Data processing addendum
Last Updated: December 19, 2021
This Data Processing Addendum ("DPA") forms a part of the Strigo Terms of Service, or any other agreement pertaining to the delivery of the Services, including without limitation the Subscription Services Agreement and/or any “Order Form” (the "Agreement") between the Strigo legal entity signing the Agreement ("Strigo") and the Customer named in such Agreement to reflect the parties’ agreement with regard to the Processing of Personal Data (as those terms are defined below) by Strigo, on behalf of Customer. BY EXECUTING THE AGREEMENT THAT REFERENCES THIS DPA, WHETHER DIRECTLY OR INDIRECTLY, CUSTOMER AGREES TO THE TERMS OF THIS DPA.
In the course of providing the Services under the Agreement, Strigo and/or its Affiliates may Process certain Personal Data on behalf of Customer and where Strigo and/or its Affiliates Process such Personal Data on behalf of Customer, the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
By signing the DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (as those terms are defined below). For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Controller Affiliates.
If the entity signing this DPA is not a party to an effective Agreement with Strigo, this DPA shall not be valid or legally binding. In the event of a conflict between the terms and conditions of this DPA and the Agreement, the terms and conditions of this DPA shall supersede and control to the extent of such conflict.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
1. DEFINITIONS
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.
- “Authorized User” means any individual authorized or otherwise enabled by Customer to use the Services through Customer’s account.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
- "Controller Affiliate" means any of Customer's Affiliate(s) (a) (i) that are subject to the Data Protection Laws, and (ii) permitted to use the Services pursuant to the Agreement between Customer and Strigo, but have not signed their own Order Form and are not a "Customer" as defined under the Agreement, (b) if and to the extent Strigo processes Personal Data for which such Affiliate(s) qualify as the Controller.
- "Data Protection Laws" means all laws and regulations of the European Union and its member states, the European Economic Area and its member states, the United Kingdom, Switzerland, the United States, Canada, New Zealand, and Australia, and their respective political subdivisions, applicable to the Processing of Personal Data.
- "Data Subject" means the identified or identifiable person to whom Personal Data relates. Data Subjects include the individuals about whom data is provided to Strigo via the Services by or at the direction of the Customer, including natural persons who submit personal data to Customer via use of the Services (including Learners and Trainers/Customer personnel and all Course communication hosted by Strigo on behalf of Customer).
- "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- "Personal Data" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular Data Subject which is included in Customer Data Processed by Strigo on behalf of Customer in the course of providing the Services under the Agreement.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Processor" means the entity which Processes Personal Data on behalf of the Controller.
- “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.
- "Standard Contractual Clauses (EEA)" means the standard contractual clauses of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) on Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union.
- “Standard Contractual Clauses (UK)” means the standard contractual clauses for the transfer of personal data pursuant to the European Commission’s decision (C(2010)593) (https://eurlex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
- "Sub-processor" means any entity engaged by Strigo to Process Personal Data in connection with the Services.
- "Supervisory Authority" means a governmental or government-chartered regulatory body having binding legal authority over Customer.
- “UK Data Protection Law” means Data Protection Laws of the United Kingdom.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Strigo is the Processor; and for the purposes of the CCPA (to the extent applicable), Customer is the Business and Strigo is the Service Provider.
2.2 Strigo's Processing of Personal Data. As Customer's Processor, Strigo shall only Process Personal Data on behalf of and only in accordance with Customer’s reasonable instructions. Customer instructs Strigo to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Customer personnel in their use of the Services; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) that are consistent with the terms of the Agreement; and (iv) rendering Personal Data fully and irrevocably anonymous and non-personal, in accordance with applicable standards recognized by Data Protection Laws and guidelines issued thereunder (individually and collectively, the "Purpose"). Strigo acts on behalf of and on the instructions of Customer in carrying out the Purpose.
2.3 Details of the Processing. The subject-matter of Processing of Personal Data by Strigo is as described in the Purpose in Clause 2.2 above. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Description of Processing Activities) to this DPA.
2.4 CCPA Standard of Care; No Sale of Personal Data. Strigo certifies that it understands the rules, requirements, and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Data Processed hereunder, without Customer’s prior written consent, nor taking any action that would cause any transfer of Personal Data to or from Strigo under the Agreement or this DPA to qualify as “selling” such Personal Data under the CCPA.
2.5 Data Protection Impact Assessment. Upon Customer's request, Strigo shall reasonably assist Customer in fulfilling Customer's obligation under Data Protection Laws to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information and such information is available to Strigo. Strigo shall reasonably assist Customer in its cooperation or prior consultation with a Supervisory Authority regarding any such data protection impact assessment to the extent required under applicable Data Protection Laws.
2.6 Customer Obligations Regarding Personal Data. In its use of the Services, Customer will comply with the Data Protection Laws, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by Strigo. Customer shall ensure that its instructions for the Processing of Personal Data comply with Data Protection Laws. Customer shall be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall ensure that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable. Customer shall indemnify, defend and hold harmless any claim, damages or fines against Strigo arising from any failure to acquire or use the Personal Data with legal consent or legitimate business purpose or in violation of any data protection legal requirement.
2.7 Sensitive Data. The parties agree that the Services are not intended for the processing of Sensitive Data, and that if Customer wishes to use the Services to process Sensitive Data, it must first obtain Strigo’s explicit prior written consent and enter into any additional agreements as required by Strigo.
3. REQUESTS FOR CUSTOMER DATA
3.1 Requests from Data Subjects. Strigo shall, to the extent legally permitted, promptly notify Customer if Strigo receives any requests from a Data Subject to exercise the following Data Subject rights in relation to Personal Data: access, rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a "Data Subject Request"). Taking into account the nature of the Processing, Strigo shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to a Data Subject Request under applicable Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Strigo shall, upon Customer's request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Strigo is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Strigo's provision of such assistance, including any fees associated with provision of additional functionality.
3.2 Requests from Other Third Parties. If Strigo receives a request from a third party other than a Data Subject (including, without limitation, a government agency) for Customer Data, Strigo shall where permitted by law direct the requesting party to the Customer and promptly notify the Customer of the request. Where Strigo is not permitted by law to notify the Customer of the request, Strigo shall only respond to the requesting party if required by law to do so and will make reasonable efforts to work with the requesting party to narrow the scope of the Customer Data request.
4. STRIGO PERSONNEL
4.1. Limitation of Access. Strigo will ensure that Strigo’s access to Personal Data is limited to its personnel who require such access to perform the Agreement.
4.2. Confidentiality. Strigo will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Strigo will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that Strigo’s Affiliates may be retained as Sub-processors, and Strigo and its Affiliates may engage third-party Sub-processors in connection with the provision of the Services. As a condition to permitting a third-party Sub-processor to Process Personal Data, Strigo will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor.
5.2 Current Sub-processors and Notification of New Sub-processors. Customer hereby provides Strigo with a general authorization to engage the Sub-processors listed at https://strigo.io/subprocessors. Strigo shall notify Customer in writing of any new Sub-processor before authorizing such new Sub-processor to Process Personal Data.
5.3 Objection Right for new Sub-processors. Customer may reasonably object to the Processing of Customer’s Personal Data by a new Sub-processor, by reasonable and explained grounds, by providing a written objection to privacy@strigo.io, within five (5) business days after receipt of Strigo's notice in connection therewith. If Customer timely sends Strigo a written objection notice, the parties will make a good faith effort to resolve Customer’s objection. In the absence of a resolution, Strigo will use commercially reasonable efforts to provide Customer with the same level of Services, without using such new Sub-processor to Process Customer’s Personal Data. If Strigo is unable to do so, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Strigo without the use of the objected-to new Sub-processor by providing written notice to Strigo. Strigo will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
5.4 Liability. Strigo shall be liable for the acts and omissions of its Sub-processors to the same extent Strigo would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise provided in the Agreement.
6. SECURITY OF PERSONAL DATA
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Strigo shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data. Strigo regularly monitors its compliance with these measures. Strigo will not materially decrease the overall security of the Services during the term of the Agreement.
6.2 Strigo shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
6.2.1 the pseudonymisation and encryption of personal data;
6.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
6.2.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
7. PERSONAL DATA BREACH
7.1 In the event of a Personal Data Breach, Strigo shall, without undue delay but no later than forty-eight (48) hours after confirming that a breach of personal data has occurred, inform Customer of the Personal Data Breach and take such steps as Strigo in its sole discretion deems necessary and reasonable to remediate such violation.
7.2 In the event of a Personal Data Breach, Strigo shall, taking into account the nature of the Processing and the information available to Strigo, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
7.3 The obligations described in Clauses 7.1 and 7.2 above shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Strigo’s obligation to report or respond to a Personal Data Breach under Clauses 7.1 and 7.2 above will not be construed as an acknowledgement by Strigo of any fault or liability with respect to the Personal Data Breach.
8. AUDIT AND DEMONSTRATION OF COMPLIANCE
8.1 Strigo will make available to Customer, pursuant to Customer’s reasonable written request, all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Personal Data under this DPA by Strigo and its Sub-Processors. Such information shall only be used by Customer to assess compliance with the aforesaid obligations, and may not be disclosed to any third party without Strigo’s prior written approval. As soon as the purpose of such information is met, Customer will permanently dispose of all copies thereof.
8.2 Strigo will allow for and contribute to audits, including inspections, conducted by Customer or a reputable auditor mandated by Customer (who are each not a competitor of Strigo or affiliated with such a competitor), to assess Strigo’s compliance with its obligations under this DPA. Strigo may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Strigo, at least 45 days in advance and will be performed not more than once a year (except for an audit following a Personal Data Breach); (ii) the auditor will execute a non-disclosure and non-competition undertaking toward Strigo; (iii) the auditor will not have access to non-Customer data; (iv) Customer will make sure that the audit will not interfere with or damage Strigo’s business activities and information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the audit; (vi) no audit shall include access to Strigo’s network and/or networks that contain Strigo’s customer data; (vii) Customer will receive only the auditor’s report, without any Strigo ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; (viii) at the request of Strigo, Customer will provide it with a copy of the auditor’s report; and (ix) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.
9. RETURN AND DELETION OF CUSTOMER DATA
Upon termination or expiration of the Agreement, Strigo shall (at Customer’s election) return or to the fullest extent technically feasible delete all Customer Data in its possession or control. This requirement shall not apply to the extent Strigo is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems (e.g., in the form of audit logs), which Customer Data Strigo shall securely isolate and protect from any further Processing, except to the extent required by applicable law.
10. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Liability Limit” clauses, and such other clauses that exclude or limit liability, of the Agreement, and any reference in such clauses to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
11. TERM
This DPA will commence and become legally binding on the earlier of (i) the date of its execution, (ii) the effective date of the Agreement to which it relates, or (iii) the initiation of Strigo’s Processing of Personal Data on behalf of Customer; and will continue until the Agreement expires or is terminated.
12. EUROPEAN ECONOMIC AREA SPECIFIC PROVISIONS
12.1 GDPR. Strigo will Process Personal Data in accordance with the GDPR requirements directly applicable to Strigo's provisioning of the Services.
12.2 Transfer Mechanisms for Data Transfers.
12.2.1 The Standard Contractual Clauses (EEA) apply to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, and Switzerland to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws of such territories, to the extent such transfers are subject to such Data Protection Laws. Strigo, on behalf of itself and/or its Affiliates, enters into the Standard Contractual Clauses (EEA) as data importer. The additional terms in Clause 12.3 below also apply to such data transfers.
12.3 Additional Terms for Transfers subject to the Standard Contractual Clauses (EEA).
12.3.1 Customers Covered by the Standard Contractual Clauses (EEA). The Standard Contractual Clauses (EEA) and the additional terms specified in this Clause 12.3 apply to (i) Customer, to the extent Customer is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, or Switzerland and, (ii) its Controller Affiliates. For the purpose of the Standard Contractual Clauses (EEA) and this Clause 12.3, such entities are “data exporters”.
12.3.2 Modules. The Parties agree that where optional modules may be applied within the Standard Contractual Clauses (EEA), only those labelled “MODULE TWO: Transfer controller to processor” shall be applied.
12.3.3 Instructions. The instructions described in Clause 2.2 above are deemed to be instructions by Customer to process Personal Data for the purposes of Clause 8.1 of the Standard Contractual Clauses (EEA).
12.3.3 Appointment of New Sub-processors. Pursuant to Option 2 to Clause 9(a) of the Standard Contractual Clauses (EEA), Customer agrees that Strigo’s Affiliates may be retained as Sub-processors, and Strigo and Strigo’s Affiliates may engage third party Sub-processors in connection with the provision of the Services.
12.3.4 Notification of New Sub-processors and Objection Right for New Sub-processors. Pursuant to Option 2 to Clause 9(a) of the Standard Contractual Clauses (EEA), Customer agrees that Strigo may engage new Sub-processors as described in Clauses 5.2 and 5.3 above.
12.3.5 Sub-processor Agreements. The parties agree that data transfers to Sub-processors may rely on a transfer mechanism other than the Standard Contractual Clauses (EEA) (for example, binding corporate rules), and that Strigo’s agreements with such Sub-processors may therefore not incorporate or mirror the Standard Contractual Clauses (EEA), notwithstanding anything to the contrary in Clause 9(b) of the Standard Contractual Clauses (EEA). However, any such agreement with a Sub-processor shall contain data protection obligations not less protective than those in this DPA regarding protection of Customer Data, to the extent applicable to the services provided by such Sub-processor. Copies of the Sub-processor agreements that must be provided by Strigo to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses (EEA) will be provided by Strigo only upon the written request of Customer and may have all commercial information, or clauses unrelated to the Standard Contractual Clauses (EEA) or their equivalent, removed by Strigo beforehand.
12.3.6 Audits and Certifications. The parties agree that the audits described in Clause 8.9 and Clause 13(b) of the Standard Contractual Clauses (EEA) shall be carried out in accordance with Clause 8 above.
12.3.7 Erasure of Data. The parties agree that the erasure or return of data contemplated by Clause 8.5 or Clause 16(d) of the Standard Contractual Clauses (EEA) shall be done in accordance with Clause 9 above and any certification of deletion shall be provided by Strigo only upon Customer’s request.
12.3.8 Third-Party Beneficiaries. The parties agree that based on the nature of the Services, Customer shall provide all assistance required to allow Strigo to meet its obligations to data subjects under Clause 3 of the Standard Contractual Clauses (EEA).
12.3.9 Impact Assessment. In accordance with Clause 14 of the Standard Contractual Clauses (EEA) the parties have conducted an analysis, in the context of the specific circumstances of the transfer, of the laws and practices of the destination country, as well as the specific supplemental contractual, organizational, and technical safeguards that apply, and, based on information reasonably known to them at the time, have determined that the laws and practices of the destination country do not prevent the parties from fulfilling each party’s obligations under the Standard Contractual Clauses (EEA).
12.3.10 Governing Law and Forum. In Clause 17 of the Standard Contractual Clauses (EEA), Option 1 shall apply, and the parties agree that the Standard Contractual Clauses (EEA) shall be governed by the laws of the Republic of Ireland.
12.3.11 Annexes. For purposes of execution of the Standard Contractual Clauses (EEA), Exhibit A: Description of Processing Activities shall be incorporated as ANNEX I, Strigo Security Statement (which may be updated from time to time at https://strigo.io/security) shall be incorporated as ANNEX II, and the current Sub-Processor List (as may be updated from time-to-time at https://strigo.io/subprocessors) shall be incorporated as ANNEX III. Annex I.C of the Standard Contractual Clauses (EEA) shall be completed as follows: The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
12.3.12 Interpretation. The terms of this DPA described in this Clause 12.3 are intended to clarify and not to modify the Standard Contractual Clauses (EEA). In the event of any conflict or inconsistency between the body of this DPA and any of its Schedules and the Standard Contractual Clauses (EEA), the Standard Contractual Clauses (EEA) shall prevail.
13. UNITED KINGDOM SPECIFIC PROVISIONS
13.1 UK Data Protection Law. Strigo will Process Personal Data in accordance with the requirements of UK Data Protection Law directly applicable to Strigo’s provision of its Services.
13.2 Transfer Mechanism for Data Transfers.
13.2.1 The Standard Contractual Clauses (UK) apply to any transfers of Personal Data under this DPA from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of UK Data Protection Law, to the extent such transfers are subject to such Data Protection Laws. Strigo enters into the Standard Contractual Clauses (UK) as a data importer and Customer as a data exporter. For purposes of formation; (i) general and specific references in the Standard Contractual Clauses (UK) to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 shall hereby be deemed to have the same meaning as the equivalent reference in the UK Data Protection Law; (ii) References in the Standard Contractual Clauses (UK) to “the law of the Member State in which the data exporter is established” shall hereby be deemed to mean “the law of the United Kingdom”; and (iii) any other obligation in the Standard Contractual Clauses (UK) determined by the Member State in which the data exporter is established shall hereby be deemed to refer to an obligation under UK Data Protection Law. The additional terms in Clause 13.3 below also apply to such data transfers.
13.3 Additional Terms for Transfers Subject to the Standard Contractual Clauses (UK).
13.3.1 Customers Covered by the Standard Contractual Clauses. The Standard Contractual Clauses (UK) and the additional terms specified in this Clause 13.3 apply to (i) Customer, to the extent Customer is subject to UK Data Protection Law and, (ii) the Controller Affiliates. For the purpose of the Standard Contractual Clauses (UK) and this Clause 13.3, such entities are “data exporters.”
13.3.2 Instructions. The instructions described in Clause 2.2 above are deemed to be instructions by Customer to process Personal Data for the purposes of Clause 5(a) of the Standard Contractual Clauses (UK).
13.3.3 Appointment of New Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses (UK), Customer agrees that Strigo’s Affiliates may be retained as Sub-processors, and Strigo and Strigo’s Affiliates may engage third-party Sub-processors in connection with the provision of the Services.
13.3.4 Notification of New Sub-processors and Objection Right for New Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses (UK), Customer agrees that Strigo may engage new Sub-processors as described in Clauses 5.2 and 5.3 above.
13.3.5 Sub-processor Agreements. The parties agree that data transfers to Sub-processors may rely on a transfer mechanism other than the Standard Contractual Clauses (UK) (for example, binding corporate rules), and that Strigo’s agreements with such Sub-processors may therefore not incorporate or mirror the Standard Contractual Clauses (UK), notwithstanding anything to the contrary in Clause 11 of the Standard Contractual Clauses (UK). However, any such agreement with a Sub-processor shall contain data protection obligations not less protective than those in this DPA regarding protection of Customer Data, to the extent applicable to the services provided by such Sub-processor. Copies of the Sub-processor agreements that must be provided by Strigo to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses (UK) will be provided by Strigo only upon the written request of Customer and may have all commercial information, or clauses unrelated to the Standard Contractual Clauses (UK) or their equivalent, removed by Strigo beforehand.
13.3.6 Audits and Certifications. The parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the Standard Contractual Clauses (UK) shall be carried out in accordance with Clause 8 above.
13.3.7 Certification of Deletion. The parties agree that the certification of deletion of Personal Data described in Clause 12(1) of the Standard Contractual Clauses (UK) shall be provided by Strigo only upon Customer’s request.
13.3.8 Appendices. For purposes of execution of the Standard Contractual Clauses (UK), Exhibit A: Description of Processing Activities shall be incorporated as Appendix 1, and the Strigo Security Statement (which may be updated from time to time at https://strigo.io/security) shall be incorporated as Appendix 2.
13.3.9 Interpretation. The terms of this DPA described in this Clause 13.3 are intended to clarify and not to modify the Standard Contractual Clauses (UK). In the event of any conflict or inconsistency between the body of this DPA and any of its Schedules and the Standard Contractual Clauses (UK), the Standard Contractual Clauses (UK) shall prevail.
EXHIBIT A
DESCRIPTION OF PROCESSING ACTIVITIES
Nature and Purpose of Processing: Strigo will Process Personal Data on behalf of Customer for the purposes of providing the Services in accordance with the Agreement and as further instructed by Customer in its use of the Services.
Duration of Processing: Strigo will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Categories of Data Subjects: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer’s users authorized by Customer to use the Services
Type of Personal Data: Customer and Authorized Users determine the identity of the persons which are part of the Courses and content uploaded and displayed in the framework of the Services, and the type and nature of any Personal Data (if any) exchanged in such Courses or included in such content. Strigo has no control over the identity of the data subjects whose Personal Data is processed on behalf of Customer and over the types of Personal Data Processed.
Personal Data provided to Strigo via the Services by (or at the direction of) Customer or Authorized Users, include but are not limited to the following:
- User Profile: First Name, Last Name, Employer (optional), Contact information (company, email, phone, physical business address), Professional life data (optional), Localisation data, Phone (optional), Email, Password (if SSO is not used), Profile Picture (optional), Department (optional).
- Course Metadata: Topic, Description (optional), Attendee IP addresses, device/hardware information
- At Customer’s selection, the Services may also be used to record Courses, in order to capture video, audio and chat recordings, including voice identifiers relating to Authorized Users, for speaker identification purposes.
Sensitive Data: The parties do not intend for Sensitive Data to be transferred.
Frequency of Transfer: Transfers occur on a continuous basis for the duration of the Agreement.
Period for retainment of Personal Data: The period for which the Personal Data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
Transfers to Sub-processors: In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Section 5 of the DPA.