Data Processing Agreement
Updated 7th March 2022
This Data Processing Agreement (the “DPA”) is made by and between Specs, Inc. (“Company”) and the entity identified as Customer (“Customer”) in the Spectacles SaaS Agreement or any other agreement between Customer and Company for the purchase of Services (in each case, the “Agreement”). This DPA is incorporated into the Agreement between Company and Customer. This DPA shall be effective for so long as the Company Processes Customer Personal Data.
1.1. “Customer Personal Data” means the Personal Data provided to Company in connection with Company’s provision of Services under the Agreement.
1.2. “Data Protection Legislation” means all applicable legislation relating to data protection and privacy together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.
1.3. “Personal Data”, “Data Subject”, “Process”, “Processor”, “Controller”, and “Supervisory Authority” will each have the meaning given to them or similar terms in applicable Data Protection Legislation.
1.4. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by Company that compromises the confidentiality, integrity, or availability of such Customer Personal Data.
1.5. “Standard Contractual Clauses” or “SCC” means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.6. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0 in force March 21, 2022, as may be amended or replaced from time to time by the UK Information Commissioner (as currently available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/).
1.7. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Details of The Processing
2.1. Categories of Data Subjects. Categories of Data Subjects whose Personal Data may be included in Customer Personal Data include Customer’s employees, contractors, and other personnel whom Customer authorizes to use the Services, and other Data Subjects about whom Customer receives or collects, and thereafter provides to Customer, Personal Data in the form of Customer Personal Data.
2.2. Types of Personal Data. Customer Personal Data may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, such as names and email addresses.
2.3. Subject-Matter and Nature of the Processing. The subject-matter of Company’s Processing of Customer Personal Data is the provision of the Services to Customer, which include the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities that Company must perform to provide the Services pursuant to the Agreement and any applicable statement of work or other ordering document.
2.4. Purpose of the Processing. Company will process Customer Personal Data for purposes of providing the Services described in the Agreement and any applicable Order Form or other ordering document.
2.5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 11 of this DPA.
3. Processing of Customer Personal Data
3.1. This DPA applies to the Processing of Customer Personal Data by Company as set forth in the Agreement and this DPA. If applicable Data Protection Legislation recognizes the roles of Controller and Processor as applied to Customer Personal Data, then as between Company and Customer, Customer acts as Controller and Company acts as a Processor (or Subprocessor, as the case may be) of Customer Personal Data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including with respect to transfers of Customer Personal Data, unless Processing is required by applicable Data Protection Legislation to which Company is subject, in which case Company shall, to the extent permitted by applicable law, inform Customer of that legal requirement before so Processing that Customer Personal Data. The Parties agree that such instructions are contained in the Agreement and that Company may Process Customer Personal Data as necessary to enable Company to provide the Services according to the Agreement. Any additional or different instructions require a signed agreement between Company and Customer and may be subject to additional fees. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data. Company will inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation, provided, however, Company is not responsible for performing legal research and/or for providing legal advice to Customer.
3.2. If Company cannot process Customer Personal Data according to Customer’s instructions due to a legal requirement under any applicable Data Protection Legislation, Company will (i) promptly notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) Process (or continue to Process) Customer Personal Data to the extent Company is able to comply with Customer’s instructions in order to provide the Services as set forth in the Agreement.
3.3. Each of Customer and Company will comply with their respective obligations under Data Protection Legislation. Customer shall (a) provide all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and Company’s, Processing of Customer Personal Data and (b) ensure that Customer has obtained (or will obtain) and maintain during the term of the Agreement all rights and consents (if required) which are necessary for Company to Process Customer Personal Data in accordance with this DPA and the Agreement. If Customer is not required by Data Protection Legislation to obtain and maintain valid consent from Data Subjects, Customer will otherwise obtain and maintain a valid legal basis in accordance with Data Protection Legislation to Process Customer Personal Data and for providing such data to Company for Processing under the Agreement.
3.4. Unless set forth in an Order Form or other document signed by the parties, Customer Personal Data may not include any sensitive or special data that imposes specific data security or data protection obligations on Company in addition to or different from those specified in any documentation or which are not provided as part of the Services.
4. International Transfers
4.1. In accordance with Customer’s instructions under Section 3, Company may Process Customer Personal Data on a global basis as necessary to provide the Services, including for IT security purposes, maintenance and provision of the Services and related infrastructure, technical support, and change management.
4.2. To the extent that the Processing of Customer Personal Data by Company involves the transfer of such Customer Personal Data from the European Economic Area (“EEA”) to a country or territory outside the EEA, other than a country or territory that has received a binding adequacy decision as determined by the European Commission (an "EEA Transfer"), such EEA Transfer shall be subject to the protections and provisions of the Standard Contractual Clauses (for which the SCC Appendix is attached to this DPA in Schedule 1) or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Legislation.
4.3. Customer shall be deemed to have signed the SCC in Schedule 1, Annex I in its capacity of “data exporter” and Company in its capacity as “data importer.” Module Two or Module Three of the SCC shall apply to the transfer depending on whether Customer is Controller of the Customer Personal Data (for Module Two) or a Processor of the Customer Personal Data on behalf of its customer (for Module Three). If Module Three applies, Customer hereby notifies Company that it is a Processor and the instructions shall be as set forth in Section 3. For purposes of Clauses 17 and 18 of the SCCs, the Parties select The Netherlands. Additional provisions applicable to Customer Personal Data transferred pursuant to SCC are set forth in Schedule 2.
4.4. The SCC will cease to apply if Company has implemented an alternative recognized compliance mechanism for the lawful transfer of personal data in accordance with applicable Data Protection Legislation.
4.5. In the event of any conflict between any terms in the SCC and DPA, the SCC shall prevail to the extent of the conflict.
4.6. Where Customer Personal Data originating from the United Kingdom (“UK”) specifically is processed by Company outside of the UK, in a territory that has not been designated by the UK Information Commissioner (“ICO”) as ensuring an adequate level of protection pursuant to Data Protection Legislation in the UK (“UK Transfer”), and to the extent such processing and transfer would be subject to such UK Data Protection Legislation, the Parties agree that the UK Addendum shall apply to such UK Transfer and shall be completed with the information set forth in this DPA and the Agreement.
Company shall implement processes designed to ensure that Customer Personal Data is only made available to those of its personnel, including its Subprocessors, who (i) need to access such Customer Personal Data in order to carry out their roles in the performance of Company’s obligations under the Agreement and this DPA and (ii) have committed themselves to protect the confidentiality of such Customer Personal Data or are otherwise under an appropriate statutory obligation of confidentiality.
6. Security Measures.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (described under Annex II to the Standard Contractual Clauses). Company may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of a statement of work or other ordering document. Such measures shall include a process for regularly testing, assessing and evaluating the effectiveness of the measures.
7.1. Customer authorizes Company to appoint the entities identified on Schedule 1, Annex III of this DPA as Subprocessors of Customer Personal Data and generally authorizes Company’s engagement of additional Subprocessors and Company’s replacement of any Subprocessors identified in Annex III. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the subprocessing of Customer Personal Data for purposes of Clause 9, Option 2 of the Standard Contractual Clauses. Company will inform Customer of any intended changes concerning the addition or replacement of any Subprocessors. To receive such notifications, Customer agrees to sign up for notifications as set forth on https://www.spectacles.dev/utility/subprocessors. If Customer can show on reasonable and objective grounds that a new Subprocessor does not or cannot comply with applicable Data Protection Legislation and wishes to object to Company’s use of such Subprocessor, then Customer has fifteen (15) days after Company notifies Customer of such new Subprocessor to notify Company in writing of its reasonable and objective basis, supported by documentary evidence, for objection to the use of the new Subprocessor. Upon receipt of Customer’s written objection, Customer and Company will work together without unreasonable delay to find a mutually acceptable resolution to address the objection, including but not limited to reviewing additional documentation supporting the Subprocessor’s ability to comply with Data Protection Legislation. To the extent Customer and Company do not reach a mutually acceptable resolution within a reasonable timeframe, Company will use reasonable endeavors to make available to Customer a change in the Services or will recommend a commercially reasonable change to the Services to prevent the applicable Subprocessor from Processing Customer Personal Data.
If Company is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Customer shall have the right, as its sole remedy, to terminate the relevant Services (i) in accordance with the termination provisions in the Agreement; (ii) without liability to Customer or Company, and (iii) without relieving Customer from its payment obligations under the Agreement up to the date of termination.
7.2. Company will enter into a binding written agreement with any Subprocessors that imposes on the Subprocessors the same level of restrictions that apply to Company under this DPA to the extent applicable to the nature of the services provided by such Subprocessors. Where any of its Subprocessors fails to fulfil its data protection obligations in relation to the Services provided to Customer, such that Company would be found to have violated its obligations to Customer under this DPA, Company will be responsible to Customer for the performance of its Subprocessors’ obligations.
8. Data Subject Rights
8.1. To the extent legally permitted, and where a Data Subject identifies Customer as the entity that collected its Personal Data, Company shall notify Customer without undue delay of receiving any request or complaint from Data Subjects regarding Customer Personal Data (“Data Subject Inquiry”). Company shall not respond to Data Subject Inquiries without Customer’s prior written consent and written instructions. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Inquiry, Company will provide Customer with reasonable assistance necessary for the fulfilment of Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights in accordance with Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Company’s provision of such assistance.
8.2. If a Data Subject does not identify an entity that collected its Personal Data, Company will instruct the Data Subject to identify and contact the relevant entity that collected its Personal Data.
8.3. Company shall comply with Customer’s instructions regarding the handling of a Data Subject Inquiry, subject to the terms of Section 3.1.
9. Personal Data Breaches
9.1. Company will notify Customer at the contact information on file without undue delay and in any event within seventy-two (72) hours after it becomes aware of and confirms any Personal Data Breach. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Company, Company will also provide Customer with information regarding (1) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (2) the reasonably anticipated consequence of the Personal Data Breach; (3) measures taken to mitigate any possible adverse effects; and (4) other information concerning the Personal Data Breach reasonably known or available to Company that Customer is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Legislation. Company’s contact point for additional details regarding a Personal Data Breach is email@example.com. Except as required by applicable Data Protection Legislation, the obligations set out in this Section shall not apply to Personal Data Breaches caused by Customer.
9.2. Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents. Customer and Company shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications in accordance with Data Protection Legislation to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Legislation. In any event, Customer shall not disclose any confidential or proprietary information of Company in the content of any notification. Company’s prior written approval shall be required for any statements regarding, or references to, the Personal Data Breach or Company made by Customer in any such notifications. Except as required by Data Protection Legislation, Company’s obligations in this Section shall not apply to Personal Data Breaches caused by Customer.
10. Data Protection Impact Assessment; Prior Consultation
Company will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, including by providing Customer with documentation regarding Company’s Processing operations, if Customer is required to engage in such activities under applicable Data Protection Legislation and such assistance relates to the Processing by Company of Customer Personal Data.
11. Return or Deletion of Customer Personal Data
11.1. Subject to Section 11.2 below, Company shall:
11.1.1. Make Customer Personal Data available for retrieval to Customer for thirty (30) days after termination or expiration of the Agreement (“Retrieval Period”); and
11.1.2. After such Retrieval Period, delete Customer Personal Data Processed by Company or any Subprocessors, and where deletion is not possible, sufficiently de-identify Customer Personal Data such that it is no longer Personal Data, except if required or permitted by applicable law or for compliance, audit, or security purposes.
11.2. Company and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws, only to the extent and for such period as required by applicable laws, and provided that Company shall protect the confidentiality of all such Customer Personal Data and Process such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
12.1. Company will provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Legislation (which information is Company Confidential Information under the Agreement), and, subject to the terms below, allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
12.2. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Company shall make available to Customer that is not a competitor of Company (or Customer’s independent, third-party auditor that is not a competitor of Company) a copy of Company’s security documentation and any available and recent third-party audits or certifications, as applicable, each for the sole purposes of confirming Company’s compliance with this DPA and to assist Customer with complying with its obligations under Data Protection Legislation. If no such audit report is available at the time of Customer’s request, Company will allow and contribute to audits as set forth below.
12.3. Customer may, upon reasonable notice and at reasonable times, audit (either by itself or using independent third-party auditors) Company's compliance with this DPA. Company shall assist with and contribute to any audits conducted in accordance with this Section 12. Such audits may be carried out once per year or more often if required by Data Protection Legislation.
12.4. Any third party engaged by Customer to conduct an audit must be pre-approved by Company (such approval not to be unreasonably withheld) and sign Company’s confidentiality agreement. Customer must provide Company with a proposed audit plan at least two weeks in advance of the audit, after which Customer and Company shall discuss in good faith and finalize the audit plan prior to commencement of any audit activities.
12.5. Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and Company’s security and other policies, and may not unreasonably interfere with Company’s regular business activities. Customer shall reimburse Company for any reasonable costs or expenses incurred by Company in connection with the audit.
12.6. Information obtained or results produced in connection with an audit are Company Confidential Information under the Agreement and may only be used by Customer to confirm compliance with this DPA and for complying with its requirements under Data Protection Legislation.
12.7. Company may charge Customer a reasonable fee for time spent in connection with any assistance or cooperation required by Customer under this DPA if such assistance or cooperation involves the commitment of resources over a prolonged period of time, which are not included as part of the Services, or involves third-party costs, and does not arise from any breach by Company of this DPA.
13. General Provisions
13.1. Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, Company will not be liable under the Agreement or this DPA for any claim brought by a Data Subject arising from any action or omission by Company, to the extent that such action or omission resulted from Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable Data Protection Legislation.
13.2. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.
13.3. To the extent the California Consumer Protection Act (“CCPA”) applies to any Customer Personal Data, Company certifies that it understands its restrictions set forth in Section 1798.140(w)(2)(A) of the CCPA as to such Customer Personal Data regarding residents of California and will comply with the same to the extent no CCPA exemptions apply.
13.4. Company may share and disclose Customer Personal Data in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Company’s business by or to another company, including the transfer of contact information and data of Customer’s customers, partners and end users, and Customer Personal Data Processed in connection with the Services.
13.5. The parties agree that the bundling of Customer’s data exporters, for example, if Customer consists of multiple global affiliates, as controllers within this single DPA is undertaken for efficiency purposes (i.e., to avoid a multitude of different contract documents) and (i) shall result in legally separate Addenda between the respective Customer entity and Company solely for purposes of addressing any such obligations under Data Protection Legislation; (ii) shall not create any new or different legal or other relationship whatsoever between the “bundled” Customer entities; (iii) does not create any additional rights or remedies for such bundled Customer entities; (iv) all processing instructions must be provided by the Customer entity that is signatory to the Agreement and Company is not responsible for consolidating or evaluating the validity of instructions received from other Customer entities; (v) any commercial terms not provided by the DPA are provided by the Agreement regardless of whether the bundled Customer entities signed or were consulted regarding the terms of the Agreement or are aware of the Agreement; and (vi) any audits conducted in accordance with the DPA shall be conducted only by and through the Customer entity that is signatory to the Agreement.
Appendix to the Standard Contractual Clauses
A. LIST OF PARTIES
Name: The data exporter is the entity identified as “Customer” in the DPA.
Address: as set forth in the Agreement.
Contact person: as set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: as set forth in the Agreement.
Signature and date: refer to DPA.
Role: Controller, except when processing data on behalf of another entity, in which case data exporter is a processor.
Name: The data importer is the entity identified as “Company” in the DPA.
Address: as set forth in the Agreement.
Contact person: as set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: as set forth in the Agreement.
Signature and date: refer to DPA.
Role: processor, or sub-processor if data exporter is a processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Data subjects are defined in the DPA.
Categories of personal data transferred: Categories of personal data are defined in the DPA.
Sensitive categories of data (if appropriate): As set forth in the DPA.
The frequency of the transfer: As set forth in the Agreement.
Nature of the processing: The nature of the processing defined in the DPA and the Agreement.
Purposes of the data transfer and further processing: The purposes of data transfers and further processing are defined in the DPA and the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the DPA and the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth in the DPA and the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
If Customer is established in an EU Member State, the competent supervisory authority shall be the supervisory authority applicable to the establishment location of Customer. If Customer is not established in an EU Member State, the competent supervisory authority shall be the supervisory authority located where Customer has appointed its EU Representative. If Customer is not established in an EU Member State and is not required to appoint an EU Representative, the competent supervisory authority shall be the supervisory authority applicable to the location of the Data Subject whose data is at issue.
Technical and organizational measures including technical and organizational measures to ensure the security of the data:
Please reference the webpage https://www.spectacles.dev/security.
List of Subprocessors
Please reference the webpage: https://www.spectacles.dev/utility/subprocessors
Schedule 2 - Additional SCC Provisions
Based on European Data Protection Board Recommendations 01/2020
1. Company shall, unless otherwise prohibited by law or a legally binding order of an applicable body or agency, promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) (“Disclosure Request”) without responding to such request, unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request). Company will review applicable law to evaluate any Disclosure Request, for example the ability of the requesting authority to make the Disclosure Request, and to challenge the Disclosure Request if, after a careful assessment, it concludes that there are grounds under applicable law to do so. When challenging a Disclosure Request, Company shall seek interim measures to suspend the effects of the Disclosure Request until an applicable court or other authority has decided on the merits. Company shall not disclose Customer Personal Data requested until required to do so under applicable law. Company shall only provide the minimum amount of Customer Personal Data permissible when responding to the Disclosure Request, based on a reasonable interpretation of the Disclosure Request. If the Disclosure Request is incompatible with the SCCs or other data transfer mechanism utilized in accordance with Section 3 in this DPA, Company will so notify the requesting authority and, if permitted by applicable law, notify the competent EEA government authority with jurisdiction over the Customer Personal Data subject to the Disclosure Request. Company will maintain a record of Disclosure Requests and its evaluation, response, and handling of the requests. Company will provide Customer with such records relevant to Customer Personal Data except as prohibited by applicable law or legal process or in the interest of protecting Company’s legal rights in connection with threatened, pending, or current litigation.
2. Company has not purposefully created “back doors” or similar programming in its systems that provide Services that could be used to access the systems and/or Customer Personal Data, nor has Company purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or its systems that provide the Services. To the best of Company’s knowledge, United States Data Protection Legislation does not require Company to create or maintain “back doors” or to facilitate access to Customer Personal Data or systems that provide Services or for Company to possess or provide the encryption key in connection with a United States Disclosure Request.
3. Company shall use reasonable efforts to assist Customer and its Data Subjects, as instructed by Customer (in accordance with Section 8 of the DPA), regarding Disclosure Requests, unless prohibited by applicable law, for example to provide information to Customer in connection with the Data Subject’s efforts to exercise its rights and obtain legally-available redress, provided Company shall not be required to provide Customer or Data Subjects with legal advice.
4. Customer may request to audit Company information regarding access to Customer Personal Data, subject to the terms of Section 12 of the DPA.
5. Company has established an internal procedure regarding handling of Disclosure Requests and applicable transfers of Personal Data of customers. Company has procedures for applicable personnel to receive information, as appropriate, regarding applicable transfers of Customer Personal Data, where such information may include an explanation of the necessity of the transfer and any data protection safeguards in scope.
6. In the event Company receives a request to voluntarily disclose unencrypted Customer Personal Data to a government authority, Company will use reasonable efforts to first obtain Customer’s consent, either on its behalf or on behalf of the relevant Data Subject.