Updated on January 25, 2022
This Data Privacy Addendum (“Addendum”) supplements the License and Services Agreement (“License”) of the “Perse” product (“Perse API/SDK”), developed by Cyberlabs Produtos e Serviços Tecnológicos S.A., registered with CNPJ No. 28.487.683/0001-72 (“Processor” or “Perse”), including trial versions (“Beta” and/or “Free Use”), and is an integral part of the License between Licensor and the entity using the Perse API/SDK (“Licensee” or “Controller”).
All capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the License.
Whereas Perse develops, markets and licenses Perse, designed to provide identity verification, through biometrics, of a user of Licensee’s products or services, and whereas Licensee wishes to obtain a license to install, access and use Perse, now therefore the Parties agree to the following:
1. Definitions. For purposes of this Addendum:
a. “Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control by a Party. For purposes of the preceding sentence, “control” means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.
b. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, if Perse’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
c. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
d. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in relation to the License.
e. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
g. “Standard Contractual Clauses” (or “SCCs”) refers to one or both of the following, as the context requires:
i. For Personal Data subject to UK Data Protection Law, the “2010 Standard Contractual Clauses,” defined as the clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec/2010/87/2016-12-17, shall apply, until such time as the UK adopts the 2021 Standard Contractual Clauses, in which case the 2021 Standard Contractual Clauses shall apply and all references to governing law, venue, and supervisory authorities will be deemed to fall under UK Data Protection Law; and
ii. For Personal Data subject to the GDPR, the “2021 Standard Contractual Clauses,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj.
2. Scope and Purposes of Processing.
a. Perse will Process Personal Data solely: (1) to fulfill its obligations to Licensee under the License, including this Addendum; (2) on Licensee’s behalf pursuant to Licensee’s instructions; and (3) in compliance with Data Privacy Laws. Perse will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein.
b. During the period of this Addendum, in the context of any processing of Personal Data performed, each Party shall (a) comply with all applicable Data Privacy Laws; and (b) implement sufficient technical and organizational security procedures and measures to preserve the security and privacy of personal data processed pursuant to this Addendum.
c. Licensee acknowledges and agrees that it has an obligation to take the necessary measures in accordance with Applicable Data Privacy Laws to notify data subjects in advance that their information may be used, stored, or processed by Perse, for the provision of resources and functionalities necessary and sufficient for the management of biometric identification (identification of the face or voice, through artificial intelligence algorithms), and agrees to provide any relevant notification of Processing or consent provided by Perse to data subjects in accordance with the requirements included in Exhibit D.
3. Personal Data Processing Requirements. Perse will:
a. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Upon Licensee’s written request, assist Licensee in the fulfilment of Licensee’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data), at Licensee’s reasonable expense.
c. Promptly notify Licensee of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Perse’s Processing of Personal Data on Licensee’s behalf, unless prohibited by Data Privacy Laws. Perse will provide Licensee with reasonable cooperation and assistance in relation to any such request. If Perse is prohibited by applicable Data Privacy Laws from disclosing the details of a government request to Licensee, Perse shall inform Licensee that it can no longer comply with Licensee’s instructions under this Addendum, without providing more details, and await Licensee’s further instructions. Perse shall use all available legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.
d. Provide reasonable assistance to and cooperation with Licensee for Licensee’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Privacy Laws, and at Licensee’s reasonable expense.
e. Provide reasonable assistance to and cooperation with Licensee for Licensee’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Perse under Data Privacy Laws to consult with a regulatory authority in relation to Perse’s Processing or proposed Processing of Personal Data.
4. Data Security. Perse will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit B.
5. Security Breach. Perse will notify Licensee promptly of any known Security Breach and will assist Licensee in Licensee’s compliance with Licensee’s Security Breach-related obligations, including without limitation, by:
a. Taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
b. Providing Licensee with the following information, to the extent known:
i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
ii. The likely consequences of the Security Breach; and
iii. Measures taken or proposed to be taken by Perse to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Subprocessors.
a. Licensee acknowledges and agrees that Perse may use Affiliates and other subprocessors to Process Personal Data in accordance with the provisions within this Addendum and Data Privacy Laws. Where Perse sub-contracts any of its rights or obligations concerning Personal Data, including to any Affiliate, Perse will take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Privacy Laws. Perse’s current subprocessors are set forth in Exhibit C (the “Subprocessor List”).
b. If Perse Processes Personal Data on Licensee’s behalf that is subject to the applicable Data Privacy Laws in the EEA, UK, and/or Switzerland: (1) Licensee hereby consents to Perse’s use of such subprocessors; (2) Perse will maintain an up-to-date list of its subprocessors and will provide Licensee with notice of at least 20 days (which may be provided through email to Licensee’s administrator’s email address that was communicated to Perse, or such other reasonable means) of any new subprocessor added to the list; (3) in the event Licensee objects to a new subprocessor due to a reasonable belief that the subprocessor cannot provide the level of protection required under this Addendum, Perse will use reasonable efforts to make available to Licensee a change in the services, or to recommend a commercially reasonable change to Licensee’s use of the services, to avoid Processing of Personal Data by the objected-to subprocessor without unreasonably burdening Licensee; and (4) Licensee may, in Licensee’s sole discretion, terminate the License upon reasonable prior notice in the event that Licensee continues to reasonably object to a subprocessor and Perse is unable to make reasonable modifications to accommodate such objection.
7. Data Transfers and Additional Safeguards.
a. Perse will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Privacy Laws. Where Perse engages in an onward transfer of Personal Data, Perse shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
b. To the extent legally required, Licensee and Perse are deemed to have signed the 2021 Standard Contractual Clauses, which form part of this Addendum and (except as described in Section 7(d) below) will be deemed completed as follows:
i. Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Licensee (as a controller) to Perse (as a processor);
ii. Clause 7 (the optional docking clause) is included;
iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Exhibit C of this Addendum and Perse shall propose an update to that list at least 20 days in advance of any intended additions or replacements of sub-processors in accordance with Section 6(b) of this Addendum;
iv. Under Clause 11 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the law of Ireland;
vi. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
vii. Annex I(A) and I(B) (List of Parties) is completed as set forth in Exhibit A of this Addendum;
viii. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ix. Annex II (Technical and organizational measures) is completed with Exhibit B of this Addendum; and
x. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.
c. For Personal Data about individuals located in the UK, and other Personal Data for which Licensee is subject to UK Data Protection Law, to the extent required under UK Data Protection Law, the signatories to the Agreement are deemed to have signed the 2010 Standard Contractual Clauses (including its Appendices), which collectively form part of this Addendum and will be deemed completed as follows:
i. The “exporter” is Licensee.
ii. The “importer” is Perse.
iii. Where Clause 9 of the 2010 Standard Contractual Clauses requires specification of the law that governs the 2010 Standard Contractual Clauses, the Parties select the law of the United Kingdom.
iv. The “illustrative indemnification clause” labeled “optional” is deemed stricken from the 2010 Standard Contractual Clauses.
v. Appendices 1 and 2 of the 2010 Standard Contractual Clauses are deemed completed with the information set forth in Exhibits A and B of this Addendum, respectively.
d. For transfers of Personal Data that are subject to the FADP, the 2021 Standard Contractual Clauses form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the 2021 Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; and (3) the relevant supervisory authority with respect to transfers from Switzerland is the Swiss Federal Data Protection and Information Commissioner.
e. Supplementary Measures. In addition to the obligations under Sections 7(a)-(d), if and to the extent that the Parties will engage in cross-border Processing of Personal Data or will transmit, directly or indirectly, any Personal Data to a country outside of the country from which such Personal Data was collected (including without limitation transfers of Personal Data outside of the EEA, Switzerland or the UK), the Parties agree to the following supplementary measures:
i. The obligations in Section III of the 2021 Standard Contractual Clauses (Local laws and obligations in case of access by public authorities) shall form part of this Addendum with respect to Personal Data subject to UK Data Protection Law, regardless of whether the rest of the 2021 Standard Contractual Clauses apply to any Personal Data;
ii. All Personal Data shall be encrypted both in transit and at rest using state of the art encryption technology that is robust against the performance of cryptanalysis;
iii. Perse warrants and represents that, as of the date of the License, it has not received any national security data production orders (e.g., pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“FISA Section 702”) or U.S. Presidential Policy Directive 28);
iv. Perse will use all reasonable legal mechanisms to challenge any demands for data access through the national security process that Perse receives; and
v. Perse will provide, up to once per calendar year upon Licensee’s request, a transparency report indicating the types of binding legal demands for the Personal Data it has received, including national security orders and directives.
8. Audits. Perse will make available to Licensee all reasonable information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by Licensee or another auditor mandated by Licensee, provided that such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, and, to the extent Perse’s personnel are required to cooperate therewith, during Perse’s normal business hours.
9. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Perse will, at Licensee’s choice and upon Licensee’s written request, return to Licensee and/or securely destroy all Personal Data upon such request or at termination of the License within thirty (30) days of the date of termination. Except to the extent prohibited by Data Privacy Laws, Perse will inform Licensee if it is not able to return or delete the Personal Data.
10. Survival. The provisions of this Addendum survive the termination or expiration of the License for so long as Perse or its subprocessors Process the Personal Data.
11. Conflict. In the event of a conflict between this Addendum and the License, the terms of this Addendum shall prevail.
12. Changes to this Addendum. Perse reserves the right to modify this Addendum from time to time after notice to Licensee (by email or by posting a notice on the online platform page where Licensee accesses its Perse account or on the online platform page where Licensor makes this Addendum available); if Licensee does not agree to the modified Addendum, Licensee’s sole remedy will be to terminate this Addendum by providing notice to Perse. Any use of or access to Perse in any way following notice of modification to this Addendum will constitute acceptance of the Addendum as amended. If any part of this Addendum is found to be unenforceable for any reason, that part shall be reformed only to the extent necessary to enforce it.
Exhibit A – ANNEX I
A. LIST OF PARTIES
Data exporter(s): The data exporter is a user of the importer’s services pursuant to their underlying License. The data exporter acts as a controller with respect to its own personal data. The entity that electronically accepts the License shall be deemed to have also electronically signed and agreed to this Addendum and the SCCs.
Data importer(s): Cyberlabs Produtos e Serviços Tecnológicos S.A. The data importer acts as the exporter’s processor and is deemed to have signed this Addendum and the SCCs upon the data exporter’s electronic acceptance of the Addendum and SCCs.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The personal data transferred concern data subjects residing in the European Economic Area, the United Kingdom and Switzerland.
Categories of personal data transferred: The personal data transferred concern the following categories of data (please specify): Data Exporter may transfer Personal Data to Perse, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, and is not limited to the following categories of personal data:
- Biometric information, as necessary and sufficient for Perse’s use in biometric identification of the data subject’s face or voice, through artificial intelligence algorithms;
- Basic identifiers (e.g., name, address, phone number) in the event that a data subject contacts Perse for assistance.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The personal data transferred concerns the following special categories: Biometric information, which is collected and stored in accordance with Perse’s information security policies and procedures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.
Nature of the processing: Perse’s Processing activities shall be limited to those discussed in the License and this Addendum.
Purpose(s) of the data transfer and further processing: The objective of the transfer and further processing of personal data by Perse is the access and use of Perse.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data will be retained for the period of time necessary to provide Perse to Licensee under the License, this Addendum, and/or in accordance with applicable legal requirements and the Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent such information is provided to subprocessors for purposes of providing Perse.
C. COMPETENT SUPERVISORY AUTHORITY
See Section 7(b)(viii) of this Addendum.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Perse shall comply with Exhibit B to the Addendum.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
Perse shall require its subprocessors to take appropriate technical and organizational measures to provide assistance to the controller and/or data exporter that are no less restrictive than those in Exhibit B.
Exhibit B – PERSE DATA SECURITY MEASURES
Perse will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
Perse’s Information Security Program includes specific security requirements for its personnel and all subprocessors or agents who have access to Personal Data (“Data Personnel”). Perse’s security requirements cover the following areas:
1. Information Security Policies and Standards. Perse will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
2. Physical Security. Perse will maintain commercially reasonable security systems at all Perse sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
3. Organizational Security. Perse will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
4. Network Security. Perse maintains commercially reasonable information security policies and procedures addressing network security.
5. Access Control. Perse agrees that: (1) only authorized Perse staff can grant, modify or revoke access to an information system that Processes Personal Data; and (2) Perse will implement commercially reasonable physical and technical safeguards to create and protect passwords.
6. Virus and Malware Controls. Perse protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
7. Personnel. Perse has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
8. Business Continuity. Perse implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Perse also adjusts its Information Security Program in light of new laws and circumstances, including as Perse’s business and Processing change.
Exhibit C – Subprocessor List
| Sub-processor | Purpose of Processing | Location of Processing |
|---|---|---|
| Amazon Web Services | Cloud Computing Services | United States |
Exhibit D – User Consent Acknowledgment
Licensee hereby agrees that it will take the following steps before providing Personal Data to Perse, and that Perse will understand that any Personal Data provided by Licensee to Perse for Processing pursuant to Licensee’s instructions has met these requirements. Specifically, Licensee shall:
1. Obtain legally valid consent in accordance with applicable Data Privacy Laws to provide individuals’ unique images or voice to Perse, and such consent shall provide clear disclosures to such individuals that their images or voices will be shared with Licensee’s processor, Perse, which will perform identity verification services based on the creation and analysis of biometric information;
2. Retain records of each consent obtained from an individual, including records of the consent process and related disclosures, and provide such records to Perse upon request; and
3. Provide clear instructions to individuals regarding how they can withdraw their consent at any time.