Supercreator LTD

Data Processing Addendum
Last updated: July 2024

This data processing addendum (the "Addendum") forms part of the general terms and conditions (the "Agreement") of the Platform of Supercreator Ltd. (the "Company") applicable to the provision of the Services to the party engaged thereunder (the "Customer"). The Company, on the one hand, and the Customer, on the other hand, may each be referred to herein as a "Party", and collectively as the "Parties".
Capitalized terms not defined herein will have the meaning set forth in the Agreement.

1. Definitions

In this Addendum, the following words and phrases shall (unless the context otherwise requires) have the meanings set out beside them:

    1.1 "Agreement Data" means any Data provided by the Customer on the Platform, or received or accessed by the Company or any Subcontractor, pursuant to or in connection with the Agreement.
    1.2 "Agreement Personal Data" means any Personal Data provided by the Customer on the Platform and Processed by the Company or any Subcontractor pursuant to or in connection with the Agreement.
    1.3 "Applicable Laws" means laws applicable directly to the Company by virtue of the Services provided under the Agreement with respect to any Personal Data.
    1.4 "Applicable Privacy Laws" means any laws applicable to the Company by virtue of the Services provided under the Agreement relating to Personal Data and privacy protection, including (if applicable) the GDPR, the CCPA, and the Protection of Privacy Law, 1981, and the regulations promulgated thereunder.
    1.5 "Data Subject" means any person to whom the Personal Data relates.
    1.6 "Subcontractor" means any person appointed by or on behalf of the Company to Process Agreement Personal Data on behalf of the Customer in connection with the Agreement.
    1.7 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
    1.8 "CCPA" means the California Consumer Privacy Act (2018), as amended by the California Privacy Rights Act (2020).
    1.9 "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Sell", "Sale" or "Selling", "Share", "Shared" or "Sharing", "Business" and "Service Provider" shall have the meanings ascribed to them in the Applicable Privacy Laws.
    1.10 "Standard Contractual Clauses" or "EU SCCs" means the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, or any subsequent final version thereof, which shall automatically apply. The version of the EU SCCs governing transfers of Personal Data from Controller to Processor (Module Two) is available online at:

    https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN#d1e32-57-1

    If the European Commission replaces the EU SCCs with amended or new standard contractual clauses, then, to the extent the relevant supervisory authority approves of the use of such amended or new standard contractual clauses, the references herein to "EU SCCs" will be read to refer to such amended or new standard contractual clauses.

2. General Requirements

2.1 Both Parties undertake to act in accordance with the provisions of this Addendum and in accordance with the provisions of the Applicable Privacy Laws.
2.2 It is acknowledged by the Parties that, by virtue of the Agreement, the Company may Process Agreement Personal Data on behalf of the Customer. The Customer is the party that determines the purposes and means of the Processing of Agreement Personal Data, and the Company Processes Agreement Personal Data on behalf of the Customer for the provision of the Services. The Company shall Process Agreement Personal Data only on behalf of, and in accordance with, the Customer's documented instructions. If the Company believes that an instruction given by the Customer does not comply with any Applicable Law, it shall notify the Customer and refuse to comply with that instruction, even if the Customer insists on it after such notification.
2.3 The Customer will be responsible for obtaining all authorizations and consents required to provide the Services, including where relevant, the explicit consent of the Data Subject for the processing carried out by the Company.
2.4 Accordingly, the Customer is considered as the "Controller" or the "Business" and the Company is considered as the "Processor" or the "Service Provider" (or different terms with similar meanings in any Applicable Privacy Laws) with regards to the Agreement Personal Data, by virtue of Applicable Privacy Laws.
2.5 Schedule I to this Addendum sets out certain details regarding the Company's Processing of Agreement Personal Data.
2.6 The Company will not Sell or Share Agreement Personal Data nor take any action that would cause any transfer of Agreement Personal Data to or from the Company under the Agreement or this Addendum to qualify as Selling or Sharing of such Agreement Personal Data.
2.7 The Company shall notify the Customer if it determines that it can no longer meet its obligations under Applicable Privacy Laws. The Customer may, upon written notice, take reasonable steps to stop and remediate an unauthorized use of Agreement Personal Data in accordance with Applicable Privacy Laws.

3. Company's Personnel

3.1 Company shall ensure that access to Personal Data is limited to those individuals who need to know or access the relevant Personal Data, and only as strictly necessary for the purpose of the Agreement.
3.2 Company shall take steps to ensure that the individuals who may have access to Personal Data on its behalf (i) are informed of the confidential nature of Personal Data; and/or (ii) are subject to confidentiality undertakings or appropriate statutory obligations of confidentiality.

4. Subcontractors

4.1 The Customer acknowledges that the Company may engage third-party Subcontractors in connection with the provision of the Services. The Subcontractors currently used by the Company are listed in the Subcontractor list in Schedule II.
4.2 At least seven (7) days before the Company engages a new Subcontractor or replaces an existing one, the Company will notify the Customer of that change, providing the details of the new Subcontractor and the Services to be provided by it. If the Customer has a legitimate reason under Applicable Privacy Laws to object to the new Subcontractor's Processing of Personal Data, the Customer may request that the Parties discuss a resolution of the objection. Such discussions shall not affect the Company's right to use the new Subcontractor after the seven (7) day period.
4.3 The Company will take measures to ensure that all its Subcontractors are subject to privacy and security undertakings similar to those applicable to the Company under this Addendum, and that they comply with Applicable Privacy Laws.

5. Rights of Data Subjects

5.1 Without derogating from the generality of the above, Company shall (i) notify the Customer without undue delay of any request made to Company by a Data Subject in relation to Personal Data concerning him or her; and (ii) refrain from responding to any such request, except on the written instruction of the Customer or as required by Applicable Privacy Laws to which Company is subject.
5.2 Taking into account the nature of the Processing of Personal Data by Company, Company shall assist the Customer, by reasonably appropriate technical and organizational measures and insofar as this is possible and reasonable, in fulfilling the Customer's obligations to respond to requests made by Data Subjects in relation to Personal Data concerning them. Company may refer such requests, and the Data Subjects making them, directly to the Customer for handling. To the extent permitted under Applicable Privacy Laws, the Customer shall be responsible for any costs arising from Company's provision of such assistance.

6. Security & Personal Data Breaches

6.1 Company undertakes to implement security measures that comply with reasonable industry practices and with the requirements of the Applicable Privacy Laws.
6.2 Company will notify the Customer of any material personal data breach affecting Personal Data ("Personal Data Breach") without undue delay after becoming aware of it, and will reasonably assist the Customer in relation to any Personal Data Breach notifications the Customer is required to make under the Applicable Privacy Laws.
6.3 Company will take reasonable steps to mitigate the effects of, and to minimize any damage resulting from, the Personal Data Breach, to the extent such mitigation is within Company's reasonable control.

7. Transfers to Third Parties

7.1 The Company undertakes to transfer the Agreement Personal Data, or grant access to it, only to those employees, Subcontractors, representatives, and/or other third parties acting on its behalf that need the Agreement Personal Data for the purpose of providing the Services to the Customer.
7.2 The Company undertakes that Personal Data will be transferred only to countries to which such transfer is permitted under the Applicable Privacy Laws.
7.3 Without limitation to the generality of the foregoing, the Company shall ensure that transfers of Personal Data collected from Data Subjects in the EU to jurisdictions outside the EU or the European Economic Area ("EEA") are made only under one of the following legal mechanisms:
(i) the transfer is to a jurisdiction deemed by the European Commission to have an adequate level of protection; or
(ii) the transfer is to a country outside the EEA which is not subject to an adequacy decision under the GDPR, and the Parties have entered into the EU SCCs.
7.4 In this respect, the Company, on the one hand, and the Customer, on the other hand, hereby enter into the Controller to Processor Standard Contractual Clauses (Module Two). In the event of any conflict or inconsistency between this Addendum and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses shall prevail. These Clauses shall apply to any restricted processing as set out in Section 7.3 above.
7.5 The following provisions shall apply to any such restricted processing:
(i) Clause 7 (Docking clause) is not used; under Clause 9 (Use of sub-processors), Option 2 (General written authorisation) is elected, with seven (7) days' prior notice of any changes; under Clause 11 (Redress), the optional language is not used; under Clause 13 (Supervision), the competent supervisory authority is the supervisory authority of Cyprus; under Clause 17 (Governing law) and Clause 18 (Choice of forum and jurisdiction), the governing law and jurisdiction shall be those of Cyprus;
(ii) with regard to the Controller to Processor Standard Contractual Clauses entered into by the Company, on the one hand, and the Customer, on the other hand, the Customer is the "data exporter" and the Company is the "data importer";
(iii) Schedules I and II to this Addendum shall apply as Annex I and Annex III, respectively, of the Controller to Processor Standard Contractual Clauses; and
(iv) Schedule III to this Addendum shall apply as Annex II of the Controller to Processor Standard Contractual Clauses.
7.6 The Customer may, by at least thirty (30) days' written notice to the Company, make such changes to the Controller to Processor Standard Contractual Clauses entered into between the Customer and the Company as are required due to a change in, or a decision of a competent authority under, Applicable Laws.

8. Deletion or Return of Personal Data

8.1 Within ninety (90) days of the date of cessation of the Services (the "Cessation Date"), Company will delete or return to the Customer all Personal Data in its possession, except to the extent Company is required by applicable law to retain some or all of the Personal Data (in which case Company will implement reasonable measures to prevent any further Processing of that Personal Data). The terms of this Addendum will continue to apply to such retained Personal Data.

9. Audits

9.1 Company will allow for and contribute to audits to demonstrate compliance with this Addendum, in accordance with the following provisions:
(i) The Customer shall provide at least six (6) weeks' prior written notice to Company of a request to perform an audit, provided that any such request shall occur no more than once in any twelve (12) calendar month period.
(ii) Company will inform the Customer if it has conducted an audit of its data protection and data security procedures in the preceding twelve (12) calendar month period, in which case the Customer agrees to exercise any right it may have to conduct an audit under this Addendum by instructing Company to provide the Customer with a summary of such most recent relevant audit report, which shall be considered Company's confidential information.
(iii) Any audit shall be conducted by a mutually agreed independent third-party auditor who is engaged and paid by the Customer and is under a non-disclosure agreement requiring the auditor to maintain the confidentiality of all of Company's confidential information and all audit findings. All audits shall be conducted during normal business hours, at Company's principal place of business or other location(s) where Personal Data is processed. Any such audit will result in the generation of an audit report, which shall be considered Company's confidential information. At the Customer's written request, Company will make available to the Customer a summary of the relevant audit report.
(iv) The scope of any audit will be limited to Company's policies, procedures, and controls relevant to the Processing of Personal Data.
9.2 Where legally required, the Company shall permit the competent supervisory authorities to conduct a data protection audit with regard to the Processing carried out by the Company.
9.3 If, pursuant to Applicable Privacy Laws, the Customer is required to perform a data protection impact assessment or prior consultation with supervisory authorities, the Company shall, at the Customer's request, provide such documents as are generally available for the Services. Any additional assistance shall be mutually agreed between the Parties.

10. Miscellaneous

10.1 For the avoidance of doubt, the limitation of liability and indemnification provisions of the Agreement apply to this Addendum as well.
10.2 This Addendum shall continue in force until the termination of the Agreement.
10.3 Regarding the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Agreement, the provisions of this Addendum shall prevail.
10.4 The Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
10.5 If any provision of this Addendum is held by a court of competent jurisdiction to be unenforceable under Applicable Law, then such provision shall be excluded from this Addendum, and the remainder of this Addendum shall be interpreted as if such provision were so excluded and shall be enforceable in accordance with its terms; provided, however, that in such event this Addendum shall be interpreted so as to give effect, to the greatest extent consistent with and permitted by applicable law, to the meaning and intention of the excluded provision as determined by such court of competent jurisdiction.

Schedule I: Description of Agreement Personal Data Processing

1. Data Exporter: The Customer, contact details: hello@supercreator.app
2. Data Importer: The Company, contact details: hello@supercreator.app
3. Types of Personal Data
The following data of the Customer:
Customer's users information.
Any other information entered by the Customer.
The following data of the Customer's end-users:
Any information entered by the Customer's end-user when communicating with the Customer's users and with the Customer.

4. Special categories of Personal Data (sensitive data): the Processing may include information about a Customer end-user's sex life, where such information is provided by the Customer's end-user.
5. Data subjects: the Personal Data transferred concerns the following categories of data subjects: Customer's representatives and end-users.
6. Duration of Processing: The processing will begin on the effective date of the Agreement and will end upon expiration or termination of the Agreement.
7. Nature and Purpose of Processing: Processing by the Company of Agreement Personal Data as necessary to provide the Services to the Customer under the Agreement.

Schedule II: Subcontractor List

The list will be provided upon request; you can ask for it by writing to us at: hello@supercreator.app

Schedule III Technical and Organizational Measures to be Implemented by the Company

1. Information security program. A written security program is implemented, maintained, and complied with. As part of the program, the Company will: (i) implement an audit program to test, and where necessary remediate, identified gaps in all security controls at least annually or whenever there is a material change in business practices that may reasonably affect the security or integrity of records containing Personal Data; (ii) conduct, in line with ISO/IEC 27001 or similar standards, an annual risk assessment of the threats and vulnerabilities associated with its systems; and (iii) produce, pursuant to the results of (i) and (ii), a documented risk assessment and, where appropriate, a risk remediation plan.

2. Security official. A designated security official at management level or above is responsible for the development, implementation, and ongoing maintenance of the information security program. The appointed official has appropriate recognized information security credentials and qualifications.

3. Access control. Access rights are assigned according to the principle that employees and third parties are granted only the level of access they need to perform their activities (need-to-know principle). Access rights are granted according to defined role-based permissions. Granted access rights are reviewed regularly, and rights that are no longer required are withdrawn immediately.

4. Physical access control. Secure areas are defined based on information security and data protection requirements and are protected against unauthorized access by appropriate physical safeguards, defined based on the protection needs of the information located or accessed within them, including but not limited to: locking of server rooms; alert mechanisms for unauthorized access; room and building entry controls; and implementation of well-known security standards by data storage providers.

5. Logical access control. Password procedures are implemented, including requirements on length and complexity and account locking after failed logins. Screen and system locking is enforced after 20 minutes of idle time. Limits are placed on the number of authorized users. Remote connection to Company's systems is made using a trusted VPN service. Endpoint devices are kept updated, encrypted, and protected by anti-spyware and antivirus programs.
    
6. Incident response plan. Policies and procedures are implemented and designed to detect, respond to, and otherwise address incidents, including specific points of contact in the event of an incident, and procedures to: (i) monitor and detect actual and attempted attacks on, or intrusions into, the processing systems; (ii) identify and respond to suspected or known incidents; and (iii) immediately mitigate the harmful effects of any incident, without prejudice to the measures or actions necessary to determine the seriousness of the breach.

7. System testing and maintenance. The Company tests and maintains systems to protect data, including, without limitation: (i) installing critical security patches for operating systems and applications within thirty (30) days of publication, and other patches and updates within three (3) months of publication; (ii) installing the latest recommended versions of operating systems, software and firmware for all system components; and (iii) ensuring that endpoint security agent software includes malware protection configured to receive automatic updates of its patches and virus definitions at least daily.

8. Availability and resilience. The Company implements measures to ensure that Data is protected from accidental destruction or loss, including, without limitation: (i) routine database backups and mirroring of servers; (ii) uninterruptible power supply (UPS); and (iii) up-to-date antivirus and anti-malware programs and firewalls maintained to current requirements.

9. Audit logging. Hardware, software, or procedural mechanisms are implemented and maintained to record and examine activity in processing systems that contain or use electronic information, including appropriate logs and reports concerning the security requirements set forth in this Schedule.

10. Security awareness and privacy training. An ongoing security and privacy awareness and training program is maintained for all personnel (including management, employees, contractors, and other agents), which includes training on how to implement and comply with the information security program and sets out disciplinary measures for violation of the security program. Security and privacy awareness training is conducted at least annually.