Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is an integral part of Fireberry's Terms of Service, available at www.fireberry.com/legal/terms-of-service, or any other written or electronic agreement governing the use of Fireberry's Services, Sites, and Additional Services (as defined in Fireberry's Terms of Service and/or in any applicable agreement) ("Agreement") between Fireberry Customer (collectively referred to herein as: "you", "your", "Customer") (as defined in the Agreement), and Fireberry LTD ("us", "we", "Fireberry", "our"). This DPA shall govern Fireberry's processing of Personal Data on behalf of the Customer, reflecting both parties' agreement on such processing as described herein. In this DPA, the term "Parties" refers to both parties collectively, and "Party" refers to each individually.

In the event of any conflict between this DPA and any other agreement between you and Fireberry, this DPA shall prevail over the conflicting provisions, but only within the scope of Personal Data Processed by Fireberry on behalf of the Customer.

When using Fireberry's Services, Sites, and/or Additional Services, Fireberry Customer agrees to accept this DPA, and the Customer shall comply with this DPA to the fullest extent. You hereby assert and confirm that by using Fireberry's Services, Sites, and/or Additional Services, you have the legal authority to bind your employer, or any other legal entity you represent (i.e., Fireberry Customer), to this DPA.

If you cannot comply with this DPA, lack the authority to bind your employer or the entity you represent, or choose not to comply, you must not provide any Personal Data to Fireberry, nor should you upload, submit, or otherwise transmit Personal Data to Fireberry's Services and Sites.

Capitalized terms not defined herein shall have the same meanings ascribed to them in the Agreement.

1. Definitions

1.1. The terms, "Processing" and "Process", "Controller", "Member State", "Processor", and "Supervisory Authority" shall have the same meaning as in the GDPR.
1.2. "Customer Data" means any images, reports, personal information, data, files, attachments, or any other content transmitted, submitted, or uploaded by Customer and/or by Customer's Users through the Fireberry Service and/or Sites.
1.3. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, each as amended or superseded from time to time.
1.4. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Regulation).
1.5. "Data Protection Laws and Regulations" means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Israel, Canada, Switzerland, the United Kingdom and the United States of America, as applicable to the Processing of Personal Data under the Agreement, including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
1.6. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under control of the subject entity. "Control" for purposes of this definition, means direct or indirect ownership of more than 50% of the voting interests of the subject entity.
1.7. "Authorized Affiliate" means any of the Customer's Affiliates that is explicitly permitted to use the Service pursuant to the Agreement between the Customer and Fireberry but has not signed its own agreement with Fireberry and is not a "Customer" as defined under the Agreement.
1.8. "Sub-Processor" means any third-party Processors engaged in the Processing of Personal Data pursuant to directives from Fireberry, in connection with the provision of Fireberry's Services and/or Sites.
1.9. "EU" means the European Union.
1.10. "EEA" means EU Member States and Norway, Iceland, and Liechtenstein.
1.11. "Data Subject" means the identified or identifiable person to whom the Personal Data relates.
1.12. "Personal Information" or "Personal Data" means any data or information processed by Fireberry on behalf of the Customer under this DPA and the Agreement, which can identify, relate to, describe, be linked to, or could foreseeably be connected, either directly or indirectly, with a specific natural person or Consumer.
1.13. "Sensitive Data" means Personal Data governed by specific legislative measures necessitating distinct handling, identified in various jurisdictions as "special categories of data," "sensitive data," or other substantially equivalent terms under relevant Data Protection Laws and Regulations. This may encompass data such as: (a) financial or credit information, including credit or debit card numbers; (b) social security number, tax file number, passport number, driver’s license number, or similar identifiers (or any part thereof); (c) Personal Data pertaining to children; (d) details disclosing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data utilized specifically to identify an individual, information regarding health, sexual orientation or sex life, or data concerning criminal convictions and offenses; and/or (e) unhashed account passwords.
1.14. "Service(s)" means any services provided to Customer by Fireberry, under the Agreement, including, but not limited to, any product, software, mobile application, cloud-based product, and/or any SaaS solution, including all functionalities, application programming interfaces, and tools owned and/or developed by Fireberry.
1.15. "UK GDPR" means the Data Protection Act 2018, in addition to the General Data Protection Regulation (GDPR) as incorporated into the legal systems of England and Wales, Scotland, and Northern Ireland pursuant to Section 3 of the European Union (Withdrawal) Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (Statutory Instrument 2019/419).
1.16. "Standard Contractual Clauses" means: (a) where the GDPR applies, the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) as published here; (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0) (“UK's IDTA”), as incorporated into the EU SCCs through Annex III thereto (“UK Addendum”); and (c) in respect of transfers subject to the Federal Act on Data Protection (as revised on September 1st, 2023), the terms set forth in Annex IV of the EU SCCs (“Switzerland Addendum”).

2. Processing of Personal Data

2.1. Roles of the Parties

Regarding the processing of Personal Data by Fireberry on behalf of the Customer, in accordance with this DPA and the Agreement, the Parties assert, acknowledge, and confirm that: (a) the Customer is the Controller of the Personal Data; (b) Fireberry is the Processor of such Personal Data.
"Controller" and "Processor" below signify the Customer and Fireberry, respectively, and where applicable, in accordance with Section 10.1, an Authorized Affiliate shall also be considered a "Controller".

2.2. Customer's Processing of Personal Data

Customer shall, in the use of Fireberry's Sites and Services, transmit, upload, submit, and/or transfer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer shall establish and maintain proper legal bases to collect, Process, and transfer any Personal Data to the Processor. Customer shall obtain any necessary applicable requirements to authorize the Processing of Personal Data by the Processor, and for the Processor's Processing activities on behalf of the Customer. Additionally, Customer shall provide notice to the Data Subjects regarding the use of Fireberry as the Processor.
Customer acknowledges that Fireberry is not responsible for determining which laws or regulations apply to the Customer’s business. Customer shall ensure that Fireberry's Processing of Customer Data, when done in accordance with Customer’s instructions, shall not cause Fireberry to violate any Data Protection Laws and Regulations.

2.3. Processor's Processing of Personal Data

Processor shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of the Customer, in accordance with the Agreement, for the following purposes: (i) Processing to comply with the Customer's reasonable and documented instructions, as long as such instructions are in accordance with the Agreement and this DPA; (ii) Processing for the Customer as part of its provision of the Service(s); (iii) Processing in accordance with the Agreement and this DPA; (iv) Processing as required under laws applicable to the Processor and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that the Processor shall inform the Customer of any such legal requirement before Processing, unless such law or regulation prohibits sharing this information on important grounds of public interest; and (v) rendering Personal Data fully anonymous, non-identifiable, and non-personal in accordance with applicable standards recognized by Data Protection Laws and Regulations.

2.4. Processor's Obligations and Rights in Handling Non-Compliant Data Processing Instructions Under Data Protection Laws

Processor shall, unless prohibited from notifying the Customer under applicable Data Protection Laws and Regulations, inform the Customer without delay if, in the Processor’s opinion, an instruction for the Processing of Personal Data given by the Customer infringes applicable Data Protection Laws and Regulations. To the extent that the Processor cannot comply with the Customer's instruction, the Processor may: (i) terminate the Services offered to the Customer under the Agreement, or (ii) temporarily cease all Processing of the affected Personal Data; or (iii) suspend the Customer's access to the Services until the Customer and Processor find a mutual resolution.

2.5. Details of Processing

The scope of Personal Data Processing by the Processor encompasses the execution of Services pursuant to the Agreement and this DPA. The details regarding the duration, nature, and purpose, types of Personal Data, and categories of Data Subjects Processed under this DPA are elaborated in Schedule 1 (Details of Processing) attached to this DPA.

2.6. Sensitive Data

The Parties acknowledge and agree that the Services are not designed for the Processing of Sensitive Data. Should the Customer decide to utilize the Processor's Services for the Processing of Sensitive Data, the Customer must secure the explicit prior written consent of the Processor and enter into any supplementary agreements as may be stipulated by Fireberry.

2.7. CCPA Terms

Processor shall not have any rights and/or benefits regarding Personal Information Processed on Customer's behalf and Processor may use and disclose Personal Information solely for the purposes for which such Personal Information was provided, as stipulated in the Agreement and this DPA.

3. Rights of Data Subjects

3.1. Data Subject Request

Processor shall, to the extent legally permitted by any applicable Data Protection Laws and Regulations, promptly notify the Customer of any dispute, complaint, or request it receives from a Data Subject, such as: (i) the Data Subject's right of access; (ii) the Data Subject's right to restriction of Processing; (iii) the Data Subject's right to rectification; (iv) the Data Subject's right to erasure; (v) the Data Subject's right to object to the Processing; (vi) the Data Subject's right to data portability; (vii) the Data Subject's right not to be subject to automated individual decision-making; (viii) the Data Subject's right to 'opt-out' of the sale of Personal Information (collectively or separately referred to herein as "Data Subject Request").

3.2. Assistance in addressing Data Subject requests

Taking into account the nature of the Processing, Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to a Data Subject Request under any applicable Data Protection Laws and Regulations. Furthermore, should the Customer lack the capability to address a Data Subject's Request, the Processor, upon the Customer's request, shall exert all reasonable efforts to aid the Customer in managing such a Data Subject Request, provided that such assistance is legally permissible and the response is mandated by any applicable Data Protection Laws and Regulations. The Customer shall bear any costs incurred from the Processor's assistance in these matters.

4. Confidentiality

Processor shall restrict its employees engaged in the Processing of Personal Data to only those employees necessary to successfully provide the Services pursuant to the Agreement. Processor shall ensure that any employee who is engaged in the Processing of Personal Data shall execute a written agreement requiring them to maintain all such information in strict confidence and to use said information only to facilitate the performance of the employees' services to the Processor, in connection with the Processing of Personal Data, the Services, the Agreement, and this DPA.

5. Sub-Processors

5.1. Appointment of Sub-Processors

Customer acknowledges and agrees that: (a) Processor's Affiliates may be engaged as Sub-Processors; (b) Processor and Processor's Affiliates may respectively engage third-party Sub-Processors in connection with the provision of the Services.

5.2. List of Current Sub-Processors and Notification of New Sub-Processors

Processor shall create a list of current Sub-Processors used by the Processor to process Personal Data, which shall be available to the Customer at https://www.fireberry.com/legal/sub-processors. Such a list shall include the identities of those Sub-Processors, their countries, and their processing activities ("Current Sub-Processor List"). By using our Services, the Customer hereby acknowledges and agrees to our Current Sub-Processor List, as well as to the Sub-Processors' locations and processing activities as they pertain to the Customer's Personal Data.

5.3. Objection Right to an Existing Sub-Processor

Customer may reasonably object to Processor's use of an existing Sub-Processor by providing a written objection to support@fireberry.com within seven (7) business days following Customer's first use of Processor's Services. In the event that Customer reasonably objects to an existing Sub-Processor, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect to those elements of the Services that cannot be provided by the Processor without the use of the objected-to Sub-Processor, by providing written notice to the Processor. Such notice of termination shall be deemed valid, provided that all outstanding amounts due under the Agreement are duly paid to the Processor. In such an event, Customer shall have no further claims against Processor for any past use of approved Sub-Processors, and Customer shall not be entitled to receive any refund of any kind.

5.4. Objection Right to New Sub-Processors

Customer may object to the Processor's use of a new Sub-Processor by promptly notifying the Processor in writing at support@fireberry.com within seven (7) days of receiving the Processor's notice, as specified in Section 5 herein. If Customer reasonably objects to a new Sub-Processor as outlined above, the Processor shall make reasonable efforts to provide an alternative within the Services, or suggest a commercially reasonable change to Customer's configuration or use of the Services, to avoid the Processing of Personal Data by the objected-to new Sub-Processor, without unduly burdening the Customer. Should the Processor fail to provide such an alternative within sixty (60) days, the Customer may, as a sole remedy, terminate the Agreement and this DPA, solely with regard to the components of the Services that necessitate the use of the objected-to new Sub-Processor, by issuing a written notice to the Processor. Be aware that any outstanding amounts due under the Agreement prior to the termination date, concerning the Processing at issue, must be fully paid to the Processor, and the Customer shall have no further claims against the Processor in such an event.

5.5. Sub-Processor Agreements

Processor or Processor's Affiliates engaged in processing Customer Data on behalf of the Processor shall enter into a written agreement with each Sub-Processor. Such agreement shall contain appropriate safeguards to protect Customer Data, which shall be no less strict than the safeguard obligations undertaken by Fireberry in accordance with this DPA.

6. Security and Audits

6.1. Controls for the Protection of Personal Data

Processor shall maintain industry-standard technical and organizational measures for the protection of Customer Data (including protection against unauthorized or unlawful Processing of Customer Data) and against accidental or unlawful destruction, alteration, loss, or damage, as well as unauthorized disclosure of, or access to, Customer Data. These measures shall also maintain the confidentiality and integrity of Customer Data, as set forth on the Security page. Processor shall monitor compliance with this DPA and, at Processor's discretion, reasonably assist Customer in ensuring compliance with obligations pursuant to applicable articles of the GDPR or any applicable law or regulation ("Compliance Process"). Be aware that, unless specifically stated otherwise in this DPA and/or the Agreement, Customer shall bear all costs associated with the Compliance Process.

6.2. Audits and Inspections

6.2.1. Audit Process

Unless otherwise stated in the Agreement, the Processor shall maintain an audit process to help ensure compliance with the obligations set forth in this DPA by using external auditors to verify the adequacy of its security measures with respect to its Processing of Customer Data (“Audit Report”). Such audit shall be performed in accordance with the provisions of Section 6.2 herein (Audits and Inspections) by independent third-party security professionals selected by Fireberry (“Third-Party Auditor”).

6.2.2. Audit Report

Processor shall provide the Customer with a copy of the Audit Report within 30 days after its completion by the Third-Party Auditor selected by Fireberry, provided that: (a) the request is submitted in good faith; (b) the Customer has given Fireberry 30 days' advance notice; (c) the Audit Report is subject to strict confidentiality controls; (d) such request occurs no more than once annually; and (e) the Customer shall bear all costs associated with the creation of the Audit Report.

6.2.3. Audit Process Inspection and Implementation of an Audit

Customer may submit a request to inspect the Processor's audit process and/or request the implementation of an independent audit, provided that: (a) the request is submitted in good faith and is proportionate to the nature and complexity of the request; (b) the Customer is not the Processor's industry competitor and there is no conflict of interest between the Processor and the Customer's request; (c) such request is required by applicable Data Protection Laws and Regulations or by the Customer's competent supervisory authority; (d) the request is reasonable and shall not overburden the Processor; (e) such request occurs no more than once annually; and (f) such inspection and/or audit shall be performed by a third party agreed upon by both Parties, at the Customer's expense.

6.2.4. Audit and Inspection Confidentiality

All records, information, materials, and reports provided by the Processor, or by any third party on behalf of the Processor, to the Customer following the Customer's audit and/or inspection request, shall be considered Confidential Information and shall not be used for any other purpose or disclosed to any third party without the Processor's prior written consent.

6.2.5. Third-Party Auditor

The use of any third-party auditor in accordance with the provisions of Section 6.2 herein (Audits and Inspections) shall be subject to the following conditions: (a) the third-party auditor is not Processor's industry competitor; (b) the third-party auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect Processor's proprietary information; and (c) the costs of the third-party auditor shall be at Customer's expense.

6.2.6. Disruption Minimization

Customer and any of Customer's mandated auditors shall ensure that there is no injury, damage, or disruption to the Processor's equipment, employees, premises, or business while conducting an inspection and/or audit.

6.2.7. Audit Rights Under the Agreement and Standard Contractual Clauses

The audit rights described in Sections 6.2.1., 6.2.2. and 6.2.3. above shall be applicable only to the extent that the Agreement does not already grant the Customer audit rights sufficient to fulfill the relevant requirements of Data Protection Laws and Regulations, including, where applicable, Article 28(3)(h) of the GDPR, UK GDPR, or the CCPA. Furthermore, if the Standard Contractual Clauses apply, nothing within Section 6 shall alter or amend the Standard Contractual Clauses, nor shall it impact any rights of a Supervisory Authority or Data Subject under the Standard Contractual Clauses.

6.2.8. Data Protection Impact Assessment and Prior Consultation

Upon the Customer’s reasonable request, Processor shall provide the Customer, at the Customer’s expense, with necessary cooperation and assistance to fulfill the Customer's obligations under the GDPR or UK GDPR (as applicable) to conduct a data protection impact assessment concerning the Customer’s use of the Services. This support is provided to the extent that the Customer lacks access to the required information and such information is available to the Processor. Additionally, the Processor shall offer reasonable assistance, at the Customer’s expense, to engage in cooperation or prior consultation with the Supervisory Authority regarding the duties related to this Section 6.2.8, as mandated by the GDPR or UK GDPR, and as applicable.

7. Customer Data Incident Management and Notification

Processor shall maintain security incident management policies and procedures and shall notify the Customer without undue delay after becoming aware of any unlawful destruction, alteration, loss, unauthorized disclosure of, or access to, Personal Data Processed by the Processor on behalf of the Customer ("Data Incident"). The Processor shall make reasonable efforts to identify the Data Incident and take all necessary steps to rectify, remediate, and/or mitigate the effects of any such Data Incident to the extent that remediation and/or mitigation is within the Processor's reasonable control. The Processor shall not be liable, nor shall it have any obligation to rectify, mitigate, or remediate any Data Incident that is caused by the Customer, the Customer's Authorized Users, or any individual or entity using the Processor's Services on the Customer’s behalf. Customer shall not make, publish, disclose, give notice, report, or release details by any method concerning any Data Incident that directly or indirectly identifies the Processor, including any legal proceedings, nor provide any notification to regulatory and/or supervisory authorities or affected individuals without the Processor’s prior consent, unless, and solely to the extent that, the Customer is compelled to do so pursuant to applicable Data Protection Laws and Regulations. In such an event, the Customer shall provide the Processor with reasonable prior written notice, and the Processor shall have the right to object to any such disclosure.

8. Return and Deletion of Customer Data

Following termination of the Agreement, Processor shall return to Customer all Customer Data Processed on behalf of Customer in an accessible format and shall, thereafter, delete existing copies of Customer's Customer Data unless Data Protection Laws and Regulations require otherwise. Processor may retain a copy of Customer's Personal Data solely to the extent permitted by any applicable Data Protection Laws and Regulations.

9. International Provisions

9.1. Cross-Border Data Transfer

Should Customer’s utilization of the Services necessitate a lawful mechanism for transferring Personal Data across various jurisdictions (including the United States, the European Economic Area, the United Kingdom, Switzerland, Israel, or any other jurisdiction specified in Schedule 3 (Specific Terms by Jurisdiction)), the provisions detailed in Schedule 2 (Cross Border Data Transfer) of this DPA shall govern the mechanism of Personal Data transfer between such jurisdictions ("Transfer Mechanism").

9.2. Specific Terms by Jurisdiction

Insofar as Fireberry processes Personal Data originating from and governed by Data Protection Laws and Regulations within any of the jurisdictions specified in Schedule 3 (Specific Terms by Jurisdiction) of this DPA, the provisions outlined in Schedule 3 pertaining to the relevant jurisdiction(s) shall be applicable, supplementary to the terms of this DPA.

10. Authorized Affiliates

10.1. Contractual Relationship

The Parties acknowledge and agree that by executing the Agreement, the Customer enters into this DPA on its own behalf and, as applicable, in the name and on behalf of the Customer's Authorized Affiliates. Where the Customer enters into this DPA on behalf of the Customer's Authorized Affiliates, each Authorized Affiliate must agree to be bound by the obligations set forth under this DPA and, to the extent applicable, under the Agreement. Authorized Affiliates' access to, and use of, the Processor's Services and content, must comply with the terms and conditions of the Agreement, and any violation of the terms and conditions of the Agreement and this DPA by an Authorized Affiliate shall be deemed a violation by the Customer.

10.2. Communication

Customer that is the contracting Party to the Agreement shall remain responsible for coordinating all communications with Processor under this DPA and be entitled to make and receive any communications in relation to this DPA on behalf of any Authorized Affiliates.

11. Limitation of Liability

11.1. The aggregate liability of each Party, together with its Affiliates, towards the other Party and its Affiliates, whether arising under contract, tort, or any other theory of liability, in relation to the Agreement and this DPA, shall be confined to the limits on liability or other liability caps as stipulated by the Parties in the Agreement.
11.2. The liability cap set forth in Section 11.1 herein shall not degrade any Party’s liability to Data Subjects under the third-party beneficiary provisions of the EU SCCs to the extent limitation of such rights is prohibited by the European Data Protection Laws and Regulation.

12. Miscellaneous

12.1. Order of Precedence

Should any conflict or inconsistency arise among the following documents, the hierarchy of precedence shall be established as follows: (1) the terms specified in Schedule 3 of this DPA (Specific Terms by Jurisdiction); (2) the terms specified in Schedule 2 of this DPA (Cross-Border Data Transfer); (3) the provisions contained within this DPA, excluding Schedules 2 and 3 (Cross-Border Data Transfer and Specific Terms by Jurisdiction); (4) the Agreement; and (5) the Fireberry Privacy Policy.

12.2. Changes and Updates

Processor may amend this DPA from time to time at its sole discretion or as required by corresponding changes and/or modifications to any applicable Data Protection Laws and Regulations. Processor shall not be obligated to give notice of any changes to this DPA, provided that: (i) such changes are not adverse in any material aspect with respect to the Customer’s rights under this DPA; and (ii) such changes do not degrade Processor’s obligations under this DPA. For clarity, if Processor makes any material adverse change to Customer’s rights or Processor’s obligations, Processor shall notify Customer by posting an announcement on the Sites, via the Services, and/or by sending an email to the Customer.

12.3. Translated Versions

This DPA was written in English and, for convenience, we may translate this DPA into other languages. If there is a conflict between a translated version (non-English) and this English version of the DPA, the provisions of the English version shall prevail.

Schedule 1 – Description of Processing

1. Nature and Purpose of Processing

The Processor shall Process Personal Data on behalf of the Customer to the extent determined and controlled solely by the Customer. This may include, but is not limited to, Processing Personal Data for the following purposes: (i) performing the Agreement, the Privacy Policy Statement, this DPA, and other contracts executed by the Parties; (ii) providing the Services to the Customer; (iii) executing the Customer's instructions, where such instructions are consistent with the Agreement and Data Protection Laws and Regulations; (iv) complying with applicable Laws and Regulations; (v) sharing Personal Data with third parties in accordance with the Customer's instructions and/or pursuant to the Customer's use of the Service (like API services); and (vi) rendering Personal Data to be Anonymous Information (as defined below). For the purpose of this Schedule 1, "Anonymous Information" shall mean information that does not enable the identification of an individual, such as de-identified, aggregated, and/or analytical information.

2. Categories of Data Subjects

The Processor shall Process Personal Data on behalf of the Customer to the extent determined and controlled solely by the Customer. This may include, but is not limited to, Processing Personal Data for the following purposes: (i) performing the Agreement, the Privacy Policy Statement, this DPA, and other contracts executed by the Parties; (ii) providing the Services to the Customer; (iii) executing the Customer's instructions, where such instructions are consistent with the Agreement and Data Protection Laws and Regulations; (iv) complying with applicable Laws and Regulations; (v) sharing Personal Data with third parties in accordance with the Customer's instructions and/or pursuant to the Customer's use of the Service (like API services); and (vi) rendering Personal Data to be Anonymous Information (as defined below). For the purpose of this Schedule 1, "Anonymous Information" shall mean information that does not enable the identification of an individual, such as de-identified, aggregated, and/or analytical information.

3. Type of Personal Data

Customer may submit Personal Data to the Services at Customer's sole discretion and to the extent determined and controlled by the Customer, as permitted by any applicable Data Protection Laws and Regulations. The type of Personal Data that may be submitted by the Customer to the Services shall include, but is not limited to, the following categories: (i) personal life data; (ii) localization data; (iii) professional life data; (iv) contact information (company, email, phone, physical business address); (v) title; (vi) position; (vii) first and last name; (viii) employer name.

4. Duration of Processing

Subject to provisions within the DPA and/or the Agreement regarding the duration of Processing and the consequences of its expiration or termination, the Processor shall Process Personal Data for the term of the Agreement and the delivery of Services pursuant thereto, unless otherwise stipulated in writing.

5. Sensitive Data

Sensitive Data transfers, where applicable, shall be subject to stringent restrictions and safeguards that adequately reflect the data's nature and associated risks. Such measures may include, but are not limited to, strict limitations on the purposes for which the data may be used, and access restrictions ensuring that only personnel who have undergone specific training can access the data. Where Customer or its Users choose to submit, transfer, Process, or upload Sensitive Data to the Services or Sites, the Customer must ensure that suitable safeguards are in place prior to transmitting, submitting, transferring, or Processing any such Sensitive Data via the Services or Sites.


Schedule 2 – Cross-Border Data Transfer

1. General

1.1. Capitalized terms not specifically defined herein shall have the meanings ascribed to them in the DPA.
1.2. This Schedule 2 shall apply and bind the Parties if and to the extent that Fireberry's Processing of Personal Information is covered by more than one lawful Transfer Mechanism in the course of providing the Services to the Customer, pursuant to the Agreement and this DPA.
1.3. The terms "Data Importer" and "Data Exporter" shall have the same meanings ascribed to them in the Standard Contractual Clauses.

2. Cross-Border Data Transfer Mechanism

2.1. Order of Precedence

In the event that Personal Data transfers by Fireberry pursuant to the Agreement and this DPA are covered by more than one lawful Transfer Mechanism, the transfer of such Personal Data shall be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.2 (EU SCCs); (b) the UK International Data Transfer Agreement as set forth in Section 2.3 (UK's IDTA); (c) the terms set forth in Section 2.4 (Switzerland Addendum); and, if neither (a), (b), nor (c) is applicable, then (d) other Data Transfer Mechanisms permitted under applicable Data Protection Laws and Regulations.

2.2. EU Standard Contractual Clauses

The EU SCCs shall apply to Personal Data that is transferred via the Services from the EEA and Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized by the relevant competent authority as providing an adequate level of protection for Personal Data. For data transfers that are subject to the EU SCCs, said EU SCCs shall be deemed to have been entered into and incorporated into this DPA by this reference, and completed as follows:
2.2.1. Module Two (Controller to Processor) of the EU SCCs shall apply where the Customer is a Controller of Customer Personal Data and Fireberry is Processing such Customer Personal Data.
2.2.2. Module Three (Processor to Processor) of the EU SCCs shall apply where the Customer is a Processor of Customer Personal Data and Fireberry is Processing such Customer Personal Data.
2.2.3. For each of the Modules, where applicable:
2.2.3.1. In Clause 7 of the EU SCCs, the optional docking clause shall not apply;
2.2.3.2. In Clause 9 of the EU SCCs, Option 2 "General Written Authorization" shall apply, and the time period for prior notice of Sub-Processor changes shall be as set forth in Section 5 (Sub-Processors) of this DPA;
2.2.3.3. In Clause 11 of the EU SCCs, the optional language shall not apply;
2.2.3.4. In Clause 17 (Option 1), the EU SCCs shall be governed by Irish law;
2.2.3.5. In Clause 18(b) of the EU SCCs, disputes shall be resolved before the courts of Ireland.
2.2.3.6. In Annex I, Part A (List of Parties) of the EU SCCs:
2.2.3.6.1. Data Exporter: The Customer.
2.2.3.6.2. Contact details: The email address(es) designated by the Customer in the Customer’s account via its notification preferences.
2.2.3.6.3. Data Exporter Role: The Data Exporter's role is set forth in Section 2 (Processing of Personal Data) of this DPA. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, the Customer may act either as a Controller or Processor, and Fireberry is a Processor. Fireberry shall Process Customer Personal Data in accordance with the Customer’s instructions as set forth in Section 1 of this DPA.
2.2.3.6.4. Signature and Date: By entering into the Agreement, the Customer is deemed to have signed these EU SCCs incorporated herein, including their Schedules, as of the effective date of the Agreement.
2.2.3.6.5. Data Importer: Fireberry LTD.
2.2.3.6.6. Address: Menachem Begin Rd 125, Tel Aviv, Israel.
2.2.3.6.7. Contact details: Fireberry Data Security Team – support@fireberry.com.
2.2.3.6.8. Data Importer Role: The Data Importer’s role is set forth in Section 2 (Processing of Personal Data) of this DPA. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, the Customer may act either as a Controller or Processor, and Fireberry is a Processor. Fireberry shall Process Customer Personal Data in accordance with the Customer’s instructions as set forth in Section 1 of this DPA.
2.2.3.6.9. Signature and Date: By entering into the Agreement, the data importer (Fireberry) is deemed to have signed these EU SCCs, incorporated herein, including their Schedules, as of the Effective Date of the Agreement.
2.2.3.7. In Annex I, Part B (Description of Transfer) of the EU SCCs:
2.2.3.7.1. The categories of Data Subjects are described in the "Data Subjects" section of Schedule 1 (Description of Processing) of this DPA.
2.2.3.7.2. The categories of transferred Personal Data are described in Schedule 1 (Description of Processing) of this DPA.
2.2.3.7.3. The Sensitive Data transferred is described in Section 5 (Sensitive Data) of Schedule 1 (Description of Processing) of this DPA.
2.2.3.7.4. Signature and Date: By entering into the Agreement, the data exporter (the Customer) is deemed to have signed these EU SCCs incorporated herein, including their Schedules, as of the effective date of the Agreement.
2.2.3.7.5. The nature of the Processing is described in Schedule 1 (Description of Processing) of this DPA.
2.2.3.7.6. The purpose of the Processing is described in the "Nature and Purpose of the Processing" section of Schedule 1 (Description of Processing) of this DPA.
2.2.3.7.7. The period for which Personal Data shall be retained and the criteria used to determine that period are as follows: Prior to the termination of the Agreement, Fireberry shall Process stored Customer Personal Data for the permitted purposes set forth in Section 2 of this DPA until the Customer elects to delete or request the return of such Customer Personal Data pursuant to provisions of Section 8 of this DPA. Prior to the termination of the Agreement, the Customer agrees that it is solely responsible for deleting Customer Personal Data via the Services. Upon termination of the Agreement, Fireberry shall (i) provide the Customer thirty (30) days after the effective date of termination to obtain a copy of any stored Customer Personal Data via the Services, and (ii) delete any stored Customer Personal Data within thirty (30) days upon Customer request, unless alternate timeframes for retention and/or deletion are otherwise set forth in the Agreement or subsequently agreed upon by the Parties in writing. Any Customer Personal Data archived on Fireberry’s backup systems shall be securely isolated and protected from any further processing, except as otherwise required by applicable Data Protection Laws and Regulations.
2.2.3.7.8. For transfers to Sub-Processors, the subject matter, nature, and duration of the Processing are set forth at https://www.fireberry.com/legal/sub-processors.
2.2.3.8. In Annex I, Part C of the EU SCCs: The Irish Data Protection Commission shall be the competent supervisory authority.
2.2.3.9. Section 6.1 (Controls for the Protection of Personal Data) of this DPA and all documents referred to therein shall serve as Annex II of the EU SCCs.

2.3. UK's International Data Transfer Agreement

Customer and Fireberry hereby stipulate that the UK's IDTA shall govern the transfer of Personal Data conducted through the Services from the United Kingdom, whether directly or through onward transfer, to any country or recipient beyond the borders of the United Kingdom that lacks recognition by the relevant United Kingdom regulatory authority or governmental body for ensuring an adequate level of data protection. In instances where data transfers from the United Kingdom fall under the purview of the UK's IDTA, said IDTA shall be deemed to have been entered into, and incorporated into this DPA by this reference, and completed as follows:
2.3.1. In Table 1 of the UK's IDTA: (i) The details and key contact information for the Customer and Twilio are set forth in Section 2.2.3.6 of this Schedule 2; and (ii) The Start Date is the date of the last signature of the Parties on this DPA or the Agreement.
2.3.2. In Table 2 of the UK's IDTA, information about the version of the Approved EU SCCs, modules, and selected clauses to which the UK's IDTA is appended is set forth in Section 2.2 (EU SCCs) of this Schedule 2.
2.3.3. In Table 3 of the UK's IDTA: (i) The list of Parties is set forth in Section 2.2.3.6 of this Schedule 2; (ii) The description of the transfer is set forth in Section 1, the "Nature and Purpose of the Processing" of Schedule 1 (Description of Processing) of this DPA; (iii) Section 6.1 (Controls for the Protection of Personal Data) of this DPA and all documents referred to therein shall serve as Annex II of the EU SCCs to which this IDTA is appended; and (iv) The Current Sub-Processor List of sub-processors (if applicable) is available at https://www.fireberry.com/legal/sub-processors.
2.3.4. In Table 4 of the UK's IDTA, both the Data Importer and the Data Exporter may end the UK's IDTA in accordance with the terms set forth in Section 19 of the UK's IDTA.

2.4. Switzerland Data Transfers

Regarding the transfer of Personal Data from Switzerland or of Personal Data regulated under the Switzerland Addendum to a third country not recognized by the European Commission or the relevant Swiss authority as providing adequate data protection, the Parties concur that the EU SCCs included in this DPA shall govern such transfers, subject to the following terms and conditions:
2.4.1. Clause 13: Where the transfer of Personal Data is exclusively governed by the Switzerland Addendum, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland shall serve as the sole supervisory authority. Where the transfer of Personal Data falls under the jurisdiction of both the GDPR and the Switzerland Addendum, the FDPIC shall act as the competent supervisory authority in parallel (as per Annex I.C of the EU SCCs). Furthermore, when the transfer is regulated solely by the GDPR, the selection of the competent authority must adhere to the criteria set forth in Clause 13(a).
2.4.2. Clause 17: If the transfer is exclusively subject to the Switzerland Addendum, the EU SCCs shall be governed by Swiss law.
2.4.3. Clause 18(b): Should any data transfer dispute emanate from the EU SCCs, the Swiss courts shall adjudicate such dispute, provided that the Switzerland Addendum exclusively governs the data transfer.
2.4.4. Clause 18(c): The phrase "Member State" shall not be construed to preclude Data Subjects in Switzerland from the opportunity to litigate for their rights within their habitual residence (Switzerland), pursuant to Clause 18(c) of the EU SCCs.

2.5. In the event of any discrepancy or conflict between the EU SCCs and other provisions of this DPA, including Schedule 3 (Specific Terms by Jurisdiction), the Agreement, or the Fireberry Privacy Policy, the terms of the EU SCCs shall prevail.


Schedule 3 – Specific Terms by Jurisdiction


1. General

1.1. Capitalized terms not specifically defined herein shall have the meanings ascribed to them in the DPA.
1.2. The terms set forth in this Schedule 3 (Specific Terms by Jurisdiction) shall apply to the extent that Personal Data Processed by Fireberry is governed by laws and regulations of the following jurisdictions as specified herein, without otherwise amending the Agreement or the DPA.

2. United States of America

2.1. Definitions

2.1.1. "US Laws and Regulations" means all state legislation pertaining to the protection and Processing of Personal Data currently effective within the United States of America, potentially encompassing, but not limited to, the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
2.1.2. The terms "Business", "Business Purpose", "Collects" ("collected" and "collection"), "Consumer", "Deidentified", "Sell" ("selling", "sale", and "sold"), "Share" ("shared" or "sharing"), "Personal Information", and "Service Provider" shall each have the same meaning ascribed to them in the CCPA.
2.1.3. The term "Data Protection Laws and Regulations" in the DPA shall include US Laws and Regulations.

2.2. Processing of Personal Information governed by the CCPA

2.2.1. When Fireberry Processes Personal Information governed by the CCPA on behalf of the Customer, Fireberry shall: (i) act as a Service Provider; (ii) Process any Personal Information in accordance with the Business Purposes set forth in the Agreement and this DPA; (iii) Process Personal Information in compliance with applicable sections of the CCPA. Fireberry shall not: (a) retain, use, or disclose Personal Information beyond the direct business relationship of the Parties, as specified in the Agreement, or for any purpose other than fulfilling the specific business purpose of performing the Services or as otherwise allowed under the CCPA, the Agreement, and/or this DPA; nor (b) combine, through logical separation, Personal Information that the Processor Processes on behalf of other entities with the Customer’s Personal Information, unless explicitly authorized by the CCPA, its implementing regulations, the Agreement, and/or this DPA between the Parties.
2.2.2. Fireberry shall (i) adhere to the obligations incumbent upon it as a Service Provider under the CCPA, and (ii) Process Personal Information in accordance with the privacy protection standards mandated by the CCPA. The Customer is obligated to ensure that it has adhered, and shall continue to adhere, to the requirements of the CCPA in its utilization of the Services and in its own processing of Personal Information.
2.2.3. Fireberry acknowledges that, upon providing notice to Fireberry, the Customer shall be entitled to implement reasonable and appropriate measures to ensure that Fireberry handles Personal Information in compliance with the Customer’s obligations under the CCPA.
2.2.4. Should Fireberry determine that it is unable to fulfill its obligations under the CCPA, it shall promptly inform the Customer.
2.2.5. For any Sub-Processor engaged by Fireberry to Process Personal Information governed by the CCPA, Fireberry shall ensure that its contractual arrangements with such Sub-Processor adhere to the requirements of the CCPA, including, but not limited to, the specific contractual obligations applicable to service providers and contractors.
2.2.6. Fireberry acknowledges and affirms that it does not receive or Process any Personal Information as consideration for any Services or other items provided to the Customer under the Agreement or this DPA. Fireberry certifies its understanding of the rules, requirements, and definitions under the CCPA and commits not to sell or share (as defined in the CCPA) any Personal Information Processed under this Agreement without the Customer's prior written consent or instruction. Additionally, Fireberry agrees to avoid any actions that would cause the transfer of Personal Information to or from Fireberry under this Agreement or DPA to be classified as “selling” or “sharing” of such Personal Information under the CCPA.

3. Israel

3.1. "Israeli Laws and Regulations" means all Israeli laws and regulations pertaining to the protection and processing of personal data currently effective in the State of Israel, including, but not limited to, the Israeli Protection of Privacy Law, 5741-1981 (the "PPL"), and the Protection of Privacy Regulations (Data Security) 5777-2017.
3.2. The term "Data Protection Laws and Regulations" in the DPA shall include Israeli Laws and Regulations.
3.3. The term "Personal Information" or "Personal Data" in the DPA shall have the same meaning ascribed to it under Israeli Laws and Regulations.
3.4. The term "Sensitive Data" in the DPA shall have the same meaning ascribed to it under Israeli Laws and Regulations.
3.5. The term “Controller” in the DPA shall include “Database Owner” as defined under Israeli Laws and Regulations.
3.6. The term “Processor” in the DPA shall include “Holder” as defined under Israeli Laws and Regulations.
3.7. Fireberry shall require that any personnel authorized to Process Customer Data comply with the principle of data secrecy and have been duly instructed about Data Protection Laws and Regulations. Such personnel shall sign confidentiality agreements with Fireberry in accordance with Section 4 (Confidentiality) of this DPA.
3.8. Fireberry is obligated to undertake adequate measures to safeguard the privacy of Data Subjects by enforcing and upholding the security protocols delineated in Section 6 (Security and Audits) of this DPA, and adhering to the stipulations of the Agreement.

4. United Kingdom (UK)

4.1. References in this DPA to the "GDPR" shall be construed as references to the corresponding laws and regulations of the United Kingdom, including, but not limited to, the UK GDPR.
4.2. When Fireberry engages a Sub-Processor as outlined in Section 5 (Sub-Processors) of this DPA, it shall: (a) mandate that any appointed Sub-Processor safeguard Customer Data to the standard mandated by applicable Data Protection Laws and Regulations, including incorporating data protection obligations consistent with Article 28(3) of the GDPR, particularly by providing sufficient guarantees to implement appropriate technical and organizational measures such that the Processing complies with the requirements of the GDPR; and (b) require any appointed Sub-Processor to (i) formally agree to Process Personal Data only in countries that the United Kingdom has recognized as providing an "adequate" level of protection, or (ii) Process Personal Data strictly under terms equivalent to the UK's IDTA, or pursuant to binding corporate rules approved by competent United Kingdom data protection authorities.

5. Switzerland

5.1. The term "Data Protection Laws and Regulations" in the DPA shall include the Switzerland Addendum.
5.2. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Switzerland Addendum.
5.3. When Fireberry engages a Sub-Processor pursuant to Section 5 (Sub-Processors) of this DPA, it shall: (a) mandate that any appointed Sub-Processor safeguard the Customer's Personal Data in accordance with the standards mandated by Data Protection Laws and Regulations, specifically including the data protection obligations outlined in Article 28(3) of the GDPR, by providing adequate guarantees to implement suitable technical and organizational measures so that the processing complies with the GDPR, and (b) require any appointed Sub-Processor to (i) formally commit in writing to Process Personal Data solely in a jurisdiction that Switzerland has recognized as providing an “adequate” level of protection, or (ii) Process Personal Data strictly under conditions that are equivalent to the EU SCCs.

6. Canada

6.1. The term “Data Protection Laws and Regulations” in the DPA shall include the Federal Personal Information Protection and Electronic Documents Act (S.C. 2000, c.5).
6.2. Under Section 5 (Sub-Processors) of this DPA, Fireberry’s Sub-Processors are third parties recognized under Data Protection Laws and Regulations, with whom Fireberry has executed written agreements that incorporate terms substantially akin to those in this DPA. Fireberry hereby declares that it has undertaken suitable due diligence regarding its Sub-Processors.
6.3. Fireberry shall adopt technical and organizational measures as specified in Section 6 (Security and Audits) of this DPA.