MAD CURVE DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) to the Terms of Service (“Agreement”) is entered into between Horizon Labs (hereinafter “Horizon Labs”, “we”, “us” or “our”), and you, the Customer of the Services under the Agreement (hereinafter “Customer”, “you” or “your”) with respect to all the information that the Customer submits or collects via the Services. This Addendum is supplemental to, and forms an integral part of, the Agreement and is effective upon incorporation into the Agreement.

In case of any conflict or inconsistency with the terms of the Agreement, this Addendum, will take precedence over the terms of the Agreement.

All terms not otherwise defined in this Addendum, shall have the same meaning as in the Agreement, and their cognate term shall be construed accordingly.

The term of this Addendum will follow the term of the Agreement.

1. DEFINITIONS

“California Personal Information” means Personal Data that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

“EU Personal Data” means the Personal Data that is subject to the protection of the GDPR.

“GDPR” means the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and applicable national law implementing the GDPR, or in any subsequent superseding legislation.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA; in each case as amended, repealed, consolidated or replaced from time to time.

“Data Subject” means the individual to whom the Personal Data relates.

“Customer Data” means all information that you submit or collect via the Services including End Users’ Data.

“Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within the Customer Data; and (ii) is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Standard Contractual Clauses” or “SCC” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 as may be amended, superseded or replaced available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.

“Sub-Processor” means any Processor engaged by Horizon Labs to assist in fulfilling our obligations with respect to the provision of the Services. Sub-Processors may include third parties but will exclude any Horizon Labs employee or consultant.

The terms, “Controller”, “Personal Data Breach”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

The terms, "Business", "Sell" and "Service Provider" will have the meanings given to them in the CCPA.

2. CUSTOMERS RESPONSIBILITIES

2.1.Customer’s Instructions. The Customer hereby commissions, authorises and instructs Horizon Labs to provide the Services and for this purpose to Process the Personal Data in accordance with the Agreement (including this Addendum) and Data Protection Law. The instructions provided by the Customer under the Agreement and this Addendum constitute the full instructions to Horizon Labs with regard to the Processing of the Personal Data. The Customer may provide additional instructions during the term of the Agreement that are consistent with the Agreement and the lawful use of the Services. The Customer acknowledges that Horizon Labs will not be responsible for compliance with the Data Protection Law applicable to the Customer but not generally applicable to Horizon Labs.

2.2.Compliance with Data Protection Law. The Customer shall comply with the Data Protection Law regarding the Processing of the Personal Data and any instructions addressed to us. The Customer acknowledges and agrees that the Customer shall be solely responsible for complying with all necessary transparency and lawfulness requirements under the Data Protection Law. The Customer shall establish, abide by and communicate a privacy notice to the Data Subjects, as may be necessary under the Data Protection Law, explaining, among others, the Processing of the Personal Data carried out by Horizon Labs on behalf of the Customer; and substantiate the legal basis under the Data Protection Law for obtaining and Processing the Personal Data as carried out by Horizon Labs on behalf of the Customer.

2.3.Security. The Customer is responsible for (a) independently determining whether the data security provided for by Horizon Labs with regard to the Services adequately meets your obligations under the Data Protection Law, and for (b) the Customer’s secure use of the Services, including protecting the security of the Personal Data in transit to and from Horizon Labs (including to securely backup or encrypt any such Personal Data).

3. HORIZON LABS RESPONSIBILITIES

3.1.Compliance with Customer’s Instructions. Horizon Labs will Process the Personal Data in accordance with the Agreement (including this Addendum), the Customer’s instructions and the Data Protection Law.

3.2.Compliance with Data Protection Law. Horizon shall comply with the Data Protection Law applicable to Horizon Labs regarding the Processing of the Personal Data. If Horizon Labs become aware that any Processing of the Personal Data under the Customer’s instructions is in contradiction with the applicable Data Protection Law, Horizon Labs will notify the Customer about it and Horizon Labs will, if and to the extent necessary, cease all Processing and shall be entitled to cease the Services until the updated instructions will be received from the Customer.

3.3.Security. Horizon Labs shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate in accordance with applicable Data Protection Law as described in Annex 2 to the Agreement. In assessing the appropriate level of security, Horizon Labs shall take account in particular of the risks that are presented by Processing of the Personal Data, in particular from a Personal Data Breach. Notwithstanding anything to the contrary, Horizon Labs may change any security measures it applies to the extent such new measures comply with the applicable Data Protection Law.

3.4.Confidentiality. Horizon Labs shall ensure that any personnel authorised by Horizon Labs to access and Process the Personal Data, will be subject to confidentiality obligations in accordance with applicable Data Protection Law.

3.5.Personal Data Breach. Horizon Labs shall notify the Customer without undue delay upon Horizon Labs becoming aware of a Personal Data Breach affecting the Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Law. Horizon Labs shall cooperate with the Customer and take reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach. Horizon Labs shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Personal Data by, and taking into account the nature of the Processing and information available to, any Sub-processor.

3.6.Deletion or return of Personal Data. Horizon Labs shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of the Customer Data (“Cessation Date”), delete and procure the deletion of all copies of the Customer Data including the Personal Data unless Horizon Labs is required by applicable law to retain some or all the Customer Data or where we have archived the Customer Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices.

3.7.Data Subjects Rights. Taking into account the nature of the Processing, Horizon Labs shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Horizon Labs, to respond to requests to exercise Data Subject rights under the Data Protection Law. Horizon Labs shall promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of the Personal Data; and ensure that it does not respond to that request except on the documented instructions of the Customer or as required by the Data Protection Law to which Horizon Labs is subject, in which case Horizon Labs shall to the extent permitted by the Data Protection Law inform the Customer of that legal requirement before respond to the request.

3.8.Sub-Processors. The Customer agrees that Horizon Labs may engage Sub-Processors to Process the Personal Data on behalf of the Customer. The list of Sup-Processors appointed by Horizon Labs is set in Annex No. 3 to this Addendum. Any updates to this list will be emailed to the Customer 10 days in advance. Horizon Labs will engage only those Sub-Processors that provide at least the same level of protection for the Personal Data as provided by this Addendum (including by the Standard Contractual Clauses), to the extent applicable to the services provided by such Sub-Processors to Horizon Labs. Horizon Labs will remain responsible for each Sub-Processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-Processor that cause Horizon Labs to breach any of its obligations under this Addendum.

3.9.Data Transfers. The Customer acknowledges and agrees that Horizon Labs may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement In particular, the Personal Data may be transferred to and Processed by in the jurisdictions where Sub-Processors are incorporated and operate. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfer is made in compliance with the requirements of the Data Protection Law.

4. PROCESSING WITH REGARD TO THE GDPR

These provisions will apply in addition to those set forth in section 2 and 3 of the Addendum with regard to the EU Personal Data.

4.1.Roles. The parties agree that with regard to the Processing of the EU Personal Data, the Customer acts as a Controller and Horizon Labs acts as a Processor.

4.2.Instructions. If Horizon Labs becomes aware that the instructions with regard to the Processing of the EU Personal Data infringe the GDPR, we will promptly notify you.

4.3.Objection to Sub-Processors. The Customer shall be entitled to object to the engagement of new Sub-Processors within 10 days from the data of the receipt of the notice in accordance with clause 3.8 hereof and Horizon Labs and the Customer shall discuss in good faith all Customer’s concerns with regard to such new Sub-Processor. If no agreement can be reached, Horizon Labs will at its sole discretion: (a) refuse such new appointment, or (b) allow the Customer to terminate the Services without liability to either party in accordance with the Agreement but due to the payment of any Fees for the period before such termination. The parties agree that by complying with this sub-section, Horizon Labs fulfils its obligations under Sections 9 of the Standard Contractual Clauses.

4.4.Sub-Processors Agreements. For the purposes of clause 9(c) of the Standard Contractual Clauses: the Customer acknowledges and agrees that Horizon Labs may be restricted from disclosing Sub-Processor agreements but it will use reasonable efforts to require any Sub-Processor to permit the disclosure of such agreement to the Customer and will provide (on a confidential basis) all information Horizon Labs reasonably is reasonable entitled to provide.

4.5.Data Protection Impact Assessments and Consultation with Supervisory Authorities.To the extent that the required information is reasonably available to Horizon Labs, and the Customer does not otherwise have access to the required information, Horizon Labs will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required by the GDPR.

4.6.Data Transfer. If you are situated in a country outside the European Union (EU) and the European Economic Area (EEA) and your Processing of the Personal Data is not subject to the GDPR, the Standard Contractual Clauses shall be incorporated by reference and form part of this Agreement as follows:

For the purposes of the Agreement, only the modular sections in Module 4 (Processor-Controller) shall apply, in addition to all general sections, subject to the following:

• The optional clause 7 “Docking clause” shall not apply.
• The certification of deletion required by Clause 8.1(d) of the SCCs will be provided upon your written request;
• The assistance Horizon Labs is required to provide under Clause 8.2(b) of the SCCs is that assistance required of Hotjar under the applicable law under the Terms of Service
• The audit described in Clause 8.3(b) of the SCCs will be carried out in accordance with the Terms of Service
• The optional paragraph in Clause 11 (a) “Redress” shall not apply
• With regard to Clause 17 “Governing Law”, the “Governing Law and Jurisdiction” clause 13 of the Terms of Service shall apply
• With regard to clause 18 “Choice of Forum and Jurisdiction”, any dispute arising from the SCCs shall be resolved by the courts of Cyprus.
• With regard to Annex I A. Horizon Labs shall be the “data exporter” acting as a “processor” and you shall be the “data importer” acting as a “controller”
• With regard to Annex B. “Description of the transfer” - the categories described in our Privacy Policy shall be Processed.

4.7.Demonstration of Compliance. Horizon Labs will provide the Customer with all information reasonably necessary to demonstrate compliance with this Addendum and cooperate with regard to audits, including inspections conducted by the Customer or its authorised auditor in order to assess compliance with this Addendum. The Customer acknowledges and agrees that the Customer will exercise audit rights under this Addendum and clause 8.9 of the Standard Contractual Clauses by instructing Horizon Labs to comply with the audit measures described in this 'Demonstration of Compliance' section. At the Customer’s written request, Horizon Labs will provide written responses (on a confidential basis) to all reasonable requests for information necessary to confirm Horizon Labs’s compliance with this Agreement, provided that the Customer will not exercise this right more than once per calendar year unless the Customer has reasonable grounds to suspect non-compliance with the Addendum.

5. PROCESSING WITH REGARD TO CCPA

This section applies to in addition to those set forth in section 2 and 3 of the Addendum with regard to the Processing of California Personal Information.

5.1.Roles. Horizon Labs and the Customer acknowledge and agree that Horizon Labs is a Service Provider and the Customer is a Business.

5.2.Responsibilities. The parties agree that Horizon Labs will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services under the Agreement or as otherwise permitted by the CCPA, including as described in our Privacy Policy. Horizon Labs does not Sell California Personal Information to any third parties.

ANNEX NO. 1 – DETAILS OF PROCESSING

A. LIST OF PARTIES

Data exporter:

Name: The Customer, as defined in the Terms of Service available at https://madcurve.com/legal/terms-of-service and as set forth in the Subscription Order.

Address: The Customer's address, as set out in the Subscription Order and/or the Account.

Contact person’s name, position and contact details: The Customer's contact details, as set out in the Subscription Order and/or as set out in the Account.

Activities relevant to the data transferred under these Clauses: Processing of the Customer Data in connection with the Customer's use of the Services under the Agreement.

Role (controller/processor): Controller.

Data importer:

Name: Horizon Labs

Address: Aigaiou 83, Flat/Office 104, Lakatamia, 2302, Nicosia, Republic of Cyprus.

Contact person’s name, position and contact details: Panagiota Stefani, Director, privacy@madcurve.com

Activities relevant to the data transferred under these Clauses: Processing of the Customer Data in connection with the Customer's use of the Services under the Agreement

Role (controller/processor): Processor 

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is Transferred

You may submit the Personal Data in the course of using the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Your contacts including your employees, end users, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.

Categories of Personal Data Transferred

The categories described in our Privacy Policy.

Sensitive Data transferred and applied restrictions or safeguards

The parties do not anticipate the transfer of sensitive data.

Frequency of the transfer

Continuous

Nature of the Processing

The Personal Data will be Processed in accordance with the Agreement (including this Addendum) and may be subject to the following Processing activities:

(1) Storage and other Processing necessary to provide, maintain and improve the Services provided to the Customer; and/or

(2) Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose of the transfer and further processing

Horizon Labs will Process the Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Subscription Order, and as further instructed by you in your use of the Services.

Period for which Personal Data will be retained

Subject to the section 3.6 of the Addendum, Horizon Labs will Process the Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the Supervisory Authority that will act as competent supervisory authority will be determined in accordance with GDPR.

ANNEX NO. 2 – SECURITY MEASURES

• Managing database access privileges and imposing restrictions on those with access privileges. This includes maintaining an updated list of users authorized to access the database, according to the various access privileges.
• Having its staffer who are authorized users of the data importer execute an undertaking of confidentiality and obligations.
• Employing appropriate security measures, commensurate with the sensitivity of the information, to prevent inadvertent or deliberate system intrusion beyond the scope of a user’s access privileges.
• Detecting information integrity breaches and handling such breaches.
• Developing measures to give the data exporter greater control over the various data processing settings.
• Establishing procedures to have the data deleted from the data importer’s systems at the end of the engagement.

ANNEX NO. 3 – LIST OF SUB-PROCESSORS