This Data Processing Addendum (“DPA”) forms part of the Everconnected Terms of Service (the “Agreement”) between Everconnected (“EC”, “we”, “us”, or “our”) and the Customer agreeing to these terms (“Customer”, “you”, or “your”).
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “processing” (and “process”) and “Special Categories of Personal Data” shall have the meanings given in Applicable Data Protection Law.
“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to UK GDPR and the Data Protection Act 2018.
“Customer Data” means any Personal Data that EC processes on behalf of Customer as a Processor in the course of providing Services.
“Services” means the services provided by EC to Customer pursuant to the Agreement.
“UK GDPR” means the United Kingdom General Data Protection Regulation.
The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Controller, EC is the Processor and that EC will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
3.1. EC shall treat Customer Data as confidential and shall only process Customer Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3.2. EC shall inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Law.
4.1. Subject matter: The subject matter of the processing under this DPA is the Customer Data.
4.2. Duration: The duration of the processing under this DPA is until the termination of the Agreement in accordance with its terms.
4.3. Nature and Purpose of the Processing: EC will process Customer Data as necessary to perform the Services pursuant to the Agreement, as further specified in the DPA, and as further instructed by Customer in its use of the Services.
4.4. Categories of Data Subjects: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
– Prospects, customers, business partners and vendors of Customer (who are natural persons)
– Employees or contact persons of Customer’s prospects, customers, business partners and vendors
– Employees, agents, advisors, freelancers of Customer (who are natural persons)
– Customer’s users authorized by Customer to use the Services
4.5. Type of Personal Data: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
– Contact information (sign up: email, phone, google/apple/FB account login)
– Language (preference and proficiency)
– Age (18 and above)
– Gender identity
– Interests
– Lifestyle and habits
– Connection data (Time availability, local time)
– Credit card information (apple/google pay)
– Localization data – City name (manual data input/gps), time zone
– Beliefs and faith
– Relationship status
– Nature of employment and relevant skills
– Personality type / MBTI Personality Test Result
– Zodiac sign
– Personal life experiences (faced and looking forward)
– Audio data
– Video data
5.1. Appointment of Sub-processors: Customer acknowledges and agrees that (a) EC’s Affiliates may be retained as Sub-processors; and (b) EC and EC’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
5.2. List of Current Sub-processors and Notification of New Sub-processors: EC shall make available to Customer the current list of Sub-processors for the Services. Such Sub-processor list shall include the identities of those Sub-processors and their country of location. EC shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Personal Data in connection with the provision of the applicable Services.
5.3. Objection Right for New Sub-processors: Customer may object to EC’s use of a new Sub-processor by notifying EC promptly in writing within ten (10) business days after receipt of EC’s notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, EC will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If EC is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by EC without the use of the objected-to new Sub-processor by providing written notice to EC.
EC shall implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in EC’s security documentation. EC regularly monitors compliance with these measures. EC will not materially decrease the overall security of the Services during Customer’s subscription term.
EC shall, to the extent legally permitted, promptly notify Customer if EC receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, EC shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Law. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, EC shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent EC is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Law.
EC shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. EC shall provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Law. Such notification shall as a minimum:
9. Deletion or Return of Customer Data
EC shall, at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of Services relating to processing, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data.
EC shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Any transfer of Customer Data made subject to this DPA from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Law shall be made in compliance with the transfer restrictions set forth in the relevant Applicable Data Protection Law.
EC shall maintain a record of all processing activities performed on behalf of Customer, including the nature of processing, categories of data subjects, types of personal data processed, and any transfers to third countries or international organizations. This record will be made available to Customer upon request to demonstrate compliance with Applicable Data Protection Law.
EC shall provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, as required under Applicable Data Protection Law, where Customer deems the processing activities carried out by EC as likely to result in high risks to the rights and freedoms of individuals.
EC shall ensure that all Customer Data transmitted electronically is encrypted using industry-standard protocols, including but not limited to SSL/TLS, and that data stored at rest is encrypted using AES-256 or an equivalent standard.
EC shall ensure that its employees and contractors authorized to process Customer Data are adequately trained on data protection principles and security practices. Regular training sessions will be conducted to maintain awareness of data protection requirements.
EC agrees not to process Customer Data for any purposes other than those explicitly documented in this DPA or as required by law. Any deviation from the agreed-upon purposes must be communicated and approved by Customer in advance.
If EC receives a legally binding request for the disclosure of Customer Data by a law enforcement authority or other third party, EC shall promptly notify Customer unless prohibited by law. EC will take reasonable steps to contest such requests if Customer so instructs and bears the costs of legal challenges.
EC shall implement pseudonymization and data minimization techniques, where feasible, to ensure that the processing of Personal Data is limited to what is necessary to achieve the purposes of the Agreement.
EC shall maintain continuous monitoring systems and advanced threat detection tools to identify and respond to potential security breaches or vulnerabilities in real-time.
EC agrees to cooperate fully with supervisory authorities in all investigations, inquiries, or enforcement actions related to the processing of Customer Data, as required under Applicable Data Protection Law.
This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail to the extent of such inconsistency. This DPA replaces and supersedes any existing data processing addendum that the parties may have previously entered into in connection with the Services.
This Data Processing Addendum (“DPA”) forms part of the Everconnected Terms of Service (the “Agreement”) between Everconnected (“EC”, “we”, “us”, or “our”) and the Customer agreeing to these terms (“Customer”, “you”, or “your”).
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “processing” (and “process”) and “Special Categories of Personal Data” shall have the meanings given in Applicable Data Protection Law.
“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to UK GDPR and the Data Protection Act 2018.
“Customer Data” means any Personal Data that EC processes on behalf of Customer as a Processor in the course of providing Services.
“Services” means the services provided by EC to Customer pursuant to the Agreement.
“UK GDPR” means the United Kingdom General Data Protection Regulation.
The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Controller, EC is the Processor and that EC will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
3.1. EC shall treat Customer Data as confidential and shall only process Customer Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3.2. EC shall inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Law.
4.1. Subject matter: The subject matter of the processing under this DPA is the Customer Data.
4.2. Duration: The duration of the processing under this DPA is until the termination of the Agreement in accordance with its terms.
4.3. Nature and Purpose of the Processing: EC will process Customer Data as necessary to perform the Services pursuant to the Agreement, as further specified in the DPA, and as further instructed by Customer in its use of the Services.
4.4. Categories of Data Subjects: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
– Prospects, customers, business partners and vendors of Customer (who are natural persons)
– Employees or contact persons of Customer’s prospects, customers, business partners and vendors
– Employees, agents, advisors, freelancers of Customer (who are natural persons)
– Customer’s users authorized by Customer to use the Services
4.5. Type of Personal Data: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
– Contact information (sign up: email, phone, google/apple/FB account login)
– Language (preference and proficiency)
– Age (18 and above)
– Gender identity
– Interests
– Lifestyle and habits
– Connection data (Time availability, local time)
– Credit card information (apple/google pay)
– Localization data – City name (manual data input/gps), time zone
– Beliefs and faith
– Relationship status
– Nature of employment and relevant skills
– Personality type / MBTI Personality Test Result
– Zodiac sign
– Personal life experiences (faced and looking forward)
– Audio data
– Video data
5.1. Appointment of Sub-processors: Customer acknowledges and agrees that (a) EC’s Affiliates may be retained as Sub-processors; and (b) EC and EC’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
5.2. List of Current Sub-processors and Notification of New Sub-processors: EC shall make available to Customer the current list of Sub-processors for the Services. Such Sub-processor list shall include the identities of those Sub-processors and their country of location. EC shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Personal Data in connection with the provision of the applicable Services.
5.3. Objection Right for New Sub-processors: Customer may object to EC’s use of a new Sub-processor by notifying EC promptly in writing within ten (10) business days after receipt of EC’s notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, EC will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If EC is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by EC without the use of the objected-to new Sub-processor by providing written notice to EC.
EC shall implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in EC’s security documentation. EC regularly monitors compliance with these measures. EC will not materially decrease the overall security of the Services during Customer’s subscription term.
EC shall, to the extent legally permitted, promptly notify Customer if EC receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, EC shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Law. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, EC shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent EC is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Law.
EC shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. EC shall provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Law. Such notification shall as a minimum:
9. Deletion or Return of Customer Data
EC shall, at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of Services relating to processing, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data.
EC shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Any transfer of Customer Data made subject to this DPA from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Law shall be made in compliance with the transfer restrictions set forth in the relevant Applicable Data Protection Law.
EC shall maintain a record of all processing activities performed on behalf of Customer, including the nature of processing, categories of data subjects, types of personal data processed, and any transfers to third countries or international organizations. This record will be made available to Customer upon request to demonstrate compliance with Applicable Data Protection Law.
EC shall provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, as required under Applicable Data Protection Law, where Customer deems the processing activities carried out by EC as likely to result in high risks to the rights and freedoms of individuals.
EC shall ensure that all Customer Data transmitted electronically is encrypted using industry-standard protocols, including but not limited to SSL/TLS, and that data stored at rest is encrypted using AES-256 or an equivalent standard.
EC shall ensure that its employees and contractors authorized to process Customer Data are adequately trained on data protection principles and security practices. Regular training sessions will be conducted to maintain awareness of data protection requirements.
EC agrees not to process Customer Data for any purposes other than those explicitly documented in this DPA or as required by law. Any deviation from the agreed-upon purposes must be communicated and approved by Customer in advance.
If EC receives a legally binding request for the disclosure of Customer Data by a law enforcement authority or other third party, EC shall promptly notify Customer unless prohibited by law. EC will take reasonable steps to contest such requests if Customer so instructs and bears the costs of legal challenges.
EC shall implement pseudonymization and data minimization techniques, where feasible, to ensure that the processing of Personal Data is limited to what is necessary to achieve the purposes of the Agreement.
EC shall maintain continuous monitoring systems and advanced threat detection tools to identify and respond to potential security breaches or vulnerabilities in real-time.
EC agrees to cooperate fully with supervisory authorities in all investigations, inquiries, or enforcement actions related to the processing of Customer Data, as required under Applicable Data Protection Law.
This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail to the extent of such inconsistency. This DPA replaces and supersedes any existing data processing addendum that the parties may have previously entered into in connection with the Services.
