Last modified: December 1, 2023
Capitalized terms not defined in this Section 1 will have the meaning given to them in this Addendum or the Agreement.
2. Relationship of the Parties
2.1 Scribe as a Processor. The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and Scribe is a processor. Scribe will process Customer Content in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions).
2.2 Scribe as a Controller of Customer Account Data. The parties acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and Scribe is an independent controller, not a joint controller with Customer. Scribe will process Customer Account Data as a controller in order to (a) manage the relationship with Customer; (b) carry out Scribe’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; (e) comply with Scribe’s legal or regulatory obligation to retain Subscriber Records; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Scribe Privacy Notice.
3. Purpose Limitation. Scribe will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.
4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to Scribe for processing in accordance with the terms of the Agreement and this Addendum.
5. Customer Instructions. Customer appoints Scribe as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, and fraudulent activity and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).
5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Scribe is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Scribe’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Scribe’s processing of Customer Content, when done in accordance with Customer’s instructions, will not cause Scribe to violate any applicable law or regulation, including Applicable Data Protection Law. Scribe will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, including Applicable Data Protection Law.
5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to Scribe for carrying out such additional instructions.
6. Confidentiality
6.1 Responding to Third Party Requests. In the event any Third Party Request is made directly to Scribe in connection with Scribe’s processing of Customer Content, Scribe will promptly inform Customer and provide details of the same, to the extent legally permitted. Scribe will not respond to any Third Party Request without Customer’s prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.
6.2 Confidentiality Obligations of Scribe Personnel. Scribe will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with Scribe's confidentiality obligations in the Agreement.
7. Sub-processors
7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for Scribe to engage onward sub-processors that is conditioned on the following requirements:
(a) Scribe will restrict the onward sub-processor’s access to Customer Content only to what is strictly necessary to provide the Services, and Scribe will prohibit the sub-processor from processing the personal data for any other purpose;
(b) Scribe agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and
(c) Scribe will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.
7.2 Current Sub-processors and Notification of Sub-processor Changes. Customer consents to Scribe engaging third party sub-processors to process Customer Content within the Services for the Permitted Purposes provided that Scribe maintains an up-to-date list of its sub-processors at https://wf.scribehow.com/legal/subprocessors, which contains a mechanism for Customer to subscribe to notifications of new sub-processors. If Customer subscribes to such notifications, Scribe will provide details of any change in sub-processors as soon as reasonably practicable. With respect to changes in infrastructure providers, Scribe will endeavor to give written notice sixty (60) days prior to any change, but in any event will give written notice no less than thirty (30) days prior to any such change. With respect to Scribe’s other sub-processors, Scribe will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
7.3 Objection Right for new Sub-processors. Customer may object to Scribe's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of Scribe’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to Scribe. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised prior to Scribe replacing or appointing a new sub-processor, Scribe will deem Customer to have authorized the new sub-processor.
8. Data Subject Rights. As part of the Services, Scribe provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict use of Customer Content. Customer may use these self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the Services at no additional cost. To the extent Customer does not have the ability to resolve a data subject request through the self-service features, upon Customer’s request, Scribe will provide reasonable additional and timely assistance to assist Customer in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.
9. Impact Assessments and Consultations. Scribe will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Scribe to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
10. Return or Deletion of Customer Content. Scribe will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the Services.
10.1 Extension of Addendum. Upon termination of the Agreement, Scribe may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that Scribe will ensure that Customer Content (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, Scribe may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
11. Security
11.1 Security Measures. Scribe has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about Scribe’s technical and organizational security measures to protect Customer Data is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
11.2 Determination of Security Requirements. Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer’s use of the Services, such as, but not limited to, encryption of data, availability of single sign-on on Customer’s account, or optional Transport Layer Security (TLS) encryption. Customer is responsible for reviewing the information Scribe makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by Scribe to maintain appropriate security in light of the nature of Customer Data processed as a result of Customer’s use of the Services.
11.3 Security Incident Notification. Scribe will provide notification of a Security Incident in the following manner:
(a) Scribe will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after Scribe’s discovery of a Security Incident impacting Customer Data of which Scribe is a processor;
(b) Scribe will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which Scribe is a controller; and
(c) Scribe will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer’s account.
Scribe will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by Scribe’s violation of this Addendum, remediate the cause of such Security Incident. Scribe will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
12. Audits. The parties acknowledge that Customer must be able to assess Scribe’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Scribe is acting as a processor on behalf of Customer.
12.1 Scribe’s Audit Program. Scribe uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually at Scribe’s expense by independent third-party security professionals at Scribe’s selection and result in the generation of a confidential audit report (“Audit Report”).
12.2 Customer Audit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Scribe will make available to Customer a copy of Scribe’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports. To the extent that Scribe’s provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Scribe that: (a) ensures the use of an independent third party; (b) provides written notice to Scribe in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at Scribe’s then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
13. Jurisdiction Specific Terms. To the extent Scribe processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.
14. Cross Border Data Transfer Mechanisms for Data Transfers. To the extent Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum) to Scribe located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum will apply.
15. Cooperation and Data Subject Rights. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any Third Party Request relating to the processing of Customer Account Data conducted by the other party, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Law.
16. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); (3) the Agreement; and (4) the Scribe Privacy Notice. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.
17. Updates. Scribe may update the terms of this Addendum from time to time; provided, however, Scribe will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.
1. Nature and Purpose of the Processing. Scribe will process personal data as necessary to provide the Services under the Agreement. Scribe does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.
1.1 Customer Content. Scribe will process Customer Content as a processor in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions) of this Addendum.
1.2 Customer Account Data. Scribe will process Customer Account Data as a controller for the purposes set forth in Section 2.2 (Scribe as a Controller of Customer Account Data) of this Addendum.
2. Processing Activities.
2.1 Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:
(a) the provision of automated how-to guide generation products and services, primarily offered in the form of software as a service, to Customer, including transmittal to or from Customer’s software applications or services and designated third parties as directed by Customer, from or to the virtual private cloud network via secure connection. Storage of personal data on Scribe’s network.
(b) the provision of products and services which allows Customer to view and manage its data relating to end users. Storage of personal data on Scribe’s network.
2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.
3. Duration of the Processing. The period for which personal data will be retained and the criteria used to determine that period is as follows:
3.1 Customer Content.
(a) Services. Prior to the termination of the Agreement, (x) Scribe will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and (y) Customer agrees that it is solely responsible for deleting Customer Content via the Services. Except as set forth in any applicable order form, upon termination of the Agreement, Scribe will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Services; (ii) automatically delete any stored Customer Content thirty (30) days after the termination effective date. Any Customer Content archived on Scribe’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.
3.2 Customer Account Data. Scribe will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Scribe’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Scribe Privacy Notice.
4. Categories of Data Subjects.
4.1 Customer Content. Customer’s end users.
4.2 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s Scribe account or make use of the SSO Services received from Scribe.
5. Categories of Personal Data. Scribe processes personal data contained in Customer Account Data and Customer Content.
6. Sensitive Data or Special Categories of Data.
6.1 Customer Content. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the systems that are recorded as directed by the end user while using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process, any Sensitive Data via the Services.
6.2 Customer Account Data
(a) Sensitive Data may be found in Customer Account Data or Content in the form of Subscriber Records containing email address, name, approximate geolocation, or similar identifier data necessarily processed in order to attribute account ownership.
The full text of Scribe’s technical and organizational security measures to protect Customer Data is available at https://wf.scribehow.com/security (“Security Page”).
Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.
Technical and Organizational Security Measure
Details
Measures of pseudonymisation and encryption of personal data
Scribe has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Scribe uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest (AES 256).
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Scribe’s customer agreements contain strict confidentiality obligations. Additionally, Scribe requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in Segment's customer agreements.
Scribe has undergone a SOC 2 Type II audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Daily and monthly backups of production datastores are taken.
Backups are periodically tested in accordance with information security and data management policies.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Scribe has undergone a SOC 2 Type II audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for user identification and authorization
Scribe uses secure access protocols and processes and follows industry best-practices for authentication, including Single Sign On (SSO). All production access requires the use of two-factor authentication, and network infrastructure is securely configured to vendor and industry best practices to block all unnecessary ports, services, and unauthorized network traffic.
Measures for the protection of data during transmission
Scribe has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Scribe uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (i.e. TLS 1.2).
Measures for the protection of data during storage
Encryption-at-rest is automated using AWS’s transparent disk encryption, which uses industry standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS.
Measures for ensuring physical security of locations at which personal data are processed
All Scribe processing occurs in physical data centers that are managed by AWS. https://aws.amazon.com/compliance/data-center/controls/
Measures for ensuring events logging
Scribe monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
Measures for ensuring system configuration, including default configuration
Scribe adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
Measures for internal IT and IT security governance and management
Company maintains an ISO 31000-informed and SOC 2 Type II audited risk-based information security governance program. The framework for Scribe’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.
Measures for certification/assurance of processes and products
Scribe undergoes annual SOC 2 Type II audits.
Measures for ensuring data minimisation
Scribe’s Customers unilaterally determine what Customer PII Data they route through the Services. As such, Scribe operates on a shared responsibility model. Scribe gives Customers control over exactly what PII data enters the platform. Additionally, Scribe has built self-service functionality into the Services that allows Customers to delete and suppress PII at their discretion.
Measures for ensuring data quality
Scribe has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first API design using GraphQL and strong typing to enforce a strict contract between official clients and API resolvers. Company applies these measures across the board, both to ensure the quality of any Usage Data that Company collects and to ensure that the Company Platform is operating within expected parameters.
Scribe ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data is presented or exported.
Measures for ensuring limited data retention
Scribe Customers unilaterally determine what Customer Data they route through the Services. As such, Company operates on a shared responsibility model. If a Customer is unable to delete Customer PII Data via the self-service functionality of the Services, then Scribe deletes Customer Data upon the Customer's written request, within the timeframe specified in the Data Protection Addendum and in accordance with Applicable Data Protection Law. All Customer Data is deleted from the Services following service termination.
Measures for ensuring accountability
Scribe has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents involving Personal Data, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, Scribe conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure
All PII in the Services may be deleted by the Customer or at the Customer’s request.
PII is incidental to Scribe’s Services. Based on Privacy by Design and Data Minimization principles, Scribe severely limits the instances of PII collection and processing within the Services. Most use cases for porting PII from Company are not applicable. However, Company will respond to all requests for data porting in order to address Customer needs.
Technical and organizational measures of sub-processors
Scribe enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this Addendum.
1. Definitions
“EEA” means the European Economic Area.
“EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
“UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
2. Cross Border Data Transfer Mechanisms.
2.1 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the EU Standard Contractual Clauses as set forth in Section 2.3 (EU Standard Contractual Clauses) of this Schedule 3; (b) the UK International Data Transfer Agreement as set forth in Section 2.4 (UK International Data Transfer Agreement) of this Schedule 3; and, if neither (a) nor (b) is applicable, then (d) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.2 EU Standard Contractual Clauses. The parties agree that the EU Standard Contractual Clauses will apply to personal data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is: (a) not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the EEA that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where (i) Scribe is processing Customer Account Data;
(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Customer Content and Scribe is processing Customer Content;
(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Content and Scribe is processing Customer Content;
(d) For each Module, where applicable:
(e) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 7.2 (Current Sub-processors and Notification of Sub-processor Changes) of this Addendum;
(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(vi) in Annex I, Part A of the EU Standard Contractual Clauses:
Data Exporter: Customer
Contact details: The email address(es) designated by Customer in Customer’s account via the order form.
Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Relationship of the Parties) of this Addendum.
Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
Data Importer: Colony Labs, Inc. dba Scribe
Contact details: Scribe Privacy Team - [email protected]
Data Importer Role: The Data Importer’s role is set forth in Section 2 (Relationship of the Parties) of this Addendum.
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
(vii) in Annex I, Part B of the EU Standard Contractual Clauses:
The categories of data subjects are set forth in Section 4 of Schedule 1 (Details of Processing) of this Addendum.
The Sensitive Data transferred is set forth in Section 6 of Schedule 1 (Details of Processing) of this Addendum.
The frequency of the transfer is on a continuous basis for the duration of the Agreement.
The nature of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The purpose of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The period for which the personal data will be retained is set forth in Section 3 of Schedule 1 (Details of Processing) of this Addendum.
For transfers to sub-processors, the subject matter, nature, and duration of the processing are set forth at https://wf.scribehow.com/legal/subprocessors;
(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority; and
(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.
2.4 UK International Data Transfer Agreement. The parties agree that the UK International Data Transfer Agreement will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) In Table 1 of the UK International Data Transfer Agreement, the parties’ details and key contact information are located in Section 2.3 (e)(vi) of this Schedule 3.
(b) In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 2.3 (EU Standard Contractual Clauses) of this Schedule 3.
(c) In Table 3 of the UK International Data Transfer Agreement:
The list of Parties is located in Section 2.3(e)(vi) of this Schedule 3.
The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing).
Annex II is located in Schedule 2 (Technical and Organizational Security Measures).
The list of sub-processors is located at https://wf.scribehow.com/legal/subprocessors.
(d) In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
2.5 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the Agreement, or the Scribe Privacy Notice, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.
1. Australia:
1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
1.3 The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
2. Brazil:
2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
2.2 The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to data subjects.
2.3 The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.
3. California:
3.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
3.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data and Customer Content.
3.3 The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as set forth in Section 8 (Data Subject Rights) of this Addendum, apply to Consumer rights. In regards to data subject requests, Scribe can only verify a request from Customer and not from Customer’s end user or any third party.
3.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.
3.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.
3.6 Scribe will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Scribe agrees not to (a) sell (as defined by the CCPA) Customer’s personal data or Customer end users’ personal data; (b) retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Customer’s personal data outside of the scope of the Agreement. Scribe understands its obligations under the Applicable Data Protection Law and will comply with them.
3.7 Scribe certifies that its sub-processors, as set forth in Section 7 (Sub-processors) of this Addendum, are Service Providers under Applicable Data Protection Law, with whom Scribe has entered into a written contract that includes terms substantially similar to this Addendum. Scribe conducts appropriate due diligence on its sub-processors.
3.8 Scribe will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in Section 11 (Security) of this Addendum.
4. Canada:
4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
4.2 Scribe’s sub-processors, as set forth in Section 7 (Sub-processors) of this Addendum, are third parties under Applicable Data Protection Law, with whom Scribe has entered into a written contract that includes terms substantially similar to this Addendum. Scribe has conducted appropriate due diligence on its sub-processors.
4.3 Scribe will implement technical and organizational measures as set forth in Section 11 (Security) of this Addendum.
5. European Economic Area (EEA):
5.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
5.2 When Scribe engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses.
5.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
6. Israel:
6.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
6.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.
6.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.
6.4 Scribe will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Scribe in accordance with Section 6 (Confidentiality) of this Addendum.
6.5 Scribe must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
6.6 Scribe must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with Scribe pursuant to Section 7.1 (Authorization for Onward Sub-processing) of this Addendum.
7. Japan:
7.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
7.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
7.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Scribe is responsible for the handling of personal data in its possession.
7.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as defined under Applicable Data Protection Law. As a trustee, Scribe will ensure that the use of the entrusted personal data is securely controlled.
8. Mexico:
8.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).
8.2 When acting as a processor, Scribe will:
(a) treat personal data in accordance with Customer’s instructions set forth in Section 5 (Customer Instructions) of this Addendum;
(b) process personal data only to the extent necessary to provide the Services;
(c) implement security measures in accordance with Applicable Data Protection Law and Section 11 (Security) of this Addendum;
(d) keep confidentiality regarding the personal data processed in accordance with the Agreement;
(e) delete all personal data upon termination of the Agreement in accordance with Section 10 (Return or Deletion of Customer Content) of this Addendum; and
(f) only transfer personal data to sub-processors in accordance with Section 7 (Sub-processors) of this Addendum.
9. Singapore:
9.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
9.2 Scribe will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
10. Switzerland:
10.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (FADP).
10.2 When Scribe engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses.
10.3 To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.3 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
(a) references to "EU Member State" and "Member State" will be interpreted to include Switzerland, and
(b) insofar as the transfer or onward transfers are subject to the FADP:
(i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
(ii) the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
(iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
11. United Kingdom (UK):
11.1 References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
11.2 When Scribe engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement.
11.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.