This Data Processing Addendum (“DPA”) is effective as of the Effective Date listed in the Order Form between TrackTik Software ULC. (“TrackTik”) and the customer identified on the Order Form (“Customer”).

TrackTik and Customer shall hereafter be collectively known as the “Parties” and individually known as a “Party”. To the extent that any of the terms or conditions contained in this DPA may contradict or conflict with any terms or conditions regarding the processing of personal data in any agreements between the Parties (each an “Agreement”, and collectively referred to as the “Agreements”), it is expressly understood and agreed that the terms of this DPA shall take precedence and supersede those other terms or conditions. The Parties acknowledge and agree that this DPA and the Schedules attached hereto form part of the TrackTik Software as a Service Terms of Service entered into by TrackTik and the Customer as identified on the relevant Order Form and shall have effect as if set out in full in the body of the Agreement.

In this DPA, the definitions and rules of interpretation set out in the Agreement shall apply except where they are inconsistent with, or specifically defined within, this DPA.

The Parties agree as follows:

1. Definitions

1.1  For the purposes of this DPA, the following expressions bear the following meanings unless the context otherwise requires:

“Applicable Data Protection Laws” means, in respect of a Party, any applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data, including:

(a) the Directive 2002/58/EC (as amended) (the “e-Privacy Directive”), the e-Privacy Regulation 2017/003 (COD) (the “e-Privacy Regulation”), once it takes effect, and any laws implementing these;

(b) the Regulation 2016/679 (the “GDPR”), the GDPR as incorporated into UK law (“UK GDPR”);

(c) the Personal Information Protection and Electronic Documents Act (the “PIPEDA”), including Canadian provincial privacy laws (to the extent applicable) such as the Quebec Act respecting the protection of personal information in the private sector, as amended by the Act to modernize legislative provisions as regards the protection of personal information;

(d) as well as any other applicable legislation, regulation, recommendation or opinion replacing, adding to or amending, extending, reconstituting or consolidating the Applicable Data Protection Laws.

(in each case as amended, consolidated, re-enacted or replaced from time to time);

“Data Controller” or “Controller”, “Data Processor” or “Processor”, “Data Subject”, “Personal Data”, “Process”, “Processed” or “Processing” shall each have the meaning set out in the GDPR;

“EU Data Protection Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data in force in the territory of the European Union, including the GDPR, the e-Privacy Directive and the e-Privacy Regulation;

“UK Data Protection Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data in force in the territory of the United Kingdom, including the UK GDPR and the Data Protection Act 2018 to the extent that it relates to processing of personal data and privacy;

“Model Clauses” means the Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (which is incorporated herein by reference), in particular its Module 2 (Controller to Processor), as updated or superseded from time to time by the European Commission; or, where implemented, any other set of contractual clauses or similar mechanism approved by the UK’s Regulator or under the UK GDPR for use in respect of restricted transfers, as updated or superseded from time to time;

“Regulator” means the data protection supervisory authority which has jurisdiction over a Data Controller’s and/or Data Processor’s Processing of Personal Data;

“Sub-Processor” means any third party appointed to Process Personal Data on behalf of the Data Processor in connection with this DPA;

“Third Countries” or “Third Country” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this DPA include Andorra, Argentina, Canada (for processing subject to PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, United Kingdom and Uruguay.

2. Processing of Personal Data  

2.1  The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the “Data Controller”, TrackTik is the “Data Processor” and that TrackTik will engage “Sub-Processors” pursuant to the requirements set forth in Section 8 below.

2.2  The subject matter and duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 “Processing Details” of this DPA.

2.3  The Data Processor shall only Process the Personal Data on behalf of and in accordance with documented instructions from the Data Controller and shall maintain all registrations and notifications required of it under the Applicable Data Protection Laws in order to allow it to perform its obligations under the Agreement and the Order Form. The Parties agree that this DPA constitutes Customer’s complete and final instructions to TrackTik in relation to the Processing of Customer Data. The Data Controller shall ensure that its instructions comply with all Applicable Data Protection Laws, and that the Processing of Personal Data in accordance with the Data Controller’s instructions will not cause the Data Processor to be in breach of the Applicable Data Protection Laws. The Data Controller shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the Data Controller acquired Personal Data, and shall establish the legal basis for Processing under Applicable Data Protection Laws.

2.4  Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Laws.

3. Authorized Personnel

3.1  The Data Processor will ensure that its personnel authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with the Data Processor. The Data Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4. Rights of data subjects

4.1  The Data Processor will, to the extent legally permitted, promptly notify the Data Controller if it receives a request from a Data Subject for access to its own Personal Data, for the rectification or erasure of such Personal Data, or any other request or query from a Data Subject relating to its own Personal Data (including Data Subjects exercising rights under Applicable Data Protection Laws, such as rights of objection, restriction of processing, data portability or the right not to be subject to automated decision making) (a “Data Subject Request”). Where appropriate, such notification shall include the provision of further information to the Data Controller in phases, as details become available. Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Data Controller’s obligation to respond to a Data Subject Request within the relevant timescales under Applicable Data Protection Laws. In addition, to the extent the Data Controller, in its use of the services, does not have the ability to address a Data Subject Request, the Data Processor shall upon the Data Controller’s request use commercially reasonable efforts to assist the Data Controller in responding to such Data Subject Request, to the extent the Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws. To the extent legally permitted, the Data Controller shall be responsible for any reasonable costs arising from the Data Processor’s provision of such assistance.

5. Government Access Requests

5.1  The Data Processor will promptly notify the Data Controller about any legally binding request for disclosure of Personal Data by a law enforcement authority before such disclosure, unless otherwise prohibited by law from doing so.

6. Security

6.1  The Data Processor will implement and maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration or damage, and against unauthorized disclosure of, or access to, Personal Data), in accordance with the requirements of Applicable Data Protection Laws.

7. Compliance

7.1  The Data Processor shall use all reasonable efforts to make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Laws.

7.2  Upon Data Controller’s request, the Data Processor shall provide the Data Controller with reasonable cooperation and assistance needed to fulfil Data Controller’s obligation under the GDPR including, where applicable, the UK GDPR, to carry out a data protection impact assessment related to Data Controller’s use of the services, to the extent the Data Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Data Processor. The Data Processor shall provide reasonable assistance to the Data Controller in the cooperation or prior consultation with the Regulator in the performance of its tasks relating to section 7 of this DPA, to the extent required under the GDPR and/or, where applicable, UK GDPR.

8. Sub-Processing

8.1  The Data Controller agrees that the Data Processor may engage Sub-Processors to Process Personal Data. The Sub-Processors currently engaged by TrackTik and authorized by the Customer are listed in Schedule 2 (“List of Sub-Processors”).

8.2  The Data Processor shall ensure that each Sub-Processor has entered into a written agreement requiring the Sub-Processor to abide by terms no less protective than those provided in this DPA. The Data Processor shall be liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by the Data Processor.

8.3  The Data Processor shall notify the Data Controller in writing of any changes to the list of Sub-Processors authorized to Process Personal Data (the “Sub-Processor List”), provide the Data Controller with such information regarding the Sub-Processor as the Data Controller may reasonably require, and provide the Data Controller with a mechanism to obtain notice of any updates to the Sub-Processor List. Notification of a new Sub-Processor shall be issued 30 days prior to such new Sub-Processor being authorized to Process Personal Data in connection with the Agreement.

8.4  The Data Controller may object to Data Processor’s use of a new Sub-Processor where there are reasonable grounds to believe that the new Sub-Processor will be unable to comply with the terms of this DPA or the Agreement. If the Data Controller objects to Data Processor’s use of a new Sub-Processor, the Data Controller shall notify the Data Processor promptly in writing within ten (10) working days after notification regarding such Sub-Processor. Data Controller’s failure to object in writing within such time period shall constitute approval to use the new Sub-Processor. The Data Controller acknowledges that the inability to use a particular new Sub-Processor may result in delay in performing the services, inability to perform the services or increased fees. The Data Processor will notify the Data Controller in writing of any change to services or fees that would result from Data Processor’s inability to use a new Sub-Processor to which the Data Controller has objected. The Data Controller may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. The Data Processor shall have a right to terminate the Agreement if the Data Controller unreasonably objects to a Sub-Processor, or does not agree to a written amendment to the Agreement implementing changes in fees or services resulting from the inability to use the Sub-Processor at issue.

9. Return and Deletion

9.1  The Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies of the Personal Data unless prohibited by law or the order of a governmental or regulatory body having authority in data protection matters or it could subject the Data Processor to liability.

9.2  The Data Controller acknowledges and agrees that the Data Processor shall have no liability arising from or in connection with Data Processor’s inability to perform the services as a result of Data Processor complying with a request to delete or return Personal Data made by the Data Controller pursuant to Section 9.1.

10. Data Breach

10.1  In the event there is, or Data Processor reasonably believes that there is, any improper, unauthorized or unlawful access to, use of, or disclosure of, or any other compromise which affects the availability, integrity or confidentiality of Personal Data which is Processed by Data Processor under or in connection with this DPA and/or the Agreement (“Data Breach”), then upon becoming aware of such Data Breach, Data Processor will promptly notify the Data Controller and provide the Data Controller with the following information as it becomes available:

(i) a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned;

(ii) the name and contact details of the Data Processor contact from whom more information can be obtained; and

(iii) a description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

10.2  The Parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Regulators in connection with a Data Breach, provided that nothing in this Section 10.2 shall prevent either Party from complying with its obligations under Applicable Data Protection Laws.

11. International Transfers

11.1  The Data Processor will only Process Personal Data in, or transfer Personal Data from the European Union or the United Kingdom to, a Third Country where such Processing or transfer takes place on the basis of and in compliance with the applicable Model Clauses, with the processing details that comprise Appendix 1 to the Model Clauses as set out in Schedule 1 of this DPA, and the technical and organizational security measures that comprise Appendix 2 to the applicable Model Clauses as set out in Schedule 1 of this DPA. The Data Processor shall comply with the obligations of the data importer, and the Data Controller shall comply with the obligations of the data exporter, as set out in the applicable Model Clauses. If there is any conflict between this DPA and the Model Clauses (in particular Module 2, Controller to Processor), the terms of the Model Clauses shall apply.

11.2  Subject to Section 8.3, where the Data Processor appoints an affiliate or third-party Sub-Processor to Process Personal Data in a Third Country, the Data Processor must ensure that such Processing takes place in accordance with the requirements of the Applicable Data Protection Laws. The Parties agree that Personal Data may be transferred to an affiliate or third-party Sub-Processor in the United States or Canada provided that the Data Processor and the Sub-Processor ensure that an adequate level of protection and safeguards is in place in respect of any Personal Data that will be Processed, in accordance with Applicable Data Protection Laws.

12. General Provisions 

12.1  The Data Processor shall notify the Data Controller in accordance with the Applicable Data Protection Laws if it considers that any of the Data Controller’s instructions infringe the Applicable Data Protection Laws.

12.2  This DPA will terminate when the Data Processor ceases to Process Personal Data, unless otherwise agreed in writing between the Parties.

12.3  The Parties hereby acknowledge and agree that a person with rights under this DPA may be irreparably harmed by any breach of its terms and that damages alone may not be an adequate remedy. Accordingly, a person bringing a claim under this DPA shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this DPA.

12.4  If the Data Processor seeks amendments to this DPA to comply with a change in Applicable Data Protection Laws or with a binding and final decision of a Regulator with jurisdiction over the Parties’ Processing of Personal Data, it will publish a new version of the DPA at https://www.tracktik.com/dpa/. Such changes shall be deemed effective as of the date of their publication on the Data Processor’s website.

12.5  The section headings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA.

 

SCHEDULE 1: PROCESSING DETAILS

Subject matter of Processing

The subject matter is described in the TrackTik Software as a Service Terms of Service entered into by TrackTik and the Customer as identified on the relevant Order Form.

Nature and Purpose of Processing Activities

The Personal Data Processed by Data Processor will be subject to the following basic Processing activities: 

Guard Tour activities (reporting, dispatching, guard activities including GPS location, message board, analytics/summaries, pictures, videos)

Back-office activities (employee scheduling, payroll, client invoicing, client contract management)

The nature of the Processing is that which is necessary to enable TrackTik to perform its obligations under the Order Form, and includes any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).

The purpose of the Processing is the performance of TrackTik’s obligations under the relevant Order Form, including the performance of functions required or requested by the Customer.

Duration 

The Personal Data Processed by Data Processor will be Processed for the following duration: 

Contract duration between Data Controller and Data Processor. At the end of the provision of services relating to Processing, the Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller in accordance with Section 9 (Return and Deletion).

Data Subjects

The Personal Data Processed by Data Processor concern the following categories of Data Subjects: 

Employees of Customer;
Clients of Customer;
Agency or other workers of Customer;
Members of the public – Incident Reports may have personal data from subjects involved in an incident.

Categories of Data

The Personal Data Processed by Data Processor includes the following default categories of data available in various forms of the application: 

Basic employee information:

  • First name, Last name
  • Gender
  • Birthday
  • Phone (home, cellular)
  • Work Email address and password
  • Work Address (including City, Zip/Postal Code, Country)
  • Company & Job Title
  • Employee ID
  • Employment Date & Termination Date
  • Payroll notes
  • Hourly Rate / Yearly Rate
  • Employee Schedule
  • Payroll Information (Overtime rules, Employee type, Exemptions)
  • Assignments to Sites
  • GPS location on Guard Tour Activities

Basic Customer information:

  • Main contact information (First name, Last name, Phone, Email)
  • Other Customer’s Contacts per Sites
  • Address (including City, Zip/Postal Code, Country)
  • Contracts Information per Sites
  • Invoices and Billing information
  • Reports on Guard Tour Activities (including Incident Reports that may have personal data from subjects involved in an incident)
  • Pictures and Videos uploaded

Special Categories of Data (if appropriate)

The Personal Data Processed by Data Processor concern the following special categories of data:

None by default.

The technical and organisational security measures in accordance with Appendix 2 of the Model Clauses:

The technical and organisational security measures are as described in the Data Processor’s annual SOC 2 Type 2 security audit report.

 

SCHEDULE 2: LIST OF SUB-PROCESSORS

Entity name: Atlassian
Country where processing is performed:

  • Continental US on AWS regions

Activity Provided: Jira ticketing system for user support and development

Data Processed: Ticket requests with screenshots that may contain PII (e.g. First Name and Last Name)

Address: 341 George Street, Level 6, Sydney, Australia, NSW 2000

 

Entity name: Amazon Web Services
Country where processing is performed:

  • Americas & Canada: Brazil, Continental US, Canada
  • EU and UK: Germany + Ireland
  • Pacific Asia: Australia
  • Africa: Germany + Ireland or Continental US

Activity Provided: Variety of different computing and storage services, platform and hosting services (cloud services)

Data Processed: All data received and generated by TrackTik Clients

Address: 410 Terry Avenue North Seattle, WA 98109-5210

 

Entity name: Apple Inc.
Country where processing is performed:

  • Worldwide
  • Apple processes data at the location closest to the client’s request (i.e. a request originating in the EU is processed in an EU data center)

Activity Provided: Apple Push Notifications service (APNs)

Data Processed: Mobile Push Notification Messages which may contain PII (e.g. First Name and Last Name)

Address: https://www.apple.com/legal/privacy/contact/

 

Entity name: Google LLC, Google Ireland Limited, or any other Affiliate of Google LLC
Country where processing is performed:

  • Americas & Canada: Continental US
  • EU and UK: Ireland
  • Rest of the World: Continental US by default

Activity Provided: Google Firebase (Mobile Push Notifications and Cloud Messaging)

Data Processed: Mobile Push Notification Messages which may contain PII (e.g. First Name and Last Name)

Address: [email protected]

 

Entity name: Mailgun Technologies, Inc.
Country where processing is performed:

  • Americas & Canada: Continental US
  • EU and UK: Germany, Belgium
  • Rest of the World: Continental US

Activity Provided: Backup email delivery services

Data Processed: Emails (e.g. notifications, delivery of reports)

Address: 112 E Pecan St #1135, San Antonio, TX 78205, United States

 

Entity name: Pusher Ltd.
Country where processing is performed:

  • Worldwide on AWS regions
  • Pusher processes data at the location closest to the client’s request (i.e. a request originating in the EU is processed in an EU data center)

Activity Provided: Real time managed WebSocket connections for notifications

Data Processed: Internal real-time event processing (e.g. when multiple users are viewing the same dashboard, a change made by one user is reflected in real time on the other users’ screens)

Address: 160 Old Street, London, United Kingdom, EC1V 9BW

 

Entity name: Twilio Inc
Country where processing is performed:

  • Twilio processes data at the location closest to the client’s request (i.e. a request originating in the EU is processed in an EU data center).
  • Americas & Canada: Brazil, Continental US, Canada
  • EU and UK: Germany + Ireland
  • Pacific Asia: Australia, Singapore, Japan
  • Africa: Germany + Ireland or Continental US

Activity Provided: Voice-over-IP and SMS services

Data Processed: Telephony metadata (Phone Numbers – Caller and Recipient), and SMS messages for notifications which may contain PII (e.g. First Name and Last Name)

Address: 375 Beale St, Suite 300, San Francisco, CA 94105

 

Entity name: Zendesk
Country where processing is performed:

  • Continental US on AWS regions

Activity Provided: Ticketing system for user support and development

Data Processed: Ticket requests with screenshots that may contain PII (e.g. First Name and Last Name)

Address: 989 Market St, San Francisco, United States, CA 94103