AIQ Partner Data Processing Agreement

21min

AIQ Partner data processing agreement
﻿
Effective: December 11th, 2023

This Partner Data Processing Addendum (the “Addendum”) is entered into by the partner (“Partner”) and the relevant Alpine IQ entity engaged in the Services (referred to generally as “AIQ”) and forms part of and shall be incorporated into the underlying relationship and agreements (including but not limited to the AIQ API Terms of Use and the Partner Referral and Revenue Share Agreement) between AIQ and the Partner (collectively the “Agreement”) in relation to both AIQ and Partner’s (each a “Party” or together the “Parties”) Processing of Personal Information under the Agreement.
1.    INTRODUCTION
1.1    Both Partner and AIQ provide Services under the Agreement that may involve the processing of Personal Information within and outside the United States.  If Partner and AIQ mutually agree under written consent to process Personal Information outside the United States and Canada, then the EU specific provisions set out in this Addendum shall comply provided the Parties mutually agree on which party shall be the Controller and/or Processor within the context of this Addendum. 
1.2    Both Partner and AIQ agree to comply in good faith with the terms set out in this Addendum. 
1.3    If any language in this Addendum conflicts with the Agreement, this Addendum shall control.
2.    DEFINITIONS
Unless otherwise set out below, each capitalized term in this Addendum shall have the meaning set out in the Agreement.
2.1  “Alternative Transfer Mechanism” means a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to a third country in accordance with Applicable Data Protection Laws, including, but not limited to, programs both approved and operated by the U.S. Department of Commerce and approved by the European Commission or other applicable governmental authority or entity.
2.2   “Applicable Data Protection Laws” means all applicable federal, state, provincial, regional and local laws, directives, regulations, and rules imposed by any government, agency or authority in relation to the processing and security of Personal Information, including, but not limited, to the European Union’s General Data Protection Regulation (Regulation 2016/679) pertaining to the protection of individuals within the European Economic Area (“EU GDPR”), the EU Directive on Privacy and Electronic Communications 2002/58/EC (“PECR”), the data protection law of the United Kingdom, including but not limited to the EU GDPR as incorporated into the United Kingdom,  the Data Protection Act  2018 and any additional legislation (“UK GDPR”), Switzerland’s Federal Data Protection Act of 19 June 1992, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), as well as any applicable provincial legislation, the CCPA, and other US Privacy Laws as any of the foregoing may be amended, replaced or superseded.
2.3    “CCPA” means, as applicable, the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), including as amended by the California Privacy Rights Act of 2020; and any subsequent replacements to the foregoing laws. All implementing regulations forming part of the laws above shall also be included in this definition. 
2.4    “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Information. For the purposes of this AIQ Partner Agreement, “Controller” includes similarly defined terms under the Applicable Data Protection Laws, including, but not limited to, a “business.”
2.5     “GDPR” means, as applicable, the EU GDPR and the UK GDPR.
2.6    "Individual” has the same meaning as “consumer” or “data subject” under the Applicable Data Protection Laws.
2.7    “Individual Rights Request” means the exercise of an individual’s right over their Personal Information (for example deletion, access or rectification) and shall be understood to have the same meaning as a “data subject rights request”, “a consumer right”, “a personal data rights request”, and similar terms as may be defined under Applicable Data Protection Laws.
2.8    “Subscriber” means the contracting entity listed on the applicable AIQ service order form.
2.9     “Personal Information” means any information relating to an identified or identifiable individual or household. Personal Information may include, but is not limited to, a name, address, contact details, unique identifiers, payment card information, biometric identifiers and information, preferences, history and profile data, IP addresses, and location-based information, but excludes aggregated or anonymized information. Personal Information shall include any information that constitutes “Personal Information” or “Personal Data” under the Applicable Data Protection Laws.
2.10  “Process” or “Processing” means any operation or set of operations performed on Personal Information or sets of Personal Information, whether or not by automated means, including, but not limited to, the collection, access, use, alteration, disclosure, or deletion of Personal Information.
2.11     “Processor" means the entity which processes Personal Information on behalf of a Controller.
2.12    “Sale” or “Sell” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time.
2.13  “Security Incident” means any accidental or unlawful destruction, loss, alteration, theft, unauthorized disclosure of, or access to, Personal Information.
2.14    “Services” means services provided as part of the AIQ Partner Agreement between AIQ and the Partner.
2.15    “Share”  or “Sharing” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time. 
2.16   “Standard Contractual Clauses” or “SCCs” means (i) in respect of EU Personal Information, the Standard Contractual Clauses implemented by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the EU GDPR, as updated or replaced from time to time (“EU Standard Contractual Clauses”) and (ii) in respect of UK Personal Information, means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office (ICO) in accordance with the UK GDPR and the Data Protection Act 2018, as amended or replaced (“UK Addendum”). 
2.17   “Sub-processor” means any additional authorized Processor engaged by the original Processor that agrees to receive any Personal Information from AIQ as part of the Services.
2.18   “Third Party” means any Controller, Processor or Sub-processor engaged by a Party that agrees to receive Personal Information as part of the Services.
2.19   “US Privacy Laws” refers to state-specific privacy laws in the United States, including the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy and other state-specific privacy laws as amended; and any subsequent replacements to the foregoing laws. All implementing regulations forming part of the laws above shall also be included in this definition. 
DATA PROCESSING
3.  CONTROLLER OBLIGATIONS  
The parties agree that AIQ shall act as a Controller only where (i) data is disclosed in the context of a referral relationship, and/or (ii) specifically set forth in the Agreement. If neither Party is a Controller, the terms provided under this Section 3 are not applicable to the Agreement. 
To the extent AIQ and Partner Process Personal Information as Controllers as part of the Agreement, the Parties agree that:
3.1     Independent controllers: Each Party shall act as independent Controller and no “Joint Controller” relationship shall exist under the Applicable Data Protection Laws.
3.2 	 Compliance with law: Both Parties agree to comply with Applicable Data Protection Laws and shall not by any act or omission, put the other Party in breach of those Laws.    
3.3     Compliance obligations: Each Party is obligated to manage its respective compliance obligations pursuant to Applicable Data Protection Laws and putting in place any applicable controls or governance, which may include (i) the provision and maintenance of a privacy statement or similar notice for each Party’s respective Processing; (ii) providing written notices to individuals (iii)  obtaining any required consents (including initial consents or consents for secondary uses) before any initial or subsequent use or disclosure of Personal Information; (iv) fulfillment and management of opt-outs and individual rights requests; (v) compliance with any applicable direct marketing or spam legislation, and (vi) the oversight of Processing operations involving Personal Information. 
3.4   Individual Rights Requests: Each Party shall comply with Individual Rights Requests under Applicable Data Protection Laws (including the right to withdraw consent, of access, restriction, rectification, and erasure) in relation to Personal Information. The Parties shall reasonably cooperate with each other to respond to such requests where required or appropriate. 
3.5    No Sales or Sharing: Each Party represents and warrants that, to the best of its knowledge, the transfer of Personal Information under the Agreement between the Parties does not constitute a “Sale” or “Sharing” under the Applicable Data Protection Laws. The Parties agree that any transfers of Personal Information to Third Parties, whether made directly by a Party or made at the request of the other Party will not constitute a “Sale” or “Sharing”  To the extent any transfer to a Third Party is found to later constitute a “Sale” or “Sharing” the Party responsible for instructing that transfer shall be solely responsible for implementing the appropriate disclosures and managing any subsequent legal obligations (e.g., opt-outs) under the Applicable Data Protection Laws.
4.    PROCESSOR OBLIGATIONS
This Section is divided into two sections depending on the relationship of the Parties. The first section (4.1 -4.10) applies only to the extent that AIQ is a Processor acting on behalf of the Partner as a Controller. The second section (4.11-4.15) applies where both AIQ and the Partner are Processors (in most cases with each Party acting on behalf of independent Third Parties).
Partner as a Controller and AIQ as a Processor
To the extent AIQ Processes Personal Information as a Processor where Partner is a Controller under the Agreement, AIQ agrees that:
4.1      Processing: AIQ shall only Process the Personal Information on documented instructions of the Partner and in order to provide the Services or where required by applicable law, in which case AIQ will inform Partner of the legal requirement unless AIQ is prohibited from doing so by law. 
4.2     Audits and Assessments: To the extent required under the Applicable Data Protection Laws, AIQ shall make available to Partner all information necessary to demonstrate compliance with the obligations under such Laws.
4.3  	CCPA Service Provider: Where AIQ acts as a “service provider” for the purposes of the CCPA, and with respect to Personal Information it processes in such capacity, in addition to the obligations set forth in this DPA and to the extent the CCPA applies:  AIQ shall not (a) combine Personal Information it receives in in connection with the Services with Personal Information it may receive from other sources (b) “Sell” or “Share” Personal Information as such terms are defined in the CCPA (c) retain, use, or disclose Personal Information for any purpose other than to provide the Services, and as otherwise permitted by applicable law (including but not limited to Applicable Data Protection Laws), (d) retain, use or disclose Personal Information outside of the direct business relationship between the Parties or outside the provision of the Services, and (e) disclose Personal Information to any person without including them on the list of Sub-processors described below. The Parties acknowledge that the transfer of Personal Information is in furtherance of a business purpose, described in the Agreement.
4.4    Sub-processors: Partner grants AIQ a general authorization to appoint Sub-processors to Process Personal Information under the Agreement and permits each Sub-processor to appoint Sub-processors in accordance with the terms herein. AIQ will have a written agreement with the Sub-processor imposing substantially similar obligations as those set out under this Addendum. AIQ is responsible to Partner (or as applicable, a Third Party) for the failure of any Sub-processors to perform their obligations under this Addendum. See Annex 3 of this Addendum for a link to a website detailing AIQ’s current Sub-processors. By visiting that site, Partner may also register to be notified of any modifications to the Sub-processor list (a “Notification”).
4.5    GDPR Sub-processors: In the case of a Sub-processor appointed that will Process Personal Information subject to the GDPR, if Partner objects on reasonable grounds to the use of a specific Sub-processor it must inform AIQ of such objection in writing (by email to [email protected]) within 15 days of receipt of Notification. AIQ will use reasonable efforts to make available to Partner a change in the Services or recommend a commercially-reasonable change to the configuration or use of the Services by Partner to avoid Processing of Personal Information by the objected-to new Sub-processor. AIQ shall at its option (a) within a commercially reasonable timeframe find a replacement Sub-processor; or (b) provide a termination right pursuant to the Agreement. Before the Sub-processor first processes Personal Information, AIQ agrees to carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Information required by the Agreement. AIQ will provide for Partner to review the form of agreement for such written contract, as Partner may request up to once per year.
4.6    Retention and deletion: Upon termination of the Agreement, AIQ shall return or delete any Personal Information on Partner’s request, except where it is required to retain the Personal Information to comply with applicable laws, or, where permitted, such retention is in line with AIQ’s current data retention schedule.
4.7    Reasonable support. AIQ shall provide reasonable assistance and cooperation to Partner in relation to any individual rights requests made pursuant to the Applicable Data Protection Laws. In the event AIQ receives a notification or request pursuant to this Section, AIQ shall notify Partner and shall not respond to the individual making the request unless required to do so under applicable law (including the Applicable Data Protection Laws). Additionally, upon Partner’s request, AIQ shall provide Partner with reasonable assistance and cooperation needed to fulfill Partner’s obligation to carry out a data protection impact assessment related to Partner’s use of the Services, to the extent that Partner does not otherwise have access to the relevant information and to the extent that such information is available to AIQ. 
4.8      Government Access Requests: If AIQ becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Information of Partner, whether on a voluntary or a mandatory basis, then unless legally prohibited under applicable law, AIQ shall: (1) immediately notify Partner (2) inform the requestor that AIQ is a Processor and is not authorized to disclosure the Personal Information (3) inform the requestor that the request must be sent to the Partner (4) not provide access to the Personal Information unless required by applicable law or authorized by the Partner in writing. If applicable law prohibits AIQ from complying with (1) to (4) above, then AIQ shall use any lawful means to challenge (a) disclosure of the Personal Information and (b) the prohibition to notify Partner. 
4.9       Third Party transfers: Partner acknowledges that AIQ is not responsible for the Processing of Personal Information by Third Parties where the Personal Information is sent by AIQ to the Third Party on the instructions of the Partner.
4.10    Additional GDPR Processor obligations: In addition to the other requirements set out in this Addendum, to the extent AIQ Processes Personal Information subject to the GDPR, UK GDPR or laws of Switzerland, AIQ shall comply with all requirements under Article 28 of the GDPR in relation to AIQ’s role as a Processor (or the relevant equivalent requirements as applicable). This includes the contractual obligations set out in Article 28(3) as set out in this Addendum. 
AIQ and Partner as Processors
To the extent both AIQ and Partner Process Personal Information as independent Processors on behalf of a Third Party under the Agreement, the Parties agree that the following terms shall apply to the relationship.
4.11     Compliance with law: Each Party shall comply with all Applicable Data Protection Laws and not by any act or omission put the other Party in breach of those Laws. 
4.12   Partner Authority: Where Partner acting as Processor requests that AIQ Process Personal Information from a Third Party (e.g., a Merchant), Partner represents and warrants that it has the requisite authority from the Third Party Controller for such instruction.
4.13     Merchant Processing: To the extent that Partner is acting as a Processor on behalf of a Merchant Controller and the Merchant directs AIQ to transfer Personal Information to Partner, Partner agrees that it shall:
(i)        adhere to any and all obligations of a Processor under the Applicable Data Protection Laws; 
(ii)         only process the Personal Information in line with the instructions of the Merchant and to provide the requisite services; 
(iii)     be responsible for evaluating AIQ’s information collection practices and disclosures and ensuring that any downstream use by the Partner (whether on behalf of a Third Party or on behalf of the Controller) is compliant and permitted under the Applicable Data Protection Laws; and 
(iv)      ensure that at the end of the agreement with the Merchant that Personal Information is either returned or destroyed at the election of Merchant absent any obligation to retain the information under the applicable law. 
4.14     Sub-processor relationship: In the event that Partner is required to act as a Sub-processor at any time during the Services, the Parties shall negotiate a set of mutually-agreeable written terms to govern such processing activity.
4.15    CCPA Service Providers: For the purposes of the CCPA, as applicable, both Parties shall act as a “service provider” and not (a) combine Personal Information it receives in in connection with the Services with Personal Information it may receive from other sources (b) “Sell” or “Share” Personal Information as such terms are defined in the CCPA (c) retain, use, or disclose Personal Information for any purpose other than to provide the Services, and as otherwise permitted by applicable law (including but not limited to Applicable Data Protection Laws), and (d) retain, use or disclose Personal Information outside of the direct business relationship between the Parties or outside the provision of the services.
AIQ’s Processor obligations above shall be read and interpreted in light of any additional rights AIQ may have in relation to the Personal Information pursuant to an agreement with a Merchant or Third Party.
5.    SECURITY 
5.1    Security Measures: Taking into account the state of the art, costs of implementation, the nature, scope, context and purpose of the Processing, each Party shall implement and maintain a written information security program embodying all appropriate technical, organizational and administrative security measures required to protect the privacy and security of any Personal Information Processed as part of the Services.  In all cases, the Parties shall implement any and all security measures imposed under the Applicable Data Protection Laws. 
5.2    Confidentiality: Anyone authorized to process Personal Information on behalf of the Parties shall either have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.    SECURITY INCIDENTS
6.1    Security Incident response program: Each Party shall implement and maintain a written incident response program for the management of Security Incidents. 
6.2       Notification of a Security Incident: If either Party discovers, is notified of or reasonably suspects the occurrence of a Security Incident impacting any Personal Information Processed under the Agreement, that Party will notify the other Party without undue delay. The timing of such notification shall not exceed seventy-two (72) hours after having become aware of a Security Incident or such other time limit imposed under the Applicable Data Protection Laws.  Such notice shall (where known) contain the following: (i) the facts of the Security Incident, including the date of discovery, a date range of unauthorized activity, and any remediation and mitigation activities that have been taken or put in place; (ii) a description of the categories and approximate number of individuals and records affected by the Security Incident;  (iii) the Party’s assessment, developed through reasonable diligence, of the likely consequences of the Security Incident with respect to the affected Personal Information and affected individuals; and (iv) the name and the contact details of the data protection officer or other contact point where more information can be obtained. The Parties will reasonably assist each with any obligation to inform any impact individuals or any regulatory body of the Security Incident.
6.3     Costs and remediation obligations: To the extent any Security Incident is attributable to the actions of a specific Party or its Third Parties, that Party shall be responsible for all costs associated with the Security Incident, including, but limited to, the following: (i) the cost of providing notice to affected individuals; (ii) the cost of providing notice to government agencies, credit bureaus, and/or other entities required to be notified under applicable law; (iii) the cost of providing affected individuals with credit monitoring services (as appropriate or as required by  the Applicable Data Protection Laws); (iv) call center support for such affected individuals; (v) the cost of any other measures required under the Applicable Data Protection Laws; and (vi) other losses, liabilities or expenses for which that Party would be liable. In all cases, as to the Personal Information Processed under this Agreement impacted by a Security Incident, the Parties shall, where appropriate and reasonable, cooperate and work together as part of the remediation efforts.
7.    DATA TRANSFERS
7.1   Transfers generally: Each Party is permitted to transfer Personal Information under the Agreement to locations around the world provided that such transfers comply with Applicable Data Protection Laws.
7.2     EEA, Switzerland and United Kingdom transfers: In the event either Party Processes the Personal Information of individuals residing in the EEA, Switzerland or the United Kingdom as part of the Services, a Party shall only be permitted to transfer such Personal Information outside those jurisdictions if such transfers are compliant with the Applicable Data Protection Laws.  
7.3    Restricted transfers and SCCs: In the event AIQ or Partner seeks to transfer Personal Information collected as part of this Agreement to a country not deemed adequate by the European Commission or other governmental bodies that is not covered by an Alternative Transfer Mechanism, the Parties agree that the following shall apply:
i.      Where AIQ and Partner are Controllers and act as either a data exporter or a data importer, the Parties agree that Module 1 of the SCCs shall apply along with the UK Addendum.
ii.    Where AIQ is acting as a Processor on behalf of a Controller Partner and is the data importer, the Parties agree that Module 2 of the SCCs shall apply along with the UK Addendum.
iii.   Where AIQ and Partner are Processors and AIQ or the Partner acts as a data exporter or a data importer, the Parties agree that Module 3 of the SCCs shall apply along with the UK Addendum.
The SCCs and UK Addendum shall be populated with the following provisions (as applicable):
For the purposes of the EEA and Switzerland:
Section Reference
Concept
Selection by the Parties 
Module
In operation
Modules One, Two and Three
Section I, Clause 7
Docking
The option under clause 7 shall not apply. 
Section II, Clause 9
Sub-processors
Option 2 (General Written Authorization) under clause 9 shall apply. See clause 4.5 of this Addendum.  
Section IV, Clause  17
Governing law
Transfers under the EU SCCs will be governed by the laws of Ireland. 
﻿
The Swiss Federal Act on Data Protection (FADP) insofar as the transfers are governed by the FADP. 
Section IV, Clause 18(b)
Choice of forum and jurisdiction 
The Courts of Ireland shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the EU SCCs. 
Annex 1.A
List of Parties
See Annex 1 Section A 
Annex I.B
Description of Transfer 
See Annex 1 Section B
Annex I.C
Competent Supervisory Authority
Irish Data Protection Commissioner. 
﻿
Federal Data Protection and Information Commissioner insofar as the transfers are governed by the FADP. 
Annex II
Technical and Organizational Measures 
See Annex 2 of this Addendum. 
Annex III
Sub-processors 
See Annex 3 of this Addendum  (only for Modules Two and Three)
Additional adaptations insofar as the FADP governs the transfers 
The term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of residence (Switzerland) in accordance with Clause 18(c) of the SCCs. 
﻿
References to “GDPR” are to be understood as references to FADP. The SCCs shall apply to data pertaining to legal entities until the entry into force of the revised FADP. 
For the purposes of the UK, the Parties agree that the EU Standard Contractual Clauses will apply but will be modified and interpreted in accordance with the UK Addendum and agree as follows:
Table or Section Reference
Concept
Selection by the Parties 
Table 1
Parties
See Annex 1 Section A of this Addendum 
Table 2
Selected SCCs, Modules and Selected Clauses
Modules One, Two and Three of the EU Standard Contractual Clauses entered into on the date of the Agreement. 
Table 3
Appendix Information 
Annex 1A shall be populated with the information in Annex 1 Section A of this Addendum.
﻿
Annex 1B shall be populated with the information in Annex 1 Section B of this Addendum.
﻿
Annex II shall be populated with Annex 2 of this Addendum.
﻿
Annex III shall be populated with Annex 3 of this Addendum (only for Modules Two and Three).
﻿
Table 4
End of UK Addendum when the Approved Addendum changes 
Neither Party may end this UK Addendum per Section 19 of the UK Addendum, except as set forth in this Addendum. 
Section I, Clause 7
Docking
The option under clause 7 shall not apply. 
Section II, Clause 9
Sub-processors
Option 2 (General Written Authorization) under clause 9 shall apply. See clause 3.2(iii) of this Addendum.  
Section II, Clause 11
Redress
The option under clause 11 shall not apply.
Section IV, Clause 17
Governing law
The laws of England and Wales insofar as the transfers are governed by UK Data Protection Law. 
Section IV, Clause 18(b)
Choice of forum and jurisdiction 
The Courts of England and Wales shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the UK Addendum. 
Part 2 
Mandatory Clauses
Mandatory clauses of the UK Addendum as issued by the Information Commissioner’s Office and laid before the United Kingdom Parliament in accordance with section 119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under section 18 of those Mandatory Clauses. section
Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.  
7.4    In the event of any changes to the UK Addendum after signature of this Addendum, the Parties agree to cooperate in good faith and repopulate any replacement UK Addendum.  
7.5    If the SCCs are implemented, adopted or recognized as a legitimate data transfer mechanism in countries other than the EEA countries, then the Parties shall apply the SCC Modules to the transfer of Personal Information originating from such country(-ies).
7.6    To the extent Section 7.3 of this Addendum is relevant and where Partner acts as an importer, as required, Partner shall include the relevant SCCs annexes (e.g. technical and organizational measures and Sub-processors annexes) in the main body of the Agreement. 
7.7    Alternative Transfer Mechanisms: If a Party is relying on an Alternative Transfer Mechanism as a legal ground for the transfer of Personal Information under the Agreement, that Party shall be responsible for ensuring that the Alternative Transfer Mechanism provides the same level of protection for Personal Information imposed on the Party under this Addendum. 
8.    MISCELLANEOUS
8.1    Assurances: Notwithstanding any requirements or specific rights granted to the Parties under the Applicable Data Protection Laws, each Party shall, with reasonable notice, have the right to obtain assurances from the other Party to verify each Party’s compliance with the terms of this Addendum if it has a reasonable suspicion of a breach or a potential breach under this Addendum.
8.2    Survival:  Each Party’s obligations under this Addendum will survive the termination of the AIQ Partner Agreement to the extent either Party continues to Process Personal Information covered by the Agreement.
8.3    Severability: If any court or competent authority decides that any term of this Addendum is held to be invalid, unlawful, or unenforceable to any extent, such term shall, to that extent only, be severed from the remaining terms, which shall continue to be valid to the fullest extent permitted by law.
8.4   Waiver: Either Party’s failure to enforce any provision of this Addendum shall not constitute a waiver of that or any other provision and will not relieve the other Party from the obligation to comply with such provision.
ANNEX 1
A.     LIST OF PARTIES 
1.    Partner / Data Exporter or Data Importer, as applicable 
Name
As set forth in the Agreement.
Address
As set forth in the Agreement.
Contact person
As set forth in the Agreement.
Activities related to data transfer under the Clauses:
Services associated with facilitation of POS-related, digital ordering and other related services, employees and consumer guests.
Role (controller/processor)
If Standard Contractual Clauses Module One applies, Partner is the data controller (either as Exporter or Importer). 
(Note: Module One will be most relevant where Partner is sending AIQ information (as Exporter) or in receipt of information from AIQ (as Importer) as part of a referral relationship).
If Standard Contractual Clauses Module Two applies, Partner is the data controller (as Exporter) and AIQ is the data processor.
﻿
(Note: Module Two will be most relevant where Partner is sending AIQ information (as Exporter) as part of an integration relationship).
﻿
If Standard Contractual Clauses Module Three applies, Partner is the data processor. 
(Note: Module Three will be most relevant where Partner is sending AIQ information (as Exporter) or in receipt of information from AIQ (as Importer) as part of an integration relationship).
2.    AIQ / Data Importer or Data Exporter, as applicable
Name
AIQ
Address
2205 W 136th Avenue Ste 106 PMB 3058 Broomfield, CO 80023
Contact person
Assistant General Counsel, Privacy; [email protected]
Activities related to data transfer under the Clauses:
Services associated with facilitation of POS-related, digital ordering and other related services, employees and consumer guests.
Role (controller/processor)
If Standard Contractual Clauses Module One applies, AIQ is the data controller (either as Exporter or Importer). 
(Note: Module One will be most relevant where AIQ is sending Partner information (as Exporter) or in receipt of information from Partner (as Importer) as part of a referral relationship).
If Standard Contractual Clauses Module Two applies,
AIQ is the data processor (as Importer) and Partner is the data controller. 
﻿
(Note: Module Two will be most relevant where AIQ is in receipt of information from Partner (as Importer) as part of an integration relationship).
﻿
Standard Contractual Clauses Module Three: AIQ is the data processor.
(Note: Module Three will be most relevant where AIQ is sending the Partner information (as Exporter) or in receipt of information from Partner (as Importer) as part of an integration relationship).
B.     DESCRIPTION OF TRANSFER & PROCESSING 
﻿
Module One
Partner is controller
AIQ is controller
Module Two 
Partner is controller
AIQ is processor 
Module Three
AIQ is processor
Partner is processor
﻿
Categories of Data Subjects 
Guests
﻿
Employees
Guests
﻿
Employees
Guests
﻿
Employees
Categories of Personal Information
﻿
Guests - Name, email, phone, address, payment card information, Government ID
﻿
Merchant employees - Name, email, phone, wages, scheduling and related employment information
﻿
Guests - Name, email, phone, address, payment card information, Government ID
﻿
Merchant employees - Name, email, phone, wages, scheduling and related employment information
﻿
Guests - Name, email, phone, address, payment card information, Government ID
﻿
Merchant employees - Name, email, phone, wages, scheduling and related employment information
Sensitive data processed 
Not applicable. 
Not applicable. 
Not applicable. 
Transfer frequency 
Ongoing transfers.
Ongoing transfers.
Ongoing transfers.
Nature of processing
Processing and storage of information required to facilitate the partner services as detailed in the Agreement. 
Processing and storage of information required to facilitate the partner services as detailed in the Agreement. 
Processing and storage of information required to facilitate the partner services as detailed in the Agreement. 
Purpose of processing
Facilitation of the services provided by the partner as part of the Agreement. 
Facilitation of the services provided by the partner as part of the Agreement. 
Facilitation of the services provided by the partner as part of the Agreement. 
Retention period 
For the period stated in the Agreement or as otherwise provided for under the applicable law. 
For the period stated in the Agreement or as otherwise provided for under the applicable law. 
For the period stated in the Agreement or as otherwise provided for under the applicable law. 
ANNEX 2
AIQ Security Measures 
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
EXPLANATORY NOTE:
The technical and organizational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Organizational security
Information Security Program 
We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants. 
Third-Party Audits 
Our organization undergoes independent third-party assessments to test our security and compliance controls. 
Third-Party Penetration Testing 
We perform an independent third-party penetration at least annually to ensure that the security posture of our services is un-compromised. 
Roles and Responsibilities
Roles and responsibilities related to our Information Security Program and the protection of our customer’s data are well defined and documented. Our team members are required to review and accept all of the security policies. 
Security Awareness Training 
Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management. 
Confidentiality 
All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work. 
Background Checks
We perform background checks on all new team members in accordance with local laws.
Cloud security
Cloud Infrastructure Security 
All of our services are hosted with Amazon Web Services (AWS) | Google Cloud Platform (GCP). They both employ a robust security program with multiple certifications. For more information on our provider’s security processes, please visit AWS Security | GCP Security. 
Data Hosting Security 
All of our data is hosted on Amazon Web Services (AWS) | Google Cloud Platform (GCP) databases. These databases are all located in the United States unless otherwise requested. Please reference the above vendor specific documentation linked above for more information. 
Encryption at Rest
All databases are encrypted at rest. 
Encryption in Transit
Our applications encrypt in transit with TLS/SSL only. 
Vulnerability Scanning
We perform vulnerability scanning and actively monitor for threats. 
Logging and Monitoring 
We actively monitor and log various cloud services. 
Business Continuity and Disaster Recovery 
We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users. 
Incident Response
We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
Access security
Permissions and Authentication 
Access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role.  Where available we have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies to ensure access to cloud services are protected.
Least Privilege Access Control
We follow the principle of least privilege with respect to identity and access management. 
Quarterly Access Reviews
We perform quarterly access reviews of all team members with access to sensitive systems. 
Password Requirements 
All team members are required to adhere to a minimum set of password requirements and complexity for access. 
Password Managers 
All company issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.
Vendor and risk management
Annual Risk Assessments 
We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
Vendor Risk Management 
Vendor risk is determined, and the appropriate vendor reviews are performed prior to authorizing a new vendor.
﻿
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
ANNEX 3  
Approved Sub-processors 
A list of AIQ’s current Sub-processors can be found at Data Sub-processors﻿﻿

Section Reference	Concept	Selection by the Parties
Module	In operation	Modules One, Two and Three
Section I, Clause 7	Docking	The option under clause 7 shall not apply.
Section II, Clause 9	Sub-processors	Option 2 (General Written Authorization) under clause 9 shall apply. See clause 4.5 of this Addendum.
Section IV, Clause 17	Governing law	Transfers under the EU SCCs will be governed by the laws of Ireland. The Swiss Federal Act on Data Protection (FADP) insofar as the transfers are governed by the FADP.
Section IV, Clause 18(b)	Choice of forum and jurisdiction	The Courts of Ireland shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the EU SCCs.
Annex 1.A	List of Parties	See Annex 1 Section A
Annex I.B	Description of Transfer	See Annex 1 Section B
Annex I.C	Competent Supervisory Authority	Irish Data Protection Commissioner. Federal Data Protection and Information Commissioner insofar as the transfers are governed by the FADP.
Annex II	Technical and Organizational Measures	See Annex 2 of this Addendum.
Annex III	Sub-processors	See Annex 3 of this Addendum (only for Modules Two and Three)
Additional adaptations insofar as the FADP governs the transfers	The term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of residence (Switzerland) in accordance with Clause 18(c) of the SCCs. References to “GDPR” are to be understood as references to FADP. The SCCs shall apply to data pertaining to legal entities until the entry into force of the revised FADP.

Table or Section Reference	Concept	Selection by the Parties
Table 1	Parties	See Annex 1 Section A of this Addendum
Table 2	Selected SCCs, Modules and Selected Clauses	Modules One, Two and Three of the EU Standard Contractual Clauses entered into on the date of the Agreement.
Table 3	Appendix Information	Annex 1A shall be populated with the information in Annex 1 Section A of this Addendum. Annex 1B shall be populated with the information in Annex 1 Section B of this Addendum. Annex II shall be populated with Annex 2 of this Addendum. Annex III shall be populated with Annex 3 of this Addendum (only for Modules Two and Three).
Table 4	End of UK Addendum when the Approved Addendum changes	Neither Party may end this UK Addendum per Section 19 of the UK Addendum, except as set forth in this Addendum.
Section I, Clause 7	Docking	The option under clause 7 shall not apply.
Section II, Clause 9	Sub-processors	Option 2 (General Written Authorization) under clause 9 shall apply. See clause 3.2(iii) of this Addendum.
Section II, Clause 11	Redress	The option under clause 11 shall not apply.
Section IV, Clause 17	Governing law	The laws of England and Wales insofar as the transfers are governed by UK Data Protection Law.
Section IV, Clause 18(b)	Choice of forum and jurisdiction	The Courts of England and Wales shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the UK Addendum.
Part 2	Mandatory Clauses	Mandatory clauses of the UK Addendum as issued by the Information Commissioner’s Office and laid before the United Kingdom Parliament in accordance with section 119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under section 18 of those Mandatory Clauses. section

Name	As set forth in the Agreement.
Address	As set forth in the Agreement.
Contact person	As set forth in the Agreement.
Activities related to data transfer under the Clauses:	Services associated with facilitation of POS-related, digital ordering and other related services, employees and consumer guests.
Role (controller/processor)	If Standard Contractual Clauses Module One applies, Partner is the data controller (either as Exporter or Importer). (Note: Module One will be most relevant where Partner is sending AIQ information (as Exporter) or in receipt of information from AIQ (as Importer) as part of a referral relationship). If Standard Contractual Clauses Module Two applies, Partner is the data controller (as Exporter) and AIQ is the data processor. (Note: Module Two will be most relevant where Partner is sending AIQ information (as Exporter) as part of an integration relationship). If Standard Contractual Clauses Module Three applies, Partner is the data processor. (Note: Module Three will be most relevant where Partner is sending AIQ information (as Exporter) or in receipt of information from AIQ (as Importer) as part of an integration relationship).

Name	AIQ
Address	2205 W 136th Avenue Ste 106 PMB 3058 Broomfield, CO 80023
Contact person	Assistant General Counsel, Privacy; [email protected]
Activities related to data transfer under the Clauses:	Services associated with facilitation of POS-related, digital ordering and other related services, employees and consumer guests.
Role (controller/processor)	If Standard Contractual Clauses Module One applies, AIQ is the data controller (either as Exporter or Importer). (Note: Module One will be most relevant where AIQ is sending Partner information (as Exporter) or in receipt of information from Partner (as Importer) as part of a referral relationship). If Standard Contractual Clauses Module Two applies, AIQ is the data processor (as Importer) and Partner is the data controller. (Note: Module Two will be most relevant where AIQ is in receipt of information from Partner (as Importer) as part of an integration relationship). Standard Contractual Clauses Module Three: AIQ is the data processor. (Note: Module Three will be most relevant where AIQ is sending the Partner information (as Exporter) or in receipt of information from Partner (as Importer) as part of an integration relationship).

	Module One Partner is controller AIQ is controller	Module Two Partner is controller AIQ is processor	Module Three AIQ is processor Partner is processor
Categories of Data Subjects	Guests Employees	Guests Employees	Guests Employees
Categories of Personal Information	Guests - Name, email, phone, address, payment card information, Government ID Merchant employees - Name, email, phone, wages, scheduling and related employment information	Guests - Name, email, phone, address, payment card information, Government ID Merchant employees - Name, email, phone, wages, scheduling and related employment information	Guests - Name, email, phone, address, payment card information, Government ID Merchant employees - Name, email, phone, wages, scheduling and related employment information
Sensitive data processed	Not applicable.	Not applicable.	Not applicable.
Transfer frequency	Ongoing transfers.	Ongoing transfers.	Ongoing transfers.
Nature of processing	Processing and storage of information required to facilitate the partner services as detailed in the Agreement.	Processing and storage of information required to facilitate the partner services as detailed in the Agreement.	Processing and storage of information required to facilitate the partner services as detailed in the Agreement.
Purpose of processing	Facilitation of the services provided by the partner as part of the Agreement.	Facilitation of the services provided by the partner as part of the Agreement.	Facilitation of the services provided by the partner as part of the Agreement.
Retention period	For the period stated in the Agreement or as otherwise provided for under the applicable law.	For the period stated in the Agreement or as otherwise provided for under the applicable law.	For the period stated in the Agreement or as otherwise provided for under the applicable law.

Updated 03 May 2024

Did this page help you?

EULA (Apple and Google Play Apps)

Data Sub-processors