Raydiant Data Processing Agreement

 DATA PROCESSING AGREEMENT

This Data Processing Agreement is concluded between Raydiant, Inc., a private company with limited liability established and existing under the laws of the state of Delaware, having its registered office and principal place of business in San Francisco, California, (hereinafter referred to as “Raydiant”), and the Customer as defined in the Agreement.

Customer and Raydiant each a “Party” jointly referred to as “Parties”,

1. Definitions

1.1. In this Data Processing Agreement, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:

Annex:

appendix to this Data Processing Agreement which forms an integral part of it;

Agreement:

the agreement concluded between Customer and Raydiant with partnership in respect;

Data Processing Agreement:

the present agreement;

Data Protection Laws:

means any laws or regulations applicable to the processing of Personal Data in performance of the Agreement, including but not limited to, the General Data Protection Regulation (“GDPR”), the Personal Information Protection Act of Canada (“PIPEDA”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”) and other applicable U.S. federal and state privacy laws.

Personal Data:

all information relating to an identified or identifiable natural person as referred to in Data Protection Laws.

Process:

as well as conjugations of this verb: the processing of Personal Data as referred to in Data Protection Laws

Sub-Processor:

the sub-contractor hired by Raydiant that Processes Personal Data in the context of this Data Processing Agreement on behalf of Customer,

1.2. The provisions of the Agreement apply in full to this Data Processing Agreement.

2. Purpose of the Personal Data Processing

2.1. Parties agree that where the Processing of Personal Data is concerned, Raydiant acts as a processor as that term is defined under applicable Data Protection Laws and Customer as the controller as that term is defined under applicable Data Protection Laws.      

2.2. Customer and Raydiant have concluded the present Data Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex A.

2.3. Raydiant is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with the legitimate instructions of Customer and under the express (final) responsibility of Customer. For all other Processing of Personal Data, including but not limited to the collection of Personal Data by the Customer, Processing for purposes not reported to Raydiant by Customer, Processing by third parties and/or for other purposes, Raydiant is not responsible or liable. Responsibility and liability for these Processing activities rest exclusively with Customer.

2.4. Customer is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation and does not infringe any rights of third parties. Customer will indemnify and hold harmless Raydiant against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.

2.5. Raydiant undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement and/or the Agreement. Raydiant will not use the Personal Data which it Processes under this Data Processing Agreement for its own or third-party purposes in any way without Customer’s express written consent, unless a legal provision requires Raydiant to do so. In such a case, Raydiant shall immediately inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3. Technical and organizational security measures

3.1. Raydiant will implement (or arrange the implementation of) appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. Raydiant will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.

3.2. Raydiant will provide the appropriate technical and organizational measures to be taken by Raydiant based on the Customer agreement. Customer acknowledges having taken cognizance of the relevant measures and by signing this Data Processing Agreement, the Customer agrees with the measures taken by Raydiant.

4. Confidentiality

4.1. Raydiant will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.

5. Sub-Processors

5.1. Raydiant has Customer’s general authorization for the engagement of Sub-Processors as stated in Annex B. Raydiant shall specifically inform in writing Customer of any intended changes of that list through the addition or replacement of Sub-Processors, thereby giving Customer at least five working days to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). Raydiant shall provide the controller with the information necessary to enable the controller to exercise the right to object.

5.2. Where Raydiant engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on that Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.

5.3. Raydiant shall remain fully responsible to Customer, in accordance with the Agreement, for the performance of the Sub-Processor’s obligations in accordance with its contract with Raydiant.

6. International transfers

6.1. Raydiant will only be permitted to transfer Personal Data outside the applicable jurisdiction where the Personal Data originates if this is done in compliance with the applicable Data Protection Laws.    

6.2. Customer agrees that where Raydiant engages a Sub-Processor for carrying out specific Processing activities (on behalf of Customer) and those Processing activities involve a transfer of Personal Data that requires a transfer mechanism under Data Protection Laws, Raydiant and the Sub-Processor can ensure compliance with applicable Data Protection Laws by using an applicable transfer mechanism, which may include relevant standard contractual clauses, adopted by the supervisory authority or data protection commission pursuant to applicable Data Protection Laws.

7. Liability

7.1. With regard to any liability and indemnification obligations of Raydiant under this Data Processing Agreement the stipulation in the Agreement regarding the limitation of liability applies.

7.2. Without prejudice to article 7.1 of this Data Processing Agreement, Raydiant is solely liable for damages suffered by Customer and/or for third party claims as a result of any Processing, in the event the specific obligations of Raydiant under Data Protection Laws are not complied with or in case Raydiant acted in breach of the legitimate instructions of the Customer.

8. Personal Data Breach

8.1. Raydiant will notify Customer without undue delay of a Personal Data Breach and will take all reasonable measures to prevent or limit (further) violation of Data Protection Laws.    

8.2. Raydiant will provide all reasonable cooperation requested by Customer in order for Customer to comply with its legal obligations relating to the identified Personal Data Breach.

8.3. Raydiant will, insofar as reasonable, assist Customer with Customer’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject. Raydiant is never held to report a Personal Data Breach with the Data Protection Authority and/or the data subject.

8.4. Raydiant will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisor and/or data subjects.

9. Audit

9.1. When so requested by Customer, Raydiant will enable Customer, or experts (including external experts) designated by Customer, to inspect and audit the implementation of this Data Processing Agreement and, in particular, the security measures taken by Raydiant, at most once per calendar year, subject to a reasonable notice and with permission of Raydiant, to adequately monitor compliance with what has been agreed between the Parties. Such an audit will at all times be carried out in a manner that has as little effect as possible on the normal business operations of Raydiant. Customer will bear all the costs of this audit.

9.2. The audit in Article 9.1 of this Data Processing Agreement will only take place if Customer has requested and assessed similar audit reports available at Raydiant and Customer provides reasonable arguments that justify an audit initiated by Customer. Such an audit is justified when similar audit reports present at Raydiant give no or insufficient information about compliance with this Data Processing Agreement.

9.3. In case Raydiant is of the opinion that an instruction relating to the provisions of this Article 9 infringes applicable Data Protection Laws, Raydiant will inform the Customer immediately.

9.4. Raydiant is entitled to charge any possible costs that relate to the provisions of this Article 9 to Customer.

10. Assistance to Customer

10.1. Raydiant will, taking into account the nature of the Processing and insofar as reasonably possible, provide cooperation to Customer in fulfilling its obligation pursuant to applicable Data Protection Laws to respond to requests for exercising rights of data subjects, in particular the right of access, rectification, erasure, restriction, data portability and the right to object. Raydiant will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Customer as soon as possible, as Customer is responsible for handling the request.

10.2. Raydiant will, taking into account the nature of Processing, the information available to Raydiant and insofar as reasonably possible, provide all reasonable cooperation to Customer in fulfilling its obligation pursuant to Data Protection Laws to carry out a data protection impact assessment.

10.3. Raydiant is entitled to charge any costs associated with the cooperation as referred to in this Article 10 to Customer.

11. Termination

11.1. Following termination of the Agreement, Raydiant shall, at the choice of Customer, delete all Personal Data Processed on behalf of Customer and confirm to Customer that it has done so, or, insofar as possible, return all the Personal Data to Customer and delete existing copies unless Union or Member State law requires storage of the Personal Data. Until the data is deleted or returned, Raydiant shall continue to ensure compliance with this Data Processing Agreement.

12. CCPA Provisions

12.1. Scope. The 'CCPA Provisions' section of the DPA will apply only with respect to California Personal Information (as that term is defined under the CCPA).

12.2. Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that Customer is a Business and Raydiant a Service Provider for the purposes of the CCPA.

12.3. Responsibilities. Raydiant certifies that it will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA. Further, Raydiant certifies it (i) will not Sell or Share California Personal Information; (ii) will not Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; and (iii) will not combine the California Personal Information with personal information that it collects or receives from another source (other than information we receive from another source in connection with our obligations as a Service Provider under the Agreement).

12.4. Compliance. Raydiant will (i) comply with obligations applicable to it as a Service Provider under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. Raydiant will notify Customer if it makes a determination that it can no longer meet its obligations as a Service Provider under the CCPA.

12.5. CCPA Audits. Customer will have the right to take reasonable and appropriate steps to help ensure that we use California Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.

12.6. Not a Sale. The parties acknowledge and agree that the disclosure of California Personal Information by the Customer to Raydiant does not form part of any monetary or other valuable consideration exchanged between the parties.

 ANNEX A – DESCRIPTION OF THE PROCESSING

Subject matter and duration of the Processing of Company Personal Data

  • The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and Data Processing Agreement between the Parties.

The categories of Personal Data

  • Facial features (such as eye locations, face location and rotation, age, gender, mood, facial expressions, gaze and attention span), the face prints (also referred to as "embeddings") derived from facial features, and aggregated statistics.

The categories of Data Subject to whom the Personal Data relates

  • Client of Customer, visitors, passers-by

The nature and purpose of the Processing of Personal Data

  • Providing the software technology, dashboard and optional support with which Customer obtains real-time insights into audience’s spontaneous behavior, interest, and anonymized approximated demographic profile.

The obligations and rights of Customer

  • The obligations and rights of Customer are set out in the Agreement and this Data Processing Agreement.


ANNEX B – SUB-PROCESSORS

| Sub-Processor | Country | Safeguards |
| --- | --- | --- |
| Amazon Web Services, Inc | EU | Data processing agreement (art. 28(3) GDPR) |
| Raydiant (Raydiant CX) | US | Standard Contractual Clauses |
| Google LLC (DeepSight Data Studio) | US | Standard Contractual Clauses |