DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) is entered into by and between StockTree Inc. dba OpenChannel, an Ontario corporation, having its principal place of business at 1 Yonge St Suite 1801, Toronto, ON M5E 1W7 (“Company”) and Customer (as defined in the Terms of Service – https://support.openchannel.io/guides/terms-of-service/).

This Addendum supplements the Terms of Service (the “Agreement” – https://support.openchannel.io/guides/terms-of-service/) between the Company and Customer for the provision of Company’s services as set out in Annex A (the “Services”). In the event of any conflict between the Agreement and this Addendum, the terms and conditions of this Addendum shall control.  Except to the extent expressly superseded or modified in this Addendum, the terms and conditions of the Agreement will apply to this Addendum and remain in full force and effect.

Definitions.

“Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, storage, anonymization, deletion, and/or management of Personal Information.

“Personal Information” means any information that constitutes “Personal Information” under Regulation (EU) 2016/679 (“EU GDPR”) and Directive 2002/58/EC EU, or “personal information” under the Personal Information Protection and Electronic Documents Act, SC 2000, c.5 (“PIPEDA”) or the California Consumer Privacy Act and related regulations and guidance (“CCPA”), transferred by Customer or its permitted agents to Company in performance of or pursuant to the Agreement or this Addendum, and any information relating to an identified or identifiable individual derived or otherwise created by Company in connection therewith.

“Privacy Laws” means all applicable laws and regulations governing the processing or protection of Personal Information as amended, modified or replaced from time to time, including for example and without limitation Regulation (EU) 2016/679 (“GDPR”) and Directive 2002/58/EC, the Personal Information Protection and Electronic Documents Act, s.c. 2000, and the California Consumer Privacy Act and related regulations and guidance (“CCPA”), as well as any implementing legislation or further particularising rules, regulatory decisions or orders, or regulations.

Data Processing and Security Responsibilities.

  1. Customer and Company shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum, as set out in the description of Services in Annex A to this Addendum.

Customer agrees that it has:

  1. made and shall maintain all necessary registrations and notifications as required in order to permit Company to perform its obligations and exercise its rights under this Addendum;
  2. obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Company to perform its obligations and exercise its rights under this Addendum, and shall inform Company immediately if any such consents are withdrawn;
  3. ensured and shall continue to ensure that all Personal Information Processed by Company is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Company to perform its obligations and exercise its rights under this Addendum;
  4. ensured and shall continue to ensure that there are valid legal bases to enable Company to Process Customer’s Personal Information.

In the course of Processing Personal Information on behalf of Customer in connection with the Services as set out in Annex A to this Addendum, Company shall:

  1. only Process Personal Information as reasonably necessary for the purposes of rendering the Services and as otherwise instructed by Customer in writing from time to time, and not Process any Personal Information in any other manner without the express prior written authorization of Customer unless required to do so by applicable law. Company shall not retain, use, disclose, or otherwise Process Personal Information outside of the direct business relationship between Company and Customer;
  2. immediately inform the Customer if, in Company’s opinion, any instruction received from the Customer infringes any Privacy Laws;
  3. not disclose (and not allow any of its employees, or permitted agents or representatives to disclose) any Personal Information to any third party without the prior written authorization of Customer unless required to do so under applicable law;
  4. not sell the Personal Information;
  5. where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law, such as on important grounds of public interest);
  6. promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under applicable law regarding Personal Information, and provide prompt reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests, such as by an obligation to provide access to Personal Information, or to correct, rectify, erase or restrict the processing of Personal Information; (ii) complaint or correspondence received by Company relating to the Processing of Personal Information, and (iii) order, demand, warrant or any other document purporting to compel the production of any Personal Information, and provide reasonable assistance at Customer’s cost to facilitate Customer’s compliance with Customer’s obligations under Privacy Laws;
  7. implement reasonable and appropriate physical, technical, administrative and organizational security procedures and practices appropriate to the sensitivity of the Personal Information, to protect the Personal Information against loss, theft, destruction, damage, alteration and unauthorized or unlawful access, use, disclosure or other risks incurred by Processing in pursuit of the Services, as further described in Annex B, as would allow Company to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services and to provide reasonable assistance at Customer’s cost to ensure compliance with Customer’s obligations to implement such security measures;
  8. limit access to Personal Information only to those employees and authorized agents of Company who need to have access to the Personal Information and solely for the purposes of Company rendering the Services;
  9. ensure or cause each of the employees and permitted contractors of Company to agree in writing to keep and to protect the confidentiality and security of the Personal Information in accordance with the terms of this Addendum, and otherwise properly advise and train each of its employees and permitted subcontractors of the requirements of Company under this Addendum and applicable Privacy Law;
  10. ensure that each employee or permitted contractor of Company involved in rendering the Services hereunder is appropriately screened to confirm the suitability of the performance of their duties in connection with the Services, including the access to and Processing of Personal Information; and
  11. provide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Privacy Laws to carry out a data protection impact assessment or to consult with the relevant supervisory authority in respect of any such data protection impact assessment.

Audit Rights.

Upon request, Company will provide Customer (or its representatives) with access to information necessary to demonstrate Company’s compliance with this Addendum and to the records, facilities and premises of Company during business hours and upon at least 30 days’ advance notice in writing, at most once per year, for the purposes of verifying Company’s compliance with this Addendum.

Subcontracting.

Customer acknowledges and agrees that Company shall use sub-processors (including Company affiliates) to provide the Services set out in Annex A. Company shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Company under this Addendum.  Company shall only retain sub-processors that Company can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Information. Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex C, Company shall notify Customer of such sub-processors, whereupon Customer shall have 10 days to object to such appointment by providing detailed reasons for such objection to Company.

Security Breach Notification.

  1. Company shall notify Customer within 48 hours upon Company becoming aware of any accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of or other Processing of Personal Information (“Privacy Breach”);
  2. Company shall reasonably cooperate with Customer in notifying individuals affected by a Privacy Breach and other parties in accordance with applicable law.

Termination.

Upon the termination of the Agreement or at such other times as instructed by Customer in writing, Company shall either return or, upon the written instruction of Customer, securely dispose of the Personal Information and all existing copies. In the event applicable law does not permit Company to comply with the delivery or destruction of the Personal Information, Company warrants that it shall ensure the confidentiality of the Personal Information in accordance with applicable law.

ANNEX A

DATA PROCESSING DESCRIPTION

Subject-matter and duration of the Processing.

The Services are intended to provide a web-based API and hosting services that provide Customer with support tools and an online marketplace for applications (the “Market”) where third-party developers approved by Customer (“Developers”) can offer applications to anyone who is allowed access to the Market by Customer (collectively, the “Services”).

The duration of the Processing is the duration of the Agreement.

Nature and purposes of the Processing.

The nature of the Processing is to provide an App Marketplace as a Service.

Personal Information is Processed for the following purposes:

  • To provide the Services
  • To notify Developers of application updates and statuses
  • To notify Customers of service updates
  • To notify End Users of application updates

Data Categories.

The following types of Personal Information will be Processed:

  • Business email
  • Name
  • Application metadata including, when applicable, text, files and images

The following categories of Data Subjects are involved:

  • Employees
  • Business partners
  • End users

ANNEX B

SECURITY MEASURES

Technical controls and security configurations are implemented and maintained in order to ensure the integrity and availability of the data environment at OpenChannel.

Requirements and restrictions apply to databases, external media, encryption, hardcopy reports, films, slides, models, wireless, telecommunication, conversations, and any other methods used to convey knowledge and ideas across all hardware, software, and data transmission mechanisms. These requirements and restrictions are to be adhered to by all OpenChannel employees or temporary workers at all locations and by contractors working with OpenChannel.

Existing Information Security practices and policies provide a comprehensive framework for:

  • Protecting the confidentiality, integrity, and availability of OpenChannel information assets and information resources.
  • Protecting OpenChannel, its employees, and its clients from the illicit use of OpenChannel information assets and information resources.
  • Ensuring the effectiveness of information security controls over information assets and information resources that support OpenChannel operations.
  • Providing effective company-wide management and oversight of those related information security risks.
  • Providing for development and maintenance of controls required to protect OpenChannel’s information assets and information resources.
  • Ensuring that regular review of requirements and restrictions is conducted at a minimum annually or more frequently as needed.

OpenChannel defines security requirements for all company personnel and systems that create, maintain, store, access, process or transmit information. These apply to information resources owned by others, such as contractors of the Company, entities in the private sector, in cases where the company has a legal, contractual or fiduciary duty to protect said resources while in OpenChannel custody. These also apply to company systems which comprise various hardware, software, communication equipment and other devices designed to assist the Company in the creation, receipt, storage, processing, and transmission of information.

Dedicated policies and requirements include, but are not limited to:

  • Access Control Policy
  • Change Management Policy
  • Incident Response Policy/Plan
  • Bring Your Own Device Policy
  • Password Management Policy
  • Log Management Policy
  • Antivirus Policy
  • Email Policy
  • Vulnerability Management Policy
  • SDLC Policy
  • Backup Policy
  • Data Classification Policy
  • Encryption Policy
  • Information Transfer Policy
  • Network Security Policy
  • Security Policy for Supplier Relationships
  • Risk Assessment Policy
  • Remote Access Policy
  • Human Resource Security Policy
  • Patch Management Policy

It is OpenChannel policy to inform and educate employees on the importance of maintaining a secure environment and abiding by the policies as set forth in this manual. All employees must participate in Information Security Awareness training upon hire and annually thereafter. Training on these policies and procedures, as well as additional safeguards as selected by OpenChannel Management, are to be presented.

ANNEX C

SUBCONTRACTORS

Name of Subprocessor | Purpose | Entity Country
Amazon Web Services | Infrastructure as a service | USA
WP Engine | Interface hosting | USA
CleanTalk | Spam protection | USA
Stripe | Payment processing | USA
Mongo Cloud Services | Database | USA
Twilio | Chat | USA
Mandrill (Mailchimp) | Email distribution | USA
CloudAMQP | Messaging | USA
Cloudflare | Content delivery network | USA
PaperTrail | Log management | USA
LogRocket | Logging | USA
Chargebee | Subscription management | USA
Netlify | Web Hosting | USA
Atlassian | Code repository and delivery | USA