only in accordance with Customer’s documented lawful instructions as set forth in the Agreement, including this Addendum; as necessary to comply with applicable law; or as otherwise agreed in writing (“Permitted Purposes”).
- Prohibited Data. Customer will not provide (or cause to be provided) any Sensitive Data to Creative Force for processing under the Agreement and Creative Force will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this Addendum will not apply to Sensitive Data.
- Customer Obligations. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, in respect of its processing of Customer Information and any processing instructions it issues to Creative Force; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Law for Creative Force to process Customer Information for the purposes described in the Agreement. Customer shall have the sole responsibility for the accuracy, quality, and legality of Customer Information and the means by which Customer acquired Customer Information. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Law) applicable to any content created, sent, or managed through the Service.
- Violations of Applicable Data Protection Law. Customer will ensure that Creative Force’s processing of the Customer Information in accordance with Customer’s instructions will not cause Creative Force to violate any applicable law, regulation, or rule, including without limitation Applicable Data Protection Law. Creative Force will inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate Applicable Data Protection Law.
- Confidentiality Obligations of Creative Force Personnel. Creative Force will ensure that any person it authorizes to process the Customer Information shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- Return or Deletion of Customer Information. Upon Customer's request or upon termination of the Agreement, Creative Force agrees, at Customer’s option, to either deliver to Customer or destroy in a manner that prevents Customer Personal Data from being reconstructed, any Customer Personal Data and any copies in Creative Force's control or possession, except that this requirement shall not apply to the extent Creative Force is required by applicable law to retain some or all of the Customer Information or to Customer Information it has archived on back-up systems, which Customer Information Creative Force shall securely isolate, protect from any further processing, and eventually delete in accordance with Creative Force’s deletion policies, except to the extent required by applicable law.
- No Sale of Information. Creative Force will not sell Customer Information, nor retain, use, or disclose Customer Information for any commercial purpose other than providing the Creative Force Services. Creative Force will not disclose Customer Information outside the scope of the Agreement. Creative Force understands its obligations under Applicable Data Protection Law and will comply with them.
3. Rights of Data Subjects
- Data Subject Rights. To the extent Customer, in its ordinary use of the Creative Force Services, does not have the ability to address a data subject request to exercise his/her rights under Applicable Data Protection Law, Creative Force shall, upon Customer’s request, provide commercially reasonable assistance to Customer in responding to such data subject request.
- Responding to Requests. In the event that any request, correspondence, enquiry or complaint from a data subject, regulator, or third party, including, but not limited to law enforcement, is made directly to Creative Force in connection with Creative Force’s processing of Customer Information, Creative Force shall promptly inform Customer providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Creative Force shall not respond to any such request, inquiry, or complaint without Customer’s prior consent. In the case of a legal demand for disclosure of Customer Information in the form of a subpoena, search warrant, court order, or other compulsory disclosure request, Creative Force shall attempt to redirect the requesting party or agency to request disclosure from Customer. Customer agrees that Creative Force may provide Customer’s basic contact information for this purpose. If Creative Force is legally compelled to respond to such a request, Creative Force shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Creative Force is legally prohibited from doing so. For the avoidance of doubt, nothing in the Agreement, including this Addendum shall restrict or prevent Creative Force from responding to any data subject or data protection authority requests in relation to personal data for which Creative Force is a controller.
- Data Protection Impact Assessments. If Creative Force believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of data subjects, Creative Force shall inform Customer and (taking into account the nature of the processing and the information available to Creative Force) provide reasonable cooperation to Customer in connection with any data protection impact assessment or consultations with supervisory authorities that may be required under Applicable Data Protection Law. Creative Force shall comply with the foregoing by: (i) complying with Section 4.5 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer’s expense.
- Technical and Organizational Measures. Creative Force has implemented and will maintain appropriate technical and organizational security measures designed to preserve the security and confidentiality of Customer Information in accordance with Creative Force’s security standards described in Appendix B (“Security Measures”).
- Updates to Security Measures. Customer is responsible for reviewing the information made available by Creative Force relating to data security and making an independent determination as to whether the Creative Force Services meet Customer’s requirements and legal obligations under Applicable Data Protection Law. Customer acknowledges that the Security Measures are subject to technical progress and development and that Creative Force may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Service provided to Customer.
- Security Incident Response. Creative Force shall, to the extent permitted by law, notify Customer without undue delay of any reasonably suspected or actual Security Incident which affects Customer Information. The notice shall summarize in reasonable detail the nature and scope of the Security Incident, to the extent known, and the corrective action already taken or to be taken by Creative Force. Furthermore, Creative Force shall provide timely information relating to the Security Incident as it becomes known or as reasonably requested by Customer and shall promptly take reasonable steps to remedy or mitigate the effect of any Security Incident. Creative Force’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Creative Force of any fault or liability with respect to the Security Incident. The parties will collaborate on whether any notice of breach is required to be given to any person, and if so, the content of that notice. Unless prohibited by an applicable statute or court order, Creative Force shall also notify Customer of any third-party legal process relating to any Security Incident, including, but not limited to, any legal process initiated by any governmental entity. Customer agrees that an unsuccessful Security Incident will not be subject to this Section 4.3 (Security Incident Response). An unsuccessful Security Incident is one that results in no unauthorized access to Customer Information or to any of Creative Force’s equipment or facilities used to store or process Customer Information.
- Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided in this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Information when in transit to and from the Creative Force Service, and taking appropriate steps to securely encrypt or back up any Customer Information uploaded to the Creative Force Service.
- Audits. Subject to reasonable notice, Creative Force shall provide Customer an opportunity to conduct a privacy and security audit of Creative Force’s security program and systems and procedures that are applicable to the services provided by Creative Force to Customer. Audits will occur at most annually or following notice of a Security Incident and will be completed in no more than thirty (30) calendar days. In lieu of such an audit, in the event that Creative Force independently obtains third-party annual audits of its privacy and security program, Creative Force may, upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in this Addendum, make available to Customer a copy of Creative Force’s then most recent third-party audit. If any audit reveals any material vulnerability, Creative Force shall take commercially reasonable steps to correct such vulnerability.
- Authorized Sub-processors. Customer agrees that Creative Force may engage third-party sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. The sub-processors Creative Force currently engages to carry out processing activities can be found at Creative Force Subprocessors. At least 10 days prior to engaging or removing any sub-processor, Creative Force will update this list and provide Customer with a mechanism to obtain notice of that update. Customer may object in writing to Creative Force's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Creative Force will, in its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the Agreement without liability to either party.
- Sub-processor obligations. Creative Force shall: (i) conduct appropriate due diligence on each Sub-processor it engages to perform services on its behalf; (ii) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Information as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (iii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause Creative Force to breach any of its obligations under this Agreement.
6. International Transfers of Customer Personal Data
- Data Center Locations. Customer agrees that Creative Force may transfer and process Customer Information to the pre-approved sub-processors and their locations defined in the Creative Force sub-processor list (https://www.creativeforce.io/legal/creative-force-subprocessors/). Creative Force shall notify Customer at least 10 business days prior to a change in any of the pre-approved sub-processors listed in the same manner provided for notification under Section 5.1 (Authorized Sub-processors) above. Customer may object in writing to Creative Force’s changes as per the above, provided such objection is based on reasonable grounds relating to data protection (including, but not limited to, changes of location for processing (including access) from the EU to the US or another non-EU country). In such event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Creative Force will, in its sole discretion, either not proceed with the change, or permit Customer to suspend or terminate the Agreement without liability to either party in which case, however, and notwithstanding anything to the contrary in this Addendum, the SCCs or the Agreement, Creative Force shall refund Customer any prepaid fees covering the remainder of the Term of the Agreement from the date of suspension/termination of the Agreement as per the foregoing. Creative Force shall ensure that such transfers comply with the requirements of Applicable Data Protection Law.
- European Data Transfers. To the extent that Creative Force receives Customer Information protected by EU Data Protection Laws, Creative Force agrees to abide by and process such data in compliance with the SCCs, which are incorporated in full by reference and form an integral part of this Addendum. For the purposes of the SCCs: (i) Creative Force is the “data importer” and Customer is the “data exporter” under the SCCs (notwithstanding that Customer may be an entity located outside the EU); and (ii) Appendixes A and B of this Addendum shall replace Appendixes 1 and 2 of the SCCs, respectively. For the avoidance of doubt, the SCCs will apply to personal data processed by Creative Force in the context of providing the Services to Customer that are transferred from Europe to outside Europe, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection under EU Data Protection Law.
7. Limitation of Liability
- Liability Cap. Each party and all of its Affiliates’ liability towards the other party and its Affiliates, taken together, arising out of or related to this Addendum, including the SCCs, shall be subject to the exclusions and limitations of liability set forth in the Agreement.
- Liability to Data Subjects. Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation of Applicable Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of the responsibility for the damage. For that purpose, both parties agree that Customer will be liable to data subjects for the entire damage resulting from a violation of EU Data Protection Law with regard to processing of personal data for which it is a controller, and that Creative Force will only be liable to data subjects for the entire damage resulting from a violation of the obligations of EU Data Protection Law directed to processor where it has acted outside of or contrary to Customer’s lawful instructions. Creative Force will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
8. Modification and Termination of this Addendum
This Addendum shall remain in effect for so long as Creative Force processes Customer Information on behalf of Customer or until termination of the Agreement. Failure to comply with any of the material provisions of this Addendum is considered a material breach of the Agreement. In the event of termination, Creative Force will return or destroy data pursuant to Section 2.7 (Return or Deletion of Customer Information). This Addendum may only be modified by a written amendment signed by each of the parties.
9. Entire Agreement; Conflict
This Addendum supersedes and replaces all prior and contemporaneous agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Customer and Creative Force. If there is any conflict between this Addendum and any agreement, including the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) SCCs; then (b) this Addendum; then (c) the Agreement.
10. Service Data
11. Invalidity and Severability
If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid and unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
IN WITNESS WHEREOF, the Parties acknowledge their agreement to the foregoing by due execution of the Addendum by their respective authorized representatives.
Customer Legal Name:
DPO/Contact for data protection enquiries:
DPO/Contact for data protection enquiries:
APPENDIX A – DETAILS OF PROCESSING
The subject matter of the data processing under this Addendum is the Customer Information.
Duration of the processing
Creative Force will process Customer Information as outlined in Section 2.2 (Customer Instructions), 2.7 (Return or Deletion of Customer Information), and 8 (Modification and Termination of this Addendum) of this Addendum.
Creative Force shall only process Customer Information for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement.
Categories of data subjects
Customer may upload, submit, or otherwise provide personal data concerning the following categories of data subjects:
- Customer and customer’s authorized users
- Persons in photographs belonging to, purchased by, or otherwise legally obtained by the Customer
Types of Customer Information
Customer may upload, submit, or otherwise provide certain personal data to the Creative Force Services, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
- Name, phone number, and email address of data subjects
- Photographs of data subjects
Creative Force does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service. However, special categories of data may from time to time be processed through the Services where the Customer or its authorized users choose to include this type of data within the data it transmits using the Services. As such, the Customer is solely responsible for ensuring the legality of any Sensitive Data it or its authorized users choose to process using the Creative Force Services.
Customer Information will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain, and improve the service provided to Customer pursuant to the Agreement; and/or
- Disclosures in accordance with the Agreement, Customer’s instructions, and/or as compelled by applicable law.
APPENDIX B – SECURITY MEASURES
Creative Force currently observes the following security measures:
Physical Access Control (measures to prevent unauthorized persons from gaining physical access to IT systems that handle personal data)
Buildings and systems used for data processing are secured. Data processing media is stored securely, kept locked when unattended, and is not available to unauthorized third parties. Creative Force regularly updates all hardware and software used in its business.
System Access Control (measures to prevent unauthorized persons from using IT systems)
Creative Force requires multi-factor authentication to access personal data processing systems. Employee accounts are not shared and inactive sessions are terminated after 60 minutes. Through CloudWatch and network event monitoring, Creative Force keeps network logs and an intrusion detection log.
Data Access Control (measures to ensure that Creative Force employees only have access to the personal data pursuant to their access rights)
Access to personal data is role-based and data can only be accessed by Creative Force or the Customer. Access to databases is IP-restricted. Creative Force has also introduced log-in and password procedures that ensure that only employees with access rights may access personal data. Creative Force keeps a list of employees that have access to the Customer’s data, and limits the employees who have access to databases.
Transmission Access Control (measures to ensure that personal data cannot be read, copied, altered, or deleted by unauthorized persons during electronic transmission or during transport or storage on data media)
All data submitted by the Customer is encrypted upon transfer to Creative Force and stored encrypted.
Entry Control and Traceability (measures to ensure that entry, alteration, and deletion of personal data is logged as well as measures to ensure the accountability and traceability of the processing of personal data)
Creative Force applies a log monitoring solution to collect and compare logged events. All Elastic Load Balancing traffic is monitored via CloudWatch. CloudWatch alerts Creative Force of any issues in the system. Creative Force keeps both a log of all Service access and errors and a Windows event log. All logs are collected by logbeat and filebeat services and stored for 30 days. The logs contain information on who accessed data, from which IP address the data was accessed, which data were accessed, and when data was accessed. Creative Force performs internal audits to ensure that all security measures stated in this Appendix are taken and that each new feature or amendment to services provided by Creative Force lives up to these standards.
Availability Control (measures to ensure that personal data is protected against accidental destruction or loss)
Creative Force uses web application firewalls and anti-virus software as well as back-up procedures to provide multiple layers of security. Creative Force uses AWS API Gateway and Firewall to prevent distributed-denial-of-service (DDOS) attacks. In addition, Creative Force maintains an Auto Scale Group able to scale up in case of a sharp increase in traffic. Creative Force uses Amazon Inspector and W3AF vulnerability scanning tools. Creative Force also uses an ERCore (Entity Framework)/SQL Parameter to prevent SQL Injection and uses Sonarqube and npmaudit to scan code and detect security issues. Creative Force maintains recovery processes to allow for continuation of data processing and to provide effective and accurate recovery of personal data.
Transparency (measures to ensure an adequate level of transparency to the Customer regarding Creative Force and its sub-processors)
Customer can always access data submitted to Creative Force and can download such data after submission.
Interveneability (measures to ensure that the Customer is allowed to access, rectify, delete, block, and manage objections to the processing of personal data)
Customer can download data submitted to the Service. Customer can also correct, delete, or object to the processing of personal data using either self-help tools Creative Force makes available to Customers or by contacting Creative Force.
Portability (measures to ensure the portability of personal data, if the migration of data is requested by the Customer or data subjects)
Data submitted by the Customer may be downloaded through the Creative Force Services.
Data Retention and Deletion (measures to ensure that personal data is adequately erased or destroyed when use of personal data is no longer necessary)
Personal data is stored for the duration of the Agreement. After termination or expiration of the Agreement, Section 2.7 (Return or Deletion of Customer Information) of this Addendum applies.