Bito Data Processing Addendum
This Data Processing Addendum including its appendices (“DPA”) is incorporated into and forms part of the Terms of Service where Bito has agreed to provide the Services to Customer. This DPA sets forth both parties’ obligations with respect to the processing and security of Personal Data under Applicable Data Protection Laws.
- Definitions. Capitalized terms have the following meanings:
- Applicable Data Protection Laws means any applicable laws, statutes or regulations as may be amended, extended, re-enacted from time to time, or any successor laws which relate to personal data including: (a) the GDPR and any EU Member State laws implementing the GDPR, (b) California Consumer Privacy Act of 2018 (“CCPA”), including as modified by the California Privacy Rights Act of 2020 (the “CPRA”), and the California Attorney General Regulations thereof, and (c) the UK Data Protection Act 2018.
- Data Breach means a confirmed unauthorized access by a third party or confirmed accidental or unlawful destruction, loss or alteration of Personal
- GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal Data means all personal data or personal information (as defined under Applicable Data Protection Laws) which is uploaded into the Services by Customer and accessed, stored or otherwise processed by
- Process, Processing, Processor, and Controller have the meaning as defined under
- Standard Contractual Clauses means Exhibit B located at https://bito.ai/personal-data/ , forming part of this DPA pursuant to the European Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as the Switzerland Addendum and the United Kingdom Addendum, which shall prescribe specific amendments to the standard contractual clauses as set forth for application in each of those respective countries. “Module One”, “Module Two”, and “Module Three” refers to the respective Modules set forth therein and the relevant terms
Any defined terms not defined in this DPA are as defined in the Terms of Service.
3. Scope of Data Processing. The subject-matter of the data Processing, along with the nature and purpose of the Processing to be carried out by Bito under this DPA, and the types of Personal Data and categories of data subjects are set out in Exhibit A. To the extent the Standard Contractual Clauses, Article 28 of the GDPR, or Article 75 of the UK Data Protection Act apply, further information on the nature and purpose of the Processing is set out in Exhibit B.
4. Processing Instructions. Where Bito acts as a Processor, Bito shall only Process Personal Data on behalf of Customer and only in accordance with documented instructions received from Customer. The parties agree this DPA, the Terms of Service, and any features and settings used in the Services constitute Customer’s documented instructions. Bito will notify Customer promptly if it considers that an instruction from Customer is in breach of any Applicable Data Protection Laws, and Bito shall be entitled to suspend execution of the instructions. In the event Bito is required to Process Personal Data under European Union or Member State law to which it is subject, Bito will without undue delay notify Customer of this legal requirement before carrying out such Processing, unless Bito is prohibited from doing so on important grounds of public interest.
5. Confidentiality by Bito Personnel. Bito will limit access to Personal Data to personnel who are required to access Personal Data to perform the obligations under the Terms of Service. Bito will impose appropriate contractual obligations on its personnel to maintain the confidentiality of the Personal Data.
6. Security Measures. Bito will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Those measures are set forth in our Technical and Organizational Measures section. Such measures take into account the art and costs of implementation as well as the nature, scope, context and purposes of the Processing. Bito reserves the right to modify the Technical and Organizational Measures, provided that such changes will maintain or provide better measures.
7. Data Breach. In the event that Bito becomes aware of a Data Breach, Bito will: (i) notify Customer without undue delay after Bito becomes aware of the Data Breach; (ii) as part of the notification, provide Customer with information regarding the Data Breach, to the extent such information is available to Bito, to enable Customer to comply with its notification requirements under the Applicable Data Protection Laws; and (iii) promptly commence an investigation into the Data Breach and take appropriate remedial steps to prevent and minimize any possible harm. For the avoidance of doubt, Data Breaches will not include unsuccessful attempts to, or activities that do not compromise the security of Personal Data. These obligations shall not apply to incidents that are caused by Customer or Customer’s users.
8. Data Subject Rights. Where Bito is a Processor and it receives a data subject request in relation to Customer’s Personal Data, Bito will either notify Customer directly or reject the user’s request and inform the user to contact Customer. Customer is responsible for ensuring such requests are handled in accordance with Applicable Data Protection Laws. Bito will assist Customer with its obligations in connection with data subject requests.
To the extent Bito is a Controller and it receives a data subject request, Bito will comply with the requirements of Applicable Data Protection Laws.
9. Data Protection Impact Assessments (DPIA) and Prior Consultation. On Customer’s request, Bito will provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services. Bito will also provide reasonable assistance to Customer in the cooperation or prior consultation with supervisory authorities in the performance of its tasks relating to this Section 9, to the extent required under Applicable Data Protection Laws.
10. Requests from Authorities.
- General Obligations. Bito will, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by law enforcement authorities, promptly inform Customer of: (i) any legally binding request for disclosure of Personal Data by a law enforcement authority; and (ii) any relevant notice, inquiry or investigation by a supervisory authority relating to Personal
- Obligations for Personal Data Transferred Under the Standard Contractual Clauses. To the extent Bito is a data importer under the Standard Contractual Clauses and receives a legally binding request for disclosure of Personal Data, Bito agrees that: (i) it will attempt to obtain a waiver in the event that the country of destination prohibits Bito from notifying Customer of the legally binding request for disclosure of Personal Data; and (ii) provide as much relevant information as possible to Customer, if permitted under the laws of the country, about the requests received. For the Personal Data disclosed, Bito agrees that: (i) it will challenge the request for disclosure if, after careful assessment, Bito believes the request is unlawful; and (ii) provide the minimum amount of Personal Data permitted when responding to the request.
11. Return or Deletion of Personal Data. This section applies where Bito acts as a Customer may, at any time during the term of the Agreement or upon termination of the Agreement, delete users containing Personal Data through the in-product administrative settings. Further, Bito will, upon request, securely destroy or, at Customer’s sole discretion, return all Personal Data (including all copies) and confirm to Customer that it has taken such measures, in each case to the extent permitted by applicable law. Bito agrees to preserve the confidentiality of any Personal Data retained by it in accordance with applicable law. Bito will ensure that the obligations set forth in this section are also required of sub-processors.
12. Controller Obligations. Customer, acting as the Controller or on behalf of the Controller, agrees that:
- It will comply with all Applicable Data Protection laws, and as between Customer and Bito, it will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data;
- All instructions from Customer to Bito with respect to Processing of Personal Data will comply with Applicable Data Protection Laws;
- It will promptly inform Bito of any non-compliance by Customer, its employees or contractors with this DPA or the provisions of the Applicable Data Protection Law relating to the protection of Personal Data Processed under the Terms of Service; and
- It is solely responsible for making an independent determination as to whether the technical and organizational measures for the Service meet Customer’s requirements, including any of its security obligations under applicable data protection requirements. Customer acknowledges and agrees that the security practices and policies implemented and maintained by Bito provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.
13. Audit. Bito will make available to Customer such information in Bito’s possession or control as Customer may reasonably request with a view to demonstrating Bito’s compliance with the obligations of data processors under Data Protection Law in relation to its processing of Personal Data.
14. Processors. To the extent that Bito acts as a Processor:
- Customer agrees that Bito is entitled to use the sub-processors listed at https://docs.bito.ai/privacy-and-security for the Services. If Bito wishes to add a new sub-processor to the list, Bito will update the list on the website. If Customer wishes to object to the approval of a new sub-processor it must provide such objection in writing to Bito within fourteen (14) days after notice has been received. If Customer objects to the change in sub-processor, the parties will work together in good faith to resolve the objection. Customer can only object to the addition of a new sub-processor on the basis that such addition would cause Customer to violate applicable legal requirements. If Customer does not object within the referred period, the respective sub-processor shall be considered approved by Customer. Bito may use a new or replacement sub-processor while the objection procedure in this Section 14.a. is in process.
- Where a sub-processor is appointed as described in Section 14.a. above:
- Bito will restrict the sub-processor’s access to Personal Data to what is necessary to maintain the Service or to provide the Service to Customer in accordance with the documentation, and Bito will prohibit the sub-processor from accessing Personal Data for any other purpose;
- Bito will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is Processing Personal Data to enable the Service provided by Bito under this DPA, Bito will impose on the sub-processor substantially similar contractual obligations that Bito has under this DPA; and
- Bito will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause Bito to breach any of Bito’s obligations under this DPA.
15. International Data Transfers.
- The parties agree that the Standard Contractual Clauses in Exhibit B will only apply to Personal Data that is transferred outside of the European Economic Area, United Kingdom, or Switzerland to a country that does not ensure an adequate level of protection for Personal Data (as described in the GDPR).
- When Bito is acting as a Controller for the Processing described in Section 18.a., Module One of the Standard Contractual Clauses will apply to the Personal Data transferred by
- When Bito is acting as a Processor and Customer is acting as a Controller, Module Two of the Standard Contractual Clauses will apply to the Personal Data transferred by
- When Bito is acting as a Processor and Customer is acting as a Processor, Module Three of the Standard Contractual Clauses will apply to the Personal Data transferred by
- If there is a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of the conflict or inconsistency.
16. California Consumer Privacy Act and California Privacy Rights Act. The following applies where Bito is processing Personal Data that is within the scope of CCPA:
- The parties agree that Bito is a service provider as defined under CCPA, and that any Personal Data transferred to Bito is done for a valid business purpose and for Bito to perform the Services;
- Bito agrees that it will not “sell” (as such term is defined in CCPA) Personal Data Processed under the Terms of Service;
- Bito will not share, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing or by electronic or other means, the Personal Data, transferred under the Terms of Service or to perform the Services, to a third party for cross-contextual behavioral advertising;
- Customer may monitor Bito’s compliance with this DPA through those measures set forth in Section 13;
- Bito will not use or disclose Personal Data outside its direct business relationship with Customer; and
- Bito will not combine the Personal Data transferred under the Terms of Service or to perform the Services with information that it receives from or on behalf of a third-party or that it collects independently from California residents, except that Bito may combine Personal Data to perform a valid business purpose as permitted under the CCPA.
17. Limitation of Liability. To the maximum extent allowed under Applicable Data Protection Laws, the parties intend and agree that each party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Terms of Service, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA.
- Customer acknowledges and agrees that as part of providing the Services, Bito has the right to use data relating to or obtained in connection with the operation, support, or use of the Services for its legitimate business purposes, such as billing and account management, internal reporting, to administer and deliver the Services, to improve and develop our products and services, to comply with legal obligations, to ensure the security of the Services, and to prevent fraud or mitigate risk. To the extent any such data is Personal Data, Bito agrees that it will process such Personal Data in compliance with Applicable Data Protection Laws and only for the purposes that are compatible with those described in this Section
- Bito further agrees that it shall be an independent Controller and solely responsible and liable for any of its
- This DPA, including the Standard Contractual Clauses, constitutes the entire agreement and understanding of the parties, and supersedes any prior agreement or understanding between the parties, in each case in respect of the Processing of Personal Data for the purposes specified herein. In case of discrepancies between this DPA and Terms of Service, this DPA shall
Data Processing Details
For the purposes of Section 3 of the DPA, the parties set out below a description of the Personal Data being processed under the Agreement and further details required pursuant to Applicable Data Protection Laws
Subject Matter of the Processing
Bito’s provision of the Services to Customer as further instructed by Customer in its use of the Services.
Nature and purpose of Processing
The collection and storage of Personal Data pursuant to providing the Services to Customer.
Types of Personal Data
Customer Names and associated service usage, account details, payment details and marketing preferences.
Sensitive Personal Data and applied restrictions
Categories of Data Subject
Data Subjects may include any end users (including without limitation employees, customers, or suppliers) about whom Personal Data is provided to Bito via the Services by, or at the direction of, Customer.
Duration of Processing
For the duration of the Agreement, or until the processing is no longer necessary for the purposes.
Data Processing Details
SEE ATTACHED STANDARD CONTRACTUAL CLAUSES