Data Protection Addendum

Data Protection Regulation Addendum

Customers trust Popl with their data, and the Popl team takes that responsibility seriously. Security and compliance are top priorities for Popl because they are fundamental to customers’ trust with our service. Popl is committed to securing the customer data, eliminating systems vulnerability, and ensuring continuity of service. Popl uses a variety of best practices, along with industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.

This Data Protection Regulation Addendum (“Data Protection Addendum”) is part of the Terms of Service available at, or, if applicable, any other separate written agreement (“Services Agreement”), by and between Popl Co., a Delaware corporation (“Company”) and Customer named in Services Agreement, that Customer has subscribed to use services as specified in Services Agreement. The parties agree this Data Protection Agreement is an extension of Services Agreement and as an extension, Data Protection Agreement will outline certain requirements for Company’s processing of certain personal data provided or made available by Customer, or collected, or otherwise obtained by Company, in the course of providing services to Customer.

Table of Contents

1. Definitions
2. Scope
3. Protection
4. Incidents
5. Appendix 1: Subject Matter and Details of the Data Processing
6. Appendix 2: Technical and Operational Security Policies and Practices
7. Appendix 3: List of Subprocessors

1 Definitions

1.1 “Data Protection Laws” means all applicable laws relating to privacy and the processing of personal data that may exist in any relevant jurisdiction where Company conducts business. Data Protection Law includes, where applicable, European Data Protection Laws and Non- European Data Protection Laws (as defined below).

1.1.1  “European Data Protection Laws” means all data protection laws and regulations applicable to European Economic Area and its member states (“EEA”), Switzerland and the United Kingdom (“UK”), including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).

1.1.2  “Non-European Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Laws (“LGPD”), Federal Law no. 13,709/2018; and the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”).

1.2 “Quality Industry Practice” means, in relation to any activity and under any circumstance, exercising the same skill, expertise and judgement and using facilities and resources of a similar or superior quality as would be expected from a person who:

(a) Is skilled and experienced in providing the services in question, seeking in good faith to comply with his contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply;
(b) Takes all proper and reasonable care and is diligent in performing his obligations; and
(c) Complies with all applicable laws and any applicable industry standards including any recognized industry quality standards and applicable law.

1.3 “Standard Contractual Clauses” mean the model controller-to-processor contract for the transfer of personal data to third countries issued by the European Commission on the basis of Article 26(4) of Directive 95/46/EC pursuant to Decision 2010/87/EU.

1.4 The terms “Appropriate Technical and Organizational Measures”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Subprocessor”, have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and “process”, “processes" and “processed”, with respect to any personal data, shall be interpreted accordingly.

2 Scope

2.1 Roles: The parties agree that, as between the parties, Customer is a Data Controller and that Company is a Data Processor in relation to personal data that Company processes on behalf of Customer in the course of providing the services under Services Agreement (“Services”).

2.2 Categories: The subject-matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to that necessary to carry out Services described in, Service Agreement. The categories of data subjects and personal data are set forth on Appendix 1 hereto.

2.3 Duration: Processing will be carried out until the date Company ceases to provide Services to Customer.

3 Protection

Regarding personal data processed in the course of providing Services, Company will adhere to the following requirements:

3.1 Instructions: Company will process the personal data only in accordance with the written instructions from Customer and only in compliance with Data Protection Laws. Such instructions may be specific or of a general nature as set out in this Data Protection Agreement, the Services Agreement, or as otherwise notified by Customer to Company in writing from time to time. The nature and purposes of the processing shall be limited to that necessary to carry out such instructions, and not for Company's own purposes, or for any other purposes except as required by law. If Company is required by law to process the personal data for any other purpose, Company will inform Customer of such requirement prior to the processing unless prohibited by law from doing so.

3.2 Extent: Company will process the personal data only to the extent, and in such manner, as is necessary for the provision of Services. Company may only correct, delete or block the personal data processed on behalf of Customer as and when instructed to do so by Customer.

3.3 Measures: Company will implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures will consider the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Laws and Quality Industry Practice. Such measures shall include, as appropriate:

3.3.1  Encryption and pseudonymization of personal data;

3.3.2  Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

3.3.3  Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

3.3.4. Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

3.4  Access: Company will not give access to or transfer any personal data to any third party (including any affiliates, group companies or subcontractors) without giving Customer prior notice and an opportunity to object to Customer via an update to; notwithstanding the foregoing, the sub-contractors listed on as of the date of this Data Protection Agreement are deemed pre-approved by Customer, subject to the conditions contained herein. Where Customer does not object in good faith on grounds related to data protection to Company engaging a subcontractor to carry out any part of Services, Company must ensure the reliability and competence of such third party, its employees or agents who may have access to the personal data processed in the provision of Services, and must include in any contract with such third party provisions in favor of Customer which are substantially equivalent to those in this Data Protection Agreement and Service Agreement and as are required by applicable Data Protection Laws. For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Laws, Company will remain fully liable to Customer for the fulfilment of its obligations under this Data Protection Agreement and the Services Agreement.

3.5 Personnel: Company will take reasonable steps to ensure the reliability and competence of any Company personnel who have access to the personal data. Company will ensure that all Company personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this Data Protection Agreement.

3.6 Obligations: Company will take all reasonable steps to assist Customer in meeting Customer’s obligations under applicable Data Protection Laws, including Customer’s obligations to respond to requests by data subjects to exercise their rights with respect to personal data, adhere to data security obligations, respond to data breaches and other incidents involving personal data, conduct data protection impact assessments, and consult with supervisory authorities. Company will promptly inform Customer in writing if it receives:

(i) a request from a data subject concerning any personal data; or
(ii) a complaint, communication, or request relating to Customer’s obligations under Data Protection Laws.

3.7 Retention: Company will not retain any of the personal data for longer than is necessary to provide the Services. At the end of Services, or upon Customer's request, Company will securely destroy or return (at Customer’s election) the personal data to Customer.

3.8 Location: Regarding personal data related to data subjects located in the European Economic Area, Customer hereby gives consent to the processing of such personal data in the United States by Company, provided that

3.8.1 Company will take such steps as may reasonably be required by Customer on an ongoing basis to ensure there is adequate protection for such personal data in accordance with applicable Data Protection Laws; and

3.8.2 Company will process such data in accordance Standard Contractual Clauses. For the purposes of the descriptions in Standard Contractual Clauses and only as between Customer and Company, Customer agrees that Customer is a data controller and "data exporter" and Company is the data processor and "data importer". Additionally, Appendixes 1 and 2 of this Data Protection Agreement will take the place of Appendixes 1 and 2 of Standard Contractual Clauses, respectively.

3.9 Audit: Company will allow Customer and its respective auditors or authorized agents to conduct reasonable audits and inspections during the term of Services Agreement, solely to allow Customer to verify that Company is processing personal data in accordance with its obligations under this Data Protection Agreement, Services Agreement, and applicable Data Protection Laws.

4 Incidents

4.1 Response: If Company becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Company in the course of providing Services under Services Agreement (a “Security Incident”), then Company will:

4.1.1  Without undue delay, and in any event no later than sixty (60) hours from becoming aware of the Security Incident, notify Customer and provide Customer with:

(i) a detailed description of the Security Breach;
(ii) the type of data that was the subject of the Security Breach;
(iii) the identity of each affected person, and
(iv) the steps Company takes in order to mitigate and remediate such Security Breach, in each case as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Customer may reasonably request relating to the Security Incident); and

4.1.2  Immediately act, at Company’s own expense, to investigate the Security Incident and to identify, prevent and mitigate the effects of the Security Incident and, with the prior written approval of Customer, to carry out any recovery or other action necessary to remedy the Security Incident.

4.2 Laws: Company shall comply at all times with, and assist Customer in complying with its applicable obligations under, Data Protection Laws. Company shall provide any information requested by Customer to demonstrate compliance with the obligations set out in this Data Protection Agreement. Company will not perform its obligations under the Services Agreement or this Data Protection Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Laws.

4.3 Infringement: Company will notify Customer immediately if, in Company's reasonable opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Laws.

5 Appendix 1: Subject Matter and Details of the Data Processing

5.1 Data Exporter
The data exporter is Customer.

5.2 Data Importer
The data importer is Company, Inc. 

5.3 Data Subjects
The personal data transferred concern the following categories of data subjects

5.3.1 Customer

Individual contacts of Customer and any other data subjects whose data may be processed from time to time pursuant to Service Agreement and this Data Protection Agreement.

5.4 Categories of data

5.4.1 The personal data transferred concern the following categories of data:

5.4.2 First and last name

5.4.3 Email address

5.4.4 Telephone number

5.4.5 Mailing or other address information IP address

5.4.6 IP address

5.4.7 Headshots and other images

5.4.8 Social media usernames and links

5.4.9 Date of birth

5.4.10 Job Title

5.4.11 Company Name

5.4.12 Gender pronoun choice 

5.5 Processing operations
The personal data transferred will be subject to those described in Services Agreement.


6 Appendix 2: Technical and Operational Security Measures

Company adopts an Information Security Management Systems (ISMS) as a framework for continuous improvement of security. This ISMS includes (but is not limited to):

6.1 Policies: Company has and periodic reviews the Information Security Policies as the major guidelines for security practices. This includes Risk Management, Data Classification, Access Control, Software Development and Data Breaches.

6.2 Awareness: Awareness on security and compliance is fundamental and provided to all users. Some users may have additional specific awareness, relevant for their function.

6.3 Access control: Access is granted on a need-to-know basis and only a small number of users can access production systems where information from Customers is stored. Authentication to production systems is made with 2-factor Authentication as a standard.

6.4 Logging: Relevant audit logs are maintained, including access to sensitive information (including personal data). The logs are kept in separate infrastructure and only accessed by Security team.

6.5 Breaches: Processes are defined to handle Data Breaches. These processes include notification to relevant stakeholders, according to type of incident and applicable laws.

6.6 Network Security: Company implements several security measures to protect its infrastructure from external and internal threats. This includes encryption, firewalls, IDS, and other cloud provider specifics. Access to production systems is made in secure mode and encryption in transit is a default. Sensitive information is also encrypted at rest.

6.7 Physical Security: Company uses data centers managed by cloud providers and delegates all physical security to them, after a due diligence.

6.8 Business Continuity: Company has several technical implementations to assure business continuity of its service. Those include backups, resilient and redundant infrastructure, and a Disaster Recovery Plan.

6.9 Development: Development is made using a secure development methodology that includes peer review and secure coding and testing.

6.10 Improvement: Company security position is based on a continuous improvement process that includes periodic review of security controls effectiveness.

7 Appendix 3: List of Subprocessors

Company uses certain subprocessors to assist it in providing to Services under Service Agreement. Defined terms used herein will have the same meaning as defined in Service Agreement.

A subprocessor is a third-party data processor engaged by Company who has or potentially will have access to, or process customer information (which may contain personal data). Company engages subprocessors to perform various functions as explained in the table below. You can see a list of all Popl subprocessors here.