Recraft Data Processing Addendum
This Data Processing Addendum (this “DPA” or “Addendum”) amends and forms a part of the agreement, order form, Terms of Service, or Master Services Agreement (as applicable) to which this DPA is appended or incorporated by reference (the “Agreement”) and is entered into by and between the customer identified in the Agreement (“Customer” or “you”), and Recraft, Inc. or its affiliates, subsidiaries or related entities named in the Agreement (“Recraft,” “we” or “us”). Customer and Recraft are each a “Party” and collectively the “Parties”. In the event of a conflict between the terms of this Addendum and the Agreement, this Addendum will prevail, but only with respect to the subject matter of this Addendum.
Customer and Recraft agree as follows:
-
Definitions. For purposes of this Addendum:
-
“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information as the same may be updated from time-to-time, including without limitation, and to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act (2018) (“UK Privacy Act”), and the Swiss Federal Act on Data Protection (“Swiss FADP”). For the avoidance of doubt, if Recraft’s Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
-
“Consumer” means an identified or identifiable natural person about whom Personal Information relates.
-
“Personal Information” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.
-
“Process” and “Processing” mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
-
“Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
-
“Standard Contractual Clauses” means one or both of the following, as the context requires:
-
For Personal Information subject to the UK Data Protection Law, the “International Data Transfer Addendum” approved 2 February 2022 to the European Commission’s 2021 Standard Contractual Clauses; and
-
For Personal Information subject to the GDPR or the Swiss FADP, the “2021 Standard Contractual Clauses,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
-
Scope and Purposes of Processing.
Recraft will Process Personal Information solely: (1) to fulfill its obligations to Customer under the Agreement, including this Addendum; (2) pursuant to Customer’s instructions and consents; and (3) in compliance with Data Privacy Laws.
-
CCPA Acknowledgment.
The parties acknowledge and agree that Recraft is a service provider for the purposes of the California Consumer Privacy Act (the “CCPA”). Recraft certifies that it understands the rules, restrictions, requirements and definitions of the CCPA. Recraft agrees to refrain from taking any action that would cause any transfers of Personal Information to or from Recraft to qualify as a “sale” of Personal Information under the CCPA.
-
Personal Information Processing Requirements. Recraft will:
-
Ensure that the persons it authorizes to Process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
-
Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Consumers (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Information).
-
Promptly notify Customer of (i) any third-party or Consumer complaints regarding the Processing of Personal Information; or (ii) any government or Consumer requests for access to or information about Recraft’s Processing of Personal Information on Customer’s behalf, unless prohibited by Data Privacy Laws. Recraft will provide Customer with reasonable cooperation and assistance in relation to any such request.
-
Data Security. Recraft will implement and maintain appropriate technical and organizational measures to ensure a level of security for Personal Information appropriate to the risk, including those measures as set forth in Exhibit A.
-
Security Breach. Recraft will notify Customer without undue delay of the discovery of any Security Breach and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
-
Taking steps to mitigate the effects of the Security Breach and reduce the risk to Consumers whose Personal Information was involved; and
-
Providing Customer with the following information, to the extent known:
-
The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Consumers concerned, and the categories and approximate number of Personal Information records concerned;
-
The likely consequences of the Security Breach; and
-
Measures taken or proposed to be taken by Recraft to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
-
Subcontractors.
-
Customer acknowledges and agrees that Recraft may use Recraft affiliates and other third parties to Process Personal Information in accordance with the provisions within this Addendum and Data Privacy Laws. Where Recraft sub-contracts any of its rights or obligations concerning Personal Information, including to any affiliate, Recraft will take steps to select and retain sub-processors that are capable of maintaining appropriate privacy and security measures to protect Personal Information consistent with applicable Data Privacy Laws.
-
Recraft maintains a list of its current sub-processors at https://www.recraft.ai/subprocessors (the “Sub-processors Page”). Customer consents to Recraft’s use of the sub-processors listed there as of the Effective Date. Recraft will provide notice of any intended additions to its sub-processor list by updating the Sub-processors Page at least thirty (30) days prior to engaging any new sub-processor that will process Customer Personal Information. Customers may subscribe to receive email notifications of changes by submitting their contact information through the form provided on the Sub-processors Page. In the event Customer objects to a new sub-processor, Recraft will not transfer Customer Personal Information to the new sub-processor and will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Information by the objected to sub-processor without unreasonably burdening the Customer. Customer may, in its sole discretion, terminate the Agreement at that time by providing written notice to Recraft in the event that it objects to a sub-processor and Recraft is unable to change the services to the reasonable satisfaction of Customer.
-
Data Transfers.
-
Customer authorizes Recraft to make international transfers of Personal Information only if (i) the applicable Data Privacy Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.
-
With respect to Personal Information transferred from the United Kingdom for which UK Data Protection Law (and not the law in any European Economic Area (“EEA”) jurisdiction or Switzerland) governs the international nature of the transfer, the 2021 Standard Contractual Clauses along with the UK International Data Transfer Agreement form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows:
-
The “exporter” is Customer, and the exporter’s contact information is set forth below,
-
The “importer” is Recraft, and Recraft’s contact information is set forth below.
-
By entering into this DPA, the Parties are deemed to be signing the 2021 Standard Contractual Clauses and their applicable Appendices.
-
With respect to Personal Information transferred from the EEA and Switzerland, the 2021 Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and they will be deemed completed as follows:
-
Customer acts as a Controller and Recraft acts as Customer’s Processor with respect to the Personal Information subject to the 2021 Standard Contractual Clauses, and its Module 2 applies.
-
Clause 7 (the optional docking clause) is included.
-
Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). Recraft maintains a list of its current sub-processors at https://www.recraft.ai/subprocessors (the “Sub-processors Page”). Customer consents to Recraft’s use of the sub-processors listed there as of the Effective Date. Recraft will provide notice of any intended additions to its sub-processor list by updating the Sub-processors Page at least thirty (30) days prior to engaging any new sub-processor that will process Customer Personal Information. Customers may subscribe to receive email notifications of changes by submitting their contact information through the form provided on the Sub-processors Page. In the event Customer objects to a new sub-processor, Recraft will not transfer Customer Personal Information to the new sub-processor and will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Information by the objected to sub-processor without unreasonably burdening the Customer. Customer may, in its sole discretion, terminate the Agreement at that time by providing written notice to Recraft in the event that it objects to a sub-processor and Recraft is unable to change the services to the reasonable satisfaction of Customer.
-
Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
-
Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland.
-
Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
-
Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule B of the DPA.
-
Annex III of the 2021 Standard Contractual Clauses (List of sub-processors) is inapplicable.
-
Additional Safeguards for the Transfer and Processing of Personal Information from the EEA, Switzerland, and the United Kingdom. To the extent that Recraft Processes Personal Information of Data Subjects located in or subject to the applicable Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, Recraft agrees to the following safeguards to protect such data to an equivalent level as applicable Data Privacy Laws:
-
Recraft and Customer shall encrypt all transfers of the Personal Information between them, and Recraft shall encrypt any onward transfers it makes of such personal data, to prevent the acquisition of such data by third parties.
-
Recraft will use all reasonably available legal mechanisms to challenge any demands for data access through the national security process it receives as well as any non-disclosure provisions attached thereto.
-
At 12-month intervals or more often if required by applicable Data Privacy Law, Recraft shall create a transparency report that it will make available to Customer upon request, indicating the types of binding legal demands for the Personal Information it has received, including national security orders and directives, which shall encompass any process issued under FISA Section 702.
-
Recraft will promptly notify Customer if Recraft can no longer comply with the applicable Standard Contractual Clauses or the clauses in this Section. Recraft shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Customer’s other rights and remedies with respect to a breach of the Agreement.
-
Customer Responsibilities. Without limiting Customer’s other obligations under the Agreement and this DPA, Customer is responsible as Controller to be in full compliance with applicable Data Privacy Laws in its collection, Processing, disclosure, and use of Personal Information, including, without limitation: open, transparent public disclosure of, and compliance with, its policies and practices relating to the management of personal information; using proper consent mechanisms when required for collection and use of information that may require recording explicit or “opt-in” consent from the data subject; and complying with data subject requests regarding their Personal Information as required by applicable Data Privacy Laws and providing appropriate instructions to Recraft if needed in that regard. Data subjects shall be given a right to appeal determinations made regarding a data subject request within Customer’s organization as may be required by applicable Data Privacy Laws. Data subjects shall not be retaliated against for exercising their rights with regard to their Personal Information under applicable Data Privacy Laws.
-
Audits. Recraft will make available to Customer all information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits conducted by Customer or another auditor mandated by Customer, provided that such audit shall occur no more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent Recraft’s personnel are required to cooperate thereupon, during Recraft’s normal business hours.
-
Return or Destruction of Personal Information. Except to the extent required otherwise by Data Privacy Laws, Recraft will, at the choice of Customer, return to Customer and/or securely destroy all Personal Information upon (a) written request of Customer or (b) termination of the Addendum. Except to the extent prohibited by Data Privacy Laws, Recraft will inform Customer if it is not able to return or delete the Personal Information.
-
Term; Survival. The term of this Addendum shall commence as of the Effective Date and will continue until terminated by the parties upon a 30-day prior written notice or until the underlying Addendum between the parties has been terminated. The provisions of this Addendum shall survive the termination or expiration of this Addendum for so long as Recraft or its subcontractors Process the Personal Information.
Schedule A
Appendix 1 to the 2021 Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer): Customer, who is engaging Recraft for the purposes described in the Agreement and any relevant Statements of Work.
Data importer
The data importer is (please specify briefly activities relevant to the transfer): Recraft, Inc., who will Process the Personal Information for the purposes described in the Agreement and any relevant Statements of Work.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
Data subjects located in the EEA, UK, or Switzerland whose information is provided from Customer to Recraft for Processing pursuant to the Agreement and this DPA, which is anticipated by the parties to involve only employee or other personnel Personal Data provided by Customer to create authorized user accounts or access to the Services as described in Recraft’s posted Privacy Policy at https://www.recraft.ai/legal/privacy.
Categories of data
The personal data transferred concern the following categories of data (please specify):
Any categories of personal data provided by Customer to Recraft regarding data subjects under applicable Data Privacy Laws whose information is provided from Customer to Recraft for Processing pursuant to the Agreement and this DPA which is anticipated by the parties to involve only employee or other personnel Personal Data provided by Customer to create authorized user accounts or access to the Services as described in Recraft’s posted Privacy Policy at https://www.recraft.ai/legal/privacy.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The Services are not designed for processing any special categories of data and none is required.
Processing operations (including subject matter, nature, purpose and duration of Processing)
The personal data transferred will be subject to the following basic Processing activities (please specify): All Processing activities set forth in the Agreement and any relevant Statements of Work.
Appendix 2 to the 2021 Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
See Exhibit A.
Schedule B
Annexes I and II of the 2021 Standard Contractual Clauses
ANNEX I
A. List of Parties
Data exporter:
Name: The Customer, as defined in the agreement between Customer and Recraft under which data will be Processed (“Agreement”) on behalf of itself and its Affiliates.
Address: The Customer's address, as set out in the Agreement.
Contact person’s name, position and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Agreement.
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Company Services under the terms of the Agreement and this DPA.
Role (controller/processor): Controller
Data importer(s): Recraft
Name: As listed in the Agreement
Address: As listed in the Agreement
Contact person’s name, position and contact details: Attn: Privacy Officer help@recraft.ai.
Activities relevant to the data transferred under these Clauses: The Processing activities as described in the Agreement and any relevant Statements of Work
Role (controller/processor): Processor
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred
Customer may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Customer’s authorized employees and contractor personnel who will have access to the Services, as well as the data selected and provided by Customer to Recraft for processing under the Agreement.
Categories of Personal Data Transferred
You may submit Personal Data to the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
a. Contact Information.
b. Any other Personal Data submitted by or on behalf of Customer for Processing.
Sensitive Data transferred and applied restrictions or safeguards
The parties do not anticipate the transfer of sensitive data except as selected and provided by Customer. Customer is responsible for having the right to transfer and authorize processing of any sensitive data it provides to Recraft for processing.
Frequency of the transfer
Continuous
Purpose of the transfer and further Processing
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Services.
Period for which Personal Data will be retained
Subject to the data retention requirements of the Agreement, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Competent Supervisory Authority
For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either (i) where Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer's compliance with the GDPR; (ii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Customer's representative is established; or (iii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. In relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.
See Exhibit A.
Exhibit A
Recraft DATA SECURITY MEASURES
Recraft will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Information:
Recraft’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Information (“Data Personnel”). Recraft’s security requirements cover the following areas:
-
Information Security Policies and Standards. Recraft will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Information.
-
Physical Security. Recraft will maintain commercially reasonable security systems at all Recraft sites at which an information system that uses or stores Personal Information is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
-
Organizational Security. Recraft will maintain information security policies and procedures addressing data disposal, data minimization, data classification, and incident response protocols.
-
Network Security. Recraft maintains commercially reasonable information security policies and procedures addressing network security.
-
Access Control. Recraft agrees that: (1) only authorized Recraft staff can grant, modify or revoke access to an information system that Processes Personal Information; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
-
Virus and Malware Controls. Recraft protects Personal Information from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Information.
-
Personnel. Recraft has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
-
Subcontractor security. Recraft shall only select and contract with subcontractors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in the Addendum and this Exhibit.
-
Business Continuity. Recraft implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Recraft also adjusts its Information Security Program in light of new laws and circumstances, including as Recraft’s business and Processing change.