This Data Processing Addendum (“DPA”) forms part of the Agreement between With Tether Inc. (“Provider”) and Customer and applies to the extent Provider Processes Personal Data on behalf of Customer in connection with the Services.
This DPA is effective as of the Effective Date of the Agreement.
1. Roles of the Parties
Customer is the Controller (or Business, as defined under applicable U.S. privacy law) of Customer Personal Data. Provider is a Processor (or Service Provider) that Processes Customer Personal Data on behalf of Customer solely to provide the Services.
Provider will not:
- Sell Customer Personal Data;
- Share Customer Personal Data for cross-context behavioral advertising;
- Retain, use, or disclose Customer Personal Data for any purpose other than providing the Services or as otherwise permitted by applicable law.
2. Scope of Processing
2.1 Processing Details
The subject matter, nature, and purpose of the Processing are to provide and maintain the Services. Categories of Personal Data may include:
- Name
- Email address
- Phone number
- Birth year
- Organization data
- Usage data
- Content submitted through the Service
Categories of Data Subjects may include:
- Customer personnel
- End users of Customer’s platform
- Members, subscribers, or participants
2.2 Customer Instructions
Customer instructs Provider to Process Customer Personal Data:
(a) To provide and maintain the Services;
(b) As configured by Customer through its use of the Services;
(c) As documented in the Agreement; and
(d) As otherwise agreed in writing.
Provider will inform Customer if it believes an instruction violates applicable law.
3. Subprocessors
Provider may engage Subprocessors to assist in providing the Services.
Provider will:
- Maintain a list of Subprocessors upon request;
- Ensure Subprocessors are bound by written agreements requiring confidentiality and appropriate data protection measures;
- Remain responsible for the performance of its Subprocessors in accordance with this DPA.
Customer may object to a new Subprocessor on reasonable data protection grounds within 15 days of notice. If the parties cannot resolve the objection in good faith, Customer may terminate the affected Services.
4. Security Measures
Provider will implement and maintain reasonable administrative, technical, and organizational safeguards appropriate to the nature of the Services designed to protect Customer Personal Data against:
- Unauthorized access
- Accidental or unlawful destruction
- Loss, alteration, or disclosure
Such measures may include:
- Access controls
- Encryption in transit
- Secure hosting environments
- Role-based permissions
- Logging and monitoring
5. Security Incidents
In the event of a confirmed unauthorized access to Customer Personal Data (“Security Incident”), Provider will:
- Notify Customer without undue delay and, where required by applicable law, within 72 hours of confirmation;
- Provide reasonably available information about the nature and scope of the incident;
- Take reasonable steps to contain and remediate the incident.
Notification does not constitute an admission of fault.
6. Assistance with Data Subject Requests
To the extent required under applicable U.S. privacy law, Provider will provide reasonable assistance to Customer in responding to verified consumer requests relating to Customer Personal Data.
Provider may direct end users to Customer where appropriate.
7. Data Retention and Deletion
Provider will:
- Enable Customer to delete Customer Personal Data through the functionality of the Service; and
- Upon termination of the Agreement, delete or return Customer Personal Data within a reasonable period, except where retention is required by law or for legitimate backup and disaster recovery purposes.
Residual copies in backups will be protected and deleted in accordance with Provider’s retention policies.
8. Audit and Information Rights
Upon reasonable written request no more than once per year, Provider will provide information reasonably necessary to demonstrate compliance with this DPA.
Provider may satisfy this obligation by providing:
- Security documentation;
- Third-party audit summaries, if available;
- Responses to reasonable security questionnaires.
Customer audits must not unreasonably disrupt Provider’s operations or compromise confidential information.
9. Restricted Data
Customer shall not provide to Provider any:
- Protected health information (PHI);
- Government-issued identification numbers;
- Financial account numbers;
- Payment card data;
- Biometric identifiers; or
- Other highly sensitive regulated data,
unless expressly agreed in writing.
10. Limitation of Liability
The liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement.
11. Term
This DPA remains in effect for as long as Provider Processes Customer Personal Data under the Agreement.
12. Updates to DPA
Provider may update this DPA from time to time to reflect changes in applicable law or the Services, provided that such updates do not materially reduce Customer’s data protection rights.
Provider will provide notice of any material updates. If Customer objects to a material update, the parties will work in good faith to address the concern.
For questions regarding this DPA or data protection matters, Customer may contact Provider at:
With Tether Inc.
73 White Bridge Road
Ste 103-324
Nashville TN 37205
privacy@withtether.com