Data Processing Agreement
- Introduction
- The purpose of this Data Processing Agreement (“DPA”) is to set out the additional terms and conditions applicable to Piiano’s Processing of Personal Data under the Terms of Use.
- EACH PARTY’S CONSENT AND/OR SIGNATURE UNDER THE TERMS OF USE SHALL CONSTITUTE THEIR ACKNOWLEDGEMENT AND AGREEMENT TO THE PROVISIONS SET FORTH UNDER THIS DPA.
- This DPA covers all relevant jurisdictions and applies to both EU and non-EU clients, subject to applicable Data Protection Laws. The use of specific terminology based on EU data protection laws and regulations (e.g., controller, processor, etc.) does not limit the application of the DPA.
- This DPA supplements that certain Terms of Use entered into by and between Piiano and the Client.
- This DPA consists of: (i) the main body of the DPA, (ii) the Data Processing Details at Schedule A, and (iii) any applicable Standard Contractual Clauses, or amendments thereto for application of Swiss or United Kingdom Data Protection Laws incorporated therein by reference in Section 11.4.
- Definitions – Unless defined below, definitions are as set out in the Terms of Use. The following terms apply unless the context requires otherwise:
- “US Data Protection Laws” means, only if applicable to the Processing of Client Personal Data in accordance with the Terms of Use, the (i) Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018, including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“CCPA”), including without limitation, effective on January 1, 2023, the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100–1798.199.100 (“CPRA”) (collectively, “CCPA”); (ii) effective on January 1, 2023, the Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-571–59.1-581 (2021), including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“CDPA”); (iii) effective on July 1, 2023, the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq. (2021), including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“CPA”); (iv) effective on December 31, 2023, Utah Consumer Privacy Act, UCA § 13-61-102, including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“UTCPA”); and/or (v) effective on July 1, 2023, the Connecticut Data Privacy Act, P.A. 22-15, including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“CTDPA”).
- “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and includes the term “Business” as defined in CCPA and CPRA.
- “Terms of Use” means that certain Piiano Scanner Terms of Use entered into by the parties concurrently with this DPA.
- “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Terms of Use, including laws and regulations of the European Union, the European Economic Area (“EEA”) and their member states, Switzerland, the United Kingdom and the United States and its states.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), as amended from time to time, including as implemented or adopted under the laws of the United Kingdom.
- “Personal Data” means any information relating to an identified or identifiable natural person where such data is Processed by Piiano on behalf of the Client as part of, or in connection with the Services and shall at all times include where such data is Client Data, and includes the term “Personal Information” or “Personal Data” as defined by Data Protection Laws.
- “Processing” or “Process” means any operation or set of operations, which is performed on Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- “Processor” means Piiano.
- “Supervisory Authority” means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
- “Standard Contractual Clauses” or “SCCs” means (i) the standard data protection clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by the European Commission decision 2021/914 dated 4 June 2021 (“EEA SCCs”); (ii) the standard data protection clauses for the transfer of personal data to processors established in third countries approved by the European Commission decision 2010/87/EC dated 5 February 2010 (“C2P SCCs”); and (iii) such other amended or replacement standard data protection clauses as may be adopted by the European Commission or the UK Information Commissioner’s Office from time to time.
- “Sub-processor” means a subcontractor engaged by Piiano or its Affiliates that will Process Personal Data as part of the performance of the Services, and includes the term “Service Provider” as defined in Data Protection Laws.
- Processing of Personal Data
- Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, the Client is the Controller and Piiano is the Processor and that Piiano or its Affiliates will engage Sub-processors pursuant to the requirements set forth in clause 9 (“Sub-processors”) below.
- Client’s Instructions. The Client shall:
(a) comply with Data Protection Laws and ensure that any instructions it issues to Piiano shall comply with Data Protection Laws; and
(b) have sole responsibility for the accuracy, quality, integrity, reliability and legality of Personal Data and the means by which the Client acquired Personal Data, and shall establish, to the extent required, the legal basis for Processing under Data Protection Laws, including by providing all notices and obtaining all consents as may be required under Data Protection Laws in order for Piiano to Process Personal Data in order to provide the Services and as otherwise contemplated by this DPA and/or the Terms of Use.
(c) Piiano reserves the right to verify any instructions provided with the Client’s representative(s).
- Piiano’s Processing of Personal Data.
(a) Piiano shall only Process Personal Data in accordance with the Client’s documented instructions, or as required by applicable law; in such a case, Piiano shall inform Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Client hereby instructs Piiano to Process Personal Data only for the limited and specific purpose of performing the Services and as described in this DPA and/or the Terms of Use.
(b) This DPA and the Terms of Use are the Client’s instructions to Piiano for the Processing of Personal Data. Piiano may also Process Personal Data to comply with other documented reasonable instructions provided by the Client where such instructions are consistent with the terms of the Terms of Use. The Client shall utilise Piiano’s Change Order or other applicable template form of writing to document any new instructions. Piiano shall not be bound by any other additional or alternative instructions except pursuant to the Parties’ mutual written agreement.
- Purpose; Categories of Personal Data and Data Subjects. The subject matter of Processing of Personal Data by Piiano is the performance of the Services pursuant to the Terms of Use. The duration of the Processing, the nature and purpose of the Processing, types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule A (Data Processing Details) to this DPA.
- Limitation on Disclosure. Piiano shall not disclose Personal Data to any third parties without the Client’s prior consent, except as required by applicable law or permitted by the Terms of Use. Without limiting the generality of the foregoing, Piiano may disclose Personal Data to Sub-processors (including Piiano Affiliates acting in such capacities) engaged as described in clause 9.
- Piiano shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to binding confidentiality obligations.
- Client agrees to allow Piiano to aggregate and deidentify Personal Data in accordance with Data Protection Law (“Client Deidentified Data”) and to use such Client Deidentified Data for the improvement of Piiano’s own products and services, benchmarking, and marketing. Piiano will: (i) take reasonable measures to ensure that the information cannot be associated with a consumer or household; (ii) contractually obligate any recipients of the information to comply with Data Protection Law; and (iii) publicly commit to maintain and use the information in deidentified form and not to attempt to re-identify the information, except that Piiano may attempt to re-identify the information solely for the purpose of determining whether its deidentification process satisfies the requirements of Data Protection Law.
- Data Subject Rights
- Piiano shall, to the extent legally permitted, promptly notify the Client if Piiano receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”.
- Taking into account the nature of the Processing, Piiano shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to a Data Subject Request under Data Protection Laws.
- To the extent the Client, in its use of the Services, does not have the ability to address a Data Subject Request, Piiano shall upon the Client’s written request, provide commercially reasonable efforts to assist the Client in responding to such Data Subject Request, to the extent Piiano is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. Where applicable, the Client shall submit its request using the support tool made available by Piiano.
- To the extent legally permitted, the Client shall be responsible for any costs arising from Piiano’s provision of such assistance referenced in this clause 4.
- Cooperation with Supervisory Authorities and Other Third Parties
- Solely to the extent required under applicable Data Protection Laws:
(a) Piiano shall notify the Client of all complaints, correspondences or enquiries from a Supervisory Authority or other third party (other than Data Subject Requests, which are addressed in clause 4 of this DPA) that Piiano receives which relate to the Processing of Personal Data or either party’s obligations under this DPA, unless prohibited from doing so at law or by the Supervisory Authority.
(b) Unless a Supervisory Authority requests in writing to engage directly with Piiano, the Parties agree that the Client shall handle itself any such complaint, correspondence or enquiry from a Supervisory Authority or third party. The Client shall keep Piiano informed of such communications or correspondence to the extent permitted by law.
(c) Piiano shall provide such assistance as the Client may reasonably request in relation to any such complaint, correspondence or enquiry from a Supervisory Authority or third party. The Client shall be responsible for any reasonable costs arising from the provision of such assistance by Piiano.
- Security – Piiano shall implement reasonable technical and organizational measures to protect the confidentiality, integrity, and availability of Personal Data in compliance with Article 32 of the GDPR.
- Personal Data Security Incident Management and Notification
- In the event of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by Piiano or its Sub-processors of which Piiano becomes aware (a “Personal Data Security Incident”), Piiano shall:
(a) without undue delay notify the Client of the Personal Data Security Incident;
(b) provide all information reasonably requested by the Client regarding the Personal Data Security Incident, its manner of occurrence and the effect the Personal Data Security Incident has or is likely to have on the Personal Data and the Services, while preserving legal privileges and confidentiality obligations owed to third parties; and
(c) to the extent the remediation is within Piiano’s reasonable control, implement reasonable remedial measures to rectify or mitigate the effects of a Personal Data Security Incident caused by Piiano and its consequences, and use reasonable efforts to prevent a reoccurrence of the Personal Data Security Incident. The Client shall cooperate with Piiano to the extent reasonably necessary to undertake that rectification, mitigation or prevention.
- The obligations in 7.1(b) – (c) shall not apply to incidents that are caused by the Client or the Client’s Users. Any notification of a Personal Data Security Incident will be delivered by a means selected by Piiano including via telephone, email or the Client Portal. Any notification of a Personal Data Security Incident by Piiano is not an acknowledgment by Piiano of any fault or liability with respect to the Personal Data Security Incident.
- Return and Deletion of Client Data – Upon written request from the Client at any time and upon the termination or expiration of the Terms of Use, Piiano shall cease Processing any Personal Data on behalf of the Client, and (at the Client’s written direction) return to the Client or delete (in accordance with Piiano’s document retention and deletion policies), any Personal Data in Piiano’s possession or control, except as required by applicable Data Privacy laws.
- Sub-processors
- Appointment of Sub-processors. The Client hereby grants to Piiano general authorization to engage Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of the Data Subjects. Without limiting the generality of the foregoing, the Client acknowledges and agrees that (a) Piiano’s Affiliates may be retained as Sub-processor; and (b) Piiano and Piiano’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
- Sub-processing Terms of Use. Piiano shall ensure that its contract with any Sub-processor imposes on the Sub-processor obligations that are substantially equivalent to, but in no event less than, the obligations to which Piiano is subject under this DPA, taking into account the nature of sub-processing and the information available to the Sub-processor and subject to specific information regarding the Hosting Providers as set forth in the applicable Security Schedule.
- List of Current Sub-processors and Notification of New Sub-processors. A list of Sub-processors is available upon written request submitted to Piiano. Unless a longer period is stipulated elsewhere in the Terms of Use, Piiano shall notify the Client at least fourteen (14) days prior to granting any Sub-processor not included in such list (“New Sub-processor”) access to Personal Data.
- Objection Right for New Sub-processors.
(a) If the Client reasonably objects to Piiano’s New Sub-processor, the Client shall notify Piiano promptly in writing specifying the reasons for the Client’s objections within five (5) days after Piiano’s notice. If the Client does not object in writing within such time period, the use of the New Sub-processor is approved.
(b) The Client acknowledges that the inability to use a particular New Sub-processor may result in delay in performing the Services, inability to perform the Services, or increased fees (but will not otherwise release the Client of any accrued fees).
(c) Piiano will notify the Client in writing of any change to Services or fees that would result from Piiano’s inability to use a New Sub-processor to which the Client has objected (the “Impact Notification”). Within thirty (30) days of the Impact Notification, the Client shall:
1. assent to the New Sub-processor,
2. execute a written amendment to the Terms of Use implementing such change, or
3. terminate the affected Service by providing Piiano with ninety (90) days’ written notice of termination that includes an explanation of the grounds for termination.
- Responsibility for Sub-processors. Piiano shall be responsible for the acts, omissions or defaults of its Sub-processors in the performance of Piiano’s obligations under this DPA as if they were Piiano’s own acts, omissions or defaults.
- Audits and Requests for Information and Assistance
- The Client may audit Piiano’s compliance with its obligations under this DPA and Piiano will cooperate with such audits conducted by the Client or another auditor as mandated by the Client, as set forth below:
(a) the Client may perform such audits once per year, or more frequently if required by Data Protection Laws applicable to the Client;
(b) the Client may use a third party to perform the audit on its behalf, provided the third party is mutually agreed to by the Client and Piiano and executes a confidentiality agreement acceptable to Piiano before the audit;
(c) audits must be conducted during regular business hours, subject to Piiano’s policies, legal privileges, and confidentiality obligations owed to third parties, and may not unreasonably interfere with Piiano’s business activities;
(d) the Client may use the audit reports only for the purposes of meeting its audit requirements under Data Protection Laws and/or confirming compliance with the requirements of this DPA. The audit reports shall constitute Confidential Information of the parties under the Terms of Use;
(e) to request an audit, the Client must submit a detailed audit plan to Piiano at least sixty (60) days in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Piiano will review the audit plan and inform the Client of any concerns or questions (for example, any request for information that could compromise Piiano’s confidentiality obligations or its security, privacy, employment or other relevant policies). Piiano will work cooperatively with the Client to agree on a final audit plan;
(f) nothing in this clause 10.1 shall result in access to any data belonging to another client of Piiano or any other Client of any Hosting Provider, nor any Confidential Information or financial information relating to Piiano, its other clients or prospective clients;
(g) if the requested audit scope is addressed in an accredited certification or audit report performed by a qualified third-party auditor within twelve (12) months of the Client’s audit request and Piiano confirms there are no known material changes in the controls audited, the Client agrees to accept those findings in lieu of requesting an audit of the controls covered by the report; and
(h) all audits are at the Client’s sole expense. The parties will negotiate in good faith any charges or fees for Piiano’s assistance with an audit that requires the use of resources different from or in addition to those required for the provision of the Services.
- Data Protection Impact Assessment. Upon the Client’s request, Piiano shall provide the Client with reasonable cooperation and assistance needed to fulfil the Client’s obligation under the Data Protection Laws to carry out a data protection impact assessment related to the Client’s use of the Services, to the extent the Client does not otherwise have access to the relevant information, and to the extent such information is available to Piiano. To the extent legally permitted, the Client shall be responsible for any costs arising from Piiano’s provision of such assistance.
- EUROPE SPECIFIC PROVISIONS
- GDPR. Piiano will Process Personal Data in accordance with the GDPR requirements directly applicable to Piiano’s provision of its Services.
- Data Protection Impact Assessment. Piiano shall provide reasonable assistance to the Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to clause 10.2 of this DPA, to the extent required under the GDPR.
- Data Transfers. Subject to the remainder of this clause 11, the Client consents to transfers of Personal Data to Piiano’s Sub-processors based in countries outside the European Economic Area, Switzerland, or the United Kingdom.
- Piiano will abide by the requirements of European Economic Area, Swiss and United Kingdom data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area, Switzerland or the United Kingdom, as applicable. All transfers of Personal Data to a third country or an international organization without an adequacy decision will be subject to appropriate safeguards as described in applicable Data Protection Laws, which may include, as applicable, the European Economic Area Standard Contractual Clauses, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022), or the Swiss Addendum to the European Economic Area Standard Contractual Clauses in accordance with applicable guidance from the Swiss Federal Data Protection and Information Commissioner, and such transfers will be documented in accordance with applicable Data Protection Laws. Where such transfers are made pursuant to the C2P SCCs, the Parties agree that Piiano enters into the C2P SCCs in the name of the Client and on the Client’s behalf.
- Unlawful Instructions. Without prejudice to the Client’s obligations hereunder, Piiano shall inform the Client if, in its reasonable opinion, an instruction issued by the Client infringes Data Protection Laws and shall, without liability, be entitled to stop Processing Personal Data in accordance with such infringing instruction. The parties acknowledge and agree that a failure or delay by Piiano to identify that an instruction infringes Data Protection Laws shall not cause Piiano to be in breach of this DPA nor relieve the Client from its liability under this DPA.
- Change to SCCs. In the event the European Commission or the UK Information Commissioner’s Office makes mandatory changes to the SCCs, Piiano may implement such changes and amend this DPA accordingly by giving sixty (60) days prior notice to the Client. The Client agrees to provide any reasonable cooperation required to implement such changes.
- US DATA PROTECTION LAWS SPECIFIC PROVISIONS
- To the extent US Data Protection Laws apply to the Processing of Personal Data:
(a) Piiano is prohibited from (i) selling or sharing (as such terms are defined under US Data Protection Laws) Personal Data that Piiano receives from, or on behalf of, Client; (ii) retaining, using, or disclosing the Personal Data received from, or on behalf of, Client, unless expressly permitted by US Data Protection Laws, (A) for any purposes other than those specified in the Terms of Use or the DPA, (B) for any commercial purpose other than the business purposes specified in the Terms of Use and DPA, including in the servicing of a different client, or (C) outside the direct business relationship between Piiano and Client. Piiano shall Process Personal Data only for the limited and specified business purpose(s) set forth within the Terms of Use and DPA; and (iii) combining the personal information that Piiano receives from, or on behalf of, Client with Personal Data that Piiano receives from, or on behalf of, another client, or collects from Piiano’s own interaction with the client, provided that Piiano may combine personal information to perform certain business purposes as defined in regulations adopted under US Data Protection Laws. Notwithstanding the foregoing, Piiano may use, disclose, or retain Client Personal Data: (i) to detect data security incidents or to protect against fraudulent or illegal activity; (ii) to comply with applicable Laws; (iii) to defend legal claims or comply with a law enforcement investigation; or (iv) to retain and employ a Sub-processor in accordance with this DPA. Piiano certifies it shall comply with these restrictions.
(b) Piiano shall comply with all applicable sections of US Data Protection Laws and its regulations, including providing the same level of privacy protection as required by Client and protecting the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with US Data Protection Laws.
(c) Piiano shall promptly notify Client after it makes a determination that it can no longer meet its obligations under the CCPA. Upon such notice, Client shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
(d) Subject to Section 10, Client shall have the right to take reasonable and appropriate steps to ensure that Piiano uses Personal Data that is received from Client, or on behalf of Client, in a manner consistent with Client’s obligations under the CCPA.
- TERMINATION – This DPA will terminate when Piiano ceases to Process Personal Data for and on behalf of the Client.
- LIABILITY – The parties agree that all liabilities between them under this DPA will be subject to the limitations and exclusions of liability set forth in the Terms of Use.
- ORDER OF PRECEDENCE – In the event of any inconsistency between parts of the DPA and the Terms of Use, the inconsistency will be resolved by reference to the following order of precedence:
(a) the European Economic Area Standard Contractual Clauses, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022), or Swiss Addendum to European Economic Area Standard Contractual Clauses in accordance with applicable guidance from the Swiss Federal Data Protection and Information Commissioner;
(b) the DPA;
(c) the Terms of Use; and
(d) any document incorporated by reference.
SCHEDULE A
Details of Personal Data Processing
A. List of Parties
Data exporter:
Name: Client named in the Terms of Use.
Address and contact information: As set out in the Terms of Use.
Activities relevant to the transfer: Piiano provides the Services to Client and, as a result, Processes Client Personal Data as described in the Terms of Use and this DPA.
Signature and date: The Parties agree that execution of the Terms of Use shall constitute execution of the Standard Contractual Clauses, if applicable.
Role: Controller
Data importer:
Name: Piiano Privacy Solutions Ltd.
Address: Derech Menachem Begin 132, Tel Aviv, El-Aviv, 6701101 Israel
Contact information: info@piiano.com
Activities relevant to the transfer: Piiano provides the Services to Client and, as a result, Processes Client Personal Data as described in the Terms of Use and DPA.
Signature and date: The Parties agree that execution of the Terms of Use shall constitute execution of the Standard Contractual Clauses, if applicable.
Role: Processor
B. Description of Transfer
Categories of Individuals: The categories of Individuals are determined and controlled by Client, including Personnel (i.e., employees or contractors) of Client associated with developing and/or supporting Client’s software.
Categories of Personal Data: Client uploads, submits, or otherwise provides Client Personal Data to the Services, the extent of which is controlled and determined by Client, in its sole discretion. The data consists of: full name, a personal Git profile, email address.
Sensitive Personal Data transferred: Not applicable.
The frequency of transfer: Continuous and as determined by Client’s use of the Services.
Nature of the Processing: Piiano will collect, receive, store, retain, transmit, delete (as provided in the DPA), use, and otherwise Process Client Personal Data as needed to provide the Services. Such processing shall include the tasks to: (a) process Personal Data in accordance with the Services descriptions; (b) prevent or address service or technical problems; and (c) assist the Client or its Users with any onboarding, implementation or setup of the Services or any Client support matters.
Purpose of the Processing: The purpose of the Processing is to facilitate Piiano’s provision of the Services to Client in accordance with the Terms of Use, this DPA, and applicable Law.
Period for which the Personal Data will be retained: Piiano will Process Client Personal Data for as long as required to provide the Services, and as described in the Return and Deletion of Client Data section of this DPA.
Sub-processors: Same as above.
C. Competent Supervisory Authority
The Client’s competent supervisory authority will be determined by Client in accordance with Data Protection Laws.
Last updated: January 2023