DATA PROCESSING ADDENDUM

TO THE TERMS OF USE OF SPIDERFOOT HX

This Data Processing Addendum (hereinafter the “Addendum”) forms an inseparable part of the terms of use of SpiderFoot HX (hereinafter the “Services”) by and between the Operator and the Client (hereinafter the “Principal Agreement”), as defined in the Principal Agreement.

1. DEFINITIONS
  1.1. For the purposes of this Addendum, unless expressly otherwise stated or evident in the context, the following capitalised terms shall have the following meanings, the singular (where appropriate) shall include the plural and vice versa, and references to Sections shall be references to sections of this Addendum. Capitalised terms not otherwise defined shall have the meaning given to them in the Principal Agreement.
    1.1.1. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;
    1.1.2. “Data Protection Laws” means applicable data protection legislation, such as the GDPR, and laws implementing or supplementing the GDPR;
    1.1.3. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
    1.1.4. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council;
    1.1.5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
    1.1.6. “Personal Data” means any information relating to a Data Subject which is sent to the Operator, is accessed by the Operator or is otherwise Processed by the Operator on the Client’s behalf in relation to the Services;
    1.1.7. “Processing” means any operation where the Operator or its Sub-processors process Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    1.1.8. “Processor” means the entity which Processes Personal Data on behalf of the Controller;
    1.1.9. “Standard Contractual Clauses” means the standard contractual clauses which are adopted by the European Commission or by a supervisory authority in accordance with Data Protection Laws;
    1.1.10. “Sub-processor” has the meaning set out in Section 5.1;
    1.1.11. “Technical and organisational measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
2. BACKGROUND AND PURPOSE
  2.1. For the purpose of provision of the Services under the Principal Agreement, the Operator will process the Client’s Personal Data. To the extent that such information includes Personal Data in respect of which the Client is the Controller, by this Addendum the Client appoints the Operator as Processor of such Personal Data, subject to the terms and conditions set forth in this Addendum.
3. PROCESSING OF PERSONAL DATA
  3.1. The categories of Data Subjects and the types of Personal Data processed for the purpose of providing the Services are:
    3.1.1. Types of Personal Data: the Client’s Search data regarding individuals, which includes:
      (i) name, surname (if provided or found);
      (ii) e-mail address (if provided or found);
      (iii) IP address (if provided or found);
      (iv) links to social media profiles (if provided or found);
      (v) content extracted from public social media profiles (may contain gender, date of birth / age, job title, etc.).
    3.1.2. Categories of Data Subjects: individuals who have been searched by the Client or the User by using the Platform.
  3.2. The Operator agrees to Process Personal Data in accordance with the documented instructions of the Client issued from time to time (including with regard to transfers of Personal Data to a third country or an international organisation), unless required to deviate from such instructions in order to comply with Data Protection Laws to which the Operator is subject (in such case, the Operator shall inform the Client of such requirement before processing Personal Data, unless the Data Protection Laws prohibit such notification).
  3.3. The Operator shall notify the Client if it considers that an instruction from the Client under Section 3.2 is in breach of the Data Protection Laws, and the Operator shall be entitled, but not obliged, to suspend execution of the relevant instruction until the Client confirms such instruction in writing.
  3.4. The Client shall be responsible for requests made by Data Subjects seeking to exercise their rights under the Data Protection Laws and shall handle them in accordance with the Data Protection Laws. The Client shall immediately notify the Operator of such a request if complying with it requires action from the Operator. Accordingly, the Operator shall immediately notify the Client if it receives such a request from a Data Subject under the Data Protection Laws, and shall, at the Client’s request and cost, assist the Client, insofar as this is possible, by providing such information to the Client as the Client may reasonably require, and within the time period reasonably specified by the Client, in complying with the rights and rightful requests of the Data Subjects, or with notices served by the relevant supervisory authority or any other law enforcement or regulatory authority.
  3.5. Taking into account the nature of the Processing, the Operator shall implement and maintain appropriate Technical and organisational measures in order to ensure a level of security appropriate to the risk and protect the Personal Data, and, at the Client’s request and cost, assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Operator.
  3.6. The Operator may transfer Personal Data to a country outside of the European Union or European Economic Area if:
    3.6.1. the Personal Data is transferred to a country approved by the European Commission as providing an adequate level of protection for the Personal Data;
    3.6.2. the transfer is made pursuant to Standard Contractual Clauses; or
    3.6.3. other appropriate legal data transfer mechanisms are used.
  3.7. The Operator shall inform the Client without undue delay if the Operator becomes aware of any Personal Data Breach.
4. AUDIT RIGHTS
  4.1. The Client shall have the right, once in every twelve (12) months and upon the provision of twelve (12) business days’ prior written notice, to audit the Operator’s operations relevant to the performance of this Addendum. If the date proposed by the Client is not suitable for the Operator, the Client can appoint another date that cannot be later than five (5) business days from the original date. The Client is responsible for the costs of the audit. However, should the audit reveal any violation or breach of this Addendum by the Operator or its Sub-processor, the Operator shall compensate the Client for the costs arising from the audit and remedy the breach.
  4.2. The audit must be performed on a business day during the working hours of the Operator and it must not unreasonably disturb the Operator’s course of business or jeopardise the confidentiality of any third party’s information in the Operator’s possession. The Operator undertakes to cooperate in good faith with the Client and provide the Client with such information relating to this Addendum as the Client may reasonably request in order to demonstrate that it has acted in compliance with the Data Protection Laws.
5. USE OF SUBCONTRACTORS
  5.1. If the Operator uses subcontractors for the provision of the Services and such a subcontractor is provided by the Operator with Personal Data in respect of which the Client is the Controller (hereinafter the “Sub-processor”), the Operator shall ensure that such Sub-processors comply with the terms of this Addendum, including, inter alia, the obligation to implement Technical and organisational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws.
  5.2. The Client hereby authorises the Operator to appoint Sub-processors in accordance with this Section 5. The Operator shall ensure that Sub-processors are bound by written agreements that require them to provide at least the level of data protection required from the Operator by this Addendum. The Operator shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Client the opportunity to object to such changes. If, within 7 (seven) days of receipt of the notice, the Client notifies the Operator in writing (the notice must be reasoned) of any objections to the proposed appointment, the Operator shall not appoint that proposed Sub-processor until reasonable steps have been taken to address the objections raised by the Client and the Client has been informed of the steps taken. If the Client and the Operator are not able to resolve the appointment of a Sub-processor within a reasonable period, the Operator shall have the right to terminate the Addendum without prior notice.
6. CONFIDENTIALITY
  6.1. The Operator undertakes that all its personnel processing Personal Data are bound by the duty of confidentiality.
  6.2. If the Operator engages a Sub-processor to perform its engagement, it shall ensure that the Sub-processor and its personnel are bound by the duty of confidentiality.
7. TERM AND TERMINATION
  7.1. This Addendum shall apply during such time period as the Operator Processes Personal Data on behalf of the Client. The termination of Personal Data Processing takes place upon the first of the following events to occur:
    7.1.1. the Client requests the Operator to delete or return the Personal Data and stop Processing thereof;
    7.1.2. the Operator’s obligation to provide Services to the Client ceases permanently due to termination or expiration of the Principal Agreement; or
    7.1.3. either Party terminates this Addendum by giving prior written notice to the other Party no later than one (1) month prior to the termination.
  7.2. Upon termination of the Personal Data Processing, the Personal Data shall, at the Client’s discretion, either be returned to the Client, to the extent possible, or be deleted, unless any applicable law (including EU law or national law) to which the Operator is subject requires retention of the Personal Data.
  7.3. Obligations which by their nature (e.g. the duty of confidentiality) should survive termination or expiration of the Addendum shall so survive.
8. CLAIMS AND DAMAGES
  8.1. Each Party agrees to give written notice to the other Party, without undue delay, of any claim made against itself in connection with the processing of Personal Data under this Addendum.
  8.2. To the extent due to the Operator’s or its Sub-processor’s fault, the Operator shall be liable for damage caused to the Client as a consequence of Processing contrary to the provisions of this Addendum and in respect of which the Client has had to pay compensation to the Data Subject or pay administrative fines imposed by the relevant authorities. Liability of the Operator is limited pursuant to Section 11 of the Principal Agreement.
  8.3. The Client shall indemnify the Operator against all claims, liabilities, costs, expenses, damages and losses incurred by the Operator arising out of or in connection with proceedings brought by Data Subjects or supervisory authorities under Data Protection Laws in respect of Personal Data Processed under this Addendum, except to the extent that such claims against the Operator have arisen out of or in connection with any negligence or wilful default of the Operator or any breach by the Operator of the terms of this Addendum.
9. APPLICABLE LAW AND DISPUTES
  9.1. This Addendum shall be governed by Estonian law, excluding its conflict of laws rules.
  9.2. Any dispute, controversy or claim arising out of or in connection with this Addendum, or the breach, termination or invalidity thereof, shall be finally settled by the courts of the Republic of Estonia.
10. MISCELLANEOUS
  10.1. Should any provision of this Addendum be invalid or unenforceable, the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible, or – should this not be possible – (ii) construed as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this Addendum contains any omission.
  10.2. Any amendments to this Addendum shall be made in writing and be signed by duly authorised representatives of the Parties.
  10.3. In case of any conflict between the terms of this Addendum and the Principal Agreement, the provisions of this Addendum shall prevail.