This Data Processing Addendum ("DPA") forms part of, and is subject to, the Master Agreement or other written or electronic terms of service or subscription agreement between Ghost AI, Inc. ("Ghost") and the legal entity defined as 'Customer' thereunder together with all Customer Affiliates who are signatories to an Order Form for their own Account (as defined in Section 1 below) pursuant to such agreement (collectively, for purposes of this DPA, "Customer", and together with Ghost, the "parties") (such agreement, the "Agreement"). This DPA shall be effective on the effective date of the Agreement, unless this DPA is separately executed in which case it's effective on the date of the last signature ("DPA Effective Date"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
"Account" means Customer's account in the Services in which Customer stores and processes Customer Data.
"Affiliate" has the meaning set forth in the Agreement.
"Authorized Affiliate" shall mean a Customer Affiliate who has not signed an Order Form pursuant to the Agreement, but is either a Data Controller or Data Processor for the Customer Personal Data processed by Ghost pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.
"California Consumer Privacy Act" or "CCPA" means the California Consumer Privacy Act of 2018, as may be amended from time to time.
"Customer Data" has the meaning set forth in the Agreement.
"Customer Personal Data" means any Customer Data that is Personal Data.
"Data Controller" means an entity that determines the purposes and means of the Processing of Personal Data.
"Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller.
"Data Protection Laws" means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.
"Data Subject" means the identified or identifiable natural person to whom Customer Personal Data relates.
"EU & UK Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2018.
"Personal Data" means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of "personal information" in the CCPA.
"Processing" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination and "Process", "Processes" and "Processed" will be interpreted accordingly.
"Purposes" shall mean (i) Ghost's provision of the Services as described in the Agreement, including Processing initiated by End Users in their use of the Services; and (ii) further documented, reasonable instructions from Customer agreed upon by the parties.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
"Services" means the generally available Ghost software-as-a-service offering described in the Documentation and procured by Customer (including Ghost's proprietary software platform used to annotate and manage data, among other functionality), and services ordered by Customer under an Order Form or otherwise provided by Ghost and used by Customer under the Agreement.
"Ghost Group" means Ghost AI, Inc. and its Affiliates.
"SCCs" means together (i) "EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and (ii) "UK Addendum" means the International Data Transfer Addendum issued by the Information Commissioner's Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf ("UK Addendum").
"Sub-Processor" means any other Data Processors engaged by a member of the Ghost Group to Process Customer Personal Data.
This DPA applies where and only to the extent that Ghost Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the Services.
As between Ghost and Customer, Ghost shall Process Customer Personal Data only as a Data Processor (or sub-processor) acting on behalf of Customer and, with respect to CCPA, as a "service provider" as defined therein, in each case regardless of whether Customer acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller ("Third-Party Controller") with respect to Customer Personal Data. To the extent any Enhancement Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Laws, Ghost is the Data Controller of such data and shall Process such data in accordance with the Agreement and applicable Data Protection Laws.
Ghost will Process Customer Personal Data only for the Purposes. Customer shall ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The parties agree that the Agreement (including this DPA) sets out the exclusive and final instructions to Ghost for all Processing of Customer Personal Data, and (if applicable) include and are consistent with all instructions from Third-Party Controllers. Any additional requested instructions requires the prior written agreement of Ghost. Ghost shall promptly notify Customer if, in Ghost's opinion, such an instruction violates EU & UK Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller.
Ghost's obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions:
Customer agrees that it: (i) will comply with its obligations under Data Protection Laws with respect to its Processing of Customer Personal Data; (ii) will make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; (iii) will maintain reasonable security practices for its own systems and user accounts used to access the Services, including using strong, unique credentials, enabling multi-factor authentication where available, promptly revoking access for departing users, and promptly notifying Ghost of any suspected compromise of Customer credentials or accounts; and (iv) has obtained all consents, permissions and rights necessary under Data Protection Laws for Ghost to lawfully Process Customer Personal Data for the Purposes, including, without limitation, Customer's sharing and/or receiving of Customer Personal Data with third parties via the Services.
(a) Subject Matter: The subject matter of the Processing under this DPA is the Customer Personal Data.
(b) Frequency and duration: Notwithstanding expiry or termination of the Agreement, Ghost will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.
(c) Purpose: Ghost will Process the Customer Personal Data for the Purposes, as described in this DPA.
(d) Nature of the Processing: Ghost will perform Processing as needed for the Purposes, and to comply with Customer's Processing instructions as provided in accordance with the Agreement and this DPA.
(e) Retention Period. The period for which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by Customer during the term of the Agreement via its use and configuration of the Services. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by Ghost promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination "retrieval period" set forth in the Agreement. Notwithstanding the foregoing, Ghost may retain Customer Personal Data to the extent (and only for so long as) required to comply with applicable law, to respond to a legal hold or ongoing dispute, to enforce its agreements, or for archival or financial record-keeping purposes; any such retained data will remain subject to the protections of this DPA.
(f) Categories of Data Subjects: The categories of Data Subjects to which Customer Personal Data relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(g) Categories of Personal Data: The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(h) Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Agreement or Documentation, Customer may also include 'special categories of personal data' or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person's sex life or sexual orientation.
Customer shall not submit to the Services, and shall not use the Services to Process, any of the following categories of data (collectively, "Prohibited Data"): (i) protected health information subject to the Health Insurance Portability and Accountability Act ("HIPAA") or similar U.S. federal or state health care privacy laws, unless Customer and Ghost have entered into a separate business associate agreement; (ii) payment card data subject to the Payment Card Industry Data Security Standard ("PCI-DSS"); (iii) personal information of children under the age of 13 as defined by the Children's Online Privacy Protection Act ("COPPA"); (iv) biometric identifiers as defined under applicable biometric privacy laws; (v) government-issued classified, controlled unclassified, or export-controlled information; or (vi) any other data that Customer knows or should know requires security, privacy, or handling controls beyond those described in Section 5.1. Customer is solely responsible for any Prohibited Data it submits to the Services in breach of this Section 3.6, and Ghost shall have no liability arising from Customer's submission or Processing of Prohibited Data.
Ghost may create aggregated, anonymized, or de-identified data from Customer Personal Data (collectively, "Aggregate Data"), provided that such Aggregate Data does not identify Customer, any Data Subject, or any specific individual. Ghost may use Aggregate Data for any lawful business purpose, including to operate, develop, benchmark, and improve the Services and Ghost's products, to produce analytics and insights, and for internal research. Ghost's rights in Aggregate Data survive termination of the Agreement.
Customer provides Ghost with a general authorization to engage Sub-processors, subject to Section 4.3 (Changes to Sub-processors), as well as Ghost's current Sub-processors listed at https://www.ghostgtm.ai/legal/sub-processors ("Sub-processor Site") as of the DPA Effective Date and members of the Ghost Group.
Ghost shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data as Ghost's obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor's compliance with the obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, Ghost shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer's obligations under Data Protection Laws.
Ghost shall make available on its Sub-processor Site a mechanism to subscribe to notifications of new Sub-processors. Ghost shall provide such notification to those emails that have subscribed at least fourteen (14) days in advance of allowing the new Sub-processor to Process Customer Personal Data (the "Objection Period"). During the Objection Period, objections (if any) to Ghost's appointment of the new Sub-processor must be provided to Ghost in writing and based on reasonable grounds relating to data protection. In such event, the parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to Ghost that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Ghost cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may provide written notice to Ghost terminating the Order Form(s) with respect only to those aspects of the Services which cannot be provided by Ghost without the use of the new Sub-processor. Ghost will refund Customer any prepaid unused fees of such Order Form(s) following the effective date of termination with respect to such terminated Services.
Ghost shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. These measures include, at a minimum:
Ghost may update these measures from time to time, provided that any such updates shall not materially diminish the overall security of the Services or Customer Personal Data.
Ghost shall ensure that any person who is authorized by Ghost to Process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
Ghost shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by Ghost relating to data security and making an independent determination as to whether the Services meet Customer's requirements and legal obligations under Data Protection Laws.
Upon written request and at no additional cost to Customer, Ghost shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the "Auditor"), access to reasonably requested documentation evidencing Ghost's compliance with its obligations under this DPA. Such documentation may include this DPA, the description of Ghost's technical and organizational security measures set forth in Section 5.1, completed industry-standard security questionnaires (such as a SIG or CAIQ), and any third-party audit reports or certifications that Ghost holds from time to time (collectively, "Reports").
Customer may also send a written request for an audit of Ghost's applicable controls, including inspection of its facilities. Following receipt by Ghost of such request, Ghost and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. Ghost may charge a fee (rates shall be reasonable, taking into account the resources expended by Ghost) for any such audit. The Reports, audit, and any information arising therefrom shall be considered Ghost's Confidential Information and may only be shared with a third party (including a Third-Party Controller) with Ghost's prior written agreement.
Where the Auditor is a third party, the Auditor may be required to execute a separate confidentiality agreement with Ghost prior to any review of Reports or an audit of Ghost, and Ghost may object in writing to such Auditor, if in Ghost's reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Ghost. Any such objection by Ghost will require Customer to either appoint another Auditor or conduct the audit itself. Any expenses incurred by an Auditor in connection with any review of Reports or an audit shall be borne exclusively by the Auditor. For clarity, the exercise of audit rights under the SCCs shall be as described in this Section 6 (Customer Audit Rights) and Customer agrees these rights are carried out on behalf of Customer and all relevant Third-Party Controllers, subject to the confidentiality and non-use restrictions of the Agreement.
Ghost will only host Customer Personal Data in the region(s) offered by Ghost and selected by Customer on an Order Form or as Customer otherwise configures via the Services (the "Hosting Region"). Customer is solely responsible for the regions from which its End Users access the Customer Personal Data, for any transfer or sharing of Customer Personal Data by Customer or its End Users and for any subsequent designation of other Hosting Regions (either for the same Account, a different Account, or a separate Service). Once Customer has selected a Hosting Region, Ghost will not Process Customer Personal Data from outside the Hosting Region except as reasonably necessary to provide the Services procured by Customer, or as necessary to comply with the law or binding order of a governmental body.
For any transfers by Customer of Customer Personal Data from the European Economic Area and its member states, United Kingdom and/or Switzerland (collectively, "Restricted Countries") to Ghost in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the applicable Data Protection Laws of the Restricted Countries) (collectively, "Third Country"), such transfers shall be governed by a valid mechanism for the lawful transfer of Customer Personal Data recognized under applicable Data Protection Laws, such as those directly below in 7.2.1. For clarity, for transfers from the United Kingdom and Switzerland, references in the SCCs shall be interpreted to include applicable terminology for those jurisdictions (e.g., 'Member State' shall be interpreted to mean 'United Kingdom' for transfers from the United Kingdom).
Each party agrees to abide by and transfer Customer Personal Data from the Restricted Countries in accordance with the EU SCCs and UK Addendum respectively and where applicable, which are incorporated into this DPA by reference. Each party is deemed to have executed the SCCs as of the Effective Date by entering into this DPA and such details shall apply for the purposes of Table 1 of the UK Addendum.
(a) The below shall apply to the SCCs, including the election of specific terms and/or optional clauses as described in more detail in (i)-(x) below, and any optional clauses not expressly selected are not incorporated (including with respect to Table 2 of the UK Addendum):
(b) Binding Corporate Rules for Processors ("BCRs"): Notwithstanding the foregoing, if Ghost has adopted BCRs for Processors that cover the transfer of Customer Personal Data to a Third Country, then such BCRs shall govern the transfer of Customer Personal Data.
If Ghost becomes aware of a Security Incident, Ghost shall notify Customer without undue delay, and in any case, where feasible, notify Customer within seventy-two (72) hours after becoming aware. Ghost's notification shall be sent to the email registered by Customer within the Service for such purposes, and where no such email is registered, Customer acknowledges that the means of notification shall be at Ghost's reasonable discretion and Ghost's ability to timely notify shall be negatively impacted. Ghost shall promptly take commercially reasonable steps to assist Customer in its efforts to contain, investigate, and mitigate any Security Incident.
Ghost shall provide Customer timely information about the Security Incident, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Ghost to mitigate or contain the Security Incident, the status of Ghost's investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Ghost personnel do not have visibility to the content of Customer Personal Data, it will be unlikely that Ghost can provide information as to the particular nature of the Customer Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of Ghost with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Ghost of any fault or liability with respect to the Security Incident.
Ghost shall promptly notify Customer if Ghost receives a request from a Data Subject that identifies Customer Personal Data or otherwise identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, "Data Subject Request"). The Services provide Customer with controls that Customer may use to assist it in responding to Data Subject Requests, and Customer is responsible for responding to any such Data Subject Requests. Ghost's obligation to assist Customer in responding to Data Subject Requests is limited to Data Subject Requests that Customer cannot reasonably fulfill using the controls available in the Services. Where such assistance is required, Ghost shall provide commercially reasonable cooperation upon Customer's written request, taking into account the nature of the Processing. Ghost may charge a reasonable fee for assistance that is disproportionate or that exceeds what is required by applicable Data Protection Laws.
Ghost shall provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
If Ghost receives a demand to retain, disclose, or otherwise Process Customer Personal Data for any third party, including, but not limited to law enforcement or a government authority ("Third-Party Demand"), then Ghost shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that Ghost can provide information to such third-party as reasonably necessary to redirect the Third-Party Demand. If Ghost cannot redirect the Third-Party Demand to Customer, then Ghost shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy. This section does not diminish Ghost's obligations under the SCCs with respect to access by public authorities.
The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Ghost and Customer may have previously entered into in connection with the Services. Ghost may update this DPA from time to time, with such updated version posted to https://www.ghostgtm.ai/legal, or a successor website designated by Ghost; provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.
Notwithstanding anything to the contrary in the Agreement or this DPA, each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or relating to this DPA, the SCCs, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the parties' obligations under the Agreement, each party agrees that any regulatory penalties incurred by one party (the "Incurring Party") in relation to the Customer Personal Data that arise as a result of, or in connection with, the other party's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce the Incurring Party's liability under the Agreement as if it were liability to the other party under the Agreement.
In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the SCCs).
This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
Customer shall defend, indemnify, and hold harmless Ghost, its Affiliates, and their respective officers, directors, employees, agents, and Sub-processors from and against any claims, damages, losses, liabilities, fines, penalties, settlements, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with: (i) Customer's breach of its obligations under this DPA or applicable Data Protection Laws; (ii) Customer's Processing instructions to Ghost; (iii) Customer's submission of Prohibited Data to the Services in breach of Section 3.6; or (iv) any act or omission of Customer's Authorized Affiliates, End Users, or Third-Party Controllers with respect to Customer Personal Data. This Section 10.6 applies in addition to, and does not limit, any indemnification obligations Customer has under the Agreement.
