Podsights Data Protection Agreement

Last updated December 19, 2022

This Data Protection Agreement (“DPA”) amends or supplements any existing and currently valid agreement(s) and any agreements entered into in the future (each an “Agreement”) made between In Defense of Growth LLC d/b/a Podsights (“Podsights”) and (“Customer”).  If there is any inconsistency or conflict between this DPA and any Agreement, then this DPA will govern and will survive termination of the Agreement.

1. Definitions.

  1. “Applicable Law” means any and all privacy, security and data protection laws and regulations that apply to Customer’s Personal Data, including, but not limited to: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and (ii) the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199) (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”). Terms defined in Applicable Law;
  2. The terms “controller,” “data subject,” “personal data,” “personal data breach,” “process,” “processor,” and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the relevant law.

2. Personal Data.

In connection with performing its obligations under the Agreement, Podsights will process Customer’s Personal Data on behalf of Customer.  Specific categories of Customer’s Personal Data that Podsights will process in connection with the Agreement and Customer’s instructions with respect to how Podsights shall process such personal data are set forth in Schedule 1.   The parties acknowledge and agree that: (a) Customer is a controller of Customer’s Personal Data; and (b) Podsights is a processor of Customer’s Personal Data.

3. Podsights' Responsibilities.

Podsights will:

  1. process Customer’s Personal Data solely for the purpose of performing the services specified in the Agreement and not collect, use, disclose, sell, rent, release, disseminate, transfer, or otherwise communicate or make available to a third-party Customer’s Personal Data except as necessary to perform the services specified in the Agreement;
  2. process Customer’s Personal Data solely in accordance with Customer’s documented instructions, including those set forth in this DPA and the Agreement;
  3. process Customer’s Personal Data in accordance with Applicable Law;
  4. commit to confidentiality when processing Customer’s Personal Data;
  5. except as permitted under Section 4 of this DPA, not disclose or otherwise make available in any form any Customer’s Personal Data to any third party. Podsights may disclose Customer Personal Data to government authorities when required by law but must first notify Customer of the anticipated disclosure (so as to provide Customer the opportunity to oppose the disclosure and obtain a protective order or seek other relief) except to the extent prohibited by Applicable Law;
  6. amend, correct or erase Customer’s Personal Data at Customer’s reasonable written request and ensure that Personal Data processed by Podsights is accurate;
  7. immediately notify Customer in writing of any third-party request to (i) restrict the processing of Customer’s Personal Data, (ii) port Customer’s Personal Data to a third party, or (iii) access, rectify or erase Customer’s Personal Data;
  8. to the extent required by Applicable Law, assist Customer, at Customer’s reasonable request, in complying with Customer’s obligations to respond to requests and complaints directed to Customer with respect to Customer’s Personal Data processed by Podsights;
  9. at the reasonable direction of Customer, cooperate and assist Customer in conducting a data protection impact assessment and related consultations with any supervisory authority, if applicable, to ensure Customer’s secure processing of Customer’s Personal Data;
  10. assist Customer in responding to any inquiry from any data subject or any supervisory authority concerning the processing of Customer’s Personal Data, as reasonably requested by Customer;
  11. immediately inform Customer if Podsights is aware or reasonably suspects that Customer’s instructions regarding the processing of Customer’s Personal Data may breach any Applicable Law; and
  12. ensure the reliability of all personnel who process Customer’s Personal Data, including without limitation, by assigning specific and necessity-based access privileges to such personnel, ensuring that such personnel have undergone training in data protection and privacy and ensuring that such personnel are bound by obligations of confidentiality at least as protective as those imposed on Podsights under this DPA.

4. Subcontractors.

Podsights will not subcontract or delegate the processing of Customer’s Personal Data without approval of Customer.

Podsights may continue to use subprocessors already engaged by it as of the effective date of this DPA set forth in Schedule 2. Podsights will give Customer written notice of the appointment of any new or replacement subprocessors. Customer has five (5) business days from the receipt of that notice to object in writing (on reasonable grounds) to the proposed appointment. We will not appoint (or disclose any Personal Data to) that proposed sub-processor until reasonable steps have been taken to address Customer’s objections or permit Customer to terminate the Agreement. Podsights will remain fully responsible for fulfillment of its obligations under the Agreement and will remain the primary point of contact regarding any processing of Customer’s Personal Data or the performance of any services that have been subcontracted or delegated. Customer will be responsible for the acts and omissions of its subprocessors and anyone else to which the processing of Customer’s Personal Data or performance of the services has been delegated. Podsights will impose contractual obligations on its subcontractors that are substantially similar to those obligations imposed hereunder.

5. Data Transfers.

  1. The EU standard contractual clauses adopted by decision of 4 June 2021 document number C/2021/3972 (module 2, controllers to processors) (“SCCs”) shall apply to any transfers of Personal Data under this DPA from the European Union (“EU”) and the European Economic Area (“EEA”) to countries which do not ensure an adequate level of data protection within the meaning of Applicable Laws of the foregoing territories, to the extent such transfers are subject to such Applicable Laws.
  2. The parties agree that Customer is the “data exporter” and Podsights is the “data importer” as defined in the SCCs.

For the purposes of Annex I of the Appendix to the SCCs, the following will apply:

A: List of Parties. The names and contact details of the parties shall be as set out in the applicable Order Form for the services.

B: Description of Transfer.

  1. Data subjects: Listeners of podcasts
  2. Categories of data: IP address and/or other usage data agreed with Customer
  3. Sensitive data: None
  4. Frequency of transfer: Continuous
  5. Nature and purpose of processing: To provide the services under the Agreement
  6. Period for which data will be retained: During the term of the agreement, as prescribed by Applicable Law

C: Competent Supervisory Authority. The relevant competent supervisory authority(ies) for the Customer as data exporter as applicable.

For purposes of Annex II of the Appendix to the SCCs, the following will apply:

Data importer shall undertake appropriate technical and organizational security measures to protect personal data against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures should take into account available encryption technology and the costs of implementing the specific measures and must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.

The parties further agree that: (i) option 2 in clause 9 of the SCCs shall apply for the general authorisation for the use of sub-processors with a time period of thirty days for notice of the addition or replacement of sub-processors; (ii) the optional additional clauses of the SCC shall not apply; and (iii) the laws and courts of Sweden shall apply for the purposes of clause 17 of the SCC. Information for the purposes of impact assessments is available if requested.

6. Audits.

Upon reasonable notice, and to the extent required by Applicable Law, Customer may conduct or may engage an independent third party to conduct an information security audit of Customer’s obligations under this DPA. As such, Podsights will, upon reasonable notice, make available to Customer all relevant information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Law (including processing that may be carried out by its subcontractors, if any) and allow for and contribute to audits, including inspections. Customer will bear the costs of such an audit.

7. Security Breach.

In the event Podsights has notice of any actual Personal Data Breach, Podsights will take all reasonable action to mitigate the Personal Data Breach and without undue delay (a) notify Customer of the Personal Data Breach.

8. Return or Destruction of Personal Data.

Podsights will delete or anonymize Customer’s Personal Data upon completion of any work, as requested by Customer concerning such data in writing, and in any event within three months from the date of receipt or collection of such data, subject to archival and/or legally required copies which shall be maintained in confidence.  Either upon written request, Podsights will certify such deletion and/or anonymization in writing.

9. Records.

Podsights will keep records relating to its compliance under this DPA.

SCHEDULE 1

Scope of Processing

Subject Matter, Nature, and Purpose of Processing: To provide podcast attribution.

Duration of Processing: During the term of the contract or until no longer materially useful.

Types of Personal Data: IP address and/or other usage data agreed with Customer.

Categories of Data Subjects: Listener of podcast.


SCHEDULE 2

Approved Subcontractors

| Subcontractor | Purpose of subcontracting (e.g., data storage) | Location of Processing | Mechanism for cross-border data transfer, if required (e.g., Privacy Shield, Standard Contractual Clauses, etc.) |
| --- | --- | --- | --- |
| Tapad Inc. | Data enhancement | USA | SCCs |
| Neustar Information Services, Inc. | Data enhancement | USA | SCCs |
| Experian Marketing Solutions, LLC | Data enhancement | USA | SCCs |
| eXelate, Inc./ affiliate of The Nielsen Company (US) LLC | Data enhancement | USA | SCCs |