Data Processing Addendum
Last Update: February, 2023
THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into and forms part of the Terms of Use (the “Agreement”) by and between: (1) Pixton Comics Inc. (“Vendor” or “Pixton”); and (2) the entity or other person (“Customer”) who is a counterparty to the Agreement (together the “Parties” and each a “Party”).
Definitions. The capitalized terms set out in Annex I to this DPA shall have the meanings assigned to them. In the event of any conflict between provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Information.
Scope. The provisions of this DPA apply to, and Annex II and Annex III form part of this DPA in respect of, Pixton’s Processing of Personal Information to the extent each provision and Annex must be included in the DPA for the parties to comply with their legal obligations under Applicable Laws in respect of the required terms of contracts, and in such cases, only in respect of the Processing subject to such laws.
Roles. The Parties acknowledge and agree that as between Pixton and Customer, the Customer has legal control of the Personal Information of users related to Customer. The Parties further acknowledge and agree that with respect to the Processing and transfers of Personal Information subject to the material and territorial scope of GDPR or UK GDPR: (i) the Customer is the Controller of Personal Information; (ii) Pixton is the Processor of such Personal Information; and (iii).for the purposes of the CCPA (and to the extent applicable), Customer is the “Business” and Pixton is the “Service Provider” (as such terms are defined in the CCPA).
Compliance with Applicable Laws. Each Party shall comply with all Applicable Laws with respect of its handling of Personal Information and undertakes to use best efforts to assist the other in each Party’s compliance with any obligations under Applicable Laws. The Parties shall not perform their obligations under this DPA in such a manner as to cause the other Party to breach any of its obligations under Applicable Laws to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Processing Purposes. Pixton shall process Personal Information only in accordance with the Processing Purpose, unless required to do so by Applicable Laws. Customer may also give subsequent instructions throughout the duration of the Processing of Personal Information. Such instructions shall be documented.
Purpose limitation. Pixton shall only process the Personal Information for the Processing Purpose, to the extent, and in such a manner, as is reasonably necessary for the performance of the Services. Pixton will not process the Personal Information for any other purpose or in a way that does not comply with the Agreement (including this DPA) or Applicable Laws.
De-identified and Anonymized Data. Customer acknowledges and agrees that Vendor may create and derive from Personal Information and through the Processing related to the Agreement, de-identified, anonymized and/or aggregated data that does not identify Customer or any individual; and Vendor may use, publicize, or share with third parties such data for marketing purposes, to improve Vendor’s products and services, and for its other legitimate business purposes.
Security. Pixton shall maintain reasonable measures designed to help ensure the security of the Personal Information, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (a “Personal Information Incident”). Customer agrees that the Service and Vendor’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Information.
Personnel security. Vendor shall limit access to any sensitive Personal Information by its personnel to individuals with a reasonable and legitimate need to access such information. Pixton shall also take steps to have all of its personnel who Process Customer Personal Information enter into written confidentiality agreements.
Limiting sensitive information. In assessing the appropriate level of security, both Parties shall take due account of the risks involved in the Processing, the nature of the Personal Information and the nature, scope, context and purposes of Processing. Customer is responsible for ensuring the Personal Information provided does not reveal sensitive or biometric data for the purpose of uniquely identifying a natural person, and if Customer anticipates such data will be shared, Customer is responsible for working with Pixton to ensure specific restrictions and/or additional safeguards are implemented as reasonably required.
Appropriate use. Customer agrees that, without limiting Vendor’s security obligations under this DPA, Customer is solely responsible for its use of the Services, including (i) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Personal Information; (ii) securing the account authentication credentials, systems and devices Customer and related individuals use to access the Services; and (iii) backing up Customer Personal Information.
Legal basis for Processing. Customer shall ensure that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Vendor of Customer Personal Information in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws; and (including Article 6, Article 9(2) and/or Article 10 of the GDPR and UK GDPR (where applicable)); and all individual users related to Customer have (i) been presented with all required notices and statements (including as required by Article 12-14 of GDPR and UK GDPR (where applicable)); and (ii) provided all required consents, such as those relating to Processing by Vendor of Customer Personal Information.
Children. In the event Customer is an educator or educational institution and enabling the use of the Services by children, Customer is responsible for ensuring it has obtained any required consent. Customer shall verify in such cases that lawful consent is given or authorised by the holder of parental responsibility over a child.
Notice of data incident. In the event of a Personal Information Incident involving Personal Information being processed by Pixton, upon learning of such incident, either Party shall notify the other without undue delay, and at the latest within 48 hours, after having become aware of the incident. Such notification shall contain: contact information where more information concerning the Personal Information Incident can be obtained, a description of the nature of the incident (including, where possible, nature of the unauthorized access, use or disclosure, categories and approximate number of data subjects and data records concerned), its likely consequences and the measures taken or proposed to be taken to mitigate its possible adverse effects. If it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall be provided as it becomes available without undue delay. Vendor’s notification of or response to a Personal Information Incident shall not be construed as Vendor’s acknowledgement of any fault or liability. Customer is solely responsible for complying with reporting and notification requirements applicable to Customer under Applicable Law and fulfilling any third-party notification obligations related to any related individuals. Customer’s reporting and notification responsibilities do not restrict Vendor’s ability to report to governmental authorities and/or provide third-party notices, or as may be required by Applicable Law as applicable to Vendor.
Individual rights. Pixton shall, to the extent legally required or permitted, promptly notify the Customer if it receives a Data Subject Access Request. Customer shall be responsible for responding to Data Subject Access Requests. To the extent the Customer does not have the ability to address a Data Subject Access Request, Pixton shall, where required by law or upon the Customer’s request, provide reasonable efforts to assist the Customer in responding to such Data Subject Access Request, including by directing the individual with respect to access to their own account information. Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Vendor if Vendor’s assistance is requested and shall on demand reimburse Vendor for any such costs incurred by Vendor. Customer agrees that it shall be solely responsible for making any notifications to relevant individuals or authorities in relation to any Data Subject Access Request if and as required.
Sub-processors. The Customer acknowledges and agrees that Pixton and its affiliates (a) may retain sub-processors; and (b) may each engage third-party sub-processors in connection with and to assist in the provision of the Services. Pixton will ensure its sub-processors agree to receive Personal Information exclusively for permitted Processing activities. Pixton uses sub-processors such as Hubspot for client relationship management, Stripe for payment processing, Amazon Web Services for hosting data and its platform, and Google Analytics for website analysis. Pixton may and Customer hereby agrees Pixton may remove, replace, or appoint suitable and reliable further sub-processors, at its own discretion. If Customer and Pixton cannot resolve reasonable concerns about any new sub-processors, Customer may terminate the Agreement in accordance with the terms of the Agreement. Termination shall not relieve Customer of any fees owed to Pixton under the Agreement. Until there is a resolution regarding the new sub-processor, Pixton may, where necessary, temporarily suspend the Processing of the affected Personal Information and/or suspend access to the account and Customer will have no further claims against Pixton due to the temporary suspension or the termination of the Agreement (including, without limitation, requesting refunds).
International data transfers from and to Canada. Pixton is resident in Canada and any international data transfers to Pixton are to Canada. Personal Information may be transferred from EU Member States and the EEA member countries (Norway, Liechtenstein, and Iceland) (collectively, “EEA”) to countries offering an adequate level of data protection. The European Commission has determined Canada, including PIPEDA to which Pixton is subject in respect of the international transfer of Personal Information, provides an adequate level of data protection as reflected in the adequacy decisions (“Adequacy Decision”), as relevant and applicable, without any further safeguard being necessary. On the basis that Pixton is subject to PIPEDA including in respect of the international transfer of Personal Information, the Adequacy Decision, and the data protection provisions in this DPA, the Parties are not implementing additional safeguards such as SCCs.
Return and deletion. Subject to Applicable Law, Pixton will retain Personal Information associated with an Account as long as is reasonably necessary to comply with Pixton’s legitimate business purposes, legal requirements, and Applicable Laws.
Reasonable changes to comply with Applicable Laws. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Pixton to protect either Party against additional risks associated with the transfer and processing of Personal Information. If Customer proposes any other variations to this DPA which it reasonably considers to be necessary to address the requirements of Applicable Laws, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations as soon as is reasonably practicable. Notwithstanding the foregoing, upon notice to the Customer, Pixton may revise this DPA so as to incorporate any mandatory data protection provisions, standard contractual clauses (known as SCCs) or other terms that are required by any relevant competent data protection authority under Applicable Law.
ANNEX I
The following definitions are used in the DPA:
a. “Applicable Law” means all laws, including but not limited to statutes, legislation, and regulation which apply to the Parties, as the case may be, and also for Pixton includes but is not limited to PIPEDA, and may include one or more of GDPR, UK GDPR, the Children’s Online Privacy Protection Act (“COPPA”), the Family Educational Rights and Privacy Act (“FERPA”), the California Consumer Privacy Act (“CCPA”), the Connecticut Data Privacy Act (“CTDPA”), the Student Online Personal Information Protection Act (“SOPIPA”), the Illinois Student Online Personal Protection Act (“SOPPA”), the New York State Student Education Law section 2-d (“Ed 2d”), the Washington Student User Privacy in Education Rights Act (“SUPER”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”).
b. “Data Controller” (or the “Controller”) is the legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information; for the purposes of the Agreement, the Customer.
c. “Data Processor” (or the “Processor”) is Pixton, the legal entity that processes the Personal Information on behalf of the Data Controller.
d. “Data Subject Access Request” means a request by an individual to request access, copy, amendment, dispute, delete or any such additional actions to their Personal Information as may be permitted or mandated by Applicable Law.
e. “GDPR” means the European Union’s General Data Protection Regulation (EU) 2016/679.
f. “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable individual, which is processed by Pixton on behalf of the Customer, under this DPA and the Agreement. For clarity, Personal Information includes personal data as it is defined in GDPR.
g. “PIPEDA” means the Personal Information Protection and Electronic Documents Act, and regulations thereunder, as well as any successor Canadian private-sector privacy and/or data protection laws (such as the Consumer Privacy Protection Act).
h. “Processing” (or “Process” or “Processed”) means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
i. “Processing Purpose” means the purposes for providing the services determined by the Agreement, as outlined in Annex II.B, or as requested by the Customer from time to time.
j. “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and any such other relevant laws relating to data protection, the processing of Personal Information, privacy and/or electronic communications in force from time to time in the UK.
ANNEX II
Annex II.A - PARTIES
The Data Exporter |
The data exporter is identified as the Customer or the “Controller” in the DPA. |
|---|---|
The Data Importer |
The data importer is Pixton, a provider of comic creation, authorship and creative support services. |
Annex II.B - PROCESSING INFORMATION
Data Subjects (Individuals) |
Those individuals and educators who access the services provided by Pixton for any other lawful and permissible purpose as instructed by the Controller. |
|---|---|
Categories of Personal Information Transferred |
Personal Information: Email addresses, names, contact details, job titles, residential or business address; photograph; personal identification numbers (where applicable); academic and/or professional title; payment details; IP address; cookie data; login credentials (username and password); gender, age, grade level, traffic data; images, as well as literary and artistic creations. |
Sensitive Categories of Data, and associated additional restrictions/safeguards |
Customer agrees that it will ensure Restricted Content, which includes ‘sensitive data’ (as defined in GDPR), must not be submitted. Customer agrees that it will ensure lawful consent is provided by an individual or authorized by the holder of parental responsibility for a child. No additional safeguards for sensitive data are required. |
The Frequency of Transfers |
Transfers will be processed on an on-demand basis. |
Nature of the Processing |
The nature and purpose of processing means any operation such as collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data (whether or not by automated means) |
Purpose(s) of the Data Transfer and Further Processing |
Providing the Services to the Customer and any related individuals as set out in the Agreement; performing the Agreement, this DPA and/or other contracts executed by the Parties; providing support and technical maintenance, if agreed in the Agreement; preventing, mitigating and investigating the risks of security incidents, detecting and combatting fraud, error or any illegal or prohibited activity; complying with Applicable Laws; all reasonable tasks related with any of the above. |
The Period for Which the Personal Data Will Be Retained, or, If That Is Not Possible, the Criteria Used to Determine that Period |
The Parties agree to erase Personal Information from any computers, storage devices and storage media as soon as practicable after it has ceased to be reasonably necessary for such Party to retain the Personal Information under Applicable Law, for legitimate business purposes, or as otherwise required by the Agreement. Notwithstanding the foregoing, unless otherwise agreed between the Parties, or required under Applicable Law, the Parties agree that Personal Information will be retained by Pixton in accordance with its retention and destruction policies and processes in place from time to time. |
ANNEX III
Security Measures
Vendor will implement and maintain the Security Measures as set out below.
1. Organizational management and designated staff responsible for the development, implementation and maintenance of Vendor’s privacy practices.
2. Risk assessment and review of privacy and security practices, risks and compliance requirements.
3. Data security controls which include technological means such as segregation of data, restricted (e.g. role-based) access, multi-factor authentication, and utilisation of commercially available and industry standard security and threat protection technologies designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
5. Password controls designed to manage and control password strength, expiration and usage.
6. System audit or event logging and related monitoring procedures to proactively record user access, unauthorized access, and system activity.
7. Physical and environmental security of data storage and servers containing Personal Information designed to protect information assets from unauthorized physical access or damage.
8. Change management procedures designed to test, approve and monitor all material changes to Vendor’s technology and information assets.
9. Incident management procedures designed to allow Vendor to investigate, respond to, mitigate and notify of events related to Vendor’s technology and information assets.
10. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters